Merge "Splits kuryr-controller and kuryr-cni ServiceAccounts"

Zuul 2020-10-28 03:13:43 +00:00 committed by Gerrit Code Review
commit 0a31327da8
3 changed files with 54 additions and 7 deletions


@ -417,11 +417,14 @@ data:
EOF EOF
} }
# Generates kuryr-controller service account and kuryr-cni service account.
function generate_kuryr_service_account() { function generate_kuryr_service_account() {
output_dir=$1 output_dir=$1
mkdir -p "$output_dir" mkdir -p "$output_dir"
rm -f ${output_dir}/service_account.yml rm -f ${output_dir}/service_account.yml
cat >> "${output_dir}/service_account.yml" << EOF rm -f ${output_dir}/controller_service_account.yml
rm -f ${output_dir}/cni_service_account.yml
cat >> "${output_dir}/controller_service_account.yml" << EOF
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
@ -482,6 +485,45 @@ roleRef:
name: kuryr-controller name: kuryr-controller
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
EOF EOF
cat >> "${output_dir}/cni_service_account.yml" << EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kuryr-cni
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kuryr-cni
rules:
- apiGroups:
- ""
verbs: ["*"]
resources:
- pods
- nodes
- apiGroups:
- openstack.org
verbs: ["*"]
resources:
- kuryrports
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kuryr-cni-global
subjects:
- kind: ServiceAccount
name: kuryr-cni
namespace: kube-system
roleRef:
kind: ClusterRole
name: kuryr-cni
apiGroup: rbac.authorization.k8s.io
EOF
} }
function generate_controller_deployment() { function generate_controller_deployment() {
@ -622,7 +664,7 @@ spec:
- key: "node.kubernetes.io/not-ready" - key: "node.kubernetes.io/not-ready"
operator: "Exists" operator: "Exists"
effect: "NoSchedule" effect: "NoSchedule"
serviceAccountName: kuryr-controller serviceAccountName: kuryr-cni
containers: containers:
- name: kuryr-cni - name: kuryr-cni
image: kuryr/cni:latest image: kuryr/cni:latest
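Review bot: The new kuryr-cni ClusterRole grants `verbs: ["*"]` on `pods` and `nodes` (and on `kuryrports`) cluster-wide, so the split does not yet narrow what the CNI account may do: a CNI pod on any node can still create, modify or delete every pod and node object. Replace the wildcard with the verbs the CNI daemon actually uses, for example `verbs: ["get", "list", "watch", "patch"]`, after confirming that set against the daemon's API calls. The two added `rm -f ${output_dir}/...` lines also leave the variable unquoted although the `cat >>` lines quote it; `rm -f "${output_dir}/cni_service_account.yml"` avoids word splitting on unusual paths. The controller heredoc inside generate_kuryr_service_account lies partly outside the visible hunks, so its rules were not reviewed.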


@ -177,8 +177,11 @@ function run_containerized_kuryr_resources {
"${k8s_data_dir}/certificates_secret.yml" \ "${k8s_data_dir}/certificates_secret.yml" \
|| die $LINENO "Failed to create kuryr-kubernetes certificates Secret." || die $LINENO "Failed to create kuryr-kubernetes certificates Secret."
/usr/local/bin/kubectl create -f \ /usr/local/bin/kubectl create -f \
"${k8s_data_dir}/service_account.yml" \ "${k8s_data_dir}/controller_service_account.yml" \
|| die $LINENO "Failed to create kuryr-kubernetes ServiceAccount." || die $LINENO "Failed to create kuryr-controller ServiceAccount."
/usr/local/bin/kubectl create -f \
"${k8s_data_dir}/cni_service_account.yml" \
|| die $LINENO "Failed to create kuryr-cni ServiceAccount."
if is_service_enabled openshift-master; then if is_service_enabled openshift-master; then
# NOTE(dulek): For OpenShift add privileged SCC to serviceaccount. # NOTE(dulek): For OpenShift add privileged SCC to serviceaccount.


@ -119,11 +119,12 @@ Example run:
$ KURYR_K8S_API_ROOT="192.168.0.1:6443" ./tools/generate_k8s_resource_definitions.sh /tmp $ KURYR_K8S_API_ROOT="192.168.0.1:6443" ./tools/generate_k8s_resource_definitions.sh /tmp
This should generate 5 files in your ``<output_dir>``: This should generate 6 files in your ``<output_dir>``:
* config_map.yml * config_map.yml
* certificates_secret.yml * certificates_secret.yml
* service_account.yml * controller_service_account.yml
* cni_service_account.yml
* controller_deployment.yml * controller_deployment.yml
* cni_ds.yml * cni_ds.yml
@ -150,7 +151,8 @@ To deploy the files on your Kubernetes cluster run:
$ kubectl apply -f config_map.yml -n kube-system $ kubectl apply -f config_map.yml -n kube-system
$ kubectl apply -f certificates_secret.yml -n kube-system $ kubectl apply -f certificates_secret.yml -n kube-system
$ kubectl apply -f service_account.yml -n kube-system $ kubectl apply -f controller_service_account.yml -n kube-system
$ kubectl apply -f cni_service_account.yml -n kube-system
$ kubectl apply -f controller_deployment.yml -n kube-system $ kubectl apply -f controller_deployment.yml -n kube-system
$ kubectl apply -f cni_ds.yml -n kube-system $ kubectl apply -f cni_ds.yml -n kube-system