From dc023525e0eca5494ecd3cce17eabf736193badd Mon Sep 17 00:00:00 2001
From: portdirect
Date: Tue, 26 Dec 2017 11:57:10 -0500
Subject: [PATCH] Flannel: Fix RBAC definitions

This PS fixes the RBAC declarations for the Flannel Chart.

Change-Id: I9fab67b6089efcd11cac8a04ec5da0f8451b8f2c
---
 flannel/templates/clusterrole-flannel.yaml | 44 -------------------
 .../templates/clusterrolebinding-flannel.yaml | 32 --------------
 .../templates/daemonset-kube-flannel-ds.yaml | 38 ++++++++++++++++
 flannel/templates/serviceaccount-flannel.yaml | 24 ----------
 flannel/values.yaml | 3 --
 5 files changed, 38 insertions(+), 103 deletions(-)
 delete mode 100644 flannel/templates/clusterrole-flannel.yaml
 delete mode 100644 flannel/templates/clusterrolebinding-flannel.yaml
 delete mode 100644 flannel/templates/serviceaccount-flannel.yaml

diff --git a/flannel/templates/clusterrole-flannel.yaml b/flannel/templates/clusterrole-flannel.yaml
deleted file mode 100644
index 88062ac72..000000000
--- a/flannel/templates/clusterrole-flannel.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.clusterrole_flannel }}
-{{- $envAll := . }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: flannel
-rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
-{{- end }}
diff --git a/flannel/templates/clusterrolebinding-flannel.yaml b/flannel/templates/clusterrolebinding-flannel.yaml
deleted file mode 100644
index 05e47f498..000000000
--- a/flannel/templates/clusterrolebinding-flannel.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.clusterrolebinding_flannel }}
-{{- $envAll := . }}
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: flannel
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: flannel
-subjects:
-- kind: ServiceAccount
- name: flannel
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/flannel/templates/daemonset-kube-flannel-ds.yaml b/flannel/templates/daemonset-kube-flannel-ds.yaml
index 63f6031b1..e6d1160b6 100644
--- a/flannel/templates/daemonset-kube-flannel-ds.yaml
+++ b/flannel/templates/daemonset-kube-flannel-ds.yaml
@@ -25,6 +25,44 @@ limitations under the License.
 {{- $serviceAccountName := "flannel"}}
 {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: {{ $serviceAccountName }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ $serviceAccountName }}
+subjects:
+- kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
diff --git a/flannel/templates/serviceaccount-flannel.yaml b/flannel/templates/serviceaccount-flannel.yaml
deleted file mode 100644
index 3b1095833..000000000
--- a/flannel/templates/serviceaccount-flannel.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.serviceaccount_flannel }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: flannel
-{{- end }}
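Review bot: The ClusterRole and ClusterRoleBinding added in daemonset-kube-flannel-ds.yaml are cluster-scoped but take the fixed name `{{ $serviceAccountName }}` (set to "flannel" in the context line above them), while the binding's subject follows `{{ .Release.Namespace }}`. A second release of the chart, or a `flannel` role left behind by another installer, would map onto the same two objects, so depending on how the conflict is resolved the install either fails or the node `list`/`watch` and `nodes/status` `patch` grant ends up bound to a service account in a namespace nobody reviewed. Scoping the names to the release avoids that, for example `name: {{ printf "%s-%s" .Release.Name $serviceAccountName }}` on both objects and in `roleRef.name`. The commit also removes the `manifests.clusterrole_flannel` and `manifests.clusterrolebinding_flannel` toggles, so these objects now render whenever the DaemonSet template does; the enclosing `if` is outside the hunk, so I could not confirm which switch still gates them. A one-line comment above each rule saying which flannel operation needs it would help keep the role least-privilege in later edits.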
diff --git a/flannel/values.yaml b/flannel/values.yaml index 7f9e8b761..b1f5007f7 100644 --- a/flannel/values.yaml +++ b/flannel/values.yaml @@ -78,10 +78,7 @@ endpoints: node: 5000 manifests: - clusterrole_flannel: true - clusterrolebinding_flannel: true configmap_bin: true configmap_kube_flannel_cfg: true daemonset_kube_flannel_ds: true job_image_repo_sync: true - serviceaccount_flannel: true