From a81445572adad4c7d53ff427a53ba1bab4907f8e Mon Sep 17 00:00:00 2001
From: Zihong Zheng
Date: Mon, 6 Mar 2017 18:43:30 -0800
Subject: [PATCH] Moves dns-horizontal-autoscaler to a separate service account
---
 .../dns-horizontal-autoscaler-rbac.yaml | 58 +++++++++++++++++++
 .../dns-horizontal-autoscaler.yaml | 1 +
 2 files changed, 59 insertions(+)
 create mode 100644 cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler-rbac.yaml
diff --git a/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler-rbac.yaml b/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler-rbac.yaml
new file mode 100644
index 0000000000..1550181c7d
--- /dev/null
+++ b/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler-rbac.yaml
@@ -0,0 +1,58 @@
+# Copyright 2016 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: kube-dns-autoscaler
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: system:kube-dns-autoscaler
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list"]
+ - apiGroups: [""]
+ resources: ["replicationcontrollers/scale"]
+ verbs: ["get", "update"]
+ - apiGroups: ["extensions"]
+ resources: ["deployments/scale", "replicasets/scale"]
+ verbs: ["get", "update"]
+# Remove the configmaps rule once below issue is fixed:
+# kubernetes-incubator/cluster-proportional-autoscaler#16
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: system:kube-dns-autoscaler
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+ - kind: ServiceAccount
+ name: kube-dns-autoscaler
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: system:kube-dns-autoscaler
+ apiGroup: rbac.authorization.k8s.io
diff --git a/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml b/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
index bbbfee63c4..35634670c9 100644
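Review bot: The scale and `configmaps` rules are granted through a ClusterRole and ClusterRoleBinding, so the `kube-dns-autoscaler` service account can `get`/`update` the scale of every replication controller, deployment and replica set and `get`/`create` ConfigMaps in every namespace, which is broader than an addon living in `kube-system` appears to need. Keeping only the `nodes` rule in the ClusterRole and moving the other three rules into a namespaced `Role` and `RoleBinding` in `kube-system` would confine a compromised autoscaler pod to that namespace. The `get`/`update` rules could be narrowed further with `resourceNames`; `create` cannot be restricted that way, which is one more reason to scope it by namespace. The sketch below assumes the scaled target and the autoscaler's ConfigMap both live in `kube-system`, which this patch does not show.

```yaml
# … unchanged: ServiceAccount; ClusterRole and ClusterRoleBinding keep only the "nodes" rule …
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: system:kube-dns-autoscaler
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  # … moved here unchanged: the */scale rules and the configmaps rule …
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: system:kube-dns-autoscaler
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: kube-dns-autoscaler
    namespace: kube-system
roleRef:
  kind: Role
  name: system:kube-dns-autoscaler
  apiGroup: rbac.authorization.k8s.io
```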
--- a/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
+++ b/cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml
@@ -50,3 +50,4 @@ spec:
 tolerations:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
+ serviceAccountName: kube-dns-autoscaler