From 92ecc2f191ad481611d7f2e17571330e6045a8dc Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Mon, 19 Dec 2022 09:22:22 -0500 Subject: [PATCH 01/12] calico-cni-plugin user --- charts/calico/templates/calico-node-rbac.yaml | 116 ++++++++++++------ node/pkg/cni/token_watch.go | 15 ++- 2 files changed, 93 insertions(+), 38 deletions(-) diff --git a/charts/calico/templates/calico-node-rbac.yaml b/charts/calico/templates/calico-node-rbac.yaml index 4ffb0213ee2..64d5cc8fe9c 100644 --- a/charts/calico/templates/calico-node-rbac.yaml +++ b/charts/calico/templates/calico-node-rbac.yaml @@ -17,14 +17,6 @@ rules: {{- end }} verbs: - create - # The CNI plugin needs to get pods, nodes, and namespaces. - - apiGroups: [""] - resources: - - pods - - nodes - - namespaces - verbs: - - get # EndpointSlices are used for Service-based network policy rule # enforcement. - apiGroups: ["discovery.k8s.io"] @@ -76,13 +68,6 @@ rules: verbs: - list - watch - # The CNI plugin patches pods/status. - - apiGroups: [""] - resources: - - pods/status - verbs: - - patch - # Calico monitors various CRDs for config. - apiGroups: ["crd.projectcalico.org"] resources: - globalfelixconfigs @@ -138,26 +123,6 @@ rules: - create - update {{- if eq .Values.network "calico" }} - # These permissions are required for Calico CNI to perform IPAM allocations. - - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - - ipamblocks - - ipamhandles - verbs: - - get - - list - - create - - update - - delete - # The CNI plugin and calico/node need to be able to create a default - # IPAMConfiguration - - apiGroups: ["crd.projectcalico.org"] - resources: - - ipamconfigs - verbs: - - get - - create # Block affinities must also be watchable by confd for route aggregation. - apiGroups: ["crd.projectcalico.org"] resources: 
@@ -176,6 +141,61 @@ rules: --- +metadata: + name: calico-cni-plugin +rules: + # Used for creating service account tokens to be used by the CNI plugin + - apiGroups: [""] + resources: + - serviceaccounts/token + resourceNames: + {{- if eq .Values.network "flannel" }} +- canal-cni + {{- else }} +- calico-cni-plugin + {{- end }} +verbs: + - create +# The CNI plugin needs to get pods, nodes, and namespaces. +- apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + {{- if eq .Values.datastore "kubernetes" }} +- apiGroups: [""] + resources: + - pods/status + verbs: + - patch + {{- if eq .Values.network "calico" }} +# These permissions are required for Calico CNI to perform IPAM allocations. +- apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete +# The CNI plugin and calico/node need to be able to create a default +# IPAMConfiguration +- apiGroups: ["crd.projectcalico.org"] + resources: + - ipamconfigs + verbs: + - get + - create + {{- end }} + {{- end }} + +--- + {{- if eq .Values.network "flannel" }} # Flannel ClusterRole # Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml @@ -227,6 +247,19 @@ subjects: - kind: ServiceAccount name: canal namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: canal-calico-cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: + - kind: ServiceAccount + name: canal-cni-plugin + namespace: kube-system {{- else }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
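Review bot: The ClusterRole document added at `+metadata:` has no `kind: ClusterRole` / `apiVersion: rbac.authorization.k8s.io/v1` lines above it, and its rules are indented inconsistently (`+- canal-cni`, `+verbs:`, `+- apiGroups:` sit at column 0 while `- serviceaccounts/token` and `resourceNames:` are nested under the first item), so the rendered document does not parse as a ClusterRole. The flannel branch also permits token creation for `canal-cni` while the @@ -227 hunk in this same patch binds the `canal-cni-plugin` ServiceAccount, and CNIServiceAccountName() in token_watch.go defaults to `calico-cni-plugin` regardless of network mode, so three names are in play for one identity. The `serviceaccounts/token` rule itself belongs to the component that runs the refresher (calico-node) rather than to the plugin role, since nothing in the plugin requests tokens for itself. Suggest prefixing the document with `kind: ClusterRole` and `apiVersion: rbac.authorization.k8s.io/v1`, re-indenting the rule list to match the calico-node role above it, and settling on one account name per network mode.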
@@ -240,4 +273,17 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: + - kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system {{- end }} diff --git a/node/pkg/cni/token_watch.go b/node/pkg/cni/token_watch.go index 1f290d712af..2e981445fb4 100644 --- a/node/pkg/cni/token_watch.go +++ b/node/pkg/cni/token_watch.go @@ -22,7 +22,8 @@ import ( ) const ( - defaultServiceAccountName = "calico-node" + defaultNodeAccountName = "calico-node" + defaultCNIPluginAccountName = "calico-cni-plugin" serviceAccountNamespace = "/var/run/secrets/kubernetes.io/serviceaccount/namespace" tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token" defaultCNITokenValiditySeconds = 24 * 60 * 60 @@ -217,7 +218,7 @@ func Run() { if err != nil { logrus.WithError(err).Fatal("Failed to create in cluster client set") } - tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), CNIServiceAccountName()) + tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), NodeServiceAccountName()) tokenChan := tr.TokenChan() go tr.Run() @@ -244,7 +245,15 @@ func CNIServiceAccountName() string { logrus.WithField("name", sa).Debug("Using service account from CALICO_CNI_SERVICE_ACCOUNT") return sa } - return defaultServiceAccountName + return defaultCNIPluginAccountName +} + +func NodeServiceAccountName() string { + if na := os.Getenv("CALICO_NODE_SERVICE_ACCOUNT"); na != "" { + logrus.WithField("name", na).Debug("Using service account from CALICO_NODE_SERVICE_ACCOUNT") + return na + } + return defaultNodeAccountName } // writeKubeconfig writes an updated kubeconfig file to disk that the CNI plugin can use to access the Kubernetes API. From 2ccfb108ca779d2994e5b15ebdc0994e902b80ef Mon Sep 17 00:00:00 2001 
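Review bot: Run() now hands NodeServiceAccountName() (default `calico-node`) to NewTokenRefresher, so the token written into the CNI kubeconfig still carries the calico-node identity and the calico-cni-plugin role added in this patch is never the one the plugin actually runs under; the split only narrows privilege if the plugin's kubeconfig is minted for the narrower account. The call should be `tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), CNIServiceAccountName())`, leaving NodeServiceAccountName() for callers that genuinely need the node's own identity. Run()'s body begins and ends outside this hunk. The exported NodeServiceAccountName in the @@ -244 hunk also lacks a doc comment; `// NodeServiceAccountName returns the calico-node service account name, overridable via CALICO_NODE_SERVICE_ACCOUNT.` would match the comment on CNIServiceAccountName.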
From: Michal Fupso Date: Mon, 19 Dec 2022 09:33:13 -0500 Subject: [PATCH 02/12] add calico-cni-plugin account --- node/tests/k8st/infra/calico-kdd.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/node/tests/k8st/infra/calico-kdd.yaml b/node/tests/k8st/infra/calico-kdd.yaml index 7c7e4b3b65a..722a42aa802 100644 --- a/node/tests/k8st/infra/calico-kdd.yaml +++ b/node/tests/k8st/infra/calico-kdd.yaml @@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap From 776f61510e7701391177d47dbf4cddee4c0227ca Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Fri, 13 Jan 2023 14:36:09 -0800 Subject: [PATCH 03/12] calico-cni-plugin updates --- charts/calico/templates/calico-node-rbac.yaml | 143 ++++++++++-------- cni-plugin/pkg/install/install.go | 2 +- node/pkg/cni/token_watch.go | 13 +- 3 files changed, 86 insertions(+), 72 deletions(-) diff --git a/charts/calico/templates/calico-node-rbac.yaml b/charts/calico/templates/calico-node-rbac.yaml index 64d5cc8fe9c..3f05a6df1b8 100644 --- a/charts/calico/templates/calico-node-rbac.yaml +++ b/charts/calico/templates/calico-node-rbac.yaml @@ -12,18 +12,28 @@ rules: resourceNames: {{- if eq .Values.network "flannel" }} - canal + - canal-cni-plugin {{- else }} - calico-node + - calico-cni-plugin {{- end }} verbs: - create + # The CNI plugin needs to get pods, nodes, and namespaces. + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get # EndpointSlices are used for Service-based network policy rule # enforcement. - apiGroups: ["discovery.k8s.io"] resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: 
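Review bot: The test fixture hand-adds the `calico-cni-plugin` ServiceAccount with a `# Source: calico/templates/calico-node.yaml` comment, but no patch in this series so far touches that template or emits the ServiceAccount into the generated files under `manifests/`, while every ClusterRoleBinding added later names this account as its subject and calico-node is granted TokenRequest on it; if the chart never creates the account, the bindings are dangling and the token request fails. If a later patch in the series adds it to the template this can be ignored; otherwise the ServiceAccount belongs in `calico-node.yaml` so the rendered manifests and this fixture stay in sync.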
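Review bot: This hunk re-adds the pods/nodes/namespaces `get` rule to the calico-node ClusterRole that patch 01 moved out, and the hunks at @@ -68,6 +78,13 @@ and @@ -123,6 +140,26 @@ do the same for `pods/status` patch and the IPAM CRD verbs, so after this patch the node account and the new plugin account both hold the full CNI permission set. The rule comments themselves attribute these permissions to the CNI plugin; unless calico-node needs them for its own work (plausible for the IPAM resources it also allocates from, less obviously for pod `get` and `pods/status` patch), keeping them on calico-node duplicates rather than narrows its privilege, which was the point of the new account. It would help to state in the commit which of these calico-node still needs and drop the rest. Minor: the re-added comment at @@ -68 is written `# # The CNI plugin patches pods/status.` with a doubled marker at column 0.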
@@ -68,6 +78,13 @@ rules: verbs: - list - watch +# # The CNI plugin patches pods/status. + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + # Calico monitors various CRDs for config. - apiGroups: ["crd.projectcalico.org"] resources: - globalfelixconfigs @@ -123,6 +140,26 @@ rules: - create - update {{- if eq .Values.network "calico" }} + # These permissions are required for Calico CNI to perform IPAM allocations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + # The CNI plugin and calico/node need to be able to create a default + # IPAMConfiguration + - apiGroups: ["crd.projectcalico.org"] + resources: + - ipamconfigs + verbs: + - get + - create # Block affinities must also be watchable by confd for route aggregation. - apiGroups: ["crd.projectcalico.org"] resources: 
@@ -141,59 +178,45 @@ rules: --- -metadata: +#CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: name: calico-cni-plugin rules: - # Used for creating service account tokens to be used by the CNI plugin - apiGroups: [""] resources: - - serviceaccounts/token - resourceNames: - {{- if eq .Values.network "flannel" }} -- canal-cni - {{- else }} -- calico-cni-plugin - {{- end }} -verbs: - - create -# The CNI plugin needs to get pods, nodes, and namespaces. -- apiGroups: [""] - resources: - - pods - - nodes - - namespaces - verbs: - - get - {{- if eq .Values.datastore "kubernetes" }} -- apiGroups: [""] - resources: - - pods/status - verbs: - - patch - {{- if eq .Values.network "calico" }} -# These permissions are required for Calico CNI to perform IPAM allocations. -- apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - - ipamblocks - - ipamhandles - verbs: - - get - - list - - create - - update - - delete -# The CNI plugin and calico/node need to be able to create a default -# IPAMConfiguration -- apiGroups: ["crd.projectcalico.org"] - resources: - - ipamconfigs - verbs: - - get - - create - {{- end }} - {{- end }} - + - pods + - nodes + - namespaces + verbs: + - get +{{- if eq .Values.datastore "kubernetes" }} + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch +{{- if eq .Values.network "calico" }} + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - ipamconfigs + verbs: + - get + - create +{{- end }} +{{- end }} --- {{- if eq .Values.network "flannel" }} 
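Review bot: The new ClusterRole is keyed `metadate:` instead of `metadata:`, so the object has no `metadata.name`; the API server rejects a nameless object (and strict field validation rejects the unknown key), which means the calico-cni-plugin role is never created and every binding that references it is empty. The fix is the one-word change `metadata:`. Patch 07 renders the same typo into every generated manifest (calico-bpf, calico-etcd, calico-policy-only, calico-typha, calico-vxlan, calico, canal-etcd, canal), which is what users apply, so the chart fix needs a regeneration. The explanatory comments on the IPAM rules (`# These permissions are required for Calico CNI to perform IPAM allocations.` and `# The CNI plugin and calico/node need to be able to create a default IPAMConfiguration`) were dropped in the move; keeping them next to the rules documents why the plugin holds write verbs on IPAM CRDs.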
@@ -251,15 +274,15 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: canal-calico-cni + name: canal-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subjects: - - kind: ServiceAccount - name: canal-cni-plugin - namespace: kube-system +subject: + kind: ServiceAccount + name: canal-cni-plugin + namespace: kube-system {{- else }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -282,8 +305,8 @@ roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subjects: - - kind: ServiceAccount - name: calico-cni-plugin - namespace: kube-system -{{- end }} +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +{{- end }} \ No newline at end of file diff --git a/cni-plugin/pkg/install/install.go b/cni-plugin/pkg/install/install.go index 3378e769e9d..a22709b666a 100644 --- a/cni-plugin/pkg/install/install.go +++ b/cni-plugin/pkg/install/install.go @@ -486,7 +486,7 @@ current-context: calico-context` if err != nil { logrus.WithError(err).Fatal("Unable to create client for generating CNI token") } - tr := cni.NewTokenRefresher(clientset, cni.NamespaceOfUsedServiceAccount(), cni.CNIServiceAccountName()) + tr := cni.NewTokenRefresher(clientset, cni.NamespaceOfUsedServiceAccount(), cni.NodeServiceAccountName()) tu, err := tr.UpdateToken() if err != nil { logrus.WithError(err).Fatal("Unable to create token for CNI kubeconfig") diff --git a/node/pkg/cni/token_watch.go b/node/pkg/cni/token_watch.go index 2e981445fb4..6d4aa17c09f 100644 --- a/node/pkg/cni/token_watch.go +++ b/node/pkg/cni/token_watch.go 
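Review bot: Both ClusterRoleBindings now use `subject:` (a mapping) in place of `subjects:` (a list); `subject` is not a field of rbac.authorization.k8s.io/v1 ClusterRoleBinding, so under default validation the binding is accepted with an empty subjects list and grants the plugin ServiceAccount nothing, and under strict validation it is rejected as an unknown field. Restore the list form: `subjects:` / `  - kind: ServiceAccount` / `    name: calico-cni-plugin` (likewise `canal-cni-plugin` in the flannel branch, @@ -282,8 +305,8 @@ shares the defect). The same `subject:` shape is carried into every generated manifest in patch 07.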
@@ -22,8 +22,7 @@ import ( ) const ( - defaultNodeAccountName = "calico-node" - defaultCNIPluginAccountName = "calico-cni-plugin" + defaultNodeAccountName = "calico-cni-plugin" serviceAccountNamespace = "/var/run/secrets/kubernetes.io/serviceaccount/namespace" tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token" defaultCNITokenValiditySeconds = 24 * 60 * 60 @@ -239,15 +238,7 @@ func Run() { } // CNIServiceAccountName returns the name of the serviceaccount to use for the CNI plugin token request. -// This can be set via the CALICO_CNI_SERVICE_ACCOUNT environment variable, and defaults to "calico-node" otherwise. -func CNIServiceAccountName() string { - if sa := os.Getenv("CALICO_CNI_SERVICE_ACCOUNT"); sa != "" { - logrus.WithField("name", sa).Debug("Using service account from CALICO_CNI_SERVICE_ACCOUNT") - return sa - } - return defaultCNIPluginAccountName -} - +// This can be set via the CALICO_CNI_SERVICE_ACCOUNT environment variable, and defaults to "calico-cni-plugin" otherwise. func NodeServiceAccountName() string { if na := os.Getenv("CALICO_NODE_SERVICE_ACCOUNT"); na != "" { logrus.WithField("name", na).Debug("Using service account from CALICO_NODE_SERVICE_ACCOUNT") From 27829612333b0511bab734e3e5c10bddcaa31622 Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Fri, 13 Jan 2023 14:42:44 -0800 Subject: [PATCH 04/12] cni account name update --- cni-plugin/pkg/install/install.go | 2 +- node/pkg/cni/token_watch.go | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cni-plugin/pkg/install/install.go b/cni-plugin/pkg/install/install.go index a22709b666a..3378e769e9d 100644 --- a/cni-plugin/pkg/install/install.go +++ b/cni-plugin/pkg/install/install.go 
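Review bot: After this hunk the comment left above NodeServiceAccountName() still reads `// CNIServiceAccountName returns the name of the serviceaccount to use for the CNI plugin token request.` and names CALICO_CNI_SERVICE_ACCOUNT, while the function reads CALICO_NODE_SERVICE_ACCOUNT, and in the @@ -22 hunk the constant `defaultNodeAccountName` now holds `"calico-cni-plugin"`; the names and the doc say the opposite of what the code does. Deleting the exported CNIServiceAccountName is also an API change for any caller beyond the two updated in this series. Patches 04 through 06 rename these back step by step; squashing 03–06 into one commit would leave no intermediate tree in which `CALICO_CNI_SERVICE_ACCOUNT` is silently ignored.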
@@ -486,7 +486,7 @@ current-context: calico-context` if err != nil { logrus.WithError(err).Fatal("Unable to create client for generating CNI token") } - tr := cni.NewTokenRefresher(clientset, cni.NamespaceOfUsedServiceAccount(), cni.NodeServiceAccountName()) + tr := cni.NewTokenRefresher(clientset, cni.NamespaceOfUsedServiceAccount(), cni.CNIServiceAccountName()) tu, err := tr.UpdateToken() if err != nil { logrus.WithError(err).Fatal("Unable to create token for CNI kubeconfig") diff --git a/node/pkg/cni/token_watch.go b/node/pkg/cni/token_watch.go index 6d4aa17c09f..3cf22f8fd9f 100644 --- a/node/pkg/cni/token_watch.go +++ b/node/pkg/cni/token_watch.go @@ -22,7 +22,7 @@ import ( ) const ( - defaultNodeAccountName = "calico-cni-plugin" + defaultServiceAccountName = "calico-cni-plugin" serviceAccountNamespace = "/var/run/secrets/kubernetes.io/serviceaccount/namespace" tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token" defaultCNITokenValiditySeconds = 24 * 60 * 60 @@ -217,7 +217,7 @@ func Run() { if err != nil { logrus.WithError(err).Fatal("Failed to create in cluster client set") } - tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), NodeServiceAccountName()) + tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), CNIServiceAccountName()) tokenChan := tr.TokenChan() go tr.Run() 
@@ -239,12 +239,12 @@ func Run() { // CNIServiceAccountName returns the name of the serviceaccount to use for the CNI plugin token request. // This can be set via the CALICO_CNI_SERVICE_ACCOUNT environment variable, and defaults to "calico-cni-plugin" otherwise. -func NodeServiceAccountName() string { +func CNIServiceAccountName() string { if na := os.Getenv("CALICO_NODE_SERVICE_ACCOUNT"); na != "" { logrus.WithField("name", na).Debug("Using service account from CALICO_NODE_SERVICE_ACCOUNT") return na } - return defaultNodeAccountName + return defaultServiceAccountName } // writeKubeconfig writes an updated kubeconfig file to disk that the CNI plugin can use to access the Kubernetes API. From a1d66ef0baba5c9a9aaccc2e93208acb5cd4fa1c Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Fri, 13 Jan 2023 14:45:24 -0800 Subject: [PATCH 05/12] naming update --- charts/calico/templates/calico-node-rbac.yaml | 2 +- node/pkg/cni/token_watch.go | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/calico/templates/calico-node-rbac.yaml b/charts/calico/templates/calico-node-rbac.yaml index 3f05a6df1b8..00396018eab 100644 --- a/charts/calico/templates/calico-node-rbac.yaml +++ b/charts/calico/templates/calico-node-rbac.yaml @@ -309,4 +309,4 @@ subject: kind: ServiceAccount name: calico-cni-plugin namespace: kube-system -{{- end }} \ No newline at end of file +{{- end }} diff --git a/node/pkg/cni/token_watch.go b/node/pkg/cni/token_watch.go index 3cf22f8fd9f..e9af3dd4cf1 100644 --- a/node/pkg/cni/token_watch.go +++ b/node/pkg/cni/token_watch.go 
@@ -240,9 +240,9 @@ func Run() { // CNIServiceAccountName returns the name of the serviceaccount to use for the CNI plugin token request. // This can be set via the CALICO_CNI_SERVICE_ACCOUNT environment variable, and defaults to "calico-cni-plugin" otherwise. func CNIServiceAccountName() string { - if na := os.Getenv("CALICO_NODE_SERVICE_ACCOUNT"); na != "" { - logrus.WithField("name", na).Debug("Using service account from CALICO_NODE_SERVICE_ACCOUNT") - return na + if sa := os.Getenv("CALICO_CNI_SERVICE_ACCOUNT"); sa != "" { + logrus.WithField("name", sa).Debug("Using service account from CALICO_NODE_SERVICE_ACCOUNT") + return sa } return defaultServiceAccountName } From e53ca6c1862514f336058ccad35801485831b65f Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Fri, 13 Jan 2023 14:52:25 -0800 Subject: [PATCH 06/12] naming --- node/pkg/cni/token_watch.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node/pkg/cni/token_watch.go b/node/pkg/cni/token_watch.go index e9af3dd4cf1..6d811c06285 100644 --- a/node/pkg/cni/token_watch.go +++ b/node/pkg/cni/token_watch.go @@ -241,7 +241,7 @@ func Run() { // This can be set via the CALICO_CNI_SERVICE_ACCOUNT environment variable, and defaults to "calico-cni-plugin" otherwise. func CNIServiceAccountName() string { if sa := os.Getenv("CALICO_CNI_SERVICE_ACCOUNT"); sa != "" { - logrus.WithField("name", sa).Debug("Using service account from CALICO_NODE_SERVICE_ACCOUNT") + logrus.WithField("name", sa).Debug("Using service account from CALICO_CNI_SERVICE_ACCOUNT") return sa } return defaultServiceAccountName From 658126e2a1de20d9d1c4b6ebd755447ec1a14939 Mon Sep 17 00:00:00 2001 
From: Michal Fupso Date: Wed, 25 Jan 2023 16:53:37 +0100 Subject: [PATCH 07/12] manifest files update --- charts/calico/templates/calico-node-rbac.yaml | 24 ++---- manifests/calico-bpf.yaml | 73 ++++++++++++++++++- manifests/calico-etcd.yaml | 30 +++++++- manifests/calico-policy-only.yaml | 56 +++++++++++++- manifests/calico-typha.yaml | 73 ++++++++++++++++++- manifests/calico-vxlan.yaml | 73 ++++++++++++++++++- manifests/calico.yaml | 73 ++++++++++++++++++- manifests/canal-etcd.yaml | 30 +++++++- manifests/canal.yaml | 56 +++++++++++++- manifests/crds.yaml | 21 ++++++ manifests/flannel-migration/calico.yaml | 73 ++++++++++++++++++- manifests/tigera-operator.yaml | 22 ++++++ 12 files changed, 576 insertions(+), 28 deletions(-) diff --git a/charts/calico/templates/calico-node-rbac.yaml b/charts/calico/templates/calico-node-rbac.yaml index 00396018eab..20f8296759f 100644 --- a/charts/calico/templates/calico-node-rbac.yaml +++ b/charts/calico/templates/calico-node-rbac.yaml @@ -12,7 +12,7 @@ rules: resourceNames: {{- if eq .Values.network "flannel" }} - canal - - canal-cni-plugin + - calico-cni-plugin {{- else }} - calico-node - calico-cni-plugin @@ -78,7 +78,7 @@ rules: verbs: - list - watch -# # The CNI plugin patches pods/status. + # The CNI plugin patches pods/status. - apiGroups: [""] resources: - pods/status @@ -178,7 +178,7 @@ rules: --- -#CNI cluster role +# CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadate: @@ -270,19 +270,6 @@ subjects: - kind: ServiceAccount name: canal namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: canal-cni-plugin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-cni-plugin -subject: - kind: ServiceAccount - name: canal-cni-plugin - namespace: kube-system {{- else }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -296,9 +283,9 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 +{{- end }} kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: calico-cni-plugin roleRef: @@ -309,4 +296,3 @@ subject: kind: ServiceAccount name: calico-cni-plugin namespace: kube-system -{{- end }} diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml index 190c8878a1c..895d9ceb3b7 100644 --- a/manifests/calico-bpf.yaml +++ b/manifests/calico-bpf.yaml @@ -91,6 +91,27 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: @@ -4212,6 +4233,7 @@ rules: - serviceaccounts/token resourceNames: - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4228,7 +4250,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: 
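Review bot: The `---` separator before the calico-cni-plugin ClusterRoleBinding is removed, so it is emitted into the same YAML document as the preceding calico-node (or canal) binding; `kind`, `apiVersion`, `metadata` and `roleRef` then appear twice in one mapping, which a parser either rejects as duplicate keys or resolves last-wins, in which case the calico-node binding is renamed to calico-cni-plugin and re-pointed at the calico-cni-plugin role and calico-node loses its own ClusterRole. The rendered manifests in this patch show exactly that shape (`namespace: kube-system` immediately followed by `kind: ClusterRoleBinding` in calico-bpf, calico-etcd, calico-policy-only, calico-typha, calico-vxlan, calico, canal-etcd and canal). Keep the separator after the conditional: `{{- end }}` / `---` / `kind: ClusterRoleBinding`.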
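Review bot: An empty CustomResourceDefinition (no `metadata.name`, `group: ""`, `kind: ""`, `versions: null`) is inserted ahead of bgpconfigurations; the API server rejects a nameless object, so applying this manifest fails before the real resources are created. The same block is added to calico-policy-only, calico-typha, calico-vxlan, calico, canal and to manifests/crds.yaml, where its `# Source: crds/_.yaml` comment suggests the generator picked up a stray placeholder file in the crds chart directory; removing that file and regenerating should drop all copies. The chart source tree is not in view, so where `_.yaml` comes from should be confirmed before deleting it.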
@@ -4365,6 +4387,43 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - ipamconfigs + verbs: + - get + - create +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4392,6 +4451,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well diff --git a/manifests/calico-etcd.yaml b/manifests/calico-etcd.yaml index a331da5e177..78daf2b6c2d 100644 --- a/manifests/calico-etcd.yaml +++ b/manifests/calico-etcd.yaml @@ -154,6 +154,7 @@ rules: - serviceaccounts/token resourceNames: - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -170,7 +171,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: 
@@ -193,6 +194,21 @@ rules: # Needed for clearing NodeNetworkUnavailable flag. - patch --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -220,6 +236,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml index 37341e1c7dc..5c5d2dfea0b 100644 --- a/manifests/calico-policy-only.yaml +++ b/manifests/calico-policy-only.yaml @@ -101,6 +101,27 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: @@ -4222,6 +4243,7 @@ rules: - serviceaccounts/token resourceNames: - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. 
@@ -4238,7 +4260,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: @@ -4342,6 +4364,26 @@ rules: - create - update --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4369,6 +4411,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-typha.yaml # This manifest creates a Service, which will be backed by Calico's Typha daemon. diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml index 3c2c097cd69..4daaee800fa 100644 --- a/manifests/calico-typha.yaml +++ b/manifests/calico-typha.yaml @@ -102,6 +102,27 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: 
@@ -4223,6 +4244,7 @@ rules: - serviceaccounts/token resourceNames: - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4239,7 +4261,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: @@ -4376,6 +4398,43 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - ipamconfigs + verbs: + - get + - create +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4403,6 +4462,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-typha.yaml # This manifest creates a Service, which will be backed by Calico's Typha daemon. diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml index d3a0b021c1b..af6734b3a71 100644 --- a/manifests/calico-vxlan.yaml +++ b/manifests/calico-vxlan.yaml 
@@ -86,6 +86,27 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: @@ -4207,6 +4228,7 @@ rules: - serviceaccounts/token resourceNames: - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4223,7 +4245,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: @@ -4360,6 +4382,43 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - ipamconfigs + verbs: + - get + - create +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -4387,6 +4446,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well diff --git a/manifests/calico.yaml b/manifests/calico.yaml index fe5d4fc2263..27fed5ce3c5 100644 --- a/manifests/calico.yaml +++ b/manifests/calico.yaml @@ -86,6 +86,27 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: @@ -4207,6 +4228,7 @@ rules: - serviceaccounts/token resourceNames: - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4223,7 +4245,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: 
@@ -4360,6 +4382,43 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - ipamconfigs + verbs: + - get + - create +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4387,6 +4446,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well diff --git a/manifests/canal-etcd.yaml b/manifests/canal-etcd.yaml index a73dafa628a..eddfe2e58e1 100644 --- a/manifests/canal-etcd.yaml +++ b/manifests/canal-etcd.yaml @@ -159,6 +159,7 @@ rules: - serviceaccounts/token resourceNames: - canal + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -175,7 +176,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: 
@@ -199,6 +200,21 @@ rules: - patch --- # Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get +--- +# Source: calico/templates/calico-node-rbac.yaml # Flannel ClusterRole # Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml kind: ClusterRole @@ -285,6 +301,18 @@ subjects: - kind: ServiceAccount name: canal namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-node.yaml apiVersion: rbac.authorization.k8s.io/v1 diff --git a/manifests/canal.yaml b/manifests/canal.yaml index 4ed0da89722..362c3d5eebc 100644 --- a/manifests/canal.yaml +++ b/manifests/canal.yaml @@ -103,6 +103,27 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: @@ -4224,6 +4245,7 @@ rules: - serviceaccounts/token resourceNames: - canal + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4240,7 +4262,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: 
@@ -4345,6 +4367,26 @@ rules: - update --- # Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch +--- +# Source: calico/templates/calico-node-rbac.yaml # Flannel ClusterRole # Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml kind: ClusterRole @@ -4411,6 +4453,18 @@ subjects: - kind: ServiceAccount name: canal namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-node.yaml # This manifest installs the canal container, as well diff --git a/manifests/crds.yaml b/manifests/crds.yaml index 84ff7278bc5..fa5f3fb5027 100644 --- a/manifests/crds.yaml +++ b/manifests/crds.yaml @@ -4026,3 +4026,24 @@ status: plural: "" conditions: [] storedVersions: [] +--- +# Source: crds/_.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml index 8355d14e2f3..eade675fde6 100644 --- a/manifests/flannel-migration/calico.yaml +++ b/manifests/flannel-migration/calico.yaml 
@@ -86,6 +86,27 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: @@ -4207,6 +4228,7 @@ rules: - serviceaccounts/token resourceNames: - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4223,7 +4245,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: @@ -4360,6 +4382,43 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - ipamconfigs + verbs: + - get + - create +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
@@ -4387,6 +4446,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well diff --git a/manifests/tigera-operator.yaml b/manifests/tigera-operator.yaml index 6c2098a221c..eb8f94b6b8c 100644 --- a/manifests/tigera-operator.yaml +++ b/manifests/tigera-operator.yaml @@ -5,6 +5,28 @@ metadata: labels: name: tigera-operator --- +# Source: crds/calico/_.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null +spec: + group: "" + names: + kind: "" + plural: "" + scope: "" + versions: null +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null + +--- # Source: crds/calico/crd.projectcalico.org_bgpconfigurations.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition From df303f6407e6e7a35f6bd54a2aa00ff59d9eb734 Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Tue, 28 Feb 2023 08:28:12 -0800 Subject: [PATCH 08/12] calico-cni token test --- manifests/calico-bpf.yaml | 21 --------- manifests/calico-policy-only.yaml | 21 --------- manifests/calico-typha.yaml | 21 --------- manifests/calico-vxlan.yaml | 21 --------- manifests/calico.yaml | 21 --------- manifests/canal.yaml | 21 --------- manifests/crds.yaml | 21 --------- manifests/flannel-migration/calico.yaml | 21 --------- manifests/tigera-operator.yaml | 22 --------- node/pkg/cni/token_watch_test.go | 13 ++++++ node/tests/k8st/infra/calico-kdd.yaml | 59 +++++++++++++++++++++---- 11 files changed, 64 insertions(+), 198 deletions(-) 
diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml index 5e04608bffa..f5a878221c0 100644 --- a/manifests/calico-bpf.yaml +++ b/manifests/calico-bpf.yaml @@ -91,27 +91,6 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: calico/templates/kdd-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml index c4c0d055af9..05d6b50b3de 100644 --- a/manifests/calico-policy-only.yaml +++ b/manifests/calico-policy-only.yaml @@ -101,27 +101,6 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: calico/templates/kdd-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml index f365a4679b9..4d667ebc888 100644 --- a/manifests/calico-typha.yaml +++ b/manifests/calico-typha.yaml 
@@ -102,27 +102,6 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: calico/templates/kdd-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml index 5ced1f66bee..42b36dd9007 100644 --- a/manifests/calico-vxlan.yaml +++ b/manifests/calico-vxlan.yaml @@ -86,27 +86,6 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: calico/templates/kdd-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: diff --git a/manifests/calico.yaml b/manifests/calico.yaml index d9219788530..776ede115d8 100644 --- a/manifests/calico.yaml +++ b/manifests/calico.yaml 
@@ -86,27 +86,6 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: calico/templates/kdd-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: diff --git a/manifests/canal.yaml b/manifests/canal.yaml index 86a7bb6bddf..9013ae05fa8 100644 --- a/manifests/canal.yaml +++ b/manifests/canal.yaml @@ -103,27 +103,6 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: calico/templates/kdd-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: diff --git a/manifests/crds.yaml b/manifests/crds.yaml index 344601a6af5..85dfef98c79 100644 --- a/manifests/crds.yaml +++ b/manifests/crds.yaml @@ -4174,24 +4174,3 @@ status: plural: "" conditions: [] storedVersions: [] ---- -# Source: crds/_.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null 
diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml index c61f9cdda41..ccb08e8b4e5 100644 --- a/manifests/flannel-migration/calico.yaml +++ b/manifests/flannel-migration/calico.yaml @@ -86,27 +86,6 @@ data: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null ---- -# Source: calico/templates/kdd-crds.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: diff --git a/manifests/tigera-operator.yaml b/manifests/tigera-operator.yaml index 156afea7bdc..3c09c9c7d11 100644 --- a/manifests/tigera-operator.yaml +++ b/manifests/tigera-operator.yaml @@ -5,28 +5,6 @@ metadata: labels: name: tigera-operator --- -# Source: crds/calico/_.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null -spec: - group: "" - names: - kind: "" - plural: "" - scope: "" - versions: null -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null - ---- # Source: crds/calico/crd.projectcalico.org_bgpconfigurations.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/node/pkg/cni/token_watch_test.go b/node/pkg/cni/token_watch_test.go index 57ccd5225ae..a8598ea43e8 100644 --- a/node/pkg/cni/token_watch_test.go +++ b/node/pkg/cni/token_watch_test.go @@ -2,8 +2,10 @@ package cni_test import ( "context" + "encoding/base64" "fmt" "os" + "strings" "time" . "github.com/onsi/ginkgo" 
@@ -38,6 +40,17 @@ var _ = Describe("FV tests", func() { Expect(tu.Token).NotTo(BeEmpty()) }) + It("should bind a token to service account successfully", func() { + os.Setenv("CALICO_CNI_SERVICE_ACCOUNT", serviceAccountName) + tr := cni.NewTokenRefresher(clientset, namespace, cni.CNIServiceAccountName()) + tu, err := tr.UpdateToken() + Expect(err).ShouldNot(HaveOccurred()) + tokenSegments := strings.Split(tu.Token, ".") + decodedClaims, err := base64.StdEncoding.DecodeString(tokenSegments[1]) + stringClaims := fmt.Sprintf("%q\n", decodedClaims) + Expect(stringClaims).To(ContainSubstring(serviceAccountName)) + }) + It("should create a token successfully and deliver it through the channel", func() { tr := cni.NewTokenRefresher(clientset, namespace, serviceAccountName) tokenChan := tr.TokenChan() diff --git a/node/tests/k8st/infra/calico-kdd.yaml b/node/tests/k8st/infra/calico-kdd.yaml index 4f89ef892f5..89bc913e901 100644 --- a/node/tests/k8st/infra/calico-kdd.yaml +++ b/node/tests/k8st/infra/calico-kdd.yaml @@ -29,13 +29,6 @@ metadata: name: calico-node namespace: kube-system --- -# Source: calico/templates/calico-node.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-cni-plugin - namespace: kube-system ---- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap @@ -187,6 +180,7 @@ rules: - serviceaccounts/token resourceNames: - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -203,7 +197,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: 
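Review bot: The payload segment of a service-account JWT is base64url-encoded without padding, so `base64.StdEncoding.DecodeString(tokenSegments[1])` in the new spec will fail whenever the segment contains `-`/`_` or its length is not a multiple of 4, and the `err` it assigns is never checked, so the `ContainSubstring` assertion runs against whatever partial bytes happened to decode rather than against the claims. Use `decodedClaims, err := base64.RawURLEncoding.DecodeString(tokenSegments[1])` followed by `Expect(err).ShouldNot(HaveOccurred())`, and check `Expect(tokenSegments).To(HaveLen(3))` before indexing so a non-JWT token fails the spec instead of panicking. `os.Setenv("CALICO_CNI_SERVICE_ACCOUNT", serviceAccountName)` is also never undone, so the override leaks into the later specs in this `Describe`; pair it with `defer os.Unsetenv("CALICO_CNI_SERVICE_ACCOUNT")`. A substring match over the whole payload is weak evidence that the token is bound to the right account; unmarshalling the claims and asserting on the `kubernetes.io/serviceaccount/service-account.name` field would pin it, assuming the test cluster issues standard projected tokens. The enclosing `Describe` block starts and ends outside this hunk.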
@@ -341,6 +335,43 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadate: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - ipamconfigs + verbs: + - get + - create +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -368,6 +399,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subject: + kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system --- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well From 3c61908db8d976478defea5aab2f75500c4fad03 Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Mon, 13 Mar 2023 15:41:36 -0700 Subject: [PATCH 09/12] calico-node token --- charts/calico/templates/calico-node-rbac.yaml | 1 - manifests/calico-bpf.yaml | 1 - manifests/calico-etcd.yaml | 1 - manifests/calico-policy-only.yaml | 1 - manifests/calico-typha.yaml | 1 - manifests/calico-vxlan.yaml | 1 - manifests/calico.yaml | 1 - manifests/flannel-migration/calico.yaml | 1 - node/tests/k8st/infra/calico-kdd.yaml | 1 - 9 files changed, 9 deletions(-) diff --git a/charts/calico/templates/calico-node-rbac.yaml b/charts/calico/templates/calico-node-rbac.yaml index 03b40ddf1d1..e8cabeb3326 100644 --- a/charts/calico/templates/calico-node-rbac.yaml 
+++ b/charts/calico/templates/calico-node-rbac.yaml @@ -14,7 +14,6 @@ rules: - canal - calico-cni-plugin {{- else }} - - calico-node - calico-cni-plugin {{- end }} verbs: diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml index f5a878221c0..28c53132bf5 100644 --- a/manifests/calico-bpf.yaml +++ b/manifests/calico-bpf.yaml @@ -4359,7 +4359,6 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node - calico-cni-plugin verbs: - create diff --git a/manifests/calico-etcd.yaml b/manifests/calico-etcd.yaml index 78daf2b6c2d..90c259f8e01 100644 --- a/manifests/calico-etcd.yaml +++ b/manifests/calico-etcd.yaml @@ -153,7 +153,6 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node - calico-cni-plugin verbs: - create diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml index 05d6b50b3de..a7bcaf78d49 100644 --- a/manifests/calico-policy-only.yaml +++ b/manifests/calico-policy-only.yaml @@ -4369,7 +4369,6 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node - calico-cni-plugin verbs: - create diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml index 4d667ebc888..6f69f9e04f8 100644 --- a/manifests/calico-typha.yaml +++ b/manifests/calico-typha.yaml @@ -4370,7 +4370,6 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node - calico-cni-plugin verbs: - create diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml index 42b36dd9007..53c58613bc7 100644 --- a/manifests/calico-vxlan.yaml +++ b/manifests/calico-vxlan.yaml @@ -4354,7 +4354,6 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node - calico-cni-plugin verbs: - create diff --git a/manifests/calico.yaml b/manifests/calico.yaml index 776ede115d8..f1b7f273d4c 100644 --- a/manifests/calico.yaml +++ b/manifests/calico.yaml 
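Review bot: The removal of `- calico-node` from `resourceNames` is applied only to the `{{- else }}` branch; the flannel branch two lines above still lists `- canal`, so canal keeps the ability to mint tokens for its own service account that this patch takes away from calico-node, and the canal manifests (`canal.yaml`, `canal-etcd.yaml`) are absent from this patch's diffstat. If a node daemon issuing tokens for itself is unnecessary (it already holds its own token), drop `- canal` from the flannel branch as well, leaving `- calico-cni-plugin` as the single entry in both branches so the `{{- if }}` can go, and regenerate the canal manifests; otherwise a comment above the rule explaining why canal still needs it would help the next reader. The `serviceaccounts/token` rule this hunk edits begins outside the hunk.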
@@ -4354,7 +4354,6 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node - calico-cni-plugin verbs: - create diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml index ccb08e8b4e5..4b151af70b2 100644 --- a/manifests/flannel-migration/calico.yaml +++ b/manifests/flannel-migration/calico.yaml @@ -4354,7 +4354,6 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node - calico-cni-plugin verbs: - create diff --git a/node/tests/k8st/infra/calico-kdd.yaml b/node/tests/k8st/infra/calico-kdd.yaml index 89bc913e901..fb7e8832e53 100644 --- a/node/tests/k8st/infra/calico-kdd.yaml +++ b/node/tests/k8st/infra/calico-kdd.yaml @@ -179,7 +179,6 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node - calico-cni-plugin verbs: - create From bdf436aded45adf286d4412676138b960d48bbee Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Tue, 21 Mar 2023 16:08:11 -0700 Subject: [PATCH 10/12] calico-cni-plugin service account --- charts/calico/templates/calico-node-rbac.yaml | 20 +++++++------- charts/calico/templates/calico-node.yaml | 7 +++++ manifests/calico-bpf.yaml | 27 ++++++++++++------- manifests/calico-etcd.yaml | 17 +++++++++--- manifests/calico-policy-only.yaml | 17 +++++++++--- manifests/calico-typha.yaml | 27 ++++++++++++------- manifests/calico-vxlan.yaml | 27 ++++++++++++------- manifests/calico.yaml | 27 ++++++++++++------- manifests/canal-etcd.yaml | 17 +++++++++--- manifests/canal.yaml | 17 +++++++++--- manifests/flannel-migration/calico.yaml | 27 ++++++++++++------- node/tests/k8st/infra/calico-kdd.yaml | 27 ++++++++++++------- 12 files changed, 171 insertions(+), 86 deletions(-) diff --git a/charts/calico/templates/calico-node-rbac.yaml b/charts/calico/templates/calico-node-rbac.yaml index e8cabeb3326..eb84ffb3b61 100644 --- a/charts/calico/templates/calico-node-rbac.yaml +++ b/charts/calico/templates/calico-node-rbac.yaml 
@@ -181,7 +181,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] @@ -203,18 +203,16 @@ rules: - blockaffinities - ipamblocks - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs verbs: - get - list - create - update - delete - - apiGroups: [ "crd.projectcalico.org" ] - resources: - - ipamconfigs - verbs: - - get - - create {{- end }} {{- end }} --- @@ -284,15 +282,17 @@ subjects: name: calico-node namespace: kube-system {{- end }} -kind: ClusterRoleBinding +--- + apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system diff --git a/charts/calico/templates/calico-node.yaml b/charts/calico/templates/calico-node.yaml index 57dc091d552..b79cdad2ece 100644 --- a/charts/calico/templates/calico-node.yaml +++ b/charts/calico/templates/calico-node.yaml @@ -657,6 +657,13 @@ kind: ServiceAccount metadata: name: {{include "nodeName" . }} namespace: kube-system +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system {{- if and (eq .Values.datastore "etcd") (eq .Values.network "flannel") }} --- diff --git a/manifests/calico-bpf.yaml b/manifests/calico-bpf.yaml index 28c53132bf5..21d1724e7af 100644 --- a/manifests/calico-bpf.yaml +++ b/manifests/calico-bpf.yaml @@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap 
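Review bot: Folding `clusterinformations`, `ippools`, `ipreservations` and `ipamconfigs` into the existing IPAM rule grants the CNI plugin `create`, `update` and `delete` on all four, whereas the separate rule this hunk removes gave `ipamconfigs` only `get` and `create`, and nothing in the commit says the plugin needs to modify or delete IPPools or ClusterInformation. The `calico-cni-plugin` token is, as far as this series shows, the credential that `token_watch.go` refreshes for the CNI binary on every node, so a read of one node's CNI config would now yield cluster-wide write/delete over IP pools; keep it to what allocation actually needs by splitting the rule into a read-only rule for pools/reservations/cluster info and restoring the narrow `ipamconfigs` rule (add `watch` only if the plugin actually watches these resources, which this diff does not show). The same widening is copied verbatim into the generated manifests later in this series, so they need regenerating once the template is corrected. The `rules:` list and the surrounding `{{- if }}` guards start outside this hunk.

```yaml
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  # Read-only: the CNI plugin consults pools, reservations and cluster info
  # during IPAM but does not manage them.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - clusterinformations
      - ippools
      - ipreservations
    verbs:
      - get
      - list
  # The CNI plugin only needs to read or create the default IPAMConfiguration.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ipamconfigs
    verbs:
      - get
      - create
  # … unchanged: closing {{- end }} guards …
```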
@@ -4518,7 +4525,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] @@ -4538,18 +4545,16 @@ rules: - blockaffinities - ipamblocks - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs verbs: - get - list - create - update - delete - - apiGroups: [ "crd.projectcalico.org" ] - resources: - - ipamconfigs - verbs: - - get - - create --- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding @@ -4578,16 +4583,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- diff --git a/manifests/calico-etcd.yaml b/manifests/calico-etcd.yaml index 90c259f8e01..6263444e376 100644 --- a/manifests/calico-etcd.yaml +++ b/manifests/calico-etcd.yaml @@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-etcd-secrets.yaml # The following contains k8s Secrets for use with a TLS enabled etcd cluster. # For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/ @@ -197,7 +204,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] 
@@ -235,16 +242,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- diff --git a/manifests/calico-policy-only.yaml b/manifests/calico-policy-only.yaml index a7bcaf78d49..818cd1434e3 100644 --- a/manifests/calico-policy-only.yaml +++ b/manifests/calico-policy-only.yaml @@ -45,6 +45,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap @@ -4495,7 +4502,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] @@ -4538,16 +4545,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- diff --git a/manifests/calico-typha.yaml b/manifests/calico-typha.yaml index 6f69f9e04f8..0f07f0d6a47 100644 --- a/manifests/calico-typha.yaml +++ b/manifests/calico-typha.yaml 
@@ -45,6 +45,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap @@ -4529,7 +4536,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] @@ -4549,18 +4556,16 @@ rules: - blockaffinities - ipamblocks - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs verbs: - get - list - create - update - delete - - apiGroups: [ "crd.projectcalico.org" ] - resources: - - ipamconfigs - verbs: - - get - - create --- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding @@ -4589,16 +4594,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- diff --git a/manifests/calico-vxlan.yaml b/manifests/calico-vxlan.yaml index 53c58613bc7..1b7c036a188 100644 --- a/manifests/calico-vxlan.yaml +++ b/manifests/calico-vxlan.yaml @@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap 
@@ -4513,7 +4520,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] @@ -4533,18 +4540,16 @@ rules: - blockaffinities - ipamblocks - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs verbs: - get - list - create - update - delete - - apiGroups: [ "crd.projectcalico.org" ] - resources: - - ipamconfigs - verbs: - - get - - create --- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding @@ -4573,16 +4578,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- diff --git a/manifests/calico.yaml b/manifests/calico.yaml index f1b7f273d4c..49e3df1ea62 100644 --- a/manifests/calico.yaml +++ b/manifests/calico.yaml @@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap @@ -4513,7 +4520,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] 
@@ -4533,18 +4540,16 @@ rules: - blockaffinities - ipamblocks - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs verbs: - get - list - create - update - delete - - apiGroups: [ "crd.projectcalico.org" ] - resources: - - ipamconfigs - verbs: - - get - - create --- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding @@ -4573,16 +4578,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- diff --git a/manifests/canal-etcd.yaml b/manifests/canal-etcd.yaml index 42de0ab98fb..38ba8902e9b 100644 --- a/manifests/canal-etcd.yaml +++ b/manifests/canal-etcd.yaml @@ -29,6 +29,13 @@ metadata: name: canal-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-etcd-secrets.yaml # The following contains k8s Secrets for use with a TLS enabled etcd cluster. # For information on populating Secrets, see http://kubernetes.io/docs/user-guide/secrets/ @@ -203,7 +210,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] 
@@ -301,16 +308,18 @@ subjects: - kind: ServiceAccount name: canal namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- diff --git a/manifests/canal.yaml b/manifests/canal.yaml index 97a39bdaf66..ca54186a51f 100644 --- a/manifests/canal.yaml +++ b/manifests/canal.yaml @@ -29,6 +29,13 @@ metadata: name: canal namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Canal installation. kind: ConfigMap @@ -4498,7 +4505,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] @@ -4581,16 +4588,18 @@ subjects: - kind: ServiceAccount name: canal namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- diff --git a/manifests/flannel-migration/calico.yaml b/manifests/flannel-migration/calico.yaml index 4b151af70b2..617c5623ed6 100644 --- a/manifests/flannel-migration/calico.yaml +++ b/manifests/flannel-migration/calico.yaml 
@@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap @@ -4513,7 +4520,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] @@ -4533,18 +4540,16 @@ rules: - blockaffinities - ipamblocks - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs verbs: - get - list - create - update - delete - - apiGroups: [ "crd.projectcalico.org" ] - resources: - - ipamconfigs - verbs: - - get - - create --- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding @@ -4573,16 +4578,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- diff --git a/node/tests/k8st/infra/calico-kdd.yaml b/node/tests/k8st/infra/calico-kdd.yaml index fb7e8832e53..4ae817e119c 100644 --- a/node/tests/k8st/infra/calico-kdd.yaml +++ b/node/tests/k8st/infra/calico-kdd.yaml @@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap 
@@ -338,7 +345,7 @@ rules: # CNI cluster role kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadate: +metadata: name: calico-cni-plugin rules: - apiGroups: [""] @@ -358,18 +365,16 @@ rules: - blockaffinities - ipamblocks - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs verbs: - get - list - create - update - delete - - apiGroups: [ "crd.projectcalico.org" ] - resources: - - ipamconfigs - verbs: - - get - - create --- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding @@ -398,16 +403,18 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system -kind: ClusterRoleBinding +--- +# Source: calico/templates/calico-node-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: calico-cni-plugin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: calico-cni-plugin -subject: - kind: ServiceAccount +subjects: +- kind: ServiceAccount name: calico-cni-plugin namespace: kube-system --- From 6649e2741ff2482fc6cb026f5c9f048d01003827 Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Thu, 23 Mar 2023 16:10:09 -0700 Subject: [PATCH 11/12] static check fix --- node/pkg/cni/token_watch_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/node/pkg/cni/token_watch_test.go b/node/pkg/cni/token_watch_test.go index a8598ea43e8..98f5c9dea13 100644 --- a/node/pkg/cni/token_watch_test.go +++ b/node/pkg/cni/token_watch_test.go @@ -4,16 +4,15 @@ import ( "context" "encoding/base64" "fmt" - "os" - "strings" - "time" - . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/clientcmd" + "os" + "strings" + "time" "github.com/projectcalico/calico/node/pkg/cni" ) 
@@ -48,6 +47,7 @@ var _ = Describe("FV tests", func() { tokenSegments := strings.Split(tu.Token, ".") decodedClaims, err := base64.StdEncoding.DecodeString(tokenSegments[1]) stringClaims := fmt.Sprintf("%q\n", decodedClaims) + Expect(err).ShouldNot(HaveOccurred()) Expect(stringClaims).To(ContainSubstring(serviceAccountName)) }) From e373cea1f2ebedd2b869856454c656e47fe39faf Mon Sep 17 00:00:00 2001 From: Michal Fupso Date: Thu, 23 Mar 2023 17:10:06 -0700 Subject: [PATCH 12/12] imports --- node/pkg/cni/token_watch_test.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/node/pkg/cni/token_watch_test.go b/node/pkg/cni/token_watch_test.go index 98f5c9dea13..85e67bb971a 100644 --- a/node/pkg/cni/token_watch_test.go +++ b/node/pkg/cni/token_watch_test.go @@ -4,15 +4,16 @@ import ( "context" "encoding/base64" "fmt" + "os" + "strings" + "time" + . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/clientcmd" - "os" - "strings" - "time" "github.com/projectcalico/calico/node/pkg/cni" )
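Review bot: The added `Expect(err).ShouldNot(HaveOccurred())` makes the test depend on `base64.StdEncoding` decoding a JWT payload segment, but JWT segments are base64url without padding (RFC 7515), so StdEncoding rejects `-`/`_` characters and any segment whose length is not a multiple of four; before this patch the error was dropped and the partially decoded bytes presumably still contained the service-account name, which is why the substring check passed. Use `decodedClaims, err := base64.RawURLEncoding.DecodeString(tokenSegments[1])` and place the `Expect(err)` line directly after the decode, before `stringClaims` is built from its result. A guard `Expect(tokenSegments).To(HaveLen(3))` before indexing `tokenSegments[1]` would also turn a malformed token into a clear failure instead of a panic. The enclosing `It` and `Describe` blocks start outside the hunk.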