From 0b3badf3d853f5de0a83bf8effaef0b0423def3b Mon Sep 17 00:00:00 2001
From: jwfang <54740235@qq.com>
Date: Mon, 10 Jul 2017 16:53:11 +0800
Subject: [PATCH] revert calico-related changes

---
.../policy_controller/calico/tasks/main.yml | 25 -------------------
.../calico-policy-controller-clusterrole.yml | 16 ------------
...o-policy-controller-clusterrolebinding.yml | 12 ---------
.../templates/calico-policy-controller-sa.yml | 7 ------
.../templates/calico-policy-controller.yml.j2 | 3 ---
roles/kubespray-defaults/defaults/main.yaml | 2 +-
roles/network_plugin/calico/tasks/main.yml | 22 ----------------
.../templates/calico-node-clusterrole.yml | 12 ---------
.../calico-node-clusterrolebinding.yml | 12 ---------
9 files changed, 1 insertion(+), 110 deletions(-)
delete mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
delete mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
delete mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
delete mode 100644 roles/network_plugin/calico/templates/calico-node-clusterrole.yml
delete mode 100644 roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index 18ac8c18c..8b4271d6a 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -3,31 +3,6 @@
when: kube_network_plugin == 'canal'
tags: [facts, canal]

-- name: Lay Down calico-policy-controller RBAC Template
- template:
- src: "{{item.file}}"
- dest: "{{kube_config_dir}}/{{item.file}}"
- with_items:
- - {name: calico-policy-controller, file: calico-policy-controller-sa.yml, type: sa}
- - {name: calico-policy-controller, file: calico-policy-controller-clusterrole.yml, type: clusterrole}
- - {name: calico-policy-controller, file: calico-policy-controller-clusterrolebinding.yml, type: clusterrolebinding}
- register: manifests
- when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
- tags: canal
-
-- name: Create calico-policy-controller RBAC Resources
- kube:
- name: "{{item.item.name}}"
- namespace: "{{ system_namespace }}"
- kubectl: "{{bin_dir}}/kubectl"
- resource: "{{item.item.type}}"
- filename: "{{kube_config_dir}}/{{item.item.file}}"
- state: "{{item.changed | ternary('latest','present') }}"
- with_items: "{{ manifests.results }}"
- failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
- when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
- tags: canal
-
- name: Write calico-policy-controller yaml
template:
src: calico-policy-controller.yml.j2
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
deleted file mode 100644
index 3b71b9001..000000000
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: calico-policy-controller
- namespace: {{ system_namespace }}
-rules:
- - apiGroups:
- - ""
- - extensions
- resources:
- - pods
- - namespaces
- - networkpolicies
- verbs:
- - watch
- - list
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
deleted file mode 100644
index 535865f01..000000000
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: calico-policy-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: calico-policy-controller
-subjects:
-- kind: ServiceAccount
- name: calico-policy-controller
- namespace: {{ system_namespace }}
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
deleted file mode 100644
index 388f12977..000000000
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: calico-policy-controller
- namespace: {{ system_namespace }}
- labels:
- kubernetes.io/cluster-service: "true"
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
index 9639fed82..322d3a37b 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
@@ -60,6 +60,3 @@ spec:
- hostPath:
path: {{ calico_cert_dir }}
name: etcd-certs
-{% if rbac_enabled %}
- serviceAccountName: calico-policy-controller
-{% endif %}
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index ed827d27b..db5fc1997 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -118,5 +118,5 @@ enable_network_policy: false
## List of authorization modes that must be configured for
## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
## 'RBAC' modes are tested.
-authorization_modes: []
+authorization_modes: ['AlwaysAllow']
rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index a67cb7fca..38d3ad5db 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -195,28 +195,6 @@
when: secret_changed|default(false) or etcd_secret_changed|default(false)
notify: restart calico-node

-- name: Calico | Lay Down calico-node RBAC Template
- template:
- src: "{{item.file}}"
- dest: "{{kube_config_dir}}/{{item.file}}"
- with_items:
- - {name: calico-node, file: calico-node-clusterrole.yml, type: clusterrole}
- - {name: calico-node, file: calico-node-clusterrolebinding.yml, type: clusterrolebinding}
- register: manifests
- when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-
-- name: Calico | Create calico-node RBAC Resources
- kube:
- name: "{{item.item.name}}"
- namespace: "{{ system_namespace }}"
- kubectl: "{{bin_dir}}/kubectl"
- resource: "{{item.item.type}}"
- filename: "{{kube_config_dir}}/{{item.item.file}}"
- state: "{{item.changed | ternary('latest','present') }}"
- with_items: "{{ manifests.results }}"
- failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
- when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-
- meta: flush_handlers

- name: Calico | Enable calico-node
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrole.yml b/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
deleted file mode 100644
index b48c74735..000000000
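Review bot: The new default `authorization_modes: ['AlwaysAllow']` makes the apiserver's AlwaysAllow mode the explicit out-of-the-box setting, and because `rbac_enabled` on the next line is derived from this list, every `rbac_enabled`-conditioned task in the roles is skipped unless an operator overrides the value; the surrounding comment only says which modes are tested and never states that consequence. Under AlwaysAllow any authenticated client can perform any API action, so a reader of this defaults file should see that trade-off where the value is set. Suggest extending the comment above the key with `## Default 'AlwaysAllow' authorizes every request from any authenticated client; set ['RBAC'] to make rbac_enabled true and install the RBAC manifests.` The deleted ClusterRole/ClusterRoleBinding/ServiceAccount templates elsewhere in this patch were the only thing that made the 'RBAC' value usable for calico, so the comment should probably also note that an 'RBAC' setting is currently untested for the calico plugin.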
--- a/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: calico-node
- namespace: {{ system_namespace }}
-rules:
- - apiGroups: [""]
- resources:
- - pods
- - nodes
- verbs:
- - get
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml b/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
deleted file mode 100644
index cdbd15685..000000000
--- a/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: calico-node
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: calico-node
-subjects:
-- kind: Group
- name: system:nodes
- namespace: kube-system