Always create service account even rbac_enabled = false

2026-02-01 01:28:11 -03:30 · 2018-08-22 11:41:29 +08:00
parent 7398858572
commit c3b3572025
34 changed files with 3 additions and 78 deletions
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -41,11 +41,6 @@ calico_felix_prometheusprocessmetricsenabled: "true"
 # see https://github.com/projectcalico/felix/blob/ab8799eaea66627e5db7717e62fca61fd9c08646/python/calico/felix/config.py#L198
 calico_node_ignorelooserpf: false

-rbac_resources:
-  - sa
-  - clusterrole
-  - clusterrolebinding
-
 # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of:
 # * can-reach=DESTINATION
 # * interface=INTERFACE-REGEX
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -191,4 +191,3 @@
  register: calico_node_manifests
  when:
    - inventory_hostname in groups['kube-master']
-    - rbac_enabled or item.type not in rbac_resources
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -22,9 +22,7 @@ spec:
        kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}"
    spec:
      hostNetwork: true
-{% if rbac_enabled %}
      serviceAccountName: calico-node
-{% endif %}
      tolerations:
        - effect: NoSchedule
          operator: Exists
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -31,8 +31,3 @@ calicoctl_memory_limit: 170M
 calicoctl_cpu_limit: 100m
 calicoctl_memory_requests: 32M
 calicoctl_cpu_requests: 25m
-
-rbac_resources:
-  - sa
-  - clusterrole
-  - clusterrolebinding
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -53,7 +53,6 @@
  register: canal_manifests
  when:
    - inventory_hostname in groups['kube-master']
-    - rbac_enabled or item.type not in rbac_resources

 - name: Canal | Copy cni plugins from hyperkube
  command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -rf /opt/cni/bin/. /cnibindir/"
--- a/roles/network_plugin/canal/templates/canal-node.yaml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2
@@ -19,9 +19,7 @@ spec:
        k8s-app: canal-node
    spec:
      hostNetwork: true
-{% if rbac_enabled %}
      serviceAccountName: canal
-{% endif %}
      tolerations:
        - effect: NoSchedule
          operator: Exists
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -18,8 +18,3 @@ cilium_cpu_requests: 100m

 # Optional features
 cilium_enable_prometheus: false
-
-rbac_resources:
-  - sa
-  - clusterrole
-  - clusterrolebinding
--- a/roles/network_plugin/cilium/tasks/main.yml
+++ b/roles/network_plugin/cilium/tasks/main.yml
@@ -38,7 +38,6 @@
  register: cilium_node_manifests
  when:
    - inventory_hostname in groups['kube-master']
-    - rbac_enabled or item.type not in rbac_resources

 - name: Cilium | Set CNI directory permissions
  file:
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@@ -34,9 +34,7 @@ spec:
        prometheus.io/port: "9090"
 {% endif %}
    spec:
-{% if rbac_enabled %}
      serviceAccountName: cilium
-{% endif %}
      initContainers:
        - name: clean-cilium-state
          image: docker.io/library/busybox:1.28.4
--- a/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2
@@ -27,9 +27,7 @@ spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
-{% if rbac_enabled %}
      serviceAccountName: contiv-netmaster
-{% endif %}
      containers:
        - name: contiv-api-proxy
          image: {{ contiv_auth_proxy_image_repo }}:{{ contiv_auth_proxy_image_tag }}
--- a/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2
@@ -27,9 +27,7 @@ spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
-{% if rbac_enabled %}
      serviceAccountName: contiv-netmaster
-{% endif %}
      containers:
        - name: contiv-netmaster
          image: {{ contiv_image_repo }}:{{ contiv_image_tag }}
--- a/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2
+++ b/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2
@@ -26,9 +26,7 @@ spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
-{% if rbac_enabled %}
      serviceAccountName: contiv-netplugin
-{% endif %}
      containers:
        # Runs netplugin container on each Kubernetes node. This
        # container programs network policy and routes on each
--- a/roles/network_plugin/flannel/tasks/main.yml
+++ b/roles/network_plugin/flannel/tasks/main.yml
@@ -11,4 +11,3 @@
  register: flannel_node_manifests
  when:
    - inventory_hostname in groups['kube-master']
-    - rbac_enabled or item.type not in rbac_resources
--- a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
+++ b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2
@@ -52,9 +52,7 @@ spec:
        tier: node
        k8s-app: flannel
    spec:
-{% if rbac_enabled %}
      serviceAccountName: flannel
-{% endif %}
      containers:
      - name: kube-flannel
        image: {{ flannel_image_repo }}:{{ flannel_image_tag }}