Merge pull request #38816 from deads2k/rbac-23-switch-kubedns-sa

Automatic merge from submit-queue move kube-dns to a separate service account Switches the kubedns addon to run as a separate service account so that we can subdivide RBAC permission for it. The RBAC permissions will need a little more refinement which I'm expecting to find in https://github.com/kubernetes/kubernetes/pull/38626 . @cjcullen @kubernetes/sig-auth since this is directly related to enabling RBAC with subdivided permissions @thockin @kubernetes/sig-network since this directly affects now kubedns is added. ```release-note `kube-dns` now runs using a separate `system:serviceaccount:kube-system:kube-dns` service account which is automatically bound to the correct RBAC permissions. ```
2025-09-16 06:32:32 +00:00 · 2017-02-23 12:06:13 -08:00
parent 17375fc59f 36b586d5d7
commit b799bbf0a8
12 changed files with 58 additions and 0 deletions
--- a/cluster/addons/dns/kubedns-controller.yaml.base
+++ b/cluster/addons/dns/kubedns-controller.yaml.base
@@ -157,3 +157,4 @@ spec:
            memory: 20Mi
            cpu: 10m
      dnsPolicy: Default  # Don't use cluster DNS.
+      serviceAccountName: kube-dns
--- a/cluster/addons/dns/kubedns-controller.yaml.in
+++ b/cluster/addons/dns/kubedns-controller.yaml.in
@@ -157,3 +157,4 @@ spec:
            memory: 20Mi
            cpu: 10m
      dnsPolicy: Default  # Don't use cluster DNS.
+      serviceAccountName: kube-dns
--- a/cluster/addons/dns/kubedns-controller.yaml.sed
+++ b/cluster/addons/dns/kubedns-controller.yaml.sed
@@ -156,3 +156,4 @@ spec:
            memory: 20Mi
            cpu: 10m
      dnsPolicy: Default  # Don't use cluster DNS.
+      serviceAccountName: kube-dns
--- a/cluster/addons/dns/kubedns-sa.yaml
+++ b/cluster/addons/dns/kubedns-sa.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-dns
+  labels:
+    kubernetes.io/cluster-service: "true"