diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 24d1b5bcabd24405d49172c28f592cf9705b50ae..cc244619e7c16b69c951450319239d08a41471e0 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -191,7 +191,7 @@
 src: "{{ fname }}"
 dest: "{{ fname }}"
 mode: push
- delegate_to: localhost
+ #delegate_to: localhost
 become: false
 register: get_task
 until: get_task|succeeded
diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index 02aac8988c39d49faa070b96c39b20cb8e22e952..18ac8c18cc63ff27d8c453873f1cf917678c71a5 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -3,7 +3,7 @@
 when: kube_network_plugin == 'canal'
 tags: [facts, canal]
-- name: Lay Down calico-policy-controller Template
+- name: Lay Down calico-policy-controller RBAC Template
 template:
 src: "{{item.file}}"
 dest: "{{kube_config_dir}}/{{item.file}}"
@@ -15,7 +15,7 @@
 when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
 tags: canal
-- name: Create calico-policy-controller Resources
+- name: Create calico-policy-controller RBAC Resources
 kube:
 name: "{{item.item.name}}"
 namespace: "{{ system_namespace }}"
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index 38d3ad5db69a6cbac39a37fdd10e7d5468c22d53..59ae25e17e3c059169665c90c185f62c581f3c16 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
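Review bot: `#delegate_to: localhost` at the changed line 194 leaves dead configuration in the task instead of either removing the directive or recording why it is disabled, and it is a behaviour change in the download role that has nothing to do with the calico-node RBAC work in the rest of the commit. If the push task (the `mode: push` context suggests a file-sync step; its module line is outside the hunk) is now meant to run without delegation, delete the line and keep the reason next to the task, e.g. `# not delegated on purpose: <reason from the author>`, or move this change to its own commit so it can be reviewed and reverted independently. The enclosing task begins before the hunk, so I cannot see which module it drives.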
@@ -195,6 +195,28 @@
 when: secret_changed|default(false) or etcd_secret_changed|default(false)
 notify: restart calico-node
+- name: Lay Down calico-node RBAC Template
+ template:
+ src: "{{item.file}}"
+ dest: "{{kube_config_dir}}/{{item.file}}"
+ with_items:
+ - {name: calico-node, file: calico-node-clusterrole.yml, type: clusterrole}
+ - {name: calico-node, file: calico-node-clusterrolebinding.yml, type: clusterrolebinding}
+ register: manifests
+ when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+
+- name: Create calico-node RBAC Resources
+ kube:
+ name: "{{item.item.name}}"
+ namespace: "{{ system_namespace }}"
+ kubectl: "{{bin_dir}}/kubectl"
+ resource: "{{item.item.type}}"
+ filename: "{{kube_config_dir}}/{{item.item.file}}"
+ state: "{{item.changed | ternary('latest','present') }}"
+ with_items: "{{ manifests.results }}"
+ failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
+ when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+
 - meta: flush_handlers
 - name: Calico | Enable calico-node
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrole.yml b/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b48c747355aceda2451d808dc5c3ed0a3d5aae32
--- /dev/null
+++ b/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
@@ -0,0 +1,12 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-node
+ namespace: {{ system_namespace }}
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml b/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cdbd1568577affcb849101434e3d610c12476ea7
--- /dev/null
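Review bot: The `failed_when` on the new `Create calico-node RBAC Resources` task tests `manifests`, which is the variable registered by the preceding template task, not the result of this `kube` call; as far as the hunk shows nothing registers this task's own result, so the expression can never reflect a kubectl failure and a refused or failed ClusterRole/ClusterRoleBinding creation is silently treated as success, leaving calico-node to start without the permissions this commit is adding. Register the task's result and test that instead, e.g. `register: calico_node_rbac` and `failed_when: calico_node_rbac|failed and "Error from server (AlreadyExists)" not in calico_node_rbac.msg`. The `with_items: "{{ manifests.results }}"` reference to the template result is correct and should stay. As a style aside, the two `with_items` entries are structured data written in flow style; block style would diff more cleanly if more templates are added later.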
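Review bot: `namespace: {{ system_namespace }}` under `metadata` of the new ClusterRole template has no effect: ClusterRole is a cluster-scoped kind, so the namespace is not part of its identity and, as far as I know, the API server discards it on create, and it is also inconsistent with the hard-coded `namespace: kube-system` in the sibling ClusterRoleBinding template. Drop the line so the manifest reflects the resource's real scope. The rule set itself (`get` on `pods` and `nodes` in the core API group) is appropriately narrow; a short header comment in the template would help keep it that way, e.g. `# Minimal read-only access for calico-node; extend deliberately, never to '*'.`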
+++ b/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-node
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-node
+subjects:
+- kind: Group
+ name: system:nodes
+ namespace: kube-system
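Review bot: `namespace: kube-system` on the `system:nodes` Group subject does nothing: a subject's namespace is only meaningful for ServiceAccount subjects, and the RBAC authorizer does not use it when matching a Group, so the line suggests a scoping that is not enforced. Either remove it, or, if the intent was to bind a dedicated identity for calico-node rather than every kubelet, use `kind: ServiceAccount` with the account's `name` and `namespace: {{ system_namespace }}`; binding the role to the whole `system:nodes` group grants it to every node credential in the cluster, which is only right if calico-node actually authenticates with node credentials (not visible in this diff, please confirm). If the binding stays as a Group, prefer the `{{ system_namespace }}` variable that the ClusterRole template uses over the hard-coded string so the two templates do not drift.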