[Federation] Use service accounts instead of the user's credentials when accessing joined clusters' API servers.

2026-01-05 23:47:50 +00:00 · 2017-02-24 00:33:40 -08:00
parent ee9bab1111
commit af2a8f7e8a
11 changed files with 918 additions and 191 deletions
--- a/pkg/kubectl/cluster.go
+++ b/pkg/kubectl/cluster.go
@@ -25,6 +25,11 @@ import (
 	"k8s.io/kubernetes/pkg/api/v1"
 )

+const (
+	ServiceAccountNameAnnotation = "federation.kubernetes.io/servive-account-name"
+	ClusterRoleNameAnnotation    = "federation.kubernetes.io/cluster-role-name"
+)
+
 // ClusterGeneratorV1Beta1 supports stable generation of a
 // federation/cluster resource.
 type ClusterGeneratorV1Beta1 struct {
@@ -39,6 +44,15 @@ type ClusterGeneratorV1Beta1 struct {
 	// SecretName is the name of the secret that stores the credentials
 	// for the Kubernetes cluster that is being registered (optional)
 	SecretName string
+	// ServiceAccountName is the name of the service account that is
+	// created in the cluster being registered. If this is provided,
+	// then ClusterRoleName must also be provided (optional)
+	ServiceAccountName string
+	// ClusterRoleName is the name of the cluster role and cluster role
+	// binding that are created in the cluster being registered. If this
+	// is provided, then ServiceAccountName must also be provided
+	// (optional)
+	ClusterRoleName string
 }

 // Ensure it supports the generator pattern that uses parameter
@@ -68,6 +82,8 @@ func (s ClusterGeneratorV1Beta1) Generate(genericParams map[string]interface{})
 	clustergen.ClientCIDR = params["client-cidr"]
 	clustergen.ServerAddress = params["server-address"]
 	clustergen.SecretName = params["secret"]
+	clustergen.ServiceAccountName = params["service-account-name"]
+	clustergen.ClusterRoleName = params["cluster-role-name"]
 	return clustergen.StructuredGenerate()
 }

@@ -79,6 +95,8 @@ func (s ClusterGeneratorV1Beta1) ParamNames() []GeneratorParam {
 		{"client-cidr", false},
 		{"server-address", true},
 		{"secret", false},
+		{"service-account-name", false},
+		{"cluster-role-name", false},
 	}
 }

@@ -110,6 +128,21 @@ func (s ClusterGeneratorV1Beta1) StructuredGenerate() (runtime.Object, error) {
 			},
 		},
 	}
+
+	annotations := make(map[string]string)
+	if s.ServiceAccountName != "" {
+		annotations[ServiceAccountNameAnnotation] = s.ServiceAccountName
+	}
+	if s.ClusterRoleName != "" {
+		annotations[ClusterRoleNameAnnotation] = s.ClusterRoleName
+	}
+	if len(annotations) == 1 {
+		return nil, fmt.Errorf("Either both or neither of ServiceAccountName and ClusterRoleName must be provided.")
+	}
+	if len(annotations) > 0 {
+		cluster.SetAnnotations(annotations)
+	}
+
 	return cluster, nil
 }