Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7
the nginx-controller needs to handle leader-election via configmaps.
To perform the leader-election the nginx-controller needs to have the
appropiate RBAC permissions.
Previously to this fix, the following errors occured:
- cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx)
- initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps)
fix ingress rbac roles
There was 2 things that the current IC (0.9 beta7) needs.
The ClusterRole was missing `get nodes`:
```
RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide
```
The Role was missing `update configmaps`:
```RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"```
removed update configmap because of #798
rebased on master, moved get nodes to own rule
added get nodes to cluster permissions
Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7
the nginx-controller needs to handle leader-election via configmaps.
To perform the leader-election the nginx-controller needs to have the
appropiate RBAC permissions.
Previously to this fix, the following errors occured:
- cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx)
- initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps)
Per discussion in #770 and on Slack, create a list of known annotations across
various Ingress controller implementations. This will (hopefully) increase
compatibility across implementations and reduce the need for users to change
all their annotations when changing Ingress controllers.
