-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use system:kube-router User for clusterrole binding #3522
Use system:kube-router User for clusterrole binding #3522
Conversation
Hi @murali-reddy. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/assign @zmerlynn |
Is |
@liggitt or @erictune either of you guys have a chance to review? My RBAC-fu is not quite on par yet. /ok-to-test @murali-reddy e2e only starts for k8s members automatically. One of us has to add the above line for the bot to fire off the test. How many k8s prs have you done? |
@chrislovecnm 3 PR's so far all to the kops |
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: kube-router | ||
subjects: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can add this as a second subject to the existing kube-router
binding
subjects:
- kind: ServiceAccount
name: kube-router
namespace: kube-system
- kind: User
name: system:kube-router
apiGroup: rbac.authorization.k8s.io
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@murali-reddy nit pick but do we need apiGroup: rbac.authorization.k8s.io Write
subjects: | ||
- kind: User | ||
name: system:kube-router | ||
namespace: kube-system |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
users don't have namespaces
nit on combining subjects into a single binding, other changes look fine |
system:kube-router need to be given necessary RBAC permissions Fixes kubernetes#3463
082a090
to
a43df55
Compare
Updated the patch as per the comments. Thanks @liggitt |
@liggitt really appreciate all of the RBAC reviews you do for us! |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue. |
Kube-router as it provides service proxy as well, it has a chicken-egg problem (can not
access api server till it can setup service proxy), so service account are not usable. certificate generated for kube-router has CN
system:kube-router
, so usersystem:kube-router
need to be given necessary RBAC permissionsFixes #3463