mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 04:06:03 +00:00
Merge pull request #38816 from deads2k/rbac-23-switch-kubedns-sa
Automatic merge from submit-queue move kube-dns to a separate service account Switches the kubedns addon to run as a separate service account so that we can subdivide RBAC permission for it. The RBAC permissions will need a little more refinement which I'm expecting to find in https://github.com/kubernetes/kubernetes/pull/38626 . @cjcullen @kubernetes/sig-auth since this is directly related to enabling RBAC with subdivided permissions @thockin @kubernetes/sig-network since this directly affects now kubedns is added. ```release-note `kube-dns` now runs using a separate `system:serviceaccount:kube-system:kube-dns` service account which is automatically bound to the correct RBAC permissions. ```
This commit is contained in:
commit
b799bbf0a8
@ -157,3 +157,4 @@ spec:
|
||||
memory: 20Mi
|
||||
cpu: 10m
|
||||
dnsPolicy: Default # Don't use cluster DNS.
|
||||
serviceAccountName: kube-dns
|
||||
|
@ -157,3 +157,4 @@ spec:
|
||||
memory: 20Mi
|
||||
cpu: 10m
|
||||
dnsPolicy: Default # Don't use cluster DNS.
|
||||
serviceAccountName: kube-dns
|
||||
|
@ -156,3 +156,4 @@ spec:
|
||||
memory: 20Mi
|
||||
cpu: 10m
|
||||
dnsPolicy: Default # Don't use cluster DNS.
|
||||
serviceAccountName: kube-dns
|
||||
|
6
cluster/addons/dns/kubedns-sa.yaml
Normal file
6
cluster/addons/dns/kubedns-sa.yaml
Normal file
@ -0,0 +1,6 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kube-dns
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
@ -33,6 +33,7 @@ function deploy_dns {
|
||||
|
||||
if [ ! "$KUBEDNS" ]; then
|
||||
# use kubectl to create kube-dns deployment and service
|
||||
${KUBECTL} --namespace=kube-system create -f kubedns-sa.yaml
|
||||
${KUBECTL} --namespace=kube-system create -f kubedns-controller.yaml
|
||||
${KUBECTL} --namespace=kube-system create -f kubedns-svc.yaml
|
||||
|
||||
|
@ -67,6 +67,7 @@ ENABLE_DNS_HORIZONTAL_AUTOSCALER="${KUBE_ENABLE_DNS_HORIZONTAL_AUTOSCALER:-false
|
||||
#Generate dns files
|
||||
sed -f "${KUBE_ROOT}/cluster/addons/dns/transforms2sed.sed" < "${KUBE_ROOT}/cluster/addons/dns/kubedns-controller.yaml.base" | sed -f "${KUBE_ROOT}/cluster/libvirt-coreos/forShellEval.sed" > "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-controller.yaml"
|
||||
sed -f "${KUBE_ROOT}/cluster/addons/dns/transforms2sed.sed" < "${KUBE_ROOT}/cluster/addons/dns/kubedns-svc.yaml.base" | sed -f "${KUBE_ROOT}/cluster/libvirt-coreos/forShellEval.sed" > "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-svc.yaml"
|
||||
cp "${KUBE_ROOT}/cluster/addons/dns/kubedns-sa.yaml" "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-sa.yaml"
|
||||
|
||||
|
||||
#Generate registry files
|
||||
|
@ -187,6 +187,7 @@ function initialize-pool {
|
||||
render-template "$ROOT/namespace.yaml" > "$POOL_PATH/kubernetes/addons/namespace.yaml"
|
||||
render-template "$ROOT/kubedns-svc.yaml" > "$POOL_PATH/kubernetes/addons/kubedns-svc.yaml"
|
||||
render-template "$ROOT/kubedns-controller.yaml" > "$POOL_PATH/kubernetes/addons/kubedns-controller.yaml"
|
||||
render-template "$ROOT/kubedns-sa.yaml" > "$POOL_PATH/kubernetes/addons/kubedns-sa.yaml"
|
||||
fi
|
||||
|
||||
virsh pool-refresh $POOL
|
||||
|
@ -43,11 +43,13 @@ function deploy_dns {
|
||||
echo "Deploying DNS on Kubernetes"
|
||||
sed -e "s/\\\$DNS_DOMAIN/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/kubedns-controller.yaml.sed" > kubedns-controller.yaml
|
||||
sed -e "s/\\\$DNS_SERVER_IP/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/kubedns-svc.yaml.sed" > kubedns-svc.yaml
|
||||
cp "${KUBE_ROOT}/cluster/addons/dns/kubedns-sa.yaml" kubedns-sa.yaml
|
||||
|
||||
KUBEDNS=`eval "${KUBECTL} get services --namespace=kube-system | grep kube-dns | cat"`
|
||||
|
||||
if [ ! "$KUBEDNS" ]; then
|
||||
# use kubectl to create kubedns controller and service
|
||||
${KUBECTL} --namespace=kube-system create -f kubedns-sa.yaml
|
||||
${KUBECTL} --namespace=kube-system create -f kubedns-controller.yaml
|
||||
${KUBECTL} --namespace=kube-system create -f kubedns-svc.yaml
|
||||
|
||||
|
@ -688,6 +688,7 @@ function start_kubedns {
|
||||
# TODO update to dns role once we have one.
|
||||
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create clusterrolebinding system:kube-dns --clusterrole=cluster-admin --serviceaccount=kube-system:default
|
||||
# use kubectl to create kubedns deployment and service
|
||||
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f ${KUBE_ROOT}/cluster/addons/dns/kubedns-sa.yaml
|
||||
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f kubedns-deployment.yaml
|
||||
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f kubedns-svc.yaml
|
||||
echo "Kube-dns deployment and service successfully deployed."
|
||||
|
@ -341,6 +341,13 @@ func ClusterRoles() []rbac.ClusterRole {
|
||||
rbac.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
|
||||
},
|
||||
},
|
||||
{
|
||||
// a role to use for the kube-dns pod
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "system:kube-dns"},
|
||||
Rules: []rbac.PolicyRule{
|
||||
rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("endpoints", "services").RuleOrDie(),
|
||||
},
|
||||
},
|
||||
{
|
||||
// a role for an external/out-of-tree persistent volume provisioner
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "system:persistent-volume-provisioner"},
|
||||
@ -370,6 +377,7 @@ func ClusterRoleBindings() []rbac.ClusterRoleBinding {
|
||||
rbac.NewClusterBinding("system:node").Groups(user.NodesGroup).BindingOrDie(),
|
||||
rbac.NewClusterBinding("system:node-proxier").Users(user.KubeProxy).BindingOrDie(),
|
||||
rbac.NewClusterBinding("system:kube-controller-manager").Users(user.KubeControllerManager).BindingOrDie(),
|
||||
rbac.NewClusterBinding("system:kube-dns").SAs("kube-system", "kube-dns").BindingOrDie(),
|
||||
rbac.NewClusterBinding("system:kube-scheduler").Users(user.KubeScheduler).BindingOrDie(),
|
||||
}
|
||||
addClusterRoleBindingLabel(rolebindings)
|
||||
|
@ -74,6 +74,23 @@ items:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: User
|
||||
name: system:kube-controller-manager
|
||||
- apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
annotations:
|
||||
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
kubernetes.io/bootstrapping: rbac-defaults
|
||||
name: system:kube-dns
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:kube-dns
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kube-dns
|
||||
namespace: kube-system
|
||||
- apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
@ -536,6 +536,24 @@ items:
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
annotations:
|
||||
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
kubernetes.io/bootstrapping: rbac-defaults
|
||||
name: system:kube-dns
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- endpoints
|
||||
- services
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
Loading…
Reference in New Issue
Block a user