diff --git a/cluster/addons/cluster-monitoring/google/heapster-controller.yaml b/cluster/addons/cluster-monitoring/google/heapster-controller.yaml
index 22b6f265648..0e81f2dac7c 100644
--- a/cluster/addons/cluster-monitoring/google/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/google/heapster-controller.yaml
@@ -11,6 +11,15 @@
 {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: heapster
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -134,6 +143,7 @@ spec:
 - name: usr-ca-certs
 hostPath:
 path: "/usr/share/ca-certificates"
+ serviceAccountName: heapster
 tolerations:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
diff --git a/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml b/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml
index 3f1e861cc84..12b07734bf3 100644
--- a/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml
+++ b/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml
@@ -11,6 +11,15 @@
 {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: heapster
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -135,6 +144,7 @@ spec:
 - name: usr-ca-certs
 hostPath:
 path: "/usr/share/ca-certificates"
+ serviceAccountName: heapster
 tolerations:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
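Review bot: The `serviceAccountName: heapster` line added in the second hunk has no visible indentation in this rendering, and it must sit at the pod-spec level as a sibling of `tolerations:`; nested one level too deep (under the preceding `volumes` entry, or under a container in the variants where it follows `--estimator=exponential`) it is not a known field and would be dropped or rejected depending on validation, leaving the pod on the `default` ServiceAccount whose cluster-admin grab-bag binding this commit deletes. The same ServiceAccount document and the same one-line Deployment change are repeated in the googleinfluxdb hunks on this line and again in the influxdb, stackdriver and standalone controller hunks; a single copy in the shared heapster-rbac.yaml, next to the bindings that reference it, would avoid five identical definitions to keep in sync. A ServiceAccount applies to the whole pod, so every container in it (heapster plus the sidecars that the `--container=heapster` / `--container=eventer` arguments in the other variants suggest are pod_nanny instances) receives the union of what is bound to it; a comment on the ServiceAccount would make that visible to the next reader: `# Shared by every container in the heapster pod; bound in heapster-rbac.yaml to the system:heapster ClusterRole and the system:pod-nanny Role.` The Deployment spec these hunks touch starts and ends outside the hunks.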
diff --git a/cluster/addons/cluster-monitoring/heapster-rbac.yaml b/cluster/addons/cluster-monitoring/heapster-rbac.yaml
new file mode 100644
index 00000000000..58fa1b9921b
--- /dev/null
+++ b/cluster/addons/cluster-monitoring/heapster-rbac.yaml
@@ -0,0 +1,58 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: heapster-binding
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:heapster
+subjects:
+- kind: ServiceAccount
+ name: heapster
+ namespace: kube-system
+---
+# Heapster's pod_nanny monitors the heapster deployment & its pod(s), and scales
+# the resources of the deployment if necessary.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: system:pod-nanny
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - "extensions"
+ resources:
+ - deployments
+ verbs:
+ - get
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: heapster-binding
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: system:pod-nanny
+subjects:
+- kind: ServiceAccount
+ name: heapster
+ namespace: kube-system
+---
diff --git a/cluster/addons/cluster-monitoring/influxdb/heapster-controller.yaml b/cluster/addons/cluster-monitoring/influxdb/heapster-controller.yaml
index 9f29285de28..30b4c3290b5 100644
--- a/cluster/addons/cluster-monitoring/influxdb/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/influxdb/heapster-controller.yaml
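Review bot: The `system:pod-nanny` Role grants `get` and `update` on every `deployments` object in kube-system, although the comment above it says the nanny only scales the heapster deployment; adding `resourceNames: [heapster]` to that rule (both `get` and `update` support name-scoped rules) keeps the shared heapster ServiceAccount from being able to rewrite other kube-system addons, assuming the deployment is named `heapster` in every monitoring variant. The `pods` `get` rule cannot be narrowed the same way unless the nanny reads a pod with a fixed name, which this diff does not show. The ClusterRoleBinding's roleRef points at a `system:heapster` ClusterRole that is not created anywhere in this diff, so the binding silently depends on that bootstrap role already existing in the target cluster. A ClusterRoleBinding and a RoleBinding both named `heapster-binding` do not collide, but a distinct name such as `heapster-pod-nanny-binding` for the RoleBinding would make audit and `kubectl get` output easier to read.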
@@ -11,6 +11,15 @@
 {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: heapster
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -113,6 +122,7 @@ spec:
 - --container=eventer
 - --poll-period=300000
 - --estimator=exponential
+ serviceAccountName: heapster
 tolerations:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
diff --git a/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml b/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml
index a1e8d32c146..86cbbf911df 100644
--- a/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml
@@ -9,6 +9,15 @@
 {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: heapster
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -91,6 +100,7 @@ spec:
 - name: usr-ca-certs
 hostPath:
 path: "/usr/share/ca-certificates"
+ serviceAccountName: heapster
 tolerations:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
diff --git a/cluster/addons/cluster-monitoring/standalone/heapster-controller.yaml b/cluster/addons/cluster-monitoring/standalone/heapster-controller.yaml
index 148ee49d24d..06454ff4673 100644
--- a/cluster/addons/cluster-monitoring/standalone/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/standalone/heapster-controller.yaml
@@ -9,6 +9,15 @@
 {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: heapster
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -75,6 +84,7 @@ spec:
 - --container=heapster
 - --poll-period=300000
 - --estimator=exponential
+ serviceAccountName: heapster
 tolerations:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
diff --git a/cluster/addons/e2e-rbac-bindings/README.md b/cluster/addons/e2e-rbac-bindings/README.md
deleted file mode 100644
index 6987184e7ea..00000000000
--- a/cluster/addons/e2e-rbac-bindings/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-These resources are used to add extra (non-default) bindings to e2e to match users and groups
-that are particular to the e2e environment. These are not standard bootstrap bindings and
-not standard users they are bound to. This is not a recipe for adding bootstrap bindings.
-
-[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/e2e-rbac-bindings/README.md?pixel)]()
diff --git a/cluster/addons/e2e-rbac-bindings/random-addon-grabbag.yaml b/cluster/addons/e2e-rbac-bindings/random-addon-grabbag.yaml
deleted file mode 100644
index ec180e212b4..00000000000
--- a/cluster/addons/e2e-rbac-bindings/random-addon-grabbag.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# TODO remove this
-# currently, the kube-addon-manager is adding lots of pods which all share
-# the system:serviceaccount:kube-system:default identity. We need to subdivide
-# those service accounts, figure out which ones we're going to make bootstrap roles for
-# and bind those particular roles in the addon yaml itself. This just gets us started
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: todo-remove-grabbag-cluster-admin
- labels:
- kubernetes.io/cluster-service: "true"
- addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: kube-system
diff --git a/cluster/addons/e2e-rbac-bindings/kubelet-binding.yaml b/cluster/addons/rbac/kubelet-binding.yaml
similarity index 75%
rename from cluster/addons/e2e-rbac-bindings/kubelet-binding.yaml
rename to cluster/addons/rbac/kubelet-binding.yaml
index fd8624951c1..80567a4b61c 100644
--- a/cluster/addons/e2e-rbac-bindings/kubelet-binding.yaml
+++ b/cluster/addons/rbac/kubelet-binding.yaml
@@ -1,8 +1,7 @@
 # The GKE environments don't have kubelets with certificates that
 # identify the system:nodes group. They use the kubelet identity
-# TODO cjcullen should figure out how wants to manage his upgrade
-# this will only hold the e2e tests until we get an authorizer
-# which authorizes particular nodes
+# TODO: remove this once new nodes are granted individual identities and the
+# NodeAuthorizer is enabled.
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
diff --git a/cluster/gce/container-linux/configure-helper.sh b/cluster/gce/container-linux/configure-helper.sh
index 52c8a029a13..3ce39b8db91 100755
--- a/cluster/gce/container-linux/configure-helper.sh
+++ b/cluster/gce/container-linux/configure-helper.sh
@@ -1126,8 +1126,8 @@ function start-kube-addons {
 local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
 local -r dst_dir="/etc/kubernetes/addons"
- # prep the additional bindings that are particular to e2e users and groups
- setup-addon-manifests "addons" "e2e-rbac-bindings"
+ # prep addition kube-up specific rbac objects
+ setup-addon-manifests "addons" "rbac"
 # Set up manifests of other addons.
 if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \
@@ -1136,6 +1136,7 @@ function start-kube-addons {
 [[ "${ENABLE_CLUSTER_MONITORING:-}" == "standalone" ]] || \
 [[ "${ENABLE_CLUSTER_MONITORING:-}" == "googleinfluxdb" ]]; then
 local -r file_dir="cluster-monitoring/${ENABLE_CLUSTER_MONITORING}"
+ setup-addon-manifests "addons" "cluster-monitoring"
 setup-addon-manifests "addons" "${file_dir}"
 # Replace the salt configurations with variable values.
 base_metrics_memory="140Mi"
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 554fbc3ab15..71068f9ffe4 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1520,10 +1520,6 @@ function start-kube-addons {
 local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
 local -r dst_dir="/etc/kubernetes/addons"
- # TODO(mikedanese): only enable these in e2e
- # prep the additional bindings that are particular to e2e users and groups
- setup-addon-manifests "addons" "e2e-rbac-bindings"
-
 # prep addition kube-up specific rbac objects
 setup-addon-manifests "addons" "rbac"
@@ -1534,6 +1530,7 @@ function start-kube-addons {
 [[ "${ENABLE_CLUSTER_MONITORING:-}" == "standalone" ]] || \
 [[ "${ENABLE_CLUSTER_MONITORING:-}" == "googleinfluxdb" ]]; then
 local -r file_dir="cluster-monitoring/${ENABLE_CLUSTER_MONITORING}"
+ setup-addon-manifests "addons" "cluster-monitoring"
 setup-addon-manifests "addons" "${file_dir}"
 # Replace the salt configurations with variable values.
 base_metrics_memory="140Mi"
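Review bot: The new comment `# prep addition kube-up specific rbac objects` in the first container-linux hunk has a typo and should read `# prep additional kube-up specific rbac objects`; the same wording already exists as context in the first gci hunk, so both copies are worth fixing together. In the second hunk of both files the added `setup-addon-manifests "addons" "cluster-monitoring"` runs only inside the ENABLE_CLUSTER_MONITORING branch, which is the right scope for heapster-rbac.yaml, but whether it copies only the files directly under cluster-monitoring/ or also descends into the per-backend subdirectories depends on setup-addon-manifests, whose body is outside this diff; if it recurses, every backend's controller manifest would be installed alongside the selected one, so that is worth confirming. start-kube-addons begins and ends outside these hunks.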