Merge pull request #3522 from murali-reddy/3463-kube-router-rbac
Automatic merge from submit-queue.

Use system:kube-router User for clusterrole binding

Since kube-router also provides the service proxy, it has a chicken-and-egg problem (it cannot access the API server until it can set up the service proxy), so service accounts are not usable. The certificate generated for kube-router has CN `system:kube-router`, so the user `system:kube-router` needs to be given the necessary RBAC permissions.

Fixes #3463
Kubernetes Submit Queue committed Oct 9, 2017
2 parents 4440001 + a43df55 commit 211dab1
Showing 1 changed file with 12 additions and 3 deletions.
Expand Up @@ -125,14 +125,21 @@ rules:
- apiGroups: [""]
resources:
- namespaces
- pod
- service
- node
- pods
- services
- nodes
- endpoints
verbs:
- get
- list
- watch
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups: ["extensions"]
resources:
- networkpolicies
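
Review bot: the commit message only mentions the `system:kube-router` user binding, but the core-group rule here also changes `pod`, `service`, `node` to `pods`, `services`, `nodes` and a new `networking.k8s.io` rule for `networkpolicies` is added. RBAC matches resource names literally against the plural form, so the singular entries granted nothing; that fix deserves a line in the commit message so it is findable later. A short YAML comment on why `networkpolicies` is listed under both `extensions` and `networking.k8s.io` would also help whoever next trims this role. The verbs stay at `get`, `list`, `watch`, which keeps the added access read-only.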
Expand All @@ -153,3 +160,5 @@ subjects:
- kind: ServiceAccount
name: kube-router
namespace: kube-system
- kind: User
name: system:kube-router
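
Review bot: the `ServiceAccount` subject `kube-router` in `kube-system` stays bound even though the commit message says service accounts are not usable for kube-router. If nothing authenticates as that service account, drop it so the role has one subject, or add a comment saying why it is kept. For the new `kind: User` entry, consider spelling out `apiGroup: rbac.authorization.k8s.io` rather than relying on defaulting. Note also that this binding makes the grant follow the certificate CN: any client certificate issued by the cluster CA with CN `system:kube-router` receives these permissions, so issuance of that name should be restricted to the kube-router node credentials.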
