Merge pull request #46750 from cjcullen/grabbag

Automatic merge from submit-queue

Remove e2e-rbac-bindings.

Replace the todo-grabbag binding with more specific heapster roles and bindings.
Move kubelet binding.

**What this PR does / why we need it**:
The "e2e-rbac-bindings" held 2 leftovers from the 1.6 RBAC rollout process:
 - One is the "kubelet-binding" which grants the "system:node" role to kubelet. This is needed until we enable the node authorizer. I moved this to the folder w/ some other kubelet related bindings.
 - The other is the "todo-remove-grabbag-cluster-admin" binding, which grants the cluster-admin role to the default service account in the kube-system namespace. This appears to only be required for heapster. Heapster will instead use a "heapster" service account, bound to a "system:heapster" role on the cluster (no write perms), and a "system:pod-nanny" role in the kube-system namespace.

**Which issue this PR fixes**: Addresses part of #39990

**Release Note**: 
```release-note
New and upgraded 1.7 GCE/GKE clusters no longer have an RBAC ClusterRoleBinding that grants the `cluster-admin` ClusterRole to the `default` service account in the `kube-system` namespace.
If this permission is still desired, run the following command to explicitly grant it, either before or after upgrading to 1.7:
    kubectl create clusterrolebinding kube-system-default --serviceaccount=kube-system:default --clusterrole=cluster-admin
```
Kubernetes Submit Queue 2017-06-09 13:06:30 -07:00 committed by GitHub
commit c0a3d26746
11 changed files with 114 additions and 34 deletions


@ -11,6 +11,15 @@
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
{% endif -%}
apiVersion: v1
kind: ServiceAccount
metadata:
name: heapster
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
@ -134,6 +143,7 @@ spec:
- name: usr-ca-certs
hostPath:
path: "/usr/share/ca-certificates"
serviceAccountName: heapster
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"


@ -11,6 +11,15 @@
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
{% endif -%}
apiVersion: v1
kind: ServiceAccount
metadata:
name: heapster
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
@ -135,6 +144,7 @@ spec:
- name: usr-ca-certs
hostPath:
path: "/usr/share/ca-certificates"
serviceAccountName: heapster
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"


@ -0,0 +1,58 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: heapster-binding
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:heapster
subjects:
- kind: ServiceAccount
name: heapster
namespace: kube-system
---
# Heapster's pod_nanny monitors the heapster deployment & its pod(s), and scales
# the resources of the deployment if necessary.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: system:pod-nanny
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- "extensions"
resources:
- deployments
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: heapster-binding
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: system:pod-nanny
subjects:
- kind: ServiceAccount
name: heapster
namespace: kube-system
---
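Review bot: The `system:pod-nanny` Role's second rule grants `update` on every Deployment in kube-system, not only heapster's, so anyone holding the heapster service-account token could rewrite another kube-system Deployment's image or `serviceAccountName` and inherit that workload's privileges. Because `get` and `update` honour `resourceNames`, add `resourceNames:` listing the heapster Deployment's name under the `deployments` rule; that name is not visible in this hunk, and if it carries a version suffix it will need to be kept in sync with the Deployment manifest. The `get` on all pods has the same shape in a weaker form. Separately, the `system:` prefix is conventionally reserved for API-server bootstrap roles, so a Role shipped by the addon manager may read more clearly as `name: heapster-pod-nanny`, with the RoleBinding's `roleRef` updated to match.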


@ -11,6 +11,15 @@
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
{% endif -%}
apiVersion: v1
kind: ServiceAccount
metadata:
name: heapster
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
@ -113,6 +122,7 @@ spec:
- --container=eventer
- --poll-period=300000
- --estimator=exponential
serviceAccountName: heapster
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"


@ -9,6 +9,15 @@
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
{% endif -%}
apiVersion: v1
kind: ServiceAccount
metadata:
name: heapster
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
@ -91,6 +100,7 @@ spec:
- name: usr-ca-certs
hostPath:
path: "/usr/share/ca-certificates"
serviceAccountName: heapster
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"


@ -9,6 +9,15 @@
{% set nanny_memory = (90 * 1024 + num_nodes * nanny_memory_per_node)|string + "Ki" -%}
{% endif -%}
apiVersion: v1
kind: ServiceAccount
metadata:
name: heapster
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
@ -75,6 +84,7 @@ spec:
- --container=heapster
- --poll-period=300000
- --estimator=exponential
serviceAccountName: heapster
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
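Review bot: `serviceAccountName: heapster` is set at pod level, so the token is mounted into every container in the pod — the heapster container as well as what appear to be the nanny sidecar's `--container=heapster`/`--estimator` arguments just above — and each container gets the union of the `system:heapster` ClusterRole and the kube-system `system:pod-nanny` Role, including `update` on Deployments. That is inherent to the sidecar layout, but it should be recorded next to the field so a later reader does not assume the update right is confined to the nanny: `serviceAccountName: heapster  # shared by heapster and the nanny sidecar: system:heapster (cluster-wide) + system:pod-nanny (kube-system)`. The Deployment spec begins outside this hunk.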


@ -1,5 +0,0 @@
These resources are used to add extra (non-default) bindings to e2e to match users and groups
that are particular to the e2e environment. These are not standard bootstrap bindings and
not standard users they are bound to. This is not a recipe for adding bootstrap bindings.
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/e2e-rbac-bindings/README.md?pixel)]()


@ -1,20 +0,0 @@
# TODO remove this
# currently, the kube-addon-manager is adding lots of pods which all share
# the system:serviceaccount:kube-system:default identity. We need to subdivide
# those service accounts, figure out which ones we're going to make bootstrap roles for
# and bind those particular roles in the addon yaml itself. This just gets us started
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: todo-remove-grabbag-cluster-admin
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: default
namespace: kube-system


@ -1,8 +1,7 @@
# The GKE environments don't have kubelets with certificates that
# identify the system:nodes group. They use the kubelet identity
# TODO cjcullen should figure out how wants to manage his upgrade
# this will only hold the e2e tests until we get an authorizer
# which authorizes particular nodes
# TODO: remove this once new nodes are granted individual identities and the
# NodeAuthorizer is enabled.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:


@ -1126,8 +1126,8 @@ function start-kube-addons {
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
local -r dst_dir="/etc/kubernetes/addons"
# prep the additional bindings that are particular to e2e users and groups
setup-addon-manifests "addons" "e2e-rbac-bindings"
# prep addition kube-up specific rbac objects
setup-addon-manifests "addons" "rbac"
# Set up manifests of other addons.
if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \
@ -1136,6 +1136,7 @@ function start-kube-addons {
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "standalone" ]] || \
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "googleinfluxdb" ]]; then
local -r file_dir="cluster-monitoring/${ENABLE_CLUSTER_MONITORING}"
setup-addon-manifests "addons" "cluster-monitoring"
setup-addon-manifests "addons" "${file_dir}"
# Replace the salt configurations with variable values.
base_metrics_memory="140Mi"


@ -1520,10 +1520,6 @@ function start-kube-addons {
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
local -r dst_dir="/etc/kubernetes/addons"
# TODO(mikedanese): only enable these in e2e
# prep the additional bindings that are particular to e2e users and groups
setup-addon-manifests "addons" "e2e-rbac-bindings"
# prep addition kube-up specific rbac objects
setup-addon-manifests "addons" "rbac"
@ -1534,6 +1530,7 @@ function start-kube-addons {
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "standalone" ]] || \
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "googleinfluxdb" ]]; then
local -r file_dir="cluster-monitoring/${ENABLE_CLUSTER_MONITORING}"
setup-addon-manifests "addons" "cluster-monitoring"
setup-addon-manifests "addons" "${file_dir}"
# Replace the salt configurations with variable values.
base_metrics_memory="140Mi"