Merge pull request #38816 from deads2k/rbac-23-switch-kubedns-sa

Automatic merge from submit-queue move kube-dns to a separate service account Switches the kubedns addon to run as a separate service account so that we can subdivide RBAC permission for it. The RBAC permissions will need a little more refinement which I'm expecting to find in https://github.com/kubernetes/kubernetes/pull/38626 . @cjcullen @kubernetes/sig-auth since this is directly related to enabling RBAC with subdivided permissions @thockin @kubernetes/sig-network since this directly affects now kubedns is added. ```release-note `kube-dns` now runs using a separate `system:serviceaccount:kube-system:kube-dns` service account which is automatically bound to the correct RBAC permissions. ```
2025-09-06 11:42:14 +00:00 · 2017-02-23 12:06:13 -08:00
parent 17375fc59f 36b586d5d7
commit b799bbf0a8
12 changed files with 58 additions and 0 deletions
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -688,6 +688,7 @@ function start_kubedns {
        # TODO update to dns role once we have one.
        ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create clusterrolebinding system:kube-dns --clusterrole=cluster-admin --serviceaccount=kube-system:default
        # use kubectl to create kubedns deployment and service
+        ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f ${KUBE_ROOT}/cluster/addons/dns/kubedns-sa.yaml
        ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f kubedns-deployment.yaml
        ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f kubedns-svc.yaml
        echo "Kube-dns deployment and service successfully deployed."