Use system:kube-router User for clusterrole binding #3522
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @murali-reddy. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
needs-ok-to-test
|
/assign @zmerlynn |
|
Is |
|
@liggitt or @erictune either of you guys have a chance to review? My RBAC-fu is not quite on par yet. /ok-to-test @murali-reddy e2e only starts for k8s members automatically. One of us has to add the above line for the bot to fire off the test. How many k8s prs have you done? |
k8s-ci-robot
removed
the
needs-ok-to-test
|
@chrislovecnm 3 PR's so far all to the kops |
| apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: kube-router | ||
| subjects: |
There was a problem hiding this comment.
can add this as a second subject to the existing kube-router binding
subjects:
- kind: ServiceAccount
name: kube-router
namespace: kube-system
- kind: User
name: system:kube-router
apiGroup: rbac.authorization.k8s.io
There was a problem hiding this comment.
@murali-reddy nit pick but do we need apiGroup: rbac.authorization.k8s.io Write
| subjects: | ||
| - kind: User | ||
| name: system:kube-router | ||
| namespace: kube-system |
|
nit on combining subjects into a single binding, other changes look fine |
system:kube-router need to be given necessary RBAC permissions Fixes kubernetes#3463
murali-reddy
force-pushed
the
3463-kube-router-rbac
branch
from
082a090
to
a43df55
Compare
|
Updated the patch as per the comments. Thanks @liggitt |
|
@liggitt really appreciate all of the RBAC reviews you do for us! |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. |
Kube-router as it provides service proxy as well, it has a chicken-egg problem (can not
access api server till it can setup service proxy), so service account are not usable. certificate generated for kube-router has CN
system:kube-router, so usersystem:kube-routerneed to be given necessary RBAC permissionsFixes #3463