Merge pull request #1382 from jwfang/rbac

basic rbac support
2026-01-31 17:19:17 -03:30 · 2017-08-07 08:01:51 -05:00
parent 6eacedc443 805d9f22ce
commit 383d582b47
35 changed files with 450 additions and 105 deletions
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -16,7 +16,7 @@
 - include: "install_{{ kubelet_deployment_type }}.yml"

 - name: install | Write kubelet systemd init file
-  template: 
+  template:
    src: "kubelet.{{ kubelet_deployment_type }}.service.j2"
    dest: "/etc/systemd/system/kubelet.service"
    backup: "yes"
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -30,9 +30,12 @@

 - name: write the kubecfg (auth) file for kubelet
  template:
-    src: node-kubeconfig.yaml.j2
-    dest: "{{ kube_config_dir }}/node-kubeconfig.yaml"
+    src: "{{ item }}-kubeconfig.yaml.j2"
+    dest: "{{ kube_config_dir }}/{{ item }}-kubeconfig.yaml"
    backup: yes
+  with_items:
+    - node
+    - kube-proxy
  notify: restart kubelet
  tags: kubelet

--- a/roles/kubernetes/node/templates/kube-proxy-kubeconfig.yaml.j2
+++ b/roles/kubernetes/node/templates/kube-proxy-kubeconfig.yaml.j2
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: local
+  cluster:
+    certificate-authority: {{ kube_cert_dir }}/ca.pem
+    server: {{ kube_apiserver_endpoint }}
+users:
+- name: kube-proxy
+  user:
+    client-certificate: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}.pem
+    client-key: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}-key.pem
+contexts:
+- context:
+    cluster: local
+    user: kube-proxy
+  name: kube-proxy-{{ cluster_name }}
+current-context: kube-proxy-{{ cluster_name }}
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -25,10 +25,7 @@ spec:
    - /hyperkube
    - proxy
    - --v={{ kube_log_level }}
-    - --master={{ kube_apiserver_endpoint }}
-{% if not is_kube_master %}
-    - --kubeconfig={{kube_config_dir}}/node-kubeconfig.yaml
-{% endif %}
+    - --kubeconfig={{kube_config_dir}}/kube-proxy-kubeconfig.yaml
    - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
    - --cluster-cidr={{ kube_pods_subnet }}
    - --proxy-mode={{ kube_proxy_mode }}
@@ -41,14 +38,14 @@ spec:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
-    - mountPath: {{kube_config_dir}}/node-kubeconfig.yaml
-      name: "kubeconfig"
+    - mountPath: "{{ kube_config_dir }}/ssl"
+      name: etc-kube-ssl
      readOnly: true
-    - mountPath: {{kube_config_dir}}/ssl
-      name: "etc-kube-ssl"
+    - mountPath: "{{ kube_config_dir }}/kube-proxy-kubeconfig.yaml"
+      name: kubeconfig
      readOnly: true
    - mountPath: /var/run/dbus
-      name: "var-run-dbus"
+      name: var-run-dbus
      readOnly: false
  volumes:
  - name: ssl-certs-host
@@ -58,12 +55,12 @@ spec:
 {% else %}
      path: /usr/share/ca-certificates
 {% endif %}
-  - name: "kubeconfig"
+  - name: etc-kube-ssl
    hostPath:
-      path: "{{kube_config_dir}}/node-kubeconfig.yaml"
-  - name: "etc-kube-ssl"
+      path: "{{ kube_config_dir }}/ssl"
+  - name: kubeconfig
    hostPath:
-      path: "{{kube_config_dir}}/ssl"
-  - name: "var-run-dbus"
+      path: "{{ kube_config_dir }}/kube-proxy-kubeconfig.yaml"
+  - name: var-run-dbus
    hostPath:
-      path: "/var/run/dbus"
+      path: /var/run/dbus