From 0b3badf3d853f5de0a83bf8effaef0b0423def3b Mon Sep 17 00:00:00 2001
From: jwfang <54740235@qq.com>
Date: Mon, 10 Jul 2017 16:53:11 +0800
Subject: [PATCH] revert calico-related changes

---
 .../policy_controller/calico/tasks/main.yml   | 25 -------------------
 .../calico-policy-controller-clusterrole.yml  | 16 ------------
 ...o-policy-controller-clusterrolebinding.yml | 12 ---------
 .../templates/calico-policy-controller-sa.yml |  7 ------
 .../templates/calico-policy-controller.yml.j2 |  3 ---
 roles/kubespray-defaults/defaults/main.yaml   |  2 +-
 roles/network_plugin/calico/tasks/main.yml    | 22 ----------------
 .../templates/calico-node-clusterrole.yml     | 12 ---------
 .../calico-node-clusterrolebinding.yml        | 12 ---------
 9 files changed, 1 insertion(+), 110 deletions(-)
 delete mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
 delete mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
 delete mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
 delete mode 100644 roles/network_plugin/calico/templates/calico-node-clusterrole.yml
 delete mode 100644 roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml

diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index 18ac8c18c..8b4271d6a 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -3,31 +3,6 @@
   when: kube_network_plugin == 'canal'
   tags: [facts, canal]
 
-- name: Lay Down calico-policy-controller RBAC Template
-  template:
-    src: "{{item.file}}"
-    dest: "{{kube_config_dir}}/{{item.file}}"
-  with_items:
-    - {name: calico-policy-controller, file: calico-policy-controller-sa.yml, type: sa}
-    - {name: calico-policy-controller, file: calico-policy-controller-clusterrole.yml, type: clusterrole}
-    - {name: calico-policy-controller, file: calico-policy-controller-clusterrolebinding.yml, type: clusterrolebinding}
-  register: manifests
-  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-  tags: canal
-
-- name: Create calico-policy-controller RBAC Resources
-  kube:
-    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
-    kubectl: "{{bin_dir}}/kubectl"
-    resource: "{{item.item.type}}"
-    filename: "{{kube_config_dir}}/{{item.item.file}}"
-    state: "{{item.changed | ternary('latest','present') }}"
-  with_items: "{{ manifests.results }}"
-  failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
-  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-  tags: canal
-
 - name: Write calico-policy-controller yaml
   template:
     src: calico-policy-controller.yml.j2
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
deleted file mode 100644
index 3b71b9001..000000000
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: calico-policy-controller
-  namespace: {{ system_namespace }}
-rules:
-  - apiGroups:
-    - ""
-    - extensions
-    resources:
-      - pods
-      - namespaces
-      - networkpolicies
-    verbs:
-      - watch
-      - list
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
deleted file mode 100644
index 535865f01..000000000
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: calico-policy-controller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: calico-policy-controller
-subjects:
-- kind: ServiceAccount
-  name: calico-policy-controller
-  namespace: {{ system_namespace }}
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
deleted file mode 100644
index 388f12977..000000000
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: calico-policy-controller
-  namespace: {{ system_namespace }}
-  labels:
-    kubernetes.io/cluster-service: "true"
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
index 9639fed82..322d3a37b 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
@@ -60,6 +60,3 @@ spec:
       - hostPath:
           path: {{ calico_cert_dir }}
         name: etcd-certs
-{% if rbac_enabled %}
-      serviceAccountName: calico-policy-controller
-{% endif %}
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index ed827d27b..db5fc1997 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -118,5 +118,5 @@ enable_network_policy: false
 ## List of authorization modes that must be configured for
 ## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
 ## 'RBAC' modes are tested.
-authorization_modes: []
+authorization_modes: ['AlwaysAllow']
 rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
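Review bot: The new default `authorization_modes: ['AlwaysAllow']` ships a mode in which the API server authorizes every request it receives, and the `##` comment above the changed line only lists which modes are tested without saying so. I would add a line to that comment block, for example `## 'AlwaysAllow' performs no authorization checks; set ['RBAC'] where access control is required.`, so the permissive default is a visible, deliberate choice. Because `rbac_enabled` on the next line is derived from this list, and the other hunks of this patch delete the calico-node and calico-policy-controller ClusterRole/ClusterRoleBinding templates together with the tasks that applied them, an operator who overrides the value to `['RBAC']` would presumably end up with calico components that have no role bindings. That limitation is worth stating in the same comment until the RBAC manifests are restored.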
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index a67cb7fca..38d3ad5db 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -195,28 +195,6 @@
   when: secret_changed|default(false) or etcd_secret_changed|default(false)
   notify: restart calico-node
 
-- name: Calico | Lay Down calico-node RBAC Template
-  template:
-    src: "{{item.file}}"
-    dest: "{{kube_config_dir}}/{{item.file}}"
-  with_items:
-    - {name: calico-node, file: calico-node-clusterrole.yml, type: clusterrole}
-    - {name: calico-node, file: calico-node-clusterrolebinding.yml, type: clusterrolebinding}
-  register: manifests
-  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-
-- name: Calico | Create calico-node RBAC Resources
-  kube:
-    name: "{{item.item.name}}"
-    namespace: "{{ system_namespace }}"
-    kubectl: "{{bin_dir}}/kubectl"
-    resource: "{{item.item.type}}"
-    filename: "{{kube_config_dir}}/{{item.item.file}}"
-    state: "{{item.changed | ternary('latest','present') }}"
-  with_items: "{{ manifests.results }}"
-  failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
-  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
-
 - meta: flush_handlers
 
 - name: Calico | Enable calico-node
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrole.yml b/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
deleted file mode 100644
index b48c74735..000000000
--- a/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: calico-node
-  namespace: {{ system_namespace }}
-rules:
-  - apiGroups: [""]
-    resources:
-      - pods
-      - nodes
-    verbs:
-      - get
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml b/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
deleted file mode 100644
index cdbd15685..000000000
--- a/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: calico-node
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: calico-node
-subjects:
-- kind: Group
-  name: system:nodes
-  namespace: kube-system
-- 
GitLab