From 883194afecab15a7fd2694e07754e3d45f3d120b Mon Sep 17 00:00:00 2001
From: Chris
Date: Sat, 11 Apr 2020 08:47:48 +0200
Subject: [PATCH] Fix Cilium permissions (#5923)
* added required permissions for querying endpointslice resources
* copy-pasted role permissions from cilium install manifests
* bumped cilium version to v1.7.2
---
roles/download/defaults/main.yml | 2 +-
.../cilium/templates/cilium-cr.yml.j2 | 150 ++++++++++--------
2 files changed, 82 insertions(+), 70 deletions(-)
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 8d735a0d6..4e4291762 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -80,7 +80,7 @@ cni_version: "v0.8.5"
 weave_version: 2.5.2
 pod_infra_version: 3.1
 contiv_version: 1.2.1
-cilium_version: "v1.7.1"
+cilium_version: "v1.7.2"
 kube_ovn_version: "v0.6.0"
 kube_router_version: "v0.4.0"
 multus_version: "v3.4.1"
diff --git a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
index 94be6867a..d9481b49f 100644
--- a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
@@ -4,13 +4,6 @@ kind: ClusterRole metadata: name: cilium-operator rules: -- apiGroups: - "" resources: # to get k8s version and status - componentstatuses verbs: - get - apiGroups: - "" resources:
@@ -22,6 +15,14 @@ rules: - list - watch - delete +- apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - get - list - watch - apiGroups: - "" resources:
@@ -32,6 +33,8 @@ rules: # to perform the translation of a CNP that contains `ToGroup` to its endpoints - services - endpoints + # to check apiserver connectivity - namespaces verbs: - get - list
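Review bot: In the `@@ -32,6 +33,8 @@` hunk the added `namespaces` resource joins a rule shared with `services` and `endpoints`, so the operator receives every verb of that rule (`get` and `list` are visible before the hunk ends; the verb list continues outside it) across all namespaces, while the new comment only justifies a connectivity check, which `get` alone would serve. If the upstream v1.7.2 manifest the commit message says this was copied from grants the same verbs, the comment should say so, e.g. `# to check apiserver connectivity (verbs as in the upstream operator manifest)`; otherwise a separate rule for `namespaces` with `verbs: [get]` keeps the grant minimal. The full verb set of this rule should be checked where it ends, past this hunk.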
@@ -41,6 +44,8 @@ rules: resources: - ciliumnetworkpolicies - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status - ciliumendpoints - ciliumendpoints/status - ciliumnodes 
@@ -55,65 +60,72 @@ kind: ClusterRole metadata: name: cilium rules: - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - - services - - nodes - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods - - nodes - verbs: - - get - - list - - watch - - update - - apiGroups: - - "" - resources: - - nodes - - nodes/status - verbs: - - patch - - apiGroups: - - apiextensions.k8s.io - resources: - - ingresses - - customresourcedefinitions - verbs: - - create - - get - - list - - watch - - update - - apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies - - ciliumnetworkpolicies/status - - ciliumclusterwidenetworkpolicies - - ciliumclusterwidenetworkpolicies/status - - ciliumendpoints - - ciliumendpoints/status - - ciliumnodes - - ciliumnodes/status - - ciliumidentities - - ciliumidentities/status - verbs: - - '*' +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - services + - nodes + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + - nodes + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - nodes + - nodes/status + verbs: + - patch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get + - list + - watch + - update +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints + - ciliumendpoints/status + - ciliumnodes + - ciliumnodes/status + - ciliumidentities + - ciliumidentities/status + verbs: + - '*'
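Review bot: The rewritten `cilium` ClusterRole carries no per-rule comments, whereas the operator role earlier in the file annotates its grants (`# to check apiserver connectivity`), so nothing explains why the agent needs `update` on `pods` and `nodes`, `create`/`update` on `customresourcedefinitions`, or `'*'` on every cilium.io resource. Suggest one comment above each rule naming the agent function that needs it, with wording taken from the upstream manifest the commit message says these rules were copied from, e.g. `# agent registers the Cilium CRDs at startup -- confirm against upstream` above the apiextensions.k8s.io rule. The wildcard verb on cilium.io and the unscoped CRD `create`/`update` are the broadest grants in this file and predate this change; since `resourceNames` cannot restrict `create`, `list` or `watch`, only the `get`/`update` part of the CRD rule could be narrowed to Cilium's own CRD names, and only if upstream does not rely on the broader form. Keeping `'*'` single-quoted is correct, as a bare `*` would be parsed as a YAML alias.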