mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-14 13:45:06 +00:00
Replace todo-grabbag binding w/ more specific heapster roles/bindings.
Move kubelet binding to the rbac folder.
This commit is contained in:
CJ Cullen
@@ -11,6 +11,15 @@
|
||||
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
|
||||
{% endif -%}
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: heapster
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -134,6 +143,7 @@ spec:
|
||||
- name: usr-ca-certs
|
||||
hostPath:
|
||||
path: "/usr/share/ca-certificates"
|
||||
serviceAccountName: heapster
|
||||
tolerations:
|
||||
- key: "CriticalAddonsOnly"
|
||||
operator: "Exists"
|
||||
|
||||
@@ -11,6 +11,15 @@
|
||||
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
|
||||
{% endif -%}
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: heapster
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -135,6 +144,7 @@ spec:
|
||||
- name: usr-ca-certs
|
||||
hostPath:
|
||||
path: "/usr/share/ca-certificates"
|
||||
serviceAccountName: heapster
|
||||
tolerations:
|
||||
- key: "CriticalAddonsOnly"
|
||||
operator: "Exists"
|
||||
|
||||
58
cluster/addons/cluster-monitoring/heapster-rbac.yaml
Normal file
58
cluster/addons/cluster-monitoring/heapster-rbac.yaml
Normal file
@@ -0,0 +1,58 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: heapster-binding
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:heapster
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: heapster
|
||||
namespace: kube-system
|
||||
---
|
||||
# Heapster's pod_nanny monitors the heapster deployment & its pod(s), and scales
|
||||
# the resources of the deployment if necessary.
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: system:pod-nanny
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- apiGroups:
|
||||
- "extensions"
|
||||
resources:
|
||||
- deployments
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: heapster-binding
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: system:pod-nanny
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: heapster
|
||||
namespace: kube-system
|
||||
---
|
||||
@@ -11,6 +11,15 @@
|
||||
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
|
||||
{% endif -%}
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: heapster
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -113,6 +122,7 @@ spec:
|
||||
- --container=eventer
|
||||
- --poll-period=300000
|
||||
- --estimator=exponential
|
||||
serviceAccountName: heapster
|
||||
tolerations:
|
||||
- key: "CriticalAddonsOnly"
|
||||
operator: "Exists"
|
||||
|
||||
@@ -9,6 +9,15 @@
|
||||
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
|
||||
{% endif -%}
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: heapster
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -91,6 +100,7 @@ spec:
|
||||
- name: usr-ca-certs
|
||||
hostPath:
|
||||
path: "/usr/share/ca-certificates"
|
||||
serviceAccountName: heapster
|
||||
tolerations:
|
||||
- key: "CriticalAddonsOnly"
|
||||
operator: "Exists"
|
||||
|
||||
@@ -9,6 +9,15 @@
|
||||
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
|
||||
{% endif -%}
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: heapster
|
||||
namespace: kube-system
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -75,6 +84,7 @@ spec:
|
||||
- --container=heapster
|
||||
- --poll-period=300000
|
||||
- --estimator=exponential
|
||||
serviceAccountName: heapster
|
||||
tolerations:
|
||||
- key: "CriticalAddonsOnly"
|
||||
operator: "Exists"
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
These resources are used to add extra (non-default) bindings to e2e to match users and groups
|
||||
that are particular to the e2e environment. These are not standard bootstrap bindings and
|
||||
not standard users they are bound to. This is not a recipe for adding bootstrap bindings.
|
||||
|
||||
[]()
|
||||
@@ -1,20 +0,0 @@
|
||||
# TODO remove this
|
||||
# currently, the kube-addon-manager is adding lots of pods which all share
|
||||
# the system:serviceaccount:kube-system:default identity. We need to subdivide
|
||||
# those service accounts, figure out which ones we're going to make bootstrap roles for
|
||||
# and bind those particular roles in the addon yaml itself. This just gets us started
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: todo-remove-grabbag-cluster-admin
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: default
|
||||
namespace: kube-system
|
||||
@@ -1,8 +1,7 @@
|
||||
# The GKE environments don't have kubelets with certificates that
|
||||
# identify the system:nodes group. They use the kubelet identity
|
||||
# TODO cjcullen should figure out how wants to manage his upgrade
|
||||
# this will only hold the e2e tests until we get an authorizer
|
||||
# which authorizes particular nodes
|
||||
# TODO: remove this once new nodes are granted individual identities and the
|
||||
# NodeAuthorizer is enabled.
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
@@ -1126,8 +1126,8 @@ function start-kube-addons {
|
||||
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
|
||||
local -r dst_dir="/etc/kubernetes/addons"
|
||||
|
||||
# prep the additional bindings that are particular to e2e users and groups
|
||||
setup-addon-manifests "addons" "e2e-rbac-bindings"
|
||||
# prep addition kube-up specific rbac objects
|
||||
setup-addon-manifests "addons" "rbac"
|
||||
|
||||
# Set up manifests of other addons.
|
||||
if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \
|
||||
@@ -1136,6 +1136,7 @@ function start-kube-addons {
|
||||
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "standalone" ]] || \
|
||||
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "googleinfluxdb" ]]; then
|
||||
local -r file_dir="cluster-monitoring/${ENABLE_CLUSTER_MONITORING}"
|
||||
setup-addon-manifests "addons" "cluster-monitoring"
|
||||
setup-addon-manifests "addons" "${file_dir}"
|
||||
# Replace the salt configurations with variable values.
|
||||
base_metrics_memory="140Mi"
|
||||
|
||||
@@ -1481,10 +1481,6 @@ function start-kube-addons {
|
||||
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
|
||||
local -r dst_dir="/etc/kubernetes/addons"
|
||||
|
||||
# TODO(mikedanese): only enable these in e2e
|
||||
# prep the additional bindings that are particular to e2e users and groups
|
||||
setup-addon-manifests "addons" "e2e-rbac-bindings"
|
||||
|
||||
# prep addition kube-up specific rbac objects
|
||||
setup-addon-manifests "addons" "rbac"
|
||||
|
||||
@@ -1495,6 +1491,7 @@ function start-kube-addons {
|
||||
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "standalone" ]] || \
|
||||
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "googleinfluxdb" ]]; then
|
||||
local -r file_dir="cluster-monitoring/${ENABLE_CLUSTER_MONITORING}"
|
||||
setup-addon-manifests "addons" "cluster-monitoring"
|
||||
setup-addon-manifests "addons" "${file_dir}"
|
||||
# Replace the salt configurations with variable values.
|
||||
base_metrics_memory="140Mi"
|
||||
|
||||
Reference in New Issue
Block a user