Always create service account even rbac_enabled = false

2026-03-06 03:01:13 -03:30 · 2018-08-22 11:41:29 +08:00
parent 7398858572
commit c3b3572025
34 changed files with 3 additions and 78 deletions
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -41,11 +41,6 @@ calico_felix_prometheusprocessmetricsenabled: "true"
 # see https://github.com/projectcalico/felix/blob/ab8799eaea66627e5db7717e62fca61fd9c08646/python/calico/felix/config.py#L198
 calico_node_ignorelooserpf: false

-rbac_resources:
-  - sa
-  - clusterrole
-  - clusterrolebinding
-
 # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of:
 # * can-reach=DESTINATION
 # * interface=INTERFACE-REGEX
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -191,4 +191,3 @@
  register: calico_node_manifests
  when:
    - inventory_hostname in groups['kube-master']
-    - rbac_enabled or item.type not in rbac_resources
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -22,9 +22,7 @@ spec:
        kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}"
    spec:
      hostNetwork: true
-{% if rbac_enabled %}
      serviceAccountName: calico-node
-{% endif %}
      tolerations:
        - effect: NoSchedule
          operator: Exists