Merge pull request #957 from wongma7/leader-election-config

Make leader-election configurable: default endpoints object namespace to controller's instead of kube-system
kubernetes-retired · Aug 30, 2018 · 7613414 · 7613414
2 parents 14acf33 + 8e3bfd3
commit 7613414
Show file tree

Hide file tree

Showing 33 changed files with 434 additions and 272 deletions.
diff --git a/aws/efs/README.md b/aws/efs/README.md
@@ -137,20 +137,16 @@ If you are not using RBAC or OpenShift you can continue to the usage section.
 
 ### Authorization
 
-If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" either edit `deploy/auth/clusterrolebinding.yaml` or edit the `oadm policy` command accordingly.
+If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" edit `deploy/rbac.yaml`.
 
 #### RBAC
 ```console
+# Set the subject of the RBAC objects to the current namespace where the provisioner is being deployed
+$ NAMESPACE=`kc config get-contexts | grep '^*' | tr -s ' ' | cut -d' ' -f5`
+$ sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/rbac.yaml
 $ kubectl create -f deploy/rbac.yaml
 ```
 
-#### OpenShift
-```console
-$ oc create -f deploy/openshift-clusterrole.yaml
-clusterrole "efs-provisioner-runner" created
-$ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:default:efs-provisioner
-$ oadm policy add-cluster-role-to-user efs-provisioner-runner system:serviceaccount:default:efs-provisioner
-```
 ### SELinux
 If SELinux is enforcing on the node where the provisioner runs, you must enable writing from a pod to a remote NFS server (EFS in this case) on the node by running:
 ```console

diff --git a/aws/efs/deploy/openshift-clusterrole.yaml b/aws/efs/deploy/openshift-clusterrole.yaml
diff --git a/aws/efs/deploy/rbac.yaml b/aws/efs/deploy/rbac.yaml
@@ -15,9 +15,6 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["endpoints"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -26,8 +23,32 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: efs-provisioner
+     # replace with namespace where provisioner is deployed
     namespace: default
 roleRef:
   kind: ClusterRole
   name: efs-provisioner-runner
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-efs-provisioner
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-efs-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: efs-provisioner
+    # replace with namespace where provisioner is deployed
+    namespace: default
+roleRef:
+  kind: Role
+  name: leader-locking-efs-provisioner
+  apiGroup: rbac.authorization.k8s.io
diff --git a/ceph/cephfs/deploy/rbac/clusterrole.yaml b/ceph/cephfs/deploy/rbac/clusterrole.yaml
@@ -16,6 +16,3 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["endpoints"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/ceph/cephfs/deploy/rbac/role.yaml b/ceph/cephfs/deploy/rbac/role.yaml
@@ -7,3 +7,6 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["create", "get", "delete"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/ceph/rbd/deploy/rbac/clusterrole.yaml b/ceph/rbd/deploy/rbac/clusterrole.yaml
@@ -15,9 +15,6 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["endpoints"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
   - apiGroups: [""]
     resources: ["services"]
     resourceNames: ["kube-dns","coredns"]

diff --git a/ceph/rbd/deploy/rbac/role.yaml b/ceph/rbd/deploy/rbac/role.yaml
@@ -6,3 +6,6 @@ rules:
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get"]
+- apiGroups: [""]
+  resources: ["endpoints"]
+  verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/digitalocean/manifests/rbac/clusterrole.yaml b/digitalocean/manifests/rbac/clusterrole.yaml
@@ -16,6 +16,3 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["endpoints"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/digitalocean/manifests/rbac/role.yaml b/digitalocean/manifests/rbac/role.yaml
@@ -7,3 +7,6 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/flex/deploy/manifests/rbac.yaml b/flex/deploy/manifests/rbac.yaml
@@ -15,9 +15,6 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["endpoints"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
 
 ---
 
@@ -41,3 +38,29 @@ apiVersion: v1
 metadata:
   name: flex-provisioner
 
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-flex-provisioner
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+---
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-flex-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: flex-provisioner
+    # replace with namespace where provisioner is deployed
+    namespace: default
+roleRef:
+  kind: Role
+  name: leader-locking-flex-provisioner
+  apiGroup: rbac.authorization.k8s.io
diff --git a/gluster/block/deploy/clusterrole.yaml b/gluster/block/deploy/clusterrole.yaml
diff --git a/gluster/block/deploy/clusterrolebinding.yaml b/gluster/block/deploy/clusterrolebinding.yaml
diff --git a/gluster/block/deploy/openshift/openshift-clusterrole.yaml b/gluster/block/deploy/openshift/openshift-clusterrole.yaml
diff --git a/gluster/block/deploy/rbac.yaml b/gluster/block/deploy/rbac.yaml
@@ -0,0 +1,59 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: glusterblock-provisioner-runner
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "delete"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: run-glusterblock-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: glusterblock-provisioner
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: glusterblock-provisioner-runner
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-glusterblock-provisioner
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-glusterblock-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: glusterblock-provisioner
+    # replace with namespace where provisioner is deployed
+    namespace: default
+roleRef:
+  kind: Role
+  name: leader-locking-glusterblock-provisioner
+  apiGroup: rbac.authorization.k8s.io
diff --git a/gluster/file/deploy/openshift/openshift-clusterrole.yaml b/gluster/file/deploy/openshift/openshift-clusterrole.yaml
diff --git a/gluster/file/deploy/rbac.yaml b/gluster/file/deploy/rbac.yaml
@@ -0,0 +1,62 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: glusterfile-provisioner-runner
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "create", "delete"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: run-glusterfile-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: glusterfile-provisioner
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: glusterfile-provisioner-runner
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-glusterfile-provisioner
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-glusterfile-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: glusterfile-provisioner
+    # replace with namespace where provisioner is deployed
+    namespace: default
+roleRef:
+  kind: Role
+  name: leader-locking-glusterfile-provisioner
+  apiGroup: rbac.authorization.k8s.io