Add kubeapi proxy cluster role and role binding

authz/authz.go

@@ -36,3 +36,19 @@ func ApplySystemNodeClusterRoleBinding(ctx context.Context, kubeConfigPath strin
 	log.Infof(ctx, "[authz] system:node ClusterRoleBinding created successfully")
 	return nil
 }
+
+func ApplyKubeAPIClusterRole(ctx context.Context, kubeConfigPath string, k8sWrapTransport k8s.WrapTransport) error {
+	log.Infof(ctx, "[authz] Creating kube-apiserver proxy ClusterRole and ClusterRoleBinding")
+	k8sClient, err := k8s.NewClient(kubeConfigPath, k8sWrapTransport)
+	if err != nil {
+		return err
+	}
+	if err := k8s.UpdateClusterRoleFromYaml(k8sClient, templates.KubeAPIClusterRole); err != nil {
+		return err
+	}
+	if err := k8s.UpdateClusterRoleBindingFromYaml(k8sClient, templates.KubeAPIClusterRoleBinding); err != nil {
+		return err
+	}
+	log.Infof(ctx, "[authz] kube-apiserver proxy ClusterRole and ClusterRoleBinding created successfully")
+	return nil
+}

cluster/cluster.go

@@ -3,12 +3,13 @@ package cluster
 import (
 	"context"
 	"fmt"
-	"github.com/rancher/rke/metadata"
 	"net"
 	"reflect"
 	"strings"
 	"time"
 
+	"github.com/rancher/rke/metadata"
+
 	"github.com/docker/docker/api/types"
 	"github.com/rancher/rke/authz"
 	"github.com/rancher/rke/docker"
@@ -316,6 +317,9 @@ func ApplyAuthzResources(ctx context.Context, rkeConfig v3.RancherKubernetesEngi
 		if err := authz.ApplySystemNodeClusterRoleBinding(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
 			return fmt.Errorf("Failed to apply the ClusterRoleBinding needed for node authorization: %v", err)
 		}
+		if err := authz.ApplyKubeAPIClusterRole(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
+			return fmt.Errorf("Failed to apply the ClusterRole and Binding needed for node kubeapi proxy: %v", err)
+		}
 	}
 	if kubeCluster.Authorization.Mode == services.RBACAuthorizationMode && kubeCluster.Services.KubeAPI.PodSecurityPolicy {
 		if err := authz.ApplyDefaultPodSecurityPolicy(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {

templates/authz.go

@@ -1,6 +1,30 @@
 package templates
 
 const (
+	KubeAPIClusterRole = `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-clusterrole-kubeapiserver
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes/metrics
+  - nodes/proxy
+  verbs: ["get", "list", "watch", "create"]`
+	KubeAPIClusterRoleBinding = `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-role-binding-kubernetes-master
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-clusterrole-kubeapiserver
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: kube-apiserver`
 	SystemNodeClusterRoleBinding = `
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding