From 87a8c21995de5efb0f85fbbafe0080d3b382ff48 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt <jliggitt@redhat.com>
Date: Fri, 17 Mar 2017 17:37:17 -0400
Subject: [PATCH] Give apiserver full access to kubelet API

---
 ... => kube-apiserver-kubelet-api-admin-binding.yaml} |  5 +++--
 ...de-proxy-role.yaml => kubelet-api-admin-role.yaml} | 11 +++--------
 2 files changed, 6 insertions(+), 10 deletions(-)
 rename cluster/addons/rbac/{apiserver-node-proxy-binding.yaml => kube-apiserver-kubelet-api-admin-binding.yaml} (69%)
 rename cluster/addons/rbac/{node-proxy-role.yaml => kubelet-api-admin-role.yaml} (77%)

diff --git a/cluster/addons/rbac/apiserver-node-proxy-binding.yaml b/cluster/addons/rbac/kube-apiserver-kubelet-api-admin-binding.yaml
similarity index 69%
rename from cluster/addons/rbac/apiserver-node-proxy-binding.yaml
rename to cluster/addons/rbac/kube-apiserver-kubelet-api-admin-binding.yaml
index 8bfe366edb..65f72f15df 100644
--- a/cluster/addons/rbac/apiserver-node-proxy-binding.yaml
+++ b/cluster/addons/rbac/kube-apiserver-kubelet-api-admin-binding.yaml
@@ -1,14 +1,15 @@
+# This binding gives the kube-apiserver user full access to the kubelet API
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: apiserver-node-proxy
+  name: kube-apiserver-kubelet-api-admin
   labels:
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: node-proxy
+  name: kubelet-api-admin
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
diff --git a/cluster/addons/rbac/node-proxy-role.yaml b/cluster/addons/rbac/kubelet-api-admin-role.yaml
similarity index 77%
rename from cluster/addons/rbac/node-proxy-role.yaml
rename to cluster/addons/rbac/kubelet-api-admin-role.yaml
index 03a7f944c3..09eb1d1b37 100644
--- a/cluster/addons/rbac/node-proxy-role.yaml
+++ b/cluster/addons/rbac/kubelet-api-admin-role.yaml
@@ -1,7 +1,8 @@
+# This role allows full access to the kubelet API
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: node-proxy
+  name: kubelet-api-admin
   labels:
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
@@ -10,15 +11,9 @@ rules:
   - ""
   resources:
   - nodes/proxy
-  verbs:
-  - create
-  - get
-- apiGroups:
-  - ""
-  resources:
   - nodes/log
   - nodes/stats
   - nodes/metrics
   - nodes/spec
   verbs:
-  - get
+  - "*"