From 0e9705da55202356edc0fae13ee4c0528d61bb15 Mon Sep 17 00:00:00 2001
From: Davanum Srinivas
Date: Mon, 26 Mar 2018 20:27:53 -0400
Subject: [PATCH] RBAC info for external cloud provider / CCM
CCM has a couple of ClusterRoleBinding/ClusterRole(s) that it needs for cloud-controller-manager, cloud-node-controller, pvl-controller and shared-informers service accounts.
---
 ...loud-controller-manager-role-bindings.yaml | 40 +++++++
 .../rbac/cloud-controller-manager-roles.yaml | 113 ++++++++++++++++++
 2 files changed, 153 insertions(+)
 create mode 100644 cluster/addons/rbac/cloud-controller-manager-role-bindings.yaml
 create mode 100644 cluster/addons/rbac/cloud-controller-manager-roles.yaml
diff --git a/cluster/addons/rbac/cloud-controller-manager-role-bindings.yaml b/cluster/addons/rbac/cloud-controller-manager-role-bindings.yaml
new file mode 100644
index 0000000000..4f102516fe
--- /dev/null
+++ b/cluster/addons/rbac/cloud-controller-manager-role-bindings.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: system:cloud-node-controller
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:cloud-node-controller
+ subjects:
+ - kind: ServiceAccount
+ name: cloud-node-controller
+ namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: system:pvl-controller
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:pvl-controller
+ subjects:
+ - kind: ServiceAccount
+ name: pvl-controller
+ namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: system:cloud-controller-manager
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:cloud-controller-manager
+ subjects:
+ - kind: ServiceAccount
+ name: cloud-controller-manager
+ namespace: kube-system
+kind: List
+metadata: {}
\ No newline at end of file
diff --git a/cluster/addons/rbac/cloud-controller-manager-roles.yaml b/cluster/addons/rbac/cloud-controller-manager-roles.yaml
new file mode 100644
index 0000000000..ef95e922de
--- /dev/null
+++ b/cluster/addons/rbac/cloud-controller-manager-roles.yaml
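Review bot: The third binding's `roleRef` points at ClusterRole `system:cloud-controller-manager`, but the roles file added in this same patch names that role `cloud-controller-manager` with no `system:` prefix, so the binding resolves to nothing and the cloud-controller-manager ServiceAccount ends up with no permissions (the API server accepts a binding to a missing role and simply grants nothing). Either rename the role or fix the reference here: `name: cloud-controller-manager`; the other two bindings and their roles do agree on the `system:` prefix. The commit message also lists a shared-informers service account, yet no binding for it appears in this file, so either the message or the file is incomplete. Since all three are ClusterRoleBindings to kube-system ServiceAccounts the grants are cluster-wide, which is expected for a cloud controller but worth stating in a header comment, e.g. `# Cluster-wide bindings for the external cloud-controller-manager's service accounts (kube-system).`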
@@ -0,0 +1,113 @@
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: cloud-controller-manager
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: system:cloud-node-controller
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - delete
+ - get
+ - patch
+ - update
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: system:pvl-controller
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+kind: List
+metadata: {}
\ No newline at end of file
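Review bot: The `cloud-controller-manager` ClusterRole grants `verbs: ['*']` on `nodes`, which covers create, delete and deletecollection on every node in the cluster plus any verb added to the API later, while the sibling `system:cloud-node-controller` role in the same hunk enumerates `delete, get, patch, update, list`; unless the controller genuinely needs an open-ended grant, list the verbs it actually uses so the privilege is reviewable and does not silently widen (the sibling role's list is the obvious starting point, but confirm against the controller code). The same role also grants cluster-wide `create` on `serviceaccounts` with nothing saying which controller needs it; a comment such as `# serviceaccounts/create: needed by … — TODO confirm` above that rule would keep the next reviewer from either removing a needed grant or leaving an unexplained one. This role is also the only one in the file without the `system:` prefix the other two roles use, so `name: system:cloud-controller-manager` would be consistent with them. The `'*'` is correctly quoted — a bare `*` would be parsed as a YAML alias.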