From 464bbd967ad8cc5283a72c72bc65ac0de8609d1a Mon Sep 17 00:00:00 2001
From: Maxim Filatov
Date: Sun, 7 May 2017 19:15:04 +0300
Subject: [PATCH] RBAC support

With this change deis-logger-fluentd became available to work in RBAC-only clusters
Works with both Kubernetes 1.5 and 1.6 (see templates/_helpers.tmpl for details)
Actually tested with 1.5.7 and 1.6.2
ClusterRole allows deis-logger-fluentd:
- pods: get, list and watch
---
 charts/fluentd/templates/_helpers.tmpl | 10 ++++++++++
 .../templates/logger-fluentd-clusterrole.yaml | 15 +++++++++++++++
 .../logger-fluentd-clusterrolebinding.yaml | 19 +++++++++++++++++++
 charts/fluentd/values.yaml | 6 +++++-
 4 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 charts/fluentd/templates/_helpers.tmpl
 create mode 100644 charts/fluentd/templates/logger-fluentd-clusterrole.yaml
 create mode 100644 charts/fluentd/templates/logger-fluentd-clusterrolebinding.yaml

diff --git a/charts/fluentd/templates/_helpers.tmpl b/charts/fluentd/templates/_helpers.tmpl
new file mode 100644
index 0000000..0b9deb0
--- /dev/null
+++ b/charts/fluentd/templates/_helpers.tmpl
@@ -0,0 +1,10 @@
+{{/*
+Set apiVersion based on Kubernetes version
+*/}}
+{{- define "rbacAPIVersion" -}}
+{{- if ge .Capabilities.KubeVersion.Minor "6" -}}
+rbac.authorization.k8s.io/v1beta1
+{{- else -}}
+rbac.authorization.k8s.io/v1alpha1
+{{- end -}}
+{{- end -}}
diff --git a/charts/fluentd/templates/logger-fluentd-clusterrole.yaml b/charts/fluentd/templates/logger-fluentd-clusterrole.yaml
new file mode 100644
index 0000000..56f92e1
--- /dev/null
+++ b/charts/fluentd/templates/logger-fluentd-clusterrole.yaml
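Review bot: `ge .Capabilities.KubeVersion.Minor "6"` is a string comparison, so it is lexicographic: a minor of "10" or higher sorts below "6" and the helper falls back to `rbac.authorization.k8s.io/v1alpha1`, which later releases stopped serving, and a minor such as "6+" (some hosted clusters append a plus) only passes by accident of string order. The two templates that consume this helper already gate on `.Capabilities.APIVersions.Has`, so the same test would pick the version robustly without any version arithmetic: `{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}` in place of the `ge` line. If the numeric comparison is kept, convert before comparing (Sprig `int`) rather than comparing strings. The header comment should also state that only the minor version is examined, i.e. the helper assumes Kubernetes 1.x.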
@@ -0,0 +1,15 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRole
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis:deis-logger-fluentd
+  labels:
+    app: deis-logger-fluentd
+    heritage: deis
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["list", "get", "watch"]
+{{- end -}}
+{{- end -}}
diff --git a/charts/fluentd/templates/logger-fluentd-clusterrolebinding.yaml b/charts/fluentd/templates/logger-fluentd-clusterrolebinding.yaml
new file mode 100644
index 0000000..a1c0880
--- /dev/null
+++ b/charts/fluentd/templates/logger-fluentd-clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRoleBinding
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis:deis-logger-fluentd
+  labels:
+    app: deis-logger-fluentd
+    heritage: deis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: deis:deis-logger-fluentd
+subjects:
+- kind: ServiceAccount
+  name: deis-logger-fluentd
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/fluentd/values.yaml b/charts/fluentd/values.yaml
index 3419a72..d1cf6a2 100644
--- a/charts/fluentd/values.yaml
+++ b/charts/fluentd/values.yaml
@@ -20,7 +20,7 @@ sources:
 
 output:
   disable_deis: false
-
+
 boot:
   install_build_tools: false
 
@@ -28,3 +28,7 @@ boot:
   # can be specified as key-value pairs under daemon_environment.
   daemon_environment:
     #:
+
+# Role-Based Access Control for Kubernetes >= 1.5
+global:
+  use_rbac: false
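Review bot: The `rules:` block grants cluster-wide read access to every pod without saying why the logger needs it, so a later maintainer cannot judge whether the grant can be narrowed (namespaced Role, fewer verbs) when the chart changes. A comment above `rules:` would fix that, along the lines of `# Read-only, cluster-wide view of pods; presumably used to enrich log records with pod metadata — TODO confirm against the fluentd config`. Also worth noting in a comment on the two `if` lines: when `use_rbac` is true but the API server does not serve the version returned by `rbacAPIVersion`, both templates render to nothing and the release installs without any role, which is a silent failure mode an operator will only discover from denied API calls in the fluentd logs.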
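Review bot: The binding's subject is the ServiceAccount `deis-logger-fluentd` in `.Release.Namespace`, but the diffstat shows no ServiceAccount manifest and no change to the DaemonSet, so unless the chart already creates that account and sets `serviceAccountName` on the pod spec (not visible here), the pods keep running as the namespace `default` account and this binding grants them nothing. Please either add the ServiceAccount and `serviceAccountName` in this change or note in the template header where they come from. As a style point, `namespace: "{{ .Release.Namespace }}"` should be quoted so a namespace that happens to look like a number or boolean is not retyped by the YAML parser.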
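Review bot: The new `# Role-Based Access Control for Kubernetes >= 1.5` comment names the feature but not what the flag does or which objects it creates, so an operator reading values.yaml cannot tell whether leaving it `false` on an RBAC-enforcing cluster breaks log collection. Suggest `# Set to true on RBAC-enabled clusters (Kubernetes >= 1.5) to create the ClusterRole and` / `# ClusterRoleBinding that let the deis-logger-fluentd ServiceAccount get/list/watch pods.` The first hunk in this file is whitespace-only and needs no review.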