Use system:kube-router User for clusterrole binding. Kube-router as it

provides service proxy as well, it has a chicken-egg problem ( can not access api server till it can setup service proxy), so service account are not usable. Fixes #3463
kubernetes · Oct 3, 2017 · 082a090 · 082a090
1 parent 518e97d
commit 082a090
Showing 1 changed file with 23 additions and 3 deletions.
diff --git a/upup/models/cloudup/resources/addons/networking.kuberouter/k8s-1.6.yaml.template b/upup/models/cloudup/resources/addons/networking.kuberouter/k8s-1.6.yaml.template
@@ -125,14 +125,21 @@ rules:
   - apiGroups: [""]
     resources:
       - namespaces
-      - pod
-      - service
-      - node
+      - pods
+      - services
+      - nodes
       - endpoints
     verbs:
       - get
       - list
       - watch
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups: ["extensions"]
     resources:
       - networkpolicies
@@ -153,3 +160,16 @@ subjects:
 - kind: ServiceAccount
   name: kube-router
   namespace: kube-system
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: system:kube-router
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-router
+subjects:
+- kind: User
+  name: system:kube-router
+  namespace: kube-system