Merge b515853 into e413513

linode · Aug 3, 2021 · 7508efb · 7508efb
2 parents e413513 + b515853
commit 7508efb
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 3 deletions.
diff --git a/deploy/ccm-linode-template.yaml b/deploy/ccm-linode-template.yaml
@@ -15,15 +15,44 @@ metadata:
   name: ccm-linode
   namespace: kube-system
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ccm-linode-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["endpoints"]
+  verbs: ["get", "watch", "list", "update", "create"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "watch", "list", "update", "delete", "patch"]
+- apiGroups: [""]
+  resources: ["nodes/status"]
+  verbs: ["get", "watch", "list", "update", "delete", "patch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["get", "watch", "list", "update", "create", "patch"]
+- apiGroups: [""]
+  resources: ["persistentvolumes"]
+  verbs: ["get", "watch", "list", "update"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["services/status"]
+  verbs: ["get", "watch", "list", "update", "patch"]
+---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: system:ccm-linode
+  name: ccm-linode-clusterrolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  # TODO: make these permissions more fine-grained
-  name: cluster-admin
+  name: ccm-linode-clusterrole
 subjects:
 - kind: ServiceAccount
   name: ccm-linode

diff --git a/main.go b/main.go
@@ -69,6 +69,28 @@ func main() {
 	// Add Linode-specific flags
 	command.Flags().BoolVar(&linode.Options.LinodeGoDebug, "linodego-debug", false, "enables debug output for the LinodeAPI wrapper")
 
+	// Set static flags
+	command.Flags().VisitAll(func(fl *pflag.Flag) {
+		var err error
+		switch fl.Name {
+		case "cloud-provider":
+			err = fl.Value.Set(linode.ProviderName)
+		case
+			// Prevent reaching out to an authentication-related ConfigMap that
+			// we do not need, and thus do not intend to create RBAC permissions
+			// for. See also
+			// https://github.com/linode/linode-cloud-controller-manager/issues/91
+			// and https://github.com/kubernetes/cloud-provider/issues/29.
+			"authentication-skip-lookup":
+			err = fl.Value.Set("true")
+		}
+
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "failed to set flag %q: %s\n", fl.Name, err)
+			os.Exit(1)
+		}
+	})
+
 	// Make the Linode-specific CCM bits aware of the kubeconfig flag
 	linode.Options.KubeconfigFlag = command.Flags().Lookup("kubeconfig")
 	if linode.Options.KubeconfigFlag == nil {