Merge "Splits kuryr-controller and kuryr-cni ServiceAccounts"
This commit is contained in:
commit
0a31327da8
|
@ -417,11 +417,14 @@ data:
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Generates kuryr-controller service account and kuryr-cni service account.
|
||||||
function generate_kuryr_service_account() {
|
function generate_kuryr_service_account() {
|
||||||
output_dir=$1
|
output_dir=$1
|
||||||
mkdir -p "$output_dir"
|
mkdir -p "$output_dir"
|
||||||
rm -f ${output_dir}/service_account.yml
|
rm -f ${output_dir}/service_account.yml
|
||||||
cat >> "${output_dir}/service_account.yml" << EOF
|
rm -f ${output_dir}/controller_service_account.yml
|
||||||
|
rm -f ${output_dir}/cni_service_account.yml
|
||||||
|
cat >> "${output_dir}/controller_service_account.yml" << EOF
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
|
@ -482,6 +485,45 @@ roleRef:
|
||||||
name: kuryr-controller
|
name: kuryr-controller
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
cat >> "${output_dir}/cni_service_account.yml" << EOF
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: kuryr-cni
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: kuryr-cni
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
verbs: ["*"]
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- nodes
|
||||||
|
- apiGroups:
|
||||||
|
- openstack.org
|
||||||
|
verbs: ["*"]
|
||||||
|
resources:
|
||||||
|
- kuryrports
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: kuryr-cni-global
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: kuryr-cni
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: kuryr-cni
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
function generate_controller_deployment() {
|
function generate_controller_deployment() {
|
||||||
|
@ -622,7 +664,7 @@ spec:
|
||||||
- key: "node.kubernetes.io/not-ready"
|
- key: "node.kubernetes.io/not-ready"
|
||||||
operator: "Exists"
|
operator: "Exists"
|
||||||
effect: "NoSchedule"
|
effect: "NoSchedule"
|
||||||
serviceAccountName: kuryr-controller
|
serviceAccountName: kuryr-cni
|
||||||
containers:
|
containers:
|
||||||
- name: kuryr-cni
|
- name: kuryr-cni
|
||||||
image: kuryr/cni:latest
|
image: kuryr/cni:latest
|
||||||
|
|
|
@ -177,8 +177,11 @@ function run_containerized_kuryr_resources {
|
||||||
"${k8s_data_dir}/certificates_secret.yml" \
|
"${k8s_data_dir}/certificates_secret.yml" \
|
||||||
|| die $LINENO "Failed to create kuryr-kubernetes certificates Secret."
|
|| die $LINENO "Failed to create kuryr-kubernetes certificates Secret."
|
||||||
/usr/local/bin/kubectl create -f \
|
/usr/local/bin/kubectl create -f \
|
||||||
"${k8s_data_dir}/service_account.yml" \
|
"${k8s_data_dir}/controller_service_account.yml" \
|
||||||
|| die $LINENO "Failed to create kuryr-kubernetes ServiceAccount."
|
|| die $LINENO "Failed to create kuryr-controller ServiceAccount."
|
||||||
|
/usr/local/bin/kubectl create -f \
|
||||||
|
"${k8s_data_dir}/cni_service_account.yml" \
|
||||||
|
|| die $LINENO "Failed to create kuryr-cni ServiceAccount."
|
||||||
|
|
||||||
if is_service_enabled openshift-master; then
|
if is_service_enabled openshift-master; then
|
||||||
# NOTE(dulek): For OpenShift add privileged SCC to serviceaccount.
|
# NOTE(dulek): For OpenShift add privileged SCC to serviceaccount.
|
||||||
|
|
|
@ -119,11 +119,12 @@ Example run:
|
||||||
|
|
||||||
$ KURYR_K8S_API_ROOT="192.168.0.1:6443" ./tools/generate_k8s_resource_definitions.sh /tmp
|
$ KURYR_K8S_API_ROOT="192.168.0.1:6443" ./tools/generate_k8s_resource_definitions.sh /tmp
|
||||||
|
|
||||||
This should generate 5 files in your ``<output_dir>``:
|
This should generate 6 files in your ``<output_dir>``:
|
||||||
|
|
||||||
* config_map.yml
|
* config_map.yml
|
||||||
* certificates_secret.yml
|
* certificates_secret.yml
|
||||||
* service_account.yml
|
* controller_service_account.yml
|
||||||
|
* cni_service_account.yml
|
||||||
* controller_deployment.yml
|
* controller_deployment.yml
|
||||||
* cni_ds.yml
|
* cni_ds.yml
|
||||||
|
|
||||||
|
@ -150,7 +151,8 @@ To deploy the files on your Kubernetes cluster run:
|
||||||
|
|
||||||
$ kubectl apply -f config_map.yml -n kube-system
|
$ kubectl apply -f config_map.yml -n kube-system
|
||||||
$ kubectl apply -f certificates_secret.yml -n kube-system
|
$ kubectl apply -f certificates_secret.yml -n kube-system
|
||||||
$ kubectl apply -f service_account.yml -n kube-system
|
$ kubectl apply -f controller_service_account.yml -n kube-system
|
||||||
|
$ kubectl apply -f cni_service_account.yml -n kube-system
|
||||||
$ kubectl apply -f controller_deployment.yml -n kube-system
|
$ kubectl apply -f controller_deployment.yml -n kube-system
|
||||||
$ kubectl apply -f cni_ds.yml -n kube-system
|
$ kubectl apply -f cni_ds.yml -n kube-system
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue