Add service account and generate kubernetes config
This PR adds a new service account for kubestack. It also - creates essential cluster role for the service account - generate kubernetes config based on the service account secrets - add KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT env varibles Change-Id: I33679efba982f23dd32c9e5632b3e16580f177ea Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
This commit is contained in:
parent
82b659963e
commit
48f674094c
@ -2,6 +2,6 @@
|
||||
"cniVersion": "0.3.1",
|
||||
"name": "net",
|
||||
"type": "kubestack",
|
||||
"kubestack-config": "/etc/kubestack.conf"
|
||||
"kubernetes-config": "/etc/kubernetes/admin.conf"
|
||||
"kubestack-config": "/etc/kubestack/kubestack.conf",
|
||||
"kubernetes-config": "/etc/kubestack/kubernetes.conf"
|
||||
}
|
@ -34,6 +34,10 @@ if [ -w "/host/opt/cni/bin/" ]; then
|
||||
echo "CNI plugin version: $(/host/opt/cni/bin/kubestack -v)"
|
||||
fi
|
||||
|
||||
if [ ! -d /host/etc/kubestack ]; then
|
||||
mkdir -p /host/etc/kubestack
|
||||
fi
|
||||
|
||||
# Place the new CNI network config if the directory is writeable.
|
||||
if [ -w "/host/etc/cni/net.d/" ]; then
|
||||
cp /etc/cni/net.d/10-kubestack.conf /host/etc/cni/net.d/
|
||||
@ -63,10 +67,34 @@ sed -i s/_PLUGIN_NAME_/${PLUGIN_NAME:-}/g $TMP_CONF
|
||||
sed -i s/_INTEGRATION_BRIDGE_/${INTEGRATION_BRIDGE:-}/g $TMP_CONF
|
||||
|
||||
# Move the temporary kubestack config into place.
|
||||
KUBESTACK_CONFIG_PATH='/host/etc/kubestack.conf'
|
||||
KUBESTACK_CONFIG_PATH='/host/etc/kubestack/kubestack.conf'
|
||||
mv $TMP_CONF $KUBESTACK_CONFIG_PATH
|
||||
echo "Wrote kubestack config: $(cat ${KUBESTACK_CONFIG_PATH})"
|
||||
|
||||
KUBERNETES_CONFIG_PATH='/host/etc/kubestack/kubernetes.conf'
|
||||
token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
|
||||
cacert=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 | tr -d '\n')
|
||||
cat > ${KUBERNETES_CONFIG_PATH} <<EOF
|
||||
apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
certificate-authority-data: ${cacert}
|
||||
server: https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
|
||||
name: kubernetes
|
||||
contexts:
|
||||
- context:
|
||||
cluster: kubernetes
|
||||
user: kubernetes
|
||||
name: kubernetes
|
||||
current-context: kubernetes
|
||||
kind: Config
|
||||
preferences: {}
|
||||
users:
|
||||
- name: kubernetes
|
||||
user:
|
||||
token: ${token}
|
||||
EOF
|
||||
|
||||
while true; do
|
||||
sleep 3600;
|
||||
done
|
||||
|
@ -29,8 +29,8 @@ data:
|
||||
integration-bridge: "br-int"
|
||||
user-cidr: "10.244.0.0/16"
|
||||
user-gateway: "10.244.0.1"
|
||||
kubernetes-host: "<Your-external-kubernetes-host>"
|
||||
kubernetes-port: "<Your-external-kubernetes-port>"
|
||||
kubernetes-host: "<Your-kubernetes-host>"
|
||||
kubernetes-port: "<Your-kubernetes-port>"
|
||||
|
||||
---
|
||||
|
||||
@ -58,6 +58,7 @@ spec:
|
||||
{"key":"CriticalAddonsOnly", "operator":"Exists"}]
|
||||
spec:
|
||||
hostNetwork: true
|
||||
serviceAccountName: kubestack
|
||||
containers:
|
||||
# This container installs the kubestack CNI binaries
|
||||
# and CNI network config file on each node.
|
||||
@ -113,6 +114,18 @@ spec:
|
||||
configMapKeyRef:
|
||||
name: stackube-config
|
||||
key: integration-bridge
|
||||
# The kubernetes service host.
|
||||
- name: KUBERNETES_SERVICE_HOST
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: stackube-config
|
||||
key: kubernetes-host
|
||||
# The kubernetes service port.
|
||||
- name: KUBERNETES_SERVICE_PORT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: stackube-config
|
||||
key: kubernetes-port
|
||||
volumeMounts:
|
||||
- mountPath: /host/opt/cni/bin
|
||||
name: cni-bin-dir
|
||||
@ -215,13 +228,13 @@ spec:
|
||||
configMapKeyRef:
|
||||
name: stackube-config
|
||||
key: user-gateway
|
||||
# The kubernetes external service host.
|
||||
# The kubernetes service host.
|
||||
- name: KUBERNETES_SERVICE_HOST
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
name: stackube-config
|
||||
key: kubernetes-host
|
||||
# The kubernetes external service port.
|
||||
# The kubernetes service port.
|
||||
- name: KUBERNETES_SERVICE_PORT
|
||||
valueFrom:
|
||||
configMapKeyRef:
|
||||
@ -299,3 +312,47 @@ kind: ServiceAccount
|
||||
metadata:
|
||||
name: stackube-controller
|
||||
namespace: kube-system
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kubestack
|
||||
namespace: kube-system
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kubestack
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kubestack
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kubestack
|
||||
namespace: kube-system
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kubestack
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "*"
|
||||
resources:
|
||||
- "*"
|
||||
verbs:
|
||||
- "*"
|
||||
- apiGroups:
|
||||
- stackube.kubernetes.io
|
||||
resources:
|
||||
- tenants
|
||||
- networks
|
||||
verbs:
|
||||
- "*"
|
||||
|
Loading…
Reference in New Issue
Block a user