Add fixes for RBAC
Each k8s service should use its own SSL certificate.
This allows roles to be separated per service.
Added RBAC definitions for kube-dns.
Added small fixes.
Change-Id: I202d51c98eb5c0cc5cb97c40b8cb2c0413bf278b
diff --git a/README.rst b/README.rst
index 7f4dedc..37fa482 100644
--- a/README.rst
+++ b/README.rst
@@ -1083,7 +1083,7 @@
kubernetes:
master:
auth:
- mode: RBAC
+ mode: Node,RBAC
Then you can use ``kubernetes.control.role`` state to orchestrate role and
rolebindings. Following example shows how to create brand new role and binding
diff --git a/kubernetes/files/kube-addons/dns/kubedns-autoscaler-rbac.yaml b/kubernetes/files/kube-addons/dns/kubedns-autoscaler-rbac.yaml
new file mode 100644
index 0000000..c718560
--- /dev/null
+++ b/kubernetes/files/kube-addons/dns/kubedns-autoscaler-rbac.yaml
@@ -0,0 +1,44 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: kube-dns-autoscaler
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: system:kube-dns-autoscaler
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list"]
+ - apiGroups: [""]
+ resources: ["replicationcontrollers/scale"]
+ verbs: ["get", "update"]
+ - apiGroups: ["extensions"]
+ resources: ["deployments/scale", "replicasets/scale"]
+ verbs: ["get", "update"]
+# Remove the configmaps rule once below issue is fixed:
+# kubernetes-incubator/cluster-proportional-autoscaler#16
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: system:kube-dns-autoscaler
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+ - kind: ServiceAccount
+ name: kube-dns-autoscaler
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: system:kube-dns-autoscaler
+ apiGroup: rbac.authorization.k8s.io
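Review bot: The configmaps rule at the end of the ClusterRole grants get/create on configmaps in every namespace, although the autoscaler presumably only needs the one in kube-system; since the comment already marks the rule as temporary, carrying it in a namespaced Role/RoleBinding in kube-system and keeping the ClusterRole to nodes and the scale subresources would limit what a compromised autoscaler pod can reach. The two `# Remove the configmaps rule …` comment lines sit at column 0 inside the rules sequence; that parses, but indenting them to the `- apiGroups` level matches the rest of the file and yamllint's comment-indentation rule. The ServiceAccount here also lacks the `kubernetes.io/cluster-service: "true"` label that the kube-dns ServiceAccount carries in this same change, which looks unintentional.
```yaml
# … unchanged: ServiceAccount, ClusterRole without the configmaps rule, ClusterRoleBinding …
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: system:kube-dns-autoscaler
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  # Remove once kubernetes-incubator/cluster-proportional-autoscaler#16 is fixed.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: system:kube-dns-autoscaler
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: kube-dns-autoscaler
    namespace: kube-system
roleRef:
  kind: Role
  name: system:kube-dns-autoscaler
  apiGroup: rbac.authorization.k8s.io
```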
diff --git a/kubernetes/files/kube-addons/dns/kubedns-autoscaler.yaml b/kubernetes/files/kube-addons/dns/kubedns-autoscaler.yaml
index f8928df..d07f47b 100644
--- a/kubernetes/files/kube-addons/dns/kubedns-autoscaler.yaml
+++ b/kubernetes/files/kube-addons/dns/kubedns-autoscaler.yaml
@@ -37,4 +37,4 @@
- --poll-period-seconds={{ common.addons.dns.autoscaler.get('poll-period-seconds') }}
{%- endif %}
- --v=2
-
+ serviceAccountName: kube-dns-autoscaler
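Review bot: The indentation of the added `serviceAccountName: kube-dns-autoscaler` cannot be checked from this hunk, and it is placed directly after the container's `--v=2` argument; it has to sit at the pod `spec` level (the same indent as `containers:`), not inside the container entry, or the field is rejected or dropped depending on the client. A quick render of the template against a cluster with RBAC enabled would confirm the pod actually starts with that ServiceAccount. The enclosing pod template starts outside the hunk.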
diff --git a/kubernetes/files/kube-addons/dns/kubedns-rc.yaml b/kubernetes/files/kube-addons/dns/kubedns-rc.yaml
index e4cf120..1857aeb 100644
--- a/kubernetes/files/kube-addons/dns/kubedns-rc.yaml
+++ b/kubernetes/files/kube-addons/dns/kubedns-rc.yaml
@@ -152,3 +152,4 @@
memory: 20Mi
cpu: 10m
dnsPolicy: Default # Don't use cluster DNS.
+ serviceAccountName: kube-dns
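Review bot: The pod now runs as the `kube-dns` ServiceAccount, but this change adds no Role or ClusterRole for it; it appears to rely on the API server's bootstrap `system:kube-dns` ClusterRoleBinding, which the commit message ("Added RBAC definitions for kube-dns") does not say. A comment above the added line, `# Permissions come from the bootstrap system:kube-dns ClusterRoleBinding`, would record that dependency for the next maintainer. As in the autoscaler hunk, the field must sit at pod-spec level next to `dnsPolicy`, which the collapsed indentation here does not show. The enclosing template starts outside the hunk.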
diff --git a/kubernetes/files/kube-addons/dns/kubedns-sa.yaml b/kubernetes/files/kube-addons/dns/kubedns-sa.yaml
new file mode 100644
index 0000000..7455b2e
--- /dev/null
+++ b/kubernetes/files/kube-addons/dns/kubedns-sa.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-dns
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
diff --git a/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig b/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
index 9ec6761..85721af 100644
--- a/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
+++ b/kubernetes/files/kube-controller-manager/controller-manager.kubeconfig
@@ -18,5 +18,5 @@
users:
- name: controller_manager-{{ common.cluster_name }}
user:
- client-certificate: /etc/kubernetes/ssl/kubelet-client.crt
- client-key: /etc/kubernetes/ssl/kubelet-client.key
+ client-certificate: /etc/kubernetes/ssl/kube-controller-manager-client.crt
+ client-key: /etc/kubernetes/ssl/kube-controller-manager-client.key
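Review bot: The kubeconfig now points at `/etc/kubernetes/ssl/kube-controller-manager-client.crt`/`.key`, but nothing in this change shows where that pair is issued or what subject it carries; with RBAC the certificate CN is the username, so it has to be `system:kube-controller-manager` for the bootstrap ClusterRoleBinding of that name to apply, otherwise the controller manager is unauthorized after the switch away from the shared kubelet-client cert. The same applies to the proxy.kubeconfig hunk (CN `system:kube-proxy`, bound by `system:node-proxier`) and the scheduler.kubeconfig hunk (CN `system:kube-scheduler`). A comment on the `user:` stanza, e.g. `# CN must be system:kube-controller-manager (bootstrap ClusterRoleBinding)`, would make that explicit, and the state that issues these certificates should be part of this change or referenced in the commit message.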
diff --git a/kubernetes/files/kube-proxy/proxy.kubeconfig b/kubernetes/files/kube-proxy/proxy.kubeconfig
index 307daf8..e6755d4 100644
--- a/kubernetes/files/kube-proxy/proxy.kubeconfig
+++ b/kubernetes/files/kube-proxy/proxy.kubeconfig
@@ -18,5 +18,5 @@
users:
- name: kube_proxy-{{ common.cluster_name }}
user:
- client-certificate: /etc/kubernetes/ssl/kubelet-client.crt
- client-key: /etc/kubernetes/ssl/kubelet-client.key
+ client-certificate: /etc/kubernetes/ssl/kube-proxy-client.crt
+ client-key: /etc/kubernetes/ssl/kube-proxy-client.key
diff --git a/kubernetes/files/kube-scheduler/scheduler.kubeconfig b/kubernetes/files/kube-scheduler/scheduler.kubeconfig
index 8a87e39..439bd05 100644
--- a/kubernetes/files/kube-scheduler/scheduler.kubeconfig
+++ b/kubernetes/files/kube-scheduler/scheduler.kubeconfig
@@ -17,5 +17,5 @@
users:
- name: scheduler-{{ common.cluster_name }}
user:
- client-certificate: /etc/kubernetes/ssl/kubelet-client.crt
- client-key: /etc/kubernetes/ssl/kubelet-client.key
+ client-certificate: /etc/kubernetes/ssl/kube-scheduler-client.crt
+ client-key: /etc/kubernetes/ssl/kube-scheduler-client.key
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index 282fd36..38b170e 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -176,6 +176,7 @@
--leader-elect=true
--root-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
--service-account-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
+ --use-service-account-credentials
{%- if common.get('cloudprovider', {}).get('enabled') %}
--cloud-provider={{ common.cloudprovider.provider }}
{%- if common.get('cloudprovider', {}).get('provider') == 'openstack' %}
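Review bot: `--use-service-account-credentials` is added unconditionally, while the README hunk documents RBAC as a configurable `kubernetes.master.auth.mode`; with this flag each controller authenticates as its own `system:serviceaccount:kube-system:*-controller` identity, which only has permissions through the bootstrap `system:controller:*` roles the API server creates when RBAC is in its `--authorization-mode`. If the pillar allows a non-RBAC mode, consider guarding the flag with the same condition, e.g. `{%- if 'RBAC' in master.get('auth', {}).get('mode', '') %}` (the exact pillar key is inferred from the README hunk, not visible here), or add a comment next to the flag stating that it requires RBAC. The surrounding argument list starts and ends outside the hunk.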