Add support for ClusterRoleBinding #73
Any update on this? This is a missing piece for a number of projects of mine! I'd be happy to take on the rebasing work etc. |
Hey @micahhausler and @radeksimko! I'm in a similar position as @munnerz above. Anything I can do to help? |
@Mistobaan nothing great to report currently. Been playing around with the Kubernetes Ansible module to apply a declaration we wrote, but it's far from bulletproof and means we need multiple tools and then glue code to tie them together in the right order. This feature would be super helpful. |
It looks like this resource is a blocker to being able to set up helm / use the tf helm provider with any k8s cluster that has RBAC enabled, which includes gke from at least 1.7.x-gke on. |
Is the travis setup broken? |
@jhoblitt I believe it's throwing an error from a non-vendored package.
Checking the tree, that package doesn't appear to be present: https://github.com/micahhausler/terraform-provider-kubernetes/tree/f-k8s-clusterrolebinding/vendor/k8s.io |
Good catch. It looks like #117 will pull that in. |
Yea the Travis error is a package problem. I didn't want to bloat this PR with upgrading the whole k8s client. |
Hey @micahhausler and @radeksimko, wanted to see if support for this might be coming any time soon? Any workaround you'd suggest in the meantime? |
@micahhausler and @radeksimko, do you think that this functionality will arrive soon? RBAC is needed to be able to deploy Kubernetes dashboard for example. |
Working with AWS EKS through Terraform and finding the kubernetes provider is currently unusable in this set up (k8s cluster is 1.10) as the user grabbed from the generated kubeconfig has no permissions. I gather it's due to recent k8s RBAC changes which renders the user
I would guess there's a separate issue (or user error) of being able to authenticate using the provided user specified in the kubeconfig and leveraging heptio-authenticator but also, the first steps to creating a useful demo requires creating an admin user that can access the dashboard which requires calls to both ClusterRoleBinding and ServiceAccount. |
Hey guys! What's the status on adding support for ClusterRoleBinding in the terraform k8s provider? |
Another month has passed! Clearly there is a lot of interest in getting this merged - can we at least have the steps required to get this included listed out so we can start working through them? |
It looks like the dependencies need to be updated. Could someone with access to the PR bump those? |
Yes, we need ClusterRole and ClusterRoleBinding in order to set up dynamic Persistent Volume Claims using Azure File 😄 |
@micahhausler Many apologies for the amount of time this PR has been sitting still. I will be taking care of the K8S provider moving forward. I would like to help you get this merged. The PR to update K8S client packages to 1.10 has been merged, so from that POV you're unblocked.
diff --git a/kubernetes/resource_kubernetes_cluster_role_binding.go b/kubernetes/resource_kubernetes_cluster_role_binding.go
index c43c181a6..f7d915784 100644
--- a/kubernetes/resource_kubernetes_cluster_role_binding.go
+++ b/kubernetes/resource_kubernetes_cluster_role_binding.go
@@ -5,11 +5,11 @@ import (
"log"
"github.com/hashicorp/terraform/helper/schema"
+ api "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/api/errors"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
pkgApi "k8s.io/apimachinery/pkg/types"
- api "k8s.io/kubernetes/pkg/apis/rbac/v1"
- kubernetes "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
+ kubernetes "k8s.io/client-go/kubernetes"
)
func resourceKubernetesClusterRoleBinding() *schema.Resource {
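Review bot: The `api` alias on the added `k8s.io/api/rbac/v1` import is easy to misread in this import block, which also pulls in `k8s.io/apimachinery/pkg/api/errors` and a `pkgApi` alias for `k8s.io/apimachinery/pkg/types`. Consider a group-specific alias such as `rbacv1` so that call sites show which API group a type comes from.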
diff --git a/kubernetes/resource_kubernetes_cluster_role_binding_test.go b/kubernetes/resource_kubernetes_cluster_role_binding_test.go
index 401573072..16467eff6 100644
--- a/kubernetes/resource_kubernetes_cluster_role_binding_test.go
+++ b/kubernetes/resource_kubernetes_cluster_role_binding_test.go
@@ -7,9 +7,9 @@ import (
"github.com/hashicorp/terraform/helper/acctest"
"github.com/hashicorp/terraform/helper/resource"
"github.com/hashicorp/terraform/terraform"
+ api "k8s.io/api/rbac/v1"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- api "k8s.io/kubernetes/pkg/apis/rbac/v1"
- kubernetes "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
+ kubernetes "k8s.io/client-go/kubernetes"
)
func TestAccKubernetesClusterRoleBinding(t *testing.T) {
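Review bot: The explicit `kubernetes` alias on the added `k8s.io/client-go/kubernetes` import in the test file is redundant, because that package is already named `kubernetes`. The alias appears to be carried over from the old `clientset_generated/clientset` import; the new line can be written without it, and the same applies to the resource file.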
diff --git a/kubernetes/structures_rbac.go b/kubernetes/structures_rbac.go
index fabb29e59..dd7f54e54 100644
--- a/kubernetes/structures_rbac.go
+++ b/kubernetes/structures_rbac.go
@@ -4,7 +4,7 @@ import (
"strconv"
"github.com/hashicorp/terraform/helper/schema"
- api "k8s.io/kubernetes/pkg/apis/rbac/v1"
+ api "k8s.io/api/rbac/v1"
)
func expandRBACRoleRef(in interface{}) api.RoleRef { |
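Review bot: The new import in structures_rbac.go depends on `k8s.io/api/rbac/v1` being present in the vendored tree, and this patch touches no files under vendor/. Confirm the package is there after the client update to 1.10, since the earlier CI failure on this PR came from a non-vendored package.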
Also please have a look at the acceptance tests specific to this new resource. On a quick run on my machine they fail.
|
LGTM
|
Woot! Thanks folks! |
Yes, thanks everyone for the work to push this through! |
I cloned master and tried using this: resource "kubernetes_cluster_role_binding" "helm" { I am getting this: Error: kubernetes_cluster_role_binding.helm: Provider doesn't support resource: kubernetes_cluster_role_binding |
Thanks... YES --that was the issue. The version downloaded automatically from the web was being used. I did something similar to fix it. Will try your way next time :) Thanks for this work. -john |
Hi, I built the provider and moved it to
module.platform-cluster.kubernetes_cluster_role_binding.tiller: Creating...
metadata.#: "" => "1"
metadata.0.generation: "" => "<computed>"
metadata.0.name: "" => "tiller-clusterrolebinding"
metadata.0.resource_version: "" => "<computed>"
metadata.0.self_link: "" => "<computed>"
metadata.0.uid: "" => "<computed>"
role_ref.%: "" => "3"
role_ref.api_group: "" => "rbac.authorization.k8s.io"
role_ref.kind: "" => "ClusterRole"
role_ref.name: "" => "cluster-admin"
subject.#: "" => "1"
subject.0.api_group: "" => "rbac.authorization.k8s.io"
subject.0.kind: "" => "ServiceAccount"
subject.0.name: "" => "tiller"
subject.0.namespace: "" => "kube-system"
Error: Error applying plan:
1 error(s) occurred:
* module.platform-cluster.kubernetes_cluster_role_binding.tiller: 1 error(s) occurred:
* kubernetes_cluster_role_binding.tiller: ClusterRoleBinding.rbac.authorization.k8s.io "tiller-clusterrolebinding" is invalid: subjects[0].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""
Resource declaration is:
resource "kubernetes_cluster_role_binding" "tiller" {
metadata {
name = "tiller-clusterrolebinding"
}
role_ref {
kind = "ClusterRole"
name = "cluster-admin"
api_group = "rbac.authorization.k8s.io"
}
subject {
kind = "ServiceAccount"
name = "tiller"
api_group = "rbac.authorization.k8s.io"
namespace = "kube-system"
}
}
Any idea? |
@cdaguerre I believe the |
@cdaguerre This is because this resource right now defaults to |
I think a better approach would be to set default empty and allow users to configure it for the On top of that here is written that it applies only to |
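The `subjects[0].apiGroup` rejection reported above follows from how the Kubernetes API defaults and validates a binding subject by kind. The sketch below is an added example, not the provider's code or part of this thread; the `Subject` type and `NormalizeSubject` function are hypothetical names, and it goes slightly beyond the reported case by also covering `User` and `Group` subjects.

```go
package main

import "fmt"

const rbacGroup = "rbac.authorization.k8s.io"

// Subject mirrors the fields of an RBAC binding subject. It is a constructed
// type for this example, not the k8s.io/api/rbac/v1 struct.
type Subject struct {
	Kind, Name, Namespace, APIGroup string
}

// NormalizeSubject applies the per-kind apiGroup default and rejects a value
// the API server would refuse: "" for ServiceAccount, the RBAC group for
// User and Group.
func NormalizeSubject(s Subject) (Subject, error) {
	var want string
	switch s.Kind {
	case "ServiceAccount":
		want = ""
		// A cluster-scoped binding cannot infer the namespace of the account.
		if s.Namespace == "" {
			return s, fmt.Errorf("subject %q: ServiceAccount needs a namespace", s.Name)
		}
	case "User", "Group":
		want = rbacGroup
	default:
		return s, fmt.Errorf("subject %q: unsupported kind %q", s.Name, s.Kind)
	}
	if s.APIGroup != "" && s.APIGroup != want {
		return s, fmt.Errorf("subject %q: apiGroup %q not valid for kind %s, want %q",
			s.Name, s.APIGroup, s.Kind, want)
	}
	s.APIGroup = want
	return s, nil
}

func main() {
	// Constructed input matching the declaration posted in the thread.
	tiller := Subject{Kind: "ServiceAccount", Name: "tiller",
		Namespace: "kube-system", APIGroup: rbacGroup}
	_, err := NormalizeSubject(tiller)
	fmt.Println("as posted:", err)

	tiller.APIGroup = "" // leave it to the per-kind default
	fixed, err := NormalizeSubject(tiller)
	fmt.Printf("corrected: %+v err=%v\n", fixed, err)
}
```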
As part of this PR was a resource added for "kubernetes_cluster_role"?
and I can't see it in the docs |
I would like to know this too, it looks like the Kubernetes provider can do most of the things I need, but it's missing a few core features like roles and daemonsets. Is there a rough timeline for how long it takes before they are added in? |
Re-create of #1, Fixes hashicorp/terraform#15194
@radeksimko I'll rebase once 1.8 is in /vendor