Splits kuryr-controller and kuryr-cni ServiceAccounts
The same ServiceAccount was used for kuryr-controller and kuryr-cni. This change splits the ServiceAccount, generates two ServiceAccounts, controller_service_account.yaml and cni_service_account.yaml and applies them.The documentation, Kuryr installation as kubernetes addon network addon was also updated to reflect this change. Change-Id: I567aaa38f5498af4641e06002b808915dd467aec Closes-Bug: #1764783
This commit is contained in:
parent
ba12753374
commit
6a6e4907e5
|
@ -417,11 +417,14 @@ data:
|
|||
EOF
|
||||
}
|
||||
|
||||
# Generates kuryr-controller service account and kuryr-cni service account.
|
||||
function generate_kuryr_service_account() {
|
||||
output_dir=$1
|
||||
mkdir -p "$output_dir"
|
||||
rm -f ${output_dir}/service_account.yml
|
||||
cat >> "${output_dir}/service_account.yml" << EOF
|
||||
rm -f ${output_dir}/controller_service_account.yml
|
||||
rm -f ${output_dir}/cni_service_account.yml
|
||||
cat >> "${output_dir}/controller_service_account.yml" << EOF
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
|
@ -482,6 +485,45 @@ roleRef:
|
|||
name: kuryr-controller
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
EOF
|
||||
|
||||
cat >> "${output_dir}/cni_service_account.yml" << EOF
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kuryr-cni
|
||||
namespace: kube-system
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: kuryr-cni
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
verbs: ["*"]
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
- apiGroups:
|
||||
- openstack.org
|
||||
verbs: ["*"]
|
||||
resources:
|
||||
- kuryrports
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: kuryr-cni-global
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kuryr-cni
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: kuryr-cni
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
EOF
|
||||
}
|
||||
|
||||
function generate_controller_deployment() {
|
||||
|
@ -622,7 +664,7 @@ spec:
|
|||
- key: "node.kubernetes.io/not-ready"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
serviceAccountName: kuryr-controller
|
||||
serviceAccountName: kuryr-cni
|
||||
containers:
|
||||
- name: kuryr-cni
|
||||
image: kuryr/cni:latest
|
||||
|
|
|
@ -177,8 +177,11 @@ function run_containerized_kuryr_resources {
|
|||
"${k8s_data_dir}/certificates_secret.yml" \
|
||||
|| die $LINENO "Failed to create kuryr-kubernetes certificates Secret."
|
||||
/usr/local/bin/kubectl create -f \
|
||||
"${k8s_data_dir}/service_account.yml" \
|
||||
|| die $LINENO "Failed to create kuryr-kubernetes ServiceAccount."
|
||||
"${k8s_data_dir}/controller_service_account.yml" \
|
||||
|| die $LINENO "Failed to create kuryr-controller ServiceAccount."
|
||||
/usr/local/bin/kubectl create -f \
|
||||
"${k8s_data_dir}/cni_service_account.yml" \
|
||||
|| die $LINENO "Failed to create kuryr-cni ServiceAccount."
|
||||
|
||||
if is_service_enabled openshift-master; then
|
||||
# NOTE(dulek): For OpenShift add privileged SCC to serviceaccount.
|
||||
|
|
|
@ -119,11 +119,12 @@ Example run:
|
|||
|
||||
$ KURYR_K8S_API_ROOT="192.168.0.1:6443" ./tools/generate_k8s_resource_definitions.sh /tmp
|
||||
|
||||
This should generate 5 files in your ``<output_dir>``:
|
||||
This should generate 6 files in your ``<output_dir>``:
|
||||
|
||||
* config_map.yml
|
||||
* certificates_secret.yml
|
||||
* service_account.yml
|
||||
* controller_service_account.yml
|
||||
* cni_service_account.yml
|
||||
* controller_deployment.yml
|
||||
* cni_ds.yml
|
||||
|
||||
|
@ -150,7 +151,8 @@ To deploy the files on your Kubernetes cluster run:
|
|||
|
||||
$ kubectl apply -f config_map.yml -n kube-system
|
||||
$ kubectl apply -f certificates_secret.yml -n kube-system
|
||||
$ kubectl apply -f service_account.yml -n kube-system
|
||||
$ kubectl apply -f controller_service_account.yml -n kube-system
|
||||
$ kubectl apply -f cni_service_account.yml -n kube-system
|
||||
$ kubectl apply -f controller_deployment.yml -n kube-system
|
||||
$ kubectl apply -f cni_ds.yml -n kube-system
|
||||
|
||||
|
|
Loading…
Reference in New Issue