diff --git a/charts/calico/templates/calico-node-rbac.yaml b/charts/calico/templates/calico-node-rbac.yaml
index 5fc395ba0c3..eb84ffb3b61 100644
--- a/charts/calico/templates/calico-node-rbac.yaml
+++ b/charts/calico/templates/calico-node-rbac.yaml
@@ -12,8 +12,9 @@ rules:
 resourceNames:
 {{- if eq .Values.network "flannel" }}
 - canal
+ - calico-cni-plugin
 {{- else }}
- - calico-node
+ - calico-cni-plugin
 {{- end }}
 verbs:
 - create
@@ -177,6 +178,45 @@ rules:
 ---
+# CNI cluster role
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: calico-cni-plugin
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ verbs:
+ - get
+{{- if eq .Values.datastore "kubernetes" }}
+ - apiGroups: [""]
+ resources:
+ - pods/status
+ verbs:
+ - patch
+{{- if eq .Values.network "calico" }}
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - blockaffinities
+ - ipamblocks
+ - ipamhandles
+ - clusterinformations
+ - ippools
+ - ipreservations
+ - ipamconfigs
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+{{- end }}
+{{- end }}
+---
+
 {{- if eq .Values.network "flannel" }}
 # Flannel ClusterRole
 # Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
@@ -242,3 +282,17 @@ subjects:
 name: calico-node
 namespace: kube-system
 {{- end }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-cni-plugin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-cni-plugin
+subjects:
+- kind: ServiceAccount
+ name: calico-cni-plugin
+ namespace: kube-system
diff --git a/charts/calico/templates/calico-node.yaml b/charts/calico/templates/calico-node.yaml
index 57dc091d552..b79cdad2ece 100644
--- a/charts/calico/templates/calico-node.yaml
+++ b/charts/calico/templates/calico-node.yaml
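Review bot: Both branches of the `{{- if eq .Values.network "flannel" }}` block in the resourceNames hunk now emit `- calico-cni-plugin`, so the new entry can sit outside the conditional and only the canal name stay inside it: `- calico-cni-plugin` / `{{- if eq .Values.network "flannel" }}` / `- canal` followed by the existing `{{- end }}`. The flannel branch also keeps `canal` in resourceNames while the calico branch drops `calico-node`; if calico-node in a Canal install no longer needs to mint tokens for its own service account, the `canal` entry can go too, otherwise a one-line comment on why the two branches differ would save the next reader the question. The rules list this hunk belongs to starts before the hunk.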
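Review bot: The header comment `# CNI cluster role` on the new ClusterRole says nothing about why a second identity exists next to calico-node, which is the whole point of the change. I would expand it to `# ClusterRole for the CNI plugin. calico-node is allowed to request tokens for the calico-cni-plugin ServiceAccount (serviceaccounts/token rule above), so the plugin's API access is bounded by this role rather than by calico-node's.` The part about the plugin using the minted token is inferred from the token_watch.go hunk and the test name below; confirm before wording it as fact. Note that with `datastore: etcd` the role reduces to get on pods/nodes/namespaces, which matches the rendered canal-etcd manifest.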
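Review bot: The new ClusterRoleBinding writes its `subjects:` sequence flush-left (`- kind: ServiceAccount`) while the ClusterRole added in the same file indents its `rules:` items (`  - apiGroups: [""]`); the file now mixes both sequence-indentation styles, which yamllint's indentation rule flags and which makes later edits drift further. Pick one form for the new blocks, e.g. `subjects:` / `  - kind: ServiceAccount` / `    name: calico-cni-plugin` with the namespace line indented to match.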
@@ -657,6 +657,13 @@ kind: ServiceAccount
 metadata:
 name: {{include "nodeName" . }}
 namespace: kube-system
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-cni-plugin
+ namespace: kube-system
 {{- if and (eq .Values.datastore "etcd") (eq .Values.network "flannel") }}
 ---
diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml
index 02dc97fe795..21d1724e7af 100644
--- a/manifests/calico-bpf.yaml
+++ b/manifests/calico-bpf.yaml
@@ -29,6 +29,13 @@ metadata:
 name: calico-node
 namespace: kube-system
 ---
+# Source: calico/templates/calico-node.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-cni-plugin
+ namespace: kube-system
+---
 # Source: calico/templates/calico-config.yaml
 # This ConfigMap is used to configure a self-hosted Calico installation.
 kind: ConfigMap
@@ -4359,7 +4366,7 @@ rules:
 resources:
 - serviceaccounts/token
 resourceNames:
- - calico-node
+ - calico-cni-plugin
 verbs:
 - create
 # The CNI plugin needs to get pods, nodes, and namespaces.
@@ -4514,6 +4521,41 @@ rules:
 verbs:
 - get
 ---
+# Source: calico/templates/calico-node-rbac.yaml
+# CNI cluster role
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: calico-cni-plugin
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ verbs:
+ - get
+ - apiGroups: [""]
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - blockaffinities
+ - ipamblocks
+ - ipamhandles
+ - clusterinformations
+ - ippools
+ - ipreservations
+ - ipamconfigs
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+---
 # Source: calico/templates/calico-kube-controllers-rbac.yaml
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
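Review bot: The new ServiceAccount hard-codes `name: calico-cni-plugin` while the adjacent calico-node ServiceAccount takes its name from `{{include "nodeName" . }}`; the same literal is repeated in the ClusterRole, the ClusterRoleBinding and the serviceaccounts/token resourceNames in calico-node-rbac.yaml, and as the Go default in token_watch.go. A named template in the chart's helpers (say `cniServiceAccountName`, a constructed name) used in all four template spots would keep the RBAC and the account from drifting apart on the next rename. The manifests/ hunks in this line are rendered output of the chart and need no separate review.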
@@ -4542,6 +4584,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well # as the CNI plugins and network config on diff --git a/manifests/calico-etcd.yaml b/manifests/calico-etcd.yaml index c77d402ddb0..6263444e376 100644 --- a/manifests/calico-etcd.yaml +++ b/manifests/calico-etcd.yaml @@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-etcd-secrets.yaml # The following contains k8s Secrets for use with a TLS enabled etcd cluster. # For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/ @@ -153,7 +160,7 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -193,6 +200,21 @@ rules: # Needed for clearing NodeNetworkUnavailable flag. - patch --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -221,6 +243,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well # as the CNI plugins and network config on diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml index ca95edc9d13..818cd1434e3 100644 --- a/manifests/calico-policy-only.yaml +++ b/manifests/calico-policy-only.yaml @@ -45,6 +45,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap @@ -4369,7 +4376,7 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4491,6 +4498,26 @@ rules: - create - update --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -4519,6 +4546,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-typha.yaml # This manifest creates a Service, which will be backed by Calico's Typha daemon. # Typha sits in between Felix and the API server, reducing Calico's load on the API server. diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml index 4a3ca571c7b..0f07f0d6a47 100644 --- a/manifests/calico-typha.yaml +++ b/manifests/calico-typha.yaml @@ -45,6 +45,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap @@ -4370,7 +4377,7 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. 
@@ -4525,6 +4532,41 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4553,6 +4595,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-typha.yaml # This manifest creates a Service, which will be backed by Calico's Typha daemon. # Typha sits in between Felix and the API server, reducing Calico's load on the API server. diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml index 9e92fd8edac..1b7c036a188 100644 --- a/manifests/calico-vxlan.yaml +++ b/manifests/calico-vxlan.yaml @@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap 
@@ -4354,7 +4361,7 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4509,6 +4516,41 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4537,6 +4579,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well # as the CNI plugins and network config on diff --git a/manifests/calico.yaml b/manifests/calico.yaml index 12d7c424f12..49e3df1ea62 100644 --- a/manifests/calico.yaml +++ b/manifests/calico.yaml 
@@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap @@ -4354,7 +4361,7 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4509,6 +4516,41 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4537,6 +4579,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well # as the CNI plugins and network config on diff --git a/manifests/canal-etcd.yaml b/manifests/canal-etcd.yaml index 7283276d102..38ba8902e9b 100644 --- a/manifests/canal-etcd.yaml 
+++ b/manifests/canal-etcd.yaml @@ -29,6 +29,13 @@ metadata: name: canal-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-etcd-secrets.yaml # The following contains k8s Secrets for use with a TLS enabled etcd cluster. # For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/ @@ -159,6 +166,7 @@ rules: - serviceaccounts/token resourceNames: - canal + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -199,6 +207,21 @@ rules: - patch --- # Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get +--- +# Source: calico/templates/calico-node-rbac.yaml # Flannel ClusterRole # Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml kind: ClusterRole @@ -286,6 +309,20 @@ subjects: name: canal namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-node.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/manifests/canal.yaml b/manifests/canal.yaml index f80d020d22f..ca54186a51f 100644 --- a/manifests/canal.yaml +++ b/manifests/canal.yaml 
@@ -29,6 +29,13 @@ metadata: name: canal namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Canal installation. kind: ConfigMap @@ -4372,6 +4379,7 @@ rules: - serviceaccounts/token resourceNames: - canal + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4494,6 +4502,26 @@ rules: - update --- # Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch +--- +# Source: calico/templates/calico-node-rbac.yaml # Flannel ClusterRole # Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml kind: ClusterRole @@ -4561,6 +4589,20 @@ subjects: name: canal namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-node.yaml # This manifest installs the canal container, as well # as the CNI plugins and network config on diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml index 5d579784e9c..617c5623ed6 100644 --- a/manifests/flannel-migration/calico.yaml +++ b/manifests/flannel-migration/calico.yaml 
@@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap @@ -4354,7 +4361,7 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4509,6 +4516,41 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4537,6 +4579,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well # as the CNI plugins and network config on diff --git a/node/pkg/cni/token_watch.go b/node/pkg/cni/token_watch.go index aa13d5fe241..91915780b64 100644 
--- a/node/pkg/cni/token_watch.go
+++ b/node/pkg/cni/token_watch.go
@@ -21,7 +21,7 @@ import (
 )
 const (
- defaultServiceAccountName = "calico-node"
+ defaultServiceAccountName = "calico-cni-plugin"
 serviceAccountNamespace = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
 tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 defaultCNITokenValiditySeconds = 24 * 60 * 60
@@ -237,7 +237,7 @@ func Run() {
 }
 // CNIServiceAccountName returns the name of the serviceaccount to use for the CNI plugin token request.
-// This can be set via the CALICO_CNI_SERVICE_ACCOUNT environment variable, and defaults to "calico-node" otherwise.
+// This can be set via the CALICO_CNI_SERVICE_ACCOUNT environment variable, and defaults to "calico-cni-plugin" otherwise.
 func CNIServiceAccountName() string {
 if sa := os.Getenv("CALICO_CNI_SERVICE_ACCOUNT"); sa != "" {
 logrus.WithField("name", sa).Debug("Using service account from CALICO_CNI_SERVICE_ACCOUNT")
diff --git a/node/pkg/cni/token_watch_test.go b/node/pkg/cni/token_watch_test.go
index 57ccd5225ae..85e67bb971a 100644
--- a/node/pkg/cni/token_watch_test.go
+++ b/node/pkg/cni/token_watch_test.go
@@ -2,8 +2,10 @@ package cni_test
 import (
 "context"
+ "encoding/base64"
 "fmt"
 "os"
+ "strings"
 "time"
 . "github.com/onsi/ginkgo"
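Review bot: The new value of `defaultServiceAccountName` is only valid if the cluster's RBAC was updated in the same step: the serviceaccounts/token rule in the manifests now lists `resourceNames: [calico-cni-plugin]` instead of `calico-node`, so a node image carrying this default against the previous RBAC would presumably have its TokenRequest denied, and nothing in the const block records that coupling. I would add above the constant: `// Must match the ServiceAccount created by calico-node.yaml and the resourceNames entry of the serviceaccounts/token rule in calico-node-rbac.yaml; CALICO_CNI_SERVICE_ACCOUNT overrides it.` The `const (` block and `CNIServiceAccountName` both continue outside their hunks; the doc-comment and test-import hunks in this line are fine as they are.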
@@ -38,6 +40,18 @@ var _ = Describe("FV tests", func() {
 Expect(tu.Token).NotTo(BeEmpty())
 })
+ It("should bind a token to service account successfully", func() {
+ os.Setenv("CALICO_CNI_SERVICE_ACCOUNT", serviceAccountName)
+ tr := cni.NewTokenRefresher(clientset, namespace, cni.CNIServiceAccountName())
+ tu, err := tr.UpdateToken()
+ Expect(err).ShouldNot(HaveOccurred())
+ tokenSegments := strings.Split(tu.Token, ".")
+ decodedClaims, err := base64.StdEncoding.DecodeString(tokenSegments[1])
+ stringClaims := fmt.Sprintf("%q\n", decodedClaims)
+ Expect(err).ShouldNot(HaveOccurred())
+ Expect(stringClaims).To(ContainSubstring(serviceAccountName))
+ })
+
 It("should create a token successfully and deliver it through the channel", func() {
 tr := cni.NewTokenRefresher(clientset, namespace, serviceAccountName)
 tokenChan := tr.TokenChan()
diff --git a/node/tests/k8st/infra/calico-kdd.yaml b/node/tests/k8st/infra/calico-kdd.yaml
index b21a1f9c709..4ae817e119c 100644
--- a/node/tests/k8st/infra/calico-kdd.yaml
+++ b/node/tests/k8st/infra/calico-kdd.yaml
@@ -29,6 +29,13 @@ metadata:
 name: calico-node
 namespace: kube-system
 ---
+# Source: calico/templates/calico-node.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-cni-plugin
+ namespace: kube-system
+---
 # Source: calico/templates/calico-config.yaml
 # This ConfigMap is used to configure a self-hosted Calico installation.
 kind: ConfigMap
@@ -179,7 +186,7 @@ rules:
 resources:
 - serviceaccounts/token
 resourceNames:
- - calico-node
+ - calico-cni-plugin
 verbs:
 - create
 # The CNI plugin needs to get pods, nodes, and namespaces.
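Review bot: `base64.StdEncoding.DecodeString(tokenSegments[1])` decodes a JWT payload with the wrong alphabet: JWS segments are base64url without padding, so the decode fails whenever the payload contains `-` or `_` or its length is not a multiple of 4, which makes this test pass or fail depending on the claim bytes of the day; use `decodedClaims, err := base64.RawURLEncoding.DecodeString(tokenSegments[1])`. The split result is indexed without a length check, so a malformed token panics instead of failing cleanly, `Expect(tokenSegments).To(HaveLen(3))` before the decode covers that, and `os.Setenv("CALICO_CNI_SERVICE_ACCOUNT", ...)` is never undone, so it leaks into later specs that call `cni.CNIServiceAccountName()`; pair it with `defer os.Unsetenv("CALICO_CNI_SERVICE_ACCOUNT")`. `fmt.Sprintf("%q\n", decodedClaims)` quotes the bytes where `string(decodedClaims)` is what is meant, and matching the account name as a substring is weaker than unmarshalling the claims and checking the service-account claim itself, though the substring check is at least not wrong. The enclosing Describe block starts and ends outside the hunk.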
@@ -334,6 +341,41 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -362,6 +404,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well # as the CNI plugins and network config on