Merge pull request #53993 from JonPulsifer/typha-rbac

Automatic merge from submit-queue (batch tested with PRs 53946, 53993, 54315, 54143, 54532). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. RBAC for Calico Typha Horizontal Autoscaler **What this PR does / why we need it**: On v1.8.0-gke.1 I noticed a number of RBAC failures for `default` in kube-system. Turns out the only container missing the serviceAccountName was the typha-horizontal-autoscaler. **Special notes for your reviewer**: cc @caseydavenport seems like this is up your alley **Release note**: ```release-note NONE ```
2017-10-25 21:20:29 -07:00 · 2017-10-25 21:20:29 -07:00 · 7cadcd0558
parent 93e6f08772 24e319c056
commit 7cadcd0558
6 changed files with 67 additions and 0 deletions
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrole.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrole.yaml
@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: typha-cpha
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list"]
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrolebinding.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrolebinding.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: typha-cpha
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: typha-cpha
+subjects:
+  - kind: ServiceAccount
+    name: typha-cpha
+    namespace: kube-system
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml
@ -31,3 +31,4 @@ spec:
              cpu: 10m
            limits:
              cpu: 10m
+      serviceAccountName: typha-cpha
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-role.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-role.yaml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: typha-cpha
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
+  - apiGroups: ["extensions"]
+    resources: ["deployments/scale"]
+    verbs: ["get", "update"]
+
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-rolebinding.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-rolebinding.yaml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: typha-cpha
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: typha-cpha
+subjects:
+  - kind: ServiceAccount
+    name: typha-cpha
+    namespace: kube-system
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-serviceaccount.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-serviceaccount.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: typha-cpha
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile