
Commit 7613414

Merge pull request #957 from wongma7/leader-election-config
Make leader-election configurable: default endpoints object namespace to controller's instead of kube-system
2 parents 14acf33 + 8e3bfd3 commit 7613414

33 files changed

+434
-272
lines changed


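--- a/aws/efs/README.md
+++ b/aws/efs/README.md
@@ -137,20 +137,16 @@ If you are not using RBAC or OpenShift you can continue to the usage section.
 
 ### Authorization
 
-If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" either edit `deploy/auth/clusterrolebinding.yaml` or edit the `oadm policy` command accordingly.
+If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" edit `deploy/rbac.yaml`.
 
 #### RBAC
 ```console
+# Set the subject of the RBAC objects to the current namespace where the provisioner is being deployed
+$ NAMESPACE=`kc config get-contexts | grep '^*' | tr -s ' ' | cut -d' ' -f5`
+$ sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/rbac.yaml
 $ kubectl create -f deploy/rbac.yaml
 ```
 
-#### OpenShift
-```console
-$ oc create -f deploy/openshift-clusterrole.yaml
-clusterrole "efs-provisioner-runner" created
-$ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:default:efs-provisioner
-$ oadm policy add-cluster-role-to-user efs-provisioner-runner system:serviceaccount:default:efs-provisioner
-```
 ### SELinux
 If SELinux is enforcing on the node where the provisioner runs, you must enable writing from a pod to a remote NFS server (EFS in this case) on the node by running:
 ```console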

aws/efs/deploy/openshift-clusterrole.yaml

-20
This file was deleted.

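--- a/aws/efs/deploy/rbac.yaml
+++ b/aws/efs/deploy/rbac.yaml
@@ -15,9 +15,6 @@ rules:
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["create", "update", "patch"]
-- apiGroups: [""]
-resources: ["endpoints"]
-verbs: ["get", "list", "watch", "create", "update", "patch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -26,8 +23,32 @@ metadata:
 subjects:
 - kind: ServiceAccount
 name: efs-provisioner
+# replace with namespace where provisioner is deployed
 namespace: default
 roleRef:
 kind: ClusterRole
 name: efs-provisioner-runner
-apiGroup: rbac.authorization.k8s.io
+apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: leader-locking-efs-provisioner
+rules:
+- apiGroups: [""]
+resources: ["endpoints"]
+verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: leader-locking-efs-provisioner
+subjects:
+- kind: ServiceAccount
+name: efs-provisioner
+# replace with namespace where provisioner is deployed
+namespace: default
+roleRef:
+kind: Role
+name: leader-locking-efs-provisioner
+apiGroup: rbac.authorization.k8s.io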
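Review bot: The new `leader-locking-efs-provisioner` Role grants `create`, `update` and `patch` on every Endpoints object in its namespace rather than only the election lock, and an Endpoints write lets the `efs-provisioner` service account repoint any Service in that namespace. RBAC cannot restrict `create` by name and `list`/`watch` are effectively namespace-wide, but `get`, `update` and `patch` can be pinned to the lock with a second rule such as `resourceNames: ["<lock-endpoints-name>"]` while the unrestricted rule keeps only `["create", "list", "watch"]`; the lock name is not visible in this commit, so confirm it from the controller's leader-election settings first. Neither the Role nor the RoleBinding sets `metadata.namespace`, so they are created wherever `kubectl create` is pointed, and a RoleBinding only grants inside its own namespace; extend the subject comment to `# replace with namespace where provisioner is deployed; the Role and RoleBinding must be created in that same namespace`.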

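--- a/ceph/cephfs/deploy/rbac/clusterrole.yaml
+++ b/ceph/cephfs/deploy/rbac/clusterrole.yaml
@@ -16,6 +16,3 @@ rules:
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["create", "update", "patch"]
-- apiGroups: [""]
-resources: ["endpoints"]
-verbs: ["get", "list", "watch", "create", "update", "patch"]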

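--- a/ceph/cephfs/deploy/rbac/role.yaml
+++ b/ceph/cephfs/deploy/rbac/role.yaml
@@ -7,3 +7,6 @@ rules:
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["create", "get", "delete"]
+- apiGroups: [""]
+resources: ["endpoints"]
+verbs: ["get", "list", "watch", "create", "update", "patch"]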
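Review bot: The added Endpoints rule carries no comment explaining why a storage provisioner needs `create`, `update` and `patch` on Endpoints, which a later reviewer will read as over-broad because Endpoints writes can redirect any Service in the namespace; add `# leader-election lock: per the commit message the provisioner creates and updates an Endpoints object in its own namespace` above the rule, since the commit message is currently the only place this is stated. The rule applies to every Endpoints object in the namespace; if the lock object's name is fixed, `get`, `update` and `patch` can be narrowed with `resourceNames` while `create`, `list` and `watch` stay in an unrestricted rule. The enclosing Role's header starts outside the hunk.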

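--- a/ceph/rbd/deploy/rbac/clusterrole.yaml
+++ b/ceph/rbd/deploy/rbac/clusterrole.yaml
@@ -15,9 +15,6 @@ rules:
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["create", "update", "patch"]
-- apiGroups: [""]
-resources: ["endpoints"]
-verbs: ["get", "list", "watch", "create", "update", "patch"]
 - apiGroups: [""]
 resources: ["services"]
 resourceNames: ["kube-dns","coredns"]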

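--- a/ceph/rbd/deploy/rbac/role.yaml
+++ b/ceph/rbd/deploy/rbac/role.yaml
@@ -6,3 +6,6 @@ rules:
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get"]
+- apiGroups: [""]
+resources: ["endpoints"]
+verbs: ["get", "list", "watch", "create", "update", "patch"]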

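--- a/digitalocean/manifests/rbac/clusterrole.yaml
+++ b/digitalocean/manifests/rbac/clusterrole.yaml
@@ -16,6 +16,3 @@ rules:
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["create", "update", "patch"]
-- apiGroups: [""]
-resources: ["endpoints"]
-verbs: ["get", "list", "watch", "create", "update", "patch"]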

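--- a/digitalocean/manifests/rbac/role.yaml
+++ b/digitalocean/manifests/rbac/role.yaml
@@ -7,3 +7,6 @@ rules:
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get"]
+- apiGroups: [""]
+resources: ["endpoints"]
+verbs: ["get", "list", "watch", "create", "update", "patch"]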

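--- a/flex/deploy/manifests/rbac.yaml
+++ b/flex/deploy/manifests/rbac.yaml
@@ -15,9 +15,6 @@ rules:
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["create", "update", "patch"]
-- apiGroups: [""]
-resources: ["endpoints"]
-verbs: ["get", "list", "watch", "create", "update", "patch"]
 
 ---
 
@@ -41,3 +38,29 @@ apiVersion: v1
 metadata:
 name: flex-provisioner
 
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: leader-locking-flex-provisioner
+rules:
+- apiGroups: [""]
+resources: ["endpoints"]
+verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+---
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: leader-locking-flex-provisioner
+subjects:
+- kind: ServiceAccount
+name: flex-provisioner
+# replace with namespace where provisioner is deployed
+namespace: default
+roleRef:
+kind: Role
+name: leader-locking-flex-provisioner
+apiGroup: rbac.authorization.k8s.io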
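Review bot: The new `leader-locking-flex-provisioner` Role and RoleBinding omit `metadata.namespace`, so they land in whatever namespace `kubectl` is pointed at, while the RoleBinding's subject is pinned to `namespace: default` by the `# replace …` comment; a RoleBinding only grants inside its own namespace, so a mismatch leaves the provisioner without lock permissions and, with the cluster-wide Endpoints rule removed in the first hunk, unable to acquire leadership. Either add `namespace: default` under both `metadata:` blocks with the same replace comment, or state in the subject comment that all three objects must be created in the provisioner's namespace. The Role also permits `create`, `update` and `patch` on all Endpoints in that namespace; once the lock object's name is confirmed, `get`/`update`/`patch` can be narrowed with `resourceNames`. The ServiceAccount document that the second hunk's context lines belong to starts outside the hunk.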

gluster/block/deploy/clusterrole.yaml

-26
This file was deleted.

gluster/block/deploy/clusterrolebinding.yaml

-12
This file was deleted.

gluster/block/deploy/openshift/openshift-clusterrole.yaml

-26
This file was deleted.

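--- /dev/null
+++ b/gluster/block/deploy/rbac.yaml
@@ -0,0 +1,59 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: glusterblock-provisioner-runner
+rules:
+- apiGroups: [""]
+resources: ["persistentvolumes"]
+verbs: ["get", "list", "watch", "create", "delete"]
+- apiGroups: [""]
+resources: ["persistentvolumeclaims"]
+verbs: ["get", "list", "watch", "update"]
+- apiGroups: ["storage.k8s.io"]
+resources: ["storageclasses"]
+verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+resources: ["events"]
+verbs: ["create", "update", "patch"]
+- apiGroups: [""]
+resources: ["services"]
+verbs: ["get"]
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get", "create", "delete"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: run-glusterblock-provisioner
+subjects:
+- kind: ServiceAccount
+name: glusterblock-provisioner
+namespace: default
+roleRef:
+kind: ClusterRole
+name: glusterblock-provisioner-runner
+apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: leader-locking-glusterblock-provisioner
+rules:
+- apiGroups: [""]
+resources: ["endpoints"]
+verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: leader-locking-glusterblock-provisioner
+subjects:
+- kind: ServiceAccount
+name: glusterblock-provisioner
+# replace with namespace where provisioner is deployed
+namespace: default
+roleRef:
+kind: Role
+name: leader-locking-glusterblock-provisioner
+apiGroup: rbac.authorization.k8s.io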
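Review bot: The ClusterRoleBinding subject's `namespace: default` has no `# replace with namespace where provisioner is deployed` comment, while the RoleBinding subject further down does; both must name the namespace where the `glusterblock-provisioner` ServiceAccount actually lives, so add the same comment above the ClusterRoleBinding's `namespace: default` so a deployer editing one does not miss the other. The ClusterRole grants `get`, `create` and `delete` on Secrets in every namespace with no `resourceNames`, which amounts to read access to all cluster secrets; this is presumably needed to manage per-volume credentials in PVC namespaces (not visible in this file), so document that intent with a comment such as `# secrets: per-volume credentials are created in the PVC's namespace, so this must be cluster-wide` and confirm `delete` is required. Neither the Role nor the RoleBinding sets `metadata.namespace`; the replace comment should also say that both must be created in the provisioner's namespace, since a RoleBinding only grants within its own.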

gluster/file/deploy/openshift/openshift-clusterrole.yaml

-26
This file was deleted.

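--- /dev/null
+++ b/gluster/file/deploy/rbac.yaml
@@ -0,0 +1,62 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: glusterfile-provisioner-runner
+rules:
+- apiGroups: [""]
+resources: ["persistentvolumes"]
+verbs: ["get", "list", "watch", "create", "delete"]
+- apiGroups: [""]
+resources: ["persistentvolumeclaims"]
+verbs: ["get", "list", "watch", "update"]
+- apiGroups: ["storage.k8s.io"]
+resources: ["storageclasses"]
+verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+resources: ["events"]
+verbs: ["create", "update", "patch"]
+- apiGroups: [""]
+resources: ["services"]
+verbs: ["get"]
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get", "create", "delete"]
+- apiGroups: [""]
+resources: ["endpoints"]
+verbs: ["get", "create", "delete"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: run-glusterfile-provisioner
+subjects:
+- kind: ServiceAccount
+name: glusterfile-provisioner
+namespace: default
+roleRef:
+kind: ClusterRole
+name: glusterfile-provisioner-runner
+apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: leader-locking-glusterfile-provisioner
+rules:
+- apiGroups: [""]
+resources: ["endpoints"]
+verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: leader-locking-glusterfile-provisioner
+subjects:
+- kind: ServiceAccount
+name: glusterfile-provisioner
+# replace with namespace where provisioner is deployed
+namespace: default
+roleRef:
+kind: Role
+name: leader-locking-glusterfile-provisioner
+apiGroup: rbac.authorization.k8s.io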
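Review bot: The ClusterRole keeps a cluster-wide Endpoints rule (`get`, `create`, `delete`) alongside the new namespaced `leader-locking-glusterfile-provisioner` Role, so the lock scoping this commit introduces does not reduce this service account's Endpoints reach: it can still create and delete Endpoints in any namespace, which redirects or breaks arbitrary Services cluster-wide. If the cluster-wide rule exists because the provisioner creates Gluster Endpoints in each PVC's namespace (plausible from the `glusterfile` name but not shown here), say so in a comment above it, e.g. `# cluster-wide: per-volume Gluster Endpoints are created in the PVC's namespace; leader election uses the namespaced Role below`, and drop any verb that is not needed. The ClusterRoleBinding subject's `namespace: default` also lacks the `# replace with namespace where provisioner is deployed` comment that the RoleBinding subject carries; add it so both bindings are updated together.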
