Use the updated (RBAC enabled) cdk-addons

cluster/juju/layers/kubernetes-master/README.md

@@ -54,6 +54,10 @@ The domain name to use for the Kubernetes cluster for DNS.
 Enables the installation of Kubernetes dashboard, Heapster, Grafana, and
 InfluxDB.
 
+#### enable-rbac
+
+Enable RBAC and Node authorisation.
+
 # DNS for the cluster
 
 The DNS add-on allows the pods to have a DNS names in addition to IP addresses.

cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py

@@ -534,7 +534,6 @@ def addons_ready():
 
     """
     try:
-        apply_rbac()
         check_call(['cdk-addons.apply'])
         return True
     except CalledProcessError:
@@ -665,44 +664,6 @@ def enable_rbac_config():
         remove_state('kubernetes-master.components.started')
 
 
-def apply_rbac():
-    # TODO(kjackal): we should be checking if rbac is already applied
-    config = hookenv.config()
-    if is_state('leadership.is_leader'):
-        if config.get('enable-rbac'):
-            try:
-                cmd = ['kubectl', 'apply', '-f', 'templates/heapster-rbac.yaml']
-                check_output(cmd).decode('utf-8')
-            except CalledProcessError:
-                hookenv.log('Failed to apply heapster rbac rules')
-            try:
-                cmd = ['kubectl', 'apply', '-f', 'templates/nginx-ingress-controller-rbac.yml']
-                check_output(cmd).decode('utf-8')
-            except CalledProcessError:
-                hookenv.log('Failed to apply heapster rbac rules')
-
-            # TODO(kjackal): The follwoing is wrong and imposes security risk. What we should be doing is
-            # update the add-ons to include an rbac enabled dashboard
-            try:
-                cmd = "kubectl create clusterrolebinding add-on-cluster-admin  --clusterrole=cluster-admin" \
-                      " --serviceaccount=kube-system:default".split(' ')
-                check_output(cmd).decode('utf-8')
-            except CalledProcessError:
-                hookenv.log('Failed to elevate credentials')
-
-        else:
-            try:
-                cmd = ['kubectl', 'delete', '-f', 'templates/heapster-rbac.yaml']
-                check_output(cmd).decode('utf-8')
-            except CalledProcessError:
-                hookenv.log('Failed to delete heapster rbac rules')
-            try:
-                cmd = ['kubectl', 'delete', '-f', 'templates/nginx-ingress-controller-rbac.yml']
-                check_output(cmd).decode('utf-8')
-            except CalledProcessError:
-                hookenv.log('Failed to apply heapster rbac rules')
-
-
 @when('kubernetes-master.components.started')
 @when('nrpe-external-master.available')
 @when_any('config.changed.nagios_context',

cluster/juju/layers/kubernetes-master/templates/heapster-rbac.yaml

@@ -1,58 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: heapster-binding
-  labels:
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:heapster
-subjects:
-- kind: ServiceAccount
-  name: heapster
-  namespace: kube-system
----
-# Heapster's pod_nanny monitors the heapster deployment & its pod(s), and scales
-# the resources of the deployment if necessary.
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
-  name: system:pod-nanny
-  namespace: kube-system
-  labels:
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-- apiGroups:
-  - "extensions"
-  resources:
-  - deployments
-  verbs:
-  - get
-  - update
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
-  name: heapster-binding
-  namespace: kube-system
-  labels:
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: system:pod-nanny
-subjects:
-- kind: ServiceAccount
-  name: heapster
-  namespace: kube-system
----

cluster/juju/layers/kubernetes-master/templates/nginx-ingress-controller-rbac.yml

@@ -1,127 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: nginx-ingress-serviceaccount
-  namespace: default
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: nginx-ingress-clusterrole
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - "extensions"
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-        - events
-    verbs:
-        - create
-        - patch
-  - apiGroups:
-      - "extensions"
-    resources:
-      - ingresses/status
-    verbs:
-      - update
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
-  name: nginx-ingress-role
-  namespace: default
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-      - pods
-      - secrets
-      - namespaces
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    resourceNames:
-      # Defaults to "<election-id>-<ingress-class>"
-      # Here: "<ingress-controller-leader>-<nginx>"
-      # This has to be adapted if you change either parameter
-      # when launching the nginx-ingress-controller.
-      - "ingress-controller-leader-nginx"
-    verbs:
-      - get
-      - update
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - create
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-    verbs:
-      - get
-      - create
-      - update
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
-  name: nginx-ingress-role-nisa-binding
-  namespace: default
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: nginx-ingress-role
-subjects:
-  - kind: ServiceAccount
-    name: nginx-ingress-serviceaccount
-    namespace: default
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: nginx-ingress-clusterrole-nisa-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: nginx-ingress-clusterrole
-subjects:
-  - kind: ServiceAccount
-    name: nginx-ingress-serviceaccount
-    namespace: default

cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml

@@ -1,4 +1,132 @@
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nginx-ingress-serviceaccount
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: nginx-ingress-clusterrole
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "extensions"
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+        - events
+    verbs:
+        - create
+        - patch
+  - apiGroups:
+      - "extensions"
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: nginx-ingress-role
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      # Defaults to "<election-id>-<ingress-class>"
+      # Here: "<ingress-controller-leader>-<nginx>"
+      # This has to be adapted if you change either parameter
+      # when launching the nginx-ingress-controller.
+      - "ingress-controller-leader-nginx"
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+    verbs:
+      - get
+      - create
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: nginx-ingress-role-nisa-binding
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nginx-ingress-role
+subjects:
+  - kind: ServiceAccount
+    name: nginx-ingress-serviceaccount
+    namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: nginx-ingress-clusterrole-nisa-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nginx-ingress-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: nginx-ingress-serviceaccount
+    namespace: default
+---
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: nginx-load-balancer-conf