From 2cda982345405739dd56180ffe301188d44f235f Mon Sep 17 00:00:00 2001
From: jwfang <54740235@qq.com>
Date: Fri, 7 Jul 2017 15:43:48 +0800
Subject: [PATCH] binding group system:nodes to clusterrole calico-role

---
 roles/download/tasks/main.yml                 |  2 +-
 .../policy_controller/calico/tasks/main.yml   |  4 ++--
 roles/network_plugin/calico/tasks/main.yml    | 22 +++++++++++++++++++
 .../templates/calico-node-clusterrole.yml     | 12 ++++++++++
 .../calico-node-clusterrolebinding.yml        | 12 ++++++++++
 5 files changed, 49 insertions(+), 3 deletions(-)
 create mode 100644 roles/network_plugin/calico/templates/calico-node-clusterrole.yml
 create mode 100644 roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml

diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 24d1b5bca..cc244619e 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -191,7 +191,7 @@
     src: "{{ fname }}"
     dest: "{{ fname }}"
     mode: push
-  delegate_to: localhost
+  #delegate_to: localhost
   become: false
   register: get_task
   until: get_task|succeeded
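Review bot: The `delegate_to: localhost` line is commented out instead of removed, leaving dead configuration in the task with no hint of why the step no longer runs from the controller; either delete the line or replace the comment with the actual reason, e.g. `# not delegated: this step must run on the target host` — only if that is in fact the reason, since the patch does not state one. This change is also unrelated to the RBAC work named in the subject and is not mentioned there, so it would be clearer as its own commit with a message. The task's header (its name and module) starts above the hunk; the `src`/`dest`/`mode: push` keys suggest a `synchronize` task, but that is not visible here.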
diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index 02aac8988..18ac8c18c 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -3,7 +3,7 @@
   when: kube_network_plugin == 'canal'
   tags: [facts, canal]
 
-- name: Lay Down calico-policy-controller Template
+- name: Lay Down calico-policy-controller RBAC Template
   template:
     src: "{{item.file}}"
     dest: "{{kube_config_dir}}/{{item.file}}"
@@ -15,7 +15,7 @@
   when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
   tags: canal
 
-- name: Create calico-policy-controller Resources
+- name: Create calico-policy-controller RBAC Resources
   kube:
     name: "{{item.item.name}}"
     namespace: "{{ system_namespace }}"
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index 38d3ad5db..59ae25e17 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -195,6 +195,28 @@
   when: secret_changed|default(false) or etcd_secret_changed|default(false)
   notify: restart calico-node
 
+- name: Lay Down calico-node RBAC Template
+  template:
+    src: "{{item.file}}"
+    dest: "{{kube_config_dir}}/{{item.file}}"
+  with_items:
+    - {name: calico-node, file: calico-node-clusterrole.yml, type: clusterrole}
+    - {name: calico-node, file: calico-node-clusterrolebinding.yml, type: clusterrolebinding}
+  register: manifests
+  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+
+- name: Create calico-node RBAC Resources
+  kube:
+    name: "{{item.item.name}}"
+    namespace: "{{ system_namespace }}"
+    kubectl: "{{bin_dir}}/kubectl"
+    resource: "{{item.item.type}}"
+    filename: "{{kube_config_dir}}/{{item.item.file}}"
+    state: "{{item.changed | ternary('latest','present') }}"
+  with_items: "{{ manifests.results }}"
+  failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
+  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+
 - meta: flush_handlers
 
 - name: Calico | Enable calico-node
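Review bot: The `failed_when` on the "Create calico-node RBAC Resources" task tests `manifests`, which is the variable registered by the preceding template task, not the result of the `kube` call it is attached to, so the AlreadyExists tolerance is evaluated against the template result and never against the kubectl error it is meant to excuse. Register the kube task's own result and test that instead, e.g. `register: calico_node_rbac` on the task and `failed_when: calico_node_rbac|failed and "Error from server (AlreadyExists)" not in calico_node_rbac.msg`. The pattern appears to be copied from the policy_controller role, so the same issue is presumably present there too. Also, `namespace: "{{ system_namespace }}"` is passed for ClusterRole/ClusterRoleBinding resources, which are cluster-scoped; it is likely ignored but reads as if these objects were namespaced.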
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrole.yml b/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
new file mode 100644
index 000000000..b48c74735
--- /dev/null
+++ b/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
@@ -0,0 +1,12 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-node
+  namespace: {{ system_namespace }}
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+    verbs:
+      - get
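Review bot: `namespace: {{ system_namespace }}` under `metadata` of a ClusterRole has no effect because ClusterRoles are cluster-scoped; drop the line so the manifest does not suggest the role is confined to one namespace. Separately, the accompanying binding attaches this role to the whole `system:nodes` group, so every kubelet gains `get` on every pod and node in the cluster, which is wider than the per-node scoping the Node authorizer applies to kubelet credentials; if calico-node runs under the node credential and genuinely needs cluster-wide reads, a comment at the top of the template saying so (and why `get` alone suffices) would make the grant reviewable. Whether calico-node also needs `list`/`watch` on these resources is not visible from this patch; verify against the calico version being deployed.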
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml b/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
new file mode 100644
index 000000000..cdbd15685
--- /dev/null
+++ b/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-node
+subjects:
+- kind: Group
+  name: system:nodes
+  namespace: kube-system
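Review bot: `namespace: kube-system` on a `Group` subject is meaningless (a subject namespace applies only to ServiceAccount subjects) and is also a hard-coded value where the sibling template uses `{{ system_namespace }}`; remove the line. The patch subject refers to clusterrole `calico-role`, but the role created here and referenced in `roleRef` is named `calico-node`, so the commit message should say `calico-node`.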
-- 
GitLab