From 33c4d64b62761890edbad54f6c4f14f8c35119c1 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <matthew.mosesohn@gmail.com>
Date: Tue, 24 Oct 2017 17:05:58 +0100
Subject: [PATCH] Make ClusterRoleBinding to admit all nodes with right cert
 (#1861)

This is to work around #1856 which can occur when kubelet
hostname and resolvable hostname (or cloud instance name)
do not match.
---
 roles/kubernetes-apps/ansible/tasks/main.yml    | 17 +++++++++++++++++
 .../ansible/templates/node-crb.yml.j2           | 17 +++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 roles/kubernetes-apps/ansible/templates/node-crb.yml.j2

diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index 57f98ed86..26a0a1f99 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -8,6 +8,23 @@
   delay: 6
   when: inventory_hostname == groups['kube-master'][0]
 
+- name: Kubernetes Apps | Add ClusterRoleBinding to admit nodes
+  template:
+    src: "node-crb.yml.j2"
+    dest: "{{ kube_config_dir }}/node-crb.yml"
+  register: node_crb_manifest
+  when: rbac_enabled
+
+- name: Apply workaround to allow all nodes with cert O=system:nodes to register
+  kube:
+    name: "system:node"
+    kubectl: "{{bin_dir}}/kubectl"
+    resource: "clusterrolebinding"
+    filename: "{{ kube_config_dir }}/node-crb.yml"
+  when:
+    - rbac_enabled
+    - node_crb_manifest.changed
+
 - name: Kubernetes Apps | Delete old kubedns resources
   kube:
     name: "kubedns"
diff --git a/roles/kubernetes-apps/ansible/templates/node-crb.yml.j2 b/roles/kubernetes-apps/ansible/templates/node-crb.yml.j2
new file mode 100644
index 000000000..98e82dff7
--- /dev/null
+++ b/roles/kubernetes-apps/ansible/templates/node-crb.yml.j2
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:nodes
-- 
GitLab