From 7b5ffd0085c99bde28f72585067a2ef4f36b8901 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sat, 14 Oct 2017 19:35:06 -0700
Subject: [PATCH] Add Container Linux reboot-coordinator RBAC
* Add a reboot-coordinator namespace for CLUO components
* Define an RBAC ClusterRole for update-operator and update-agent
* Replace the older-style where CLUO ran in kube-system, with admin privilege
---
 addons/cluo/cluster-role-binding.yaml | 12 ++++++++
 addons/cluo/cluster-role.yaml | 44 +++++++++++++++++++++++++++
 addons/cluo/namespace.yaml | 4 +++
 addons/cluo/update-agent.yaml | 2 +-
 addons/cluo/update-operator.yaml | 2 +-
 5 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 addons/cluo/cluster-role-binding.yaml
 create mode 100644 addons/cluo/cluster-role.yaml
 create mode 100644 addons/cluo/namespace.yaml
diff --git a/addons/cluo/cluster-role-binding.yaml b/addons/cluo/cluster-role-binding.yaml
new file mode 100644
index 00000000..e243ffd0
--- /dev/null
+++ b/addons/cluo/cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: reboot-coordinator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: reboot-coordinator
+subjects:
+ - kind: ServiceAccount
+ namespace: reboot-coordinator
+ name: default
diff --git a/addons/cluo/cluster-role.yaml b/addons/cluo/cluster-role.yaml
new file mode 100644
index 00000000..8c041860
--- /dev/null
+++ b/addons/cluo/cluster-role.yaml
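Review bot: The `subjects` entry that closes the cluster-role-binding.yaml hunk binds the ClusterRole to the namespace's `default` ServiceAccount, so every pod that lands in `reboot-coordinator` without an explicit service account inherits node `update` and cluster-wide pod `delete`. A dedicated ServiceAccount keeps the grant tied to the CLUO workloads only: add a ServiceAccount manifest, change the subject to `name: <cluo-service-account>` (placeholder), and set `serviceAccountName: <cluo-service-account>` in the pod templates of update-agent.yaml and update-operator.yaml. Those pod templates lie outside the visible hunks, so whether they already set a service account cannot be confirmed from this patch.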
@@ -0,0 +1,44 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: reboot-coordinator
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - create
+ - get
+ - update
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+ - delete
+ - apiGroups:
+ - "extensions"
+ resources:
+ - daemonsets
+ verbs:
+ - get
diff --git a/addons/cluo/namespace.yaml b/addons/cluo/namespace.yaml
new file mode 100644
index 00000000..ab77e1f2
--- /dev/null
+++ b/addons/cluo/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: reboot-coordinator
diff --git a/addons/cluo/update-agent.yaml b/addons/cluo/update-agent.yaml
index 2eb75967..31313b39 100644
--- a/addons/cluo/update-agent.yaml
+++ b/addons/cluo/update-agent.yaml
@@ -2,7 +2,7 @@ apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
 name: container-linux-update-agent
- namespace: kube-system
+ namespace: reboot-coordinator
 spec:
 updateStrategy:
 type: RollingUpdate
diff --git a/addons/cluo/update-operator.yaml b/addons/cluo/update-operator.yaml
index 3fac35ca..40713d20 100644
--- a/addons/cluo/update-operator.yaml
+++ b/addons/cluo/update-operator.yaml
@@ -2,7 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
 name: container-linux-update-operator
- namespace: kube-system
+ namespace: reboot-coordinator
 spec:
 replicas: 1
 template:
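Review bot: The second rule in cluster-role.yaml grants `create` and `update` on `endpoints` in every namespace, which lets the bound account rewrite the backends of any Service in the cluster. If these verbs exist only for the operator's leader-election lock (presumably; confirm against the CLUO source), the rule belongs in a namespaced Role with a matching RoleBinding in `reboot-coordinator`, leaving only the node, event, pod and daemonset rules cluster-scoped. The agent and the operator also share this single role, so each holds verbs that only the other needs; separate roles would narrow that further.

```yaml
# Namespaced replacement for the cluster-wide endpoints rule
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: reboot-coordinator
  namespace: reboot-coordinator
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - create
      - get
      - update
      - list
      - watch
# … unchanged: nodes, events, pods and daemonsets rules stay in the ClusterRole …
```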