Use ServiceAccount for netchecker server.
When Kubernetes is deployed with Dashboard and RBAC, every service
account can get and list pods in all namespaces, because the ClusterRole
is defined and bound to all service accounts.
Change-Id: I8a11487296e239d17c94119d4de080e2ab10771e
diff --git a/kubernetes/files/kube-addons/netchecker/netchecker-roles.yml b/kubernetes/files/kube-addons/netchecker/netchecker-roles.yml
index a22da2c..21aed28 100644
--- a/kubernetes/files/kube-addons/netchecker/netchecker-roles.yml
+++ b/kubernetes/files/kube-addons/netchecker/netchecker-roles.yml
@@ -2,9 +2,9 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
- name: netchecker-server
labels:
addonmanager.kubernetes.io/mode: Reconcile
+ name: netchecker-server
rules:
- apiGroups:
- apiextensions.k8s.io
@@ -37,14 +37,14 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
- name: netchecker
labels:
addonmanager.kubernetes.io/mode: Reconcile
+ name: netchecker
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: netchecker-server
subjects:
- - apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: "system:serviceaccounts"
+ - kind: ServiceAccount
+ name: netchecker
+ namespace: netchecker
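Review bot: The subject is now the single `netchecker` ServiceAccount instead of the `system:serviceaccounts` group, but the object stays a ClusterRoleBinding, so whatever `netchecker-server` allows is still granted cluster-wide to that account; if the server only needs to read agent pods in its own namespace, a `RoleBinding` in `netchecker` (or a namespaced Role) would be the tighter fit. Any other workload that previously relied on this binding through the `system:serviceaccounts` group — the netchecker agents, for example, if they talk to the API — loses that access with this change; the hunk does not show whether they do, so this is worth confirming before merging. The ClusterRole's rule list sits outside this hunk.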
diff --git a/kubernetes/files/kube-addons/netchecker/netchecker-server.yml b/kubernetes/files/kube-addons/netchecker/netchecker-server.yml
index 181765c..c72a771 100644
--- a/kubernetes/files/kube-addons/netchecker/netchecker-server.yml
+++ b/kubernetes/files/kube-addons/netchecker/netchecker-server.yml
@@ -19,6 +19,7 @@
prometheus.io/scrape: "true"
prometheus.io/port: "{{ common.addons.netchecker.port }}"
spec:
+ serviceAccountName: netchecker
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
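Review bot: `serviceAccountName: netchecker` only resolves if the server pods are created in the same namespace as the new ServiceAccount (`netchecker`, per netchecker-serviceaccount.yml); the Deployment's `metadata.namespace` is outside this hunk, so confirm they match. Pod creation is rejected by the ServiceAccount admission controller while the account does not yet exist, so the `serviceaccount` addon should be applied before, or reconciled together with, `server`; kube-addons.sls appends it last in `netchecker_resources`, which is only harmless if the addon manager's apply order is not significant here. The enclosing pod template continues outside the hunk.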
@@ -49,4 +50,4 @@
- hostPath:
path: /var/lib/etcd
name: etcd-certs
-{%- endif %}
\ No newline at end of file
+{%- endif %}
diff --git a/kubernetes/files/kube-addons/netchecker/netchecker-serviceaccount.yml b/kubernetes/files/kube-addons/netchecker/netchecker-serviceaccount.yml
new file mode 100644
index 0000000..028a9ba
--- /dev/null
+++ b/kubernetes/files/kube-addons/netchecker/netchecker-serviceaccount.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: netchecker
+ namespace: netchecker
diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index 2d7d150..04f13ae 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -132,7 +132,7 @@
{%- if common.addons.get('netchecker', {'enabled': False}).enabled %}
-{%- set netchecker_resources = ['svc', 'server', 'agent'] %}
+{%- set netchecker_resources = ['svc', 'server', 'agent', 'serviceaccount'] %}
{%- if 'RBAC' in master.auth.get('mode', "") %}