add rbac rule to fix system:serviceaccount:kube-system:default can not access kube-system

2017-07-12 18:18:37 +08:00 · 2017-07-12 18:18:37 +08:00 · da76b11992
commit da76b11992
parent 26fccdc48b
2 changed files with 135 additions and 3 deletions
--- a/examples/deployment/nginx/kubeadm/nginx-ingress-controller-rbac.yml
+++ b/examples/deployment/nginx/kubeadm/nginx-ingress-controller-rbac.yml
@ -0,0 +1,131 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: nginx-ingress
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: nginx-ingress-serviceaccount
  namespace: nginx-ingress
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
  name: nginx-ingress-clusterrole
 rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
        - events
    verbs:
        - create
        - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
  name: nginx-ingress-role
  namespace: nginx-ingress
 rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - create
      - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: nginx-ingress
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
 subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: nginx-ingress
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: nginx-ingress-clusterrole-nisa-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
 subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: nginx-ingress
--- a/examples/deployment/nginx/kubeadm/nginx-ingress-controller.yaml
+++ b/examples/deployment/nginx/kubeadm/nginx-ingress-controller.yaml
@ -4,7 +4,7 @@ metadata:
  name: default-http-backend
  labels:
    k8s-app: default-http-backend
-  namespace: kube-system
+  namespace: nginx-ingress
 spec:
  replicas: 1
  template:
@ -40,7 +40,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: default-http-backend
-  namespace: kube-system
+  namespace: nginx-ingress
  labels:
    k8s-app: default-http-backend
 spec:
@ -56,7 +56,7 @@ metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
-  namespace: kube-system
+  namespace: nginx-ingress
 spec:
  replicas: 1
  template:
@ -69,6 +69,7 @@ spec:
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      hostNetwork: true
      serviceAccountName: nginx-ingress-serviceaccount
      terminationGracePeriodSeconds: 60
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.10