Always create service account even rbac_enabled = false

2026-05-19 23:07:47 -02:30 · 2018-08-22 11:41:29 +08:00
parent 7398858572
commit c3b3572025
34 changed files with 3 additions and 78 deletions
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -66,8 +66,3 @@ dashboard_token_ttl: 900
 # SSL
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
-
-rbac_resources:
-  - sa
-  - clusterrole
-  - clusterrolebinding
--- a/roles/kubernetes-apps/ansible/tasks/coredns.yml
+++ b/roles/kubernetes-apps/ansible/tasks/coredns.yml
@@ -16,7 +16,6 @@
  when:
    - dns_mode in ['coredns', 'coredns_dual']
    - inventory_hostname == groups['kube-master'][0]
-    - rbac_enabled or item.type not in rbac_resources
  tags:
    - coredns

@@ -34,6 +33,5 @@
  when:
    - dns_mode == 'coredns_dual'
    - inventory_hostname == groups['kube-master'][0]
-    - rbac_enabled or item.type not in rbac_resources
  tags:
    - coredns
--- a/roles/kubernetes-apps/ansible/tasks/kubedns.yml
+++ b/roles/kubernetes-apps/ansible/tasks/kubedns.yml
@@ -16,7 +16,6 @@
  when:
    - dns_mode in ['kubedns','dnsmasq_kubedns']
    - inventory_hostname == groups['kube-master'][0]
-    - rbac_enabled or item.type not in rbac_resources
  tags:
    - dnsmasq
    - kubedns
--- a/roles/kubernetes-apps/ansible/tasks/netchecker.yml
+++ b/roles/kubernetes-apps/ansible/tasks/netchecker.yml
@@ -35,7 +35,6 @@
  register: manifests
  when:
    - inventory_hostname == groups['kube-master'][0]
-    - rbac_enabled or item.type not in rbac_resources

 - name: Kubernetes Apps | Purge old Netchecker server
  kube:
--- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
@@ -26,9 +26,7 @@ spec:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
-{% if rbac_enabled %}
      serviceAccountName: coredns
-{% endif %}
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
--- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2
@@ -64,6 +64,4 @@ spec:
        - --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}}
        - --logtostderr=true
        - --v=2
-{% if rbac_enabled %}
      serviceAccountName: cluster-proportional-autoscaler
-{% endif %}
--- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2
@@ -172,6 +172,4 @@ spec:
            memory: 20Mi
            cpu: 10m
      dnsPolicy: Default  # Don't use cluster DNS.
-{% if rbac_enabled %}
      serviceAccountName: kube-dns
-{% endif %}
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
@@ -33,6 +33,4 @@ spec:
      tolerations:
        - effect: NoSchedule
          operator: Exists
-{% if rbac_enabled %}
      serviceAccountName: netchecker-server
-{% endif %}