From 8b3a8adb17f744ccf78bb1e1d0794acbcaace460 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Wed, 18 Oct 2017 09:55:40 -0700
Subject: [PATCH 1/2] reorganize rbac addon dir into subdirectories
---
 .../kube-apiserver-kubelet-api-admin-binding.yaml | 0
 .../rbac/{ => kubelet-api-auth}/kubelet-api-admin-role.yaml | 0
 .../kubelet-certificate-management.yaml | 0
 .../addons/rbac/{ => legacy-kubelet-user}/kubelet-binding.yaml | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename cluster/addons/rbac/{ => kubelet-api-auth}/kube-apiserver-kubelet-api-admin-binding.yaml (100%)
 rename cluster/addons/rbac/{ => kubelet-api-auth}/kubelet-api-admin-role.yaml (100%)
 rename cluster/addons/rbac/{ => kubelet-cert-rotation}/kubelet-certificate-management.yaml (100%)
 rename cluster/addons/rbac/{ => legacy-kubelet-user}/kubelet-binding.yaml (100%)
diff --git a/cluster/addons/rbac/kube-apiserver-kubelet-api-admin-binding.yaml b/cluster/addons/rbac/kubelet-api-auth/kube-apiserver-kubelet-api-admin-binding.yaml
similarity index 100%
rename from cluster/addons/rbac/kube-apiserver-kubelet-api-admin-binding.yaml
rename to cluster/addons/rbac/kubelet-api-auth/kube-apiserver-kubelet-api-admin-binding.yaml
diff --git a/cluster/addons/rbac/kubelet-api-admin-role.yaml b/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
similarity index 100%
rename from cluster/addons/rbac/kubelet-api-admin-role.yaml
rename to cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
diff --git a/cluster/addons/rbac/kubelet-certificate-management.yaml b/cluster/addons/rbac/kubelet-cert-rotation/kubelet-certificate-management.yaml
similarity index 100%
rename from cluster/addons/rbac/kubelet-certificate-management.yaml
rename to cluster/addons/rbac/kubelet-cert-rotation/kubelet-certificate-management.yaml
diff --git a/cluster/addons/rbac/kubelet-binding.yaml b/cluster/addons/rbac/legacy-kubelet-user/kubelet-binding.yaml
similarity index 100%
rename from cluster/addons/rbac/kubelet-binding.yaml
rename to cluster/addons/rbac/legacy-kubelet-user/kubelet-binding.yaml
From 3f7e1cccd2604167f2cdd621eac98010b0eeb99a Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Wed, 18 Oct 2017 09:56:19 -0700
Subject: [PATCH 2/2] don't add kubelet legacy binding if we aren't registering the master kubelet
---
 .../kubelet-binding.yaml | 14 ++++++++++++++
 cluster/gce/gci/configure-helper.sh | 8 +++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml
diff --git a/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml b/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml
new file mode 100644
index 0000000000..8cb0dbea05
--- /dev/null
+++ b/cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml
@@ -0,0 +1,14 @@
+# This is required so that old clusters don't remove required bindings for 1.5
+# kubelets to function.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubelet-cluster-admin
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:node
+subjects:
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index e23db09c14..fb7b2ca669 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
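Review bot: The `addonmanager.kubernetes.io/mode: EnsureExists` label in the new `legacy-kubelet-user-disable/kubelet-binding.yaml` looks like it defeats the purpose of the empty `subjects:` list: as far as I know the addon manager only creates an EnsureExists object when it is missing and never updates it, so on a cluster where `kubelet-cluster-admin` already exists with the legacy kubelet subject, that subject would keep its `system:node` permissions. If the intent is to revoke the grant when the master kubelet is not registered, consider `addonmanager.kubernetes.io/mode: Reconcile`; the mode of the existing legacy manifest is not shown in this patch (it is a pure rename), so check that the two variants agree. The header comment also seems copied from the legacy manifest and describes the opposite intent; something like `# Empty subjects on purpose: drops the legacy kubelet user from the system:node binding when the master kubelet is not registered.` would describe this file.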
@@ -1743,7 +1743,13 @@ function start-kube-addons {
 local -r dst_dir="/etc/kubernetes/addons"
 # prep addition kube-up specific rbac objects
- setup-addon-manifests "addons" "rbac"
+ setup-addon-manifests "addons" "rbac/kubelet-api-auth"
+ setup-addon-manifests "addons" "rbac/kubelet-cert-rotation"
+ if [[ "${REGISTER_MASTER_KUBELET:-false}" == "true" ]]; then
+ setup-addon-manifests "addons" "rbac/legacy-kubelet-user"
+ else
+ setup-addon-manifests "addons" "rbac/legacy-kubelet-user-disabled"
+ fi
 # Set up manifests of other addons.
 if [[ "${KUBE_PROXY_DAEMONSET:-}" == "true" ]]; then
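Review bot: The `else` branch passes `"rbac/legacy-kubelet-user-disabled"`, but the directory this patch creates is `cluster/addons/rbac/legacy-kubelet-user-disable/` (no trailing `d`), so the empty-subjects binding would not be found when `REGISTER_MASTER_KUBELET` is not `true`. Depending on how `setup-addon-manifests` (defined outside this hunk) treats a missing source directory, this may fail quietly and leave the legacy `kubelet-cluster-admin` grant untouched, which is the opposite of what the commit title promises. The line should read `setup-addon-manifests "addons" "rbac/legacy-kubelet-user-disable"`, or the directory should be renamed to match. The body of `start-kube-addons` starts and ends outside the hunk.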