Adjust heapster addon to work with RBAC
Change-Id: I5b6ac3742cc600d87a0973301f5585e4c7550256
diff --git a/kubernetes/files/kube-addons/heapster-influxdb/heapster-account.yaml b/kubernetes/files/kube-addons/heapster-influxdb/heapster-account.yaml
new file mode 100644
index 0000000..3219428
--- /dev/null
+++ b/kubernetes/files/kube-addons/heapster-influxdb/heapster-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: heapster
+ namespace: kube-system
diff --git a/kubernetes/files/kube-addons/heapster-influxdb/heapster-controller.yaml b/kubernetes/files/kube-addons/heapster-influxdb/heapster-controller.yaml
index 6f26727..5949f03 100644
--- a/kubernetes/files/kube-addons/heapster-influxdb/heapster-controller.yaml
+++ b/kubernetes/files/kube-addons/heapster-influxdb/heapster-controller.yaml
@@ -1,3 +1,4 @@
+{%- from "kubernetes/map.jinja" import master with context -%}
apiVersion: v1
kind: ReplicationController
metadata:
@@ -21,6 +22,9 @@
version: v6
kubernetes.io/cluster-service: "true"
spec:
+ {%- if 'RBAC' in master.auth.get('mode', "") %}
+ serviceAccountName: heapster
+ {%- endif %}
containers:
- name: heapster
image: kubernetes/heapster:canary
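Review bot: With `serviceAccountName: heapster` added, this pod runs with a token bound to `system:heapster` whenever RBAC is enabled, yet the image in the context line below is still the floating tag `kubernetes/heapster:canary`. Whatever is published under that tag would inherit the new API access, so this change is a good moment to pin the image, for example `image: kubernetes/heapster:<pinned-version>` (placeholder) or a digest. The RBAC test here also duplicates the one in kube-addons.sls, and if the two drift apart the controller will reference a ServiceAccount that was never deployed. The `spec:` block starts and continues outside this hunk.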
diff --git a/kubernetes/files/kube-addons/heapster-influxdb/heapster-role.yaml b/kubernetes/files/kube-addons/heapster-influxdb/heapster-role.yaml
new file mode 100644
index 0000000..ba800fc
--- /dev/null
+++ b/kubernetes/files/kube-addons/heapster-influxdb/heapster-role.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+ name: heapster
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "system:heapster"
+subjects:
+ - kind: ServiceAccount
+ name: heapster
+ namespace: kube-system
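Review bot: Nothing in this new file says that it grants cluster-wide access or where the referenced role comes from, and the name heapster-role.yaml suggests a Role while the object is a ClusterRoleBinding. `system:heapster` is not defined anywhere in this change, so the binding presumably relies on the API server's bootstrap roles. If that role is absent, heapster would run under RBAC without the permissions it needs. I would add a header comment such as `# Binds the kube-system/heapster ServiceAccount to the built-in system:heapster ClusterRole (cluster-wide scope)`. Renaming the file to heapster-rolebinding.yaml would also help, with the matching entry changed in the resource list in kube-addons.sls.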
diff --git a/kubernetes/master/kube-addons.sls b/kubernetes/master/kube-addons.sls
index 722cd49..b885192 100644
--- a/kubernetes/master/kube-addons.sls
+++ b/kubernetes/master/kube-addons.sls
@@ -291,53 +291,39 @@
{%- if common.addons.get('heapster_influxdb', {'enabled': False}).enabled %}
-/etc/kubernetes/addons/heapster-influxdb/heapster-address.yaml:
+{%- set heapster_resources = ['address', 'controller', 'endpoint', 'service'] %}
+
+{%- if 'RBAC' in master.auth.get('mode', "") %}
+
+{%- set heapster_resources = heapster_resources + ['account', 'role'] %}
+
+{%- endif %}
+
+{%- for resource in heapster_resources %}
+
+/etc/kubernetes/addons/heapster-influxdb/heapster-{{ resource }}.yaml:
file.managed:
- - source: salt://kubernetes/files/kube-addons/heapster-influxdb/heapster-address.yaml
+ - source: salt://kubernetes/files/kube-addons/heapster-influxdb/heapster-{{ resource }}.yaml
- template: jinja
- group: root
- dir_mode: 755
- makedirs: True
-/etc/kubernetes/addons/heapster-influxdb/heapster-controller.yaml:
+{%- endfor %}
+
+{%- set influxdb_resources = ['controller', 'service'] %}
+
+{%- for resource in influxdb_resources %}
+
+/etc/kubernetes/addons/heapster-influxdb/influxdb-{{ resource }}.yaml:
file.managed:
- - source: salt://kubernetes/files/kube-addons/heapster-influxdb/heapster-controller.yaml
+ - source: salt://kubernetes/files/kube-addons/heapster-influxdb/influxdb-{{ resource }}.yaml
- template: jinja
- group: root
- dir_mode: 755
- makedirs: True
-/etc/kubernetes/addons/heapster-influxdb/heapster-endpoint.yaml:
- file.managed:
- - source: salt://kubernetes/files/kube-addons/heapster-influxdb/heapster-endpoint.yaml
- - template: jinja
- - group: root
- - dir_mode: 755
- - makedirs: True
-
-/etc/kubernetes/addons/heapster-influxdb/heapster-service.yaml:
- file.managed:
- - source: salt://kubernetes/files/kube-addons/heapster-influxdb/heapster-service.yaml
- - template: jinja
- - group: root
- - dir_mode: 755
- - makedirs: True
-
-/etc/kubernetes/addons/heapster-influxdb/influxdb-controller.yaml:
- file.managed:
- - source: salt://kubernetes/files/kube-addons/heapster-influxdb/influxdb-controller.yaml
- - template: jinja
- - group: root
- - dir_mode: 755
- - makedirs: True
-
-/etc/kubernetes/addons/heapster-influxdb/influxdb-service.yaml:
- file.managed:
- - source: salt://kubernetes/files/kube-addons/heapster-influxdb/influxdb-service.yaml
- - template: jinja
- - group: root
- - dir_mode: 755
- - makedirs: True
+{%- endfor %}
{% endif %}
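Review bot: The `account` and `role` manifests are only added to `heapster_resources` when RBAC is in the auth mode, but nothing removes them once they have been written. A master later switched away from RBAC therefore keeps heapster-account.yaml and heapster-role.yaml in /etc/kubernetes/addons, and with them the ClusterRoleBinding, because a `file.managed` state that is no longer rendered does not delete its file. An `else` branch with `file.absent` for those two paths would close that gap; presumably the addon manager then prunes the Reconcile-labelled objects, which is worth confirming. The enclosing `if common.addons...` block opens in a context line, and the hunk assumes `master` is already imported in this file, which is not visible here.

```yaml
{%- if 'RBAC' in master.auth.get('mode', "") %}
{%- set heapster_resources = heapster_resources + ['account', 'role'] %}
{%- else %}
{%- for resource in ['account', 'role'] %}

/etc/kubernetes/addons/heapster-influxdb/heapster-{{ resource }}.yaml:
  file.absent

{%- endfor %}
{%- endif %}
# … unchanged: file.managed loops over heapster_resources and influxdb_resources …
```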