Add fixes for RBAC Each k8s service should use own SSL certificate. This allows to separate roles for services. Added RBAC definitions for kube-dns. Added small fixes. Change-Id: I202d51c98eb5c0cc5cb97c40b8cb2c0413bf278b

commit: f32d7078f27bed1ce8c267964dbbf4eb4f8fc96b [log] [tgz]
author: Andrey Shestakov <ashestakov@mirantis.com> Wed Dec 27 22:18:51 2017 +0200
committer: Andrey Shestakov <ashestakov@mirantis.com> Tue Jan 02 17:59:34 2018 +0200
tree: 5869dc8440264e28d9cadcafe2ddf13aadc609ec
parent: 9b2941a47e97718993f37bbc79e53b7a62bad847 [diff] [blame]
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index 282fd36..38b170e 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls

@@ -176,6 +176,7 @@
         --leader-elect=true
         --root-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
         --service-account-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
+        --use-service-account-credentials
 {%- if common.get('cloudprovider', {}).get('enabled') %}
         --cloud-provider={{ common.cloudprovider.provider }}
 {%- if common.get('cloudprovider', {}).get('provider') == 'openstack' %}
commit	f32d7078f27bed1ce8c267964dbbf4eb4f8fc96b	[log] [tgz]
author	Andrey Shestakov <ashestakov@mirantis.com>	Wed Dec 27 22:18:51 2017 +0200
committer	Andrey Shestakov <ashestakov@mirantis.com>	Tue Jan 02 17:59:34 2018 +0200
tree	5869dc8440264e28d9cadcafe2ddf13aadc609ec
parent	9b2941a47e97718993f37bbc79e53b7a62bad847 [diff] [blame]