RBAC for Calico Typha Horizontal Autoscaler

2017-10-16 11:43:47 -04:00 · 2017-10-16 11:43:47 -04:00 · 24e319c056
parent 328fa9aba2
commit 24e319c056
6 changed files with 67 additions and 0 deletions
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrole.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrole.yaml
@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: typha-cpha
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list"]
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrolebinding.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrolebinding.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: typha-cpha
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: typha-cpha
+subjects:
+  - kind: ServiceAccount
+    name: typha-cpha
+    namespace: kube-system
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml
@ -31,3 +31,4 @@ spec:
              cpu: 10m
            limits:
              cpu: 10m
+      serviceAccountName: typha-cpha
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-role.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-role.yaml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: typha-cpha
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
+  - apiGroups: ["extensions"]
+    resources: ["deployments/scale"]
+    verbs: ["get", "update"]
+
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-rolebinding.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-rolebinding.yaml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: typha-cpha
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: typha-cpha
+subjects:
+  - kind: ServiceAccount
+    name: typha-cpha
+    namespace: kube-system
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-serviceaccount.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-serviceaccount.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: typha-cpha
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile