From 84f62875f3114cfd7536af1040c37f0df6ac7c0a Mon Sep 17 00:00:00 2001
From: Somtochi Onyekwere
Date: Sun, 21 Jun 2020 14:39:58 +0100
Subject: [PATCH] Adds role for manager
---
 .../patches/apiserver_endpoint.patch.yaml | 2 +-
 kubeproxy/config/rbac/kustomization.yaml | 2 ++
 kubeproxy/config/rbac/manager_role.yaml | 27 +++++++++++++++++++
 .../config/rbac/manager_rolebinding.yaml | 12 +++++++++
 kubeproxy/main.go | 1 +
 5 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 kubeproxy/config/rbac/manager_role.yaml
 create mode 100644 kubeproxy/config/rbac/manager_rolebinding.yaml
diff --git a/kubeproxy/config/manager/patches/apiserver_endpoint.patch.yaml b/kubeproxy/config/manager/patches/apiserver_endpoint.patch.yaml
index bb33fc4b..f6ab16fb 100644
--- a/kubeproxy/config/manager/patches/apiserver_endpoint.patch.yaml
+++ b/kubeproxy/config/manager/patches/apiserver_endpoint.patch.yaml
@@ -10,6 +10,6 @@ spec:
 - name: manager
 env:
 - name: KUBERNETES_SERVICE_HOST
- value: "172.17.0.2"
+ value: "172.17.0.3"
 - name: KUBERNETES_SERVICE_PORT
 value: "6443"
diff --git a/kubeproxy/config/rbac/kustomization.yaml b/kubeproxy/config/rbac/kustomization.yaml
index 817f1fe6..e0f65dbf 100644
--- a/kubeproxy/config/rbac/kustomization.yaml
+++ b/kubeproxy/config/rbac/kustomization.yaml
@@ -3,6 +3,8 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- manager_role.yaml
+- manager_rolebinding.yaml
 # Comment the following 3 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
diff --git a/kubeproxy/config/rbac/manager_role.yaml b/kubeproxy/config/rbac/manager_role.yaml
new file mode 100644
index 00000000..ac7e5bbb
--- /dev/null
+++ b/kubeproxy/config/rbac/manager_role.yaml
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: main-manager-role
+rules:
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: [""]
+ resources: ["events", "serviceaccounts"]
+ verbs: ["create", "patch", "update"]
+- apiGroups: ["apps", "extensions"]
+ resources: ["daemonsets"]
+ verbs: ["get", "watch", "list", "create", "patch"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterrolebindings"]
+ verbs: ["get", "watch", "list", "create"]
+- apiGroups: ["app.k8s.io"]
+ resources: ["applications"]
+ verbs: ["get", "watch", "list", "create", "patch"]
+- apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["list", "watch"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["create", "patch", "update"]
diff --git a/kubeproxy/config/rbac/manager_rolebinding.yaml b/kubeproxy/config/rbac/manager_rolebinding.yaml
new file mode 100644
index 00000000..39fe22c4
--- /dev/null
+++ b/kubeproxy/config/rbac/manager_rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: main-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: main-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: system
diff --git a/kubeproxy/main.go b/kubeproxy/main.go
index edf0503c..b06ffa51 100644
--- a/kubeproxy/main.go
+++ b/kubeproxy/main.go
@@ -57,6 +57,7 @@ func main() {
 Scheme: scheme,
 MetricsBindAddress: metricsAddr,
 LeaderElection: enableLeaderElection,
+ LeaderElectionID: "kubeproxy-operator",
 Port: 9443,
 })
 if err != nil {
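Review bot: The first rule in manager_role.yaml pairs `apiGroups: [""]` with `resources: ["*"]`, and because this is a ClusterRole it gives the manager `get`, `list` and `watch` on every core resource in every namespace, Secrets included. Nothing in this patch shows the controller reading Secrets, so the wildcard looks broader than needed; replace it with the explicit kinds the controller reads, in the form `resources: ["<kind-1>", "<kind-2>"]` (placeholders, the real list is not visible here). The rule granting `create` on `clusterrolebindings` further down would also benefit from a comment naming the binding the operator creates, since it lets the manager add cluster-wide RBAC bindings.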
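Review bot: The subject in manager_rolebinding.yaml is the `default` ServiceAccount of namespace `system` (or whatever namespace kustomize rewrites that to), so every pod in that namespace that does not set its own service account inherits `main-manager-role`, not only the manager. A dedicated account keeps the grant scoped to the operator: point the subject at it with `name: <manager-service-account>` (placeholder) and set the same name as `serviceAccountName` on the manager Deployment, which is outside this patch.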