Add service account and generate kubernetes config

This PR adds a new service account for kubestack. It also

- creates an essential cluster role for the service account
- generates a kubernetes config based on the service account secrets
- adds KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT env variables

Change-Id: I33679efba982f23dd32c9e5632b3e16580f177ea
Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
Pengfei Ni 2017-08-01 11:14:26 +08:00
parent 82b659963e
commit 48f674094c
3 changed files with 96 additions and 11 deletions


@ -2,6 +2,6 @@
"cniVersion": "0.3.1",
"name": "net",
"type": "kubestack",
"kubestack-config": "/etc/kubestack.conf"
"kubernetes-config": "/etc/kubernetes/admin.conf"
"kubestack-config": "/etc/kubestack/kubestack.conf",
"kubernetes-config": "/etc/kubestack/kubernetes.conf"
}


@ -34,6 +34,10 @@ if [ -w "/host/opt/cni/bin/" ]; then
echo "CNI plugin version: $(/host/opt/cni/bin/kubestack -v)"
fi
if [ ! -d /host/etc/kubestack ]; then
mkdir -p /host/etc/kubestack
fi
# Place the new CNI network config if the directory is writeable.
if [ -w "/host/etc/cni/net.d/" ]; then
cp /etc/cni/net.d/10-kubestack.conf /host/etc/cni/net.d/
@ -63,10 +67,34 @@ sed -i s/_PLUGIN_NAME_/${PLUGIN_NAME:-}/g $TMP_CONF
sed -i s/_INTEGRATION_BRIDGE_/${INTEGRATION_BRIDGE:-}/g $TMP_CONF
# Move the temporary kubestack config into place.
KUBESTACK_CONFIG_PATH='/host/etc/kubestack.conf'
KUBESTACK_CONFIG_PATH='/host/etc/kubestack/kubestack.conf'
mv $TMP_CONF $KUBESTACK_CONFIG_PATH
echo "Wrote kubestack config: $(cat ${KUBESTACK_CONFIG_PATH})"
KUBERNETES_CONFIG_PATH='/host/etc/kubestack/kubernetes.conf'
token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
cacert=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 | tr -d '\n')
cat > ${KUBERNETES_CONFIG_PATH} <<EOF
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ${cacert}
server: https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes
name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes
user:
token: ${token}
EOF
while true; do
sleep 3600;
done
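Review bot: The kubeconfig written at `cat > ${KUBERNETES_CONFIG_PATH} <<EOF` embeds the pod's service account bearer token in clear text, and the file lands on the host filesystem under /host/etc/kubestack with whatever mode the process umask yields, so it is likely readable by any local user on the node and it outlives the pod that wrote it. Restrict both the directory and the file: `mkdir -p -m 0700 /host/etc/kubestack` in the earlier hunk, and `umask 077` immediately before the heredoc (or `chmod 0600 "${KUBERNETES_CONFIG_PATH}"` right after `EOF`). This matters more than usual here because the same commit binds the `kubestack` service account to a ClusterRole granting `"*"` verbs on `"*"` resources, which makes this file effectively a cluster-wide credential. The script's head, where a `set -u` or umask may already be configured, is outside the hunk; if `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` are unset the `server:` line silently degrades to `https://:`, so a guard such as `: "${KUBERNETES_SERVICE_HOST:?}" "${KUBERNETES_SERVICE_PORT:?}"` before the write would fail early instead of producing an unusable config.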


@ -29,8 +29,8 @@ data:
integration-bridge: "br-int"
user-cidr: "10.244.0.0/16"
user-gateway: "10.244.0.1"
kubernetes-host: "<Your-external-kubernetes-host>"
kubernetes-port: "<Your-external-kubernetes-port>"
kubernetes-host: "<Your-kubernetes-host>"
kubernetes-port: "<Your-kubernetes-port>"
---
@ -58,6 +58,7 @@ spec:
{"key":"CriticalAddonsOnly", "operator":"Exists"}]
spec:
hostNetwork: true
serviceAccountName: kubestack
containers:
# This container installs the kubestack CNI binaries
# and CNI network config file on each node.
@ -113,6 +114,18 @@ spec:
configMapKeyRef:
name: stackube-config
key: integration-bridge
# The kubernetes service host.
- name: KUBERNETES_SERVICE_HOST
valueFrom:
configMapKeyRef:
name: stackube-config
key: kubernetes-host
# The kubernetes service port.
- name: KUBERNETES_SERVICE_PORT
valueFrom:
configMapKeyRef:
name: stackube-config
key: kubernetes-port
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
@ -215,13 +228,13 @@ spec:
configMapKeyRef:
name: stackube-config
key: user-gateway
# The kubernetes external service host.
# The kubernetes service host.
- name: KUBERNETES_SERVICE_HOST
valueFrom:
configMapKeyRef:
name: stackube-config
key: kubernetes-host
# The kubernetes external service port.
# The kubernetes service port.
- name: KUBERNETES_SERVICE_PORT
valueFrom:
configMapKeyRef:
@ -299,3 +312,47 @@ kind: ServiceAccount
metadata:
name: stackube-controller
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubestack
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubestack
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubestack
subjects:
- kind: ServiceAccount
name: kubestack
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kubestack
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- "*"
- apiGroups:
- stackube.kubernetes.io
resources:
- tenants
- networks
verbs:
- "*"