From 9a4aa4288cc6bcbe4bc1601540c3f466e138dcb9 Mon Sep 17 00:00:00 2001
From: MQasimSarfraz
Date: Mon, 12 Mar 2018 18:07:08 +0000
Subject: [PATCH] Fix vsphere cloud_provider RBAC permissions

---
 .../cluster_roles/tasks/main.yml | 27 ++++++++++++++
 .../templates/vsphere-rbac.yml.j2 | 35 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2

diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index 3f696a9fe..f9c5fc9b2 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -75,6 +75,33 @@
     - node_webhook_crb_manifest.changed
   tags: node-webhook
 
+- name: Write vsphere-cloud-provider ClusterRole manifest
+  template:
+    src: "vsphere-rbac.yml.j2"
+    dest: "{{ kube_config_dir }}/vsphere-rbac.yml"
+  register: vsphere_rbac_manifest
+  when:
+    - rbac_enabled
+    - cloud_provider is defined
+    - cloud_provider == 'vsphere'
+    - kube_version | version_compare('v1.9.0', '>=')
+  tags: vsphere
+
+- name: Apply vsphere-cloud-provider ClusterRole
+  kube:
+    name: "system:vsphere-cloud-provider"
+    kubectl: "{{bin_dir}}/kubectl"
+    resource: "clusterrolebinding"
+    filename: "{{ kube_config_dir }}/vsphere-rbac.yml"
+    state: latest
+  when:
+    - rbac_enabled
+    - cloud_provider is defined
+    - cloud_provider == 'vsphere'
+    - vsphere_rbac_manifest.changed
+    - kube_version | version_compare('v1.9.0', '>=')
+  tags: vsphere
+
 # This is not a cluster role, but should be run after kubeconfig is set on master
 - name: Write kube system namespace manifest
   template:
diff --git a/roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2
new file mode 100644
index 000000000..99da0462f
--- /dev/null
+++ b/roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2
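Review bot: The second task is named `Apply vsphere-cloud-provider ClusterRole` yet passes `resource: "clusterrolebinding"`, while the manifest it applies carries both a ClusterRole and a ClusterRoleBinding under the same name; whichever object the kube module inspects via `resource`/`name` for `state: latest`, the task name and the resource should agree — renaming it to `Apply vsphere-cloud-provider RBAC manifest` and keeping `resource` on the object that is actually checked would avoid a misleading play log. The Jinja spacing `"{{bin_dir}}/kubectl"` differs from `"{{ kube_config_dir }}/vsphere-rbac.yml"` two lines earlier; `"{{ bin_dir }}/kubectl"` keeps the file consistent. The apply is gated on `vsphere_rbac_manifest.changed`, mirroring the node-webhook task above, so a failed apply is presumably not retried until the template output changes — consistent with the file, but worth knowing when debugging a half-applied run.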
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:vsphere-cloud-provider
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:vsphere-cloud-provider
+roleRef:
+  kind: ClusterRole
+  name: system:vsphere-cloud-provider
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: vsphere-cloud-provider
+  namespace: kube-system
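Review bot: The ClusterRoleBinding's only subject is the ServiceAccount `vsphere-cloud-provider` in `kube-system`, and nothing in this patch creates that ServiceAccount or states which component authenticates as it; if the in-tree provider runs inside kube-controller-manager under a different identity, the binding grants nothing to the process that actually needs node access, and the bug the commit title describes stays open. A header comment in the template would let the next reader verify that assumption, e.g. `# Bound to kube-system/vsphere-cloud-provider, the ServiceAccount the in-tree vSphere cloud provider is expected to use; the account itself is assumed to exist already.` The rule set is tightly scoped — read-only on nodes, create/patch/update on events — which is the right shape for a `system:*` ClusterRole, so the concern is about the subject, not the grants.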