Commit 33c4d64b authored by Matthew Mosesohn, committed by GitHub

Make ClusterRoleBinding to admit all nodes with right cert (#1861)

This is to work around #1856 which can occur when kubelet
hostname and resolvable hostname (or cloud instance name)
do not match.
parent 25de6825
...@@ -8,6 +8,23 @@ ...@@ -8,6 +8,23 @@
delay: 6 delay: 6
when: inventory_hostname == groups['kube-master'][0] when: inventory_hostname == groups['kube-master'][0]
- name: Kubernetes Apps | Add ClusterRoleBinding to admit nodes
template:
src: "node-crb.yml.j2"
dest: "{{ kube_config_dir }}/node-crb.yml"
register: node_crb_manifest
when: rbac_enabled
- name: Apply workaround to allow all nodes with cert O=system:nodes to register
kube:
name: "system:node"
kubectl: "{{bin_dir}}/kubectl"
resource: "clusterrolebinding"
filename: "{{ kube_config_dir }}/node-crb.yml"
when:
- rbac_enabled
- node_crb_manifest.changed
- name: Kubernetes Apps | Delete old kubedns resources - name: Kubernetes Apps | Delete old kubedns resources
kube: kube:
name: "kubedns" name: "kubedns"
......
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
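Review bot: The subject is the whole `system:nodes` group, so any client certificate carrying O=system:nodes receives the `system:node` ClusterRole cluster-wide regardless of its hostname; that is the intended workaround, but nothing in the manifest says so. The `kubernetes.io/bootstrapping: rbac-defaults` label and the `autoupdate: "true"` annotation make the object look like a stock bootstrap default rather than a deliberate widening of node authorization. Suggest a header comment that references #1856 and states the trade-off, and consider gating the binding on a dedicated variable so that clusters whose kubelet hostnames already match can leave it out.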