Replace todo-grabbag binding w/ more specific heapster roles/bindings.

Move kubelet binding to the rbac folder.
2025-09-14 21:53:52 +00:00 · 2017-05-31 17:52:06 -07:00
parent cc568f6433
commit eba50dfeb6
11 changed files with 114 additions and 34 deletions
--- a/cluster/addons/cluster-monitoring/google/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/google/heapster-controller.yaml
@@ -11,6 +11,15 @@
  {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: heapster
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -134,6 +143,7 @@ spec:
        - name: usr-ca-certs
          hostPath:
            path: "/usr/share/ca-certificates"
      serviceAccountName: heapster
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
--- a/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml
+++ b/cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml
@@ -11,6 +11,15 @@
  {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: heapster
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -135,6 +144,7 @@ spec:
        - name: usr-ca-certs
          hostPath:
            path: "/usr/share/ca-certificates"
      serviceAccountName: heapster
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
--- a/cluster/addons/cluster-monitoring/heapster-rbac.yaml
+++ b/cluster/addons/cluster-monitoring/heapster-rbac.yaml
@@ -0,0 +1,58 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: heapster-binding
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:heapster
 subjects:
 - kind: ServiceAccount
  name: heapster
  namespace: kube-system
 ---
 # Heapster's pod_nanny monitors the heapster deployment & its pod(s), and scales
 # the resources of the deployment if necessary.
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: system:pod-nanny
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
 rules:
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
 - apiGroups:
  - "extensions"
  resources:
  - deployments
  verbs:
  - get
  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: heapster-binding
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system:pod-nanny
 subjects:
 - kind: ServiceAccount
  name: heapster
  namespace: kube-system
 ---
--- a/cluster/addons/cluster-monitoring/influxdb/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/influxdb/heapster-controller.yaml
@@ -11,6 +11,15 @@
  {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: heapster
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -113,6 +122,7 @@ spec:
            - --container=eventer
            - --poll-period=300000
            - --estimator=exponential
      serviceAccountName: heapster
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
--- a/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml
@@ -9,6 +9,15 @@
  {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: heapster
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -91,6 +100,7 @@ spec:
        - name: usr-ca-certs
          hostPath:
            path: "/usr/share/ca-certificates"
      serviceAccountName: heapster
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
--- a/cluster/addons/cluster-monitoring/standalone/heapster-controller.yaml
+++ b/cluster/addons/cluster-monitoring/standalone/heapster-controller.yaml
@@ -9,6 +9,15 @@
  {% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
 {% endif -%}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: heapster
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -75,6 +84,7 @@ spec:
            - --container=heapster
            - --poll-period=300000
            - --estimator=exponential
      serviceAccountName: heapster
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
--- a/cluster/addons/e2e-rbac-bindings/README.md
+++ b/cluster/addons/e2e-rbac-bindings/README.md
@@ -1,5 +0,0 @@
 These resources are used to add extra (non-default) bindings to e2e to match users and groups
 that are particular to the e2e environment.  These are not standard bootstrap bindings and 
 not standard users they are bound to.  This is not a recipe for adding bootstrap bindings.
 [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/e2e-rbac-bindings/README.md?pixel)]()
--- a/cluster/addons/e2e-rbac-bindings/random-addon-grabbag.yaml
+++ b/cluster/addons/e2e-rbac-bindings/random-addon-grabbag.yaml
@@ -1,20 +0,0 @@
 # TODO remove this
 # currently, the kube-addon-manager is adding lots of pods which all share
 # the system:serviceaccount:kube-system:default identity.  We need to subdivide
 # those service accounts, figure out which ones we're going to make bootstrap roles for
 # and bind those particular roles in the addon yaml itself.  This just gets us started
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: todo-remove-grabbag-cluster-admin
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: default
  namespace: kube-system
--- a/cluster/addons/e2e-rbac-bindings/kubelet-binding.yaml
+++ b/cluster/addons/e2e-rbac-bindings/kubelet-binding.yaml
@@ -1,8 +1,7 @@
 # The GKE environments don't have kubelets with certificates that
 # identify the system:nodes group.  They use the kubelet identity
-# TODO cjcullen should figure out how wants to manage his upgrade
+# TODO: remove this once new nodes are granted individual identities and the
-# this will only hold the e2e tests until we get an authorizer
+# NodeAuthorizer is enabled.
 # which authorizes particular nodes
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
--- a/cluster/gce/container-linux/configure-helper.sh
+++ b/cluster/gce/container-linux/configure-helper.sh
@@ -1126,8 +1126,8 @@ function start-kube-addons {
  local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
  local -r dst_dir="/etc/kubernetes/addons"
-  # prep the additional bindings that are particular to e2e users and groups
+  # prep addition kube-up specific rbac objects
-  setup-addon-manifests "addons" "e2e-rbac-bindings"
+  setup-addon-manifests "addons" "rbac"
  # Set up manifests of other addons.
  if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \
@@ -1136,6 +1136,7 @@ function start-kube-addons {
     [[ "${ENABLE_CLUSTER_MONITORING:-}" == "standalone" ]] || \
     [[ "${ENABLE_CLUSTER_MONITORING:-}" == "googleinfluxdb" ]]; then
    local -r file_dir="cluster-monitoring/${ENABLE_CLUSTER_MONITORING}"
    setup-addon-manifests "addons" "cluster-monitoring"
    setup-addon-manifests "addons" "${file_dir}"
    # Replace the salt configurations with variable values.
    base_metrics_memory="140Mi"
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1481,10 +1481,6 @@ function start-kube-addons {
  local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
  local -r dst_dir="/etc/kubernetes/addons"
  # TODO(mikedanese): only enable these in e2e
  # prep the additional bindings that are particular to e2e users and groups
  setup-addon-manifests "addons" "e2e-rbac-bindings"
  # prep addition kube-up specific rbac objects
  setup-addon-manifests "addons" "rbac"
@@ -1495,6 +1491,7 @@ function start-kube-addons {
     [[ "${ENABLE_CLUSTER_MONITORING:-}" == "standalone" ]] || \
     [[ "${ENABLE_CLUSTER_MONITORING:-}" == "googleinfluxdb" ]]; then
    local -r file_dir="cluster-monitoring/${ENABLE_CLUSTER_MONITORING}"
    setup-addon-manifests "addons" "cluster-monitoring"
    setup-addon-manifests "addons" "${file_dir}"
    # Replace the salt configurations with variable values.
    base_metrics_memory="140Mi"