From 702ce446dffae3a17c0a427398986eb38764f2da Mon Sep 17 00:00:00 2001
From: Dann <whereismyjetpack@users.noreply.github.com>
Date: Sun, 3 Sep 2017 03:53:45 -0400
Subject: [PATCH] Apply ClusterRoleBinding to dnsmaq when rbac_enabled (#1592)

* Add RBAC policies to dnsmasq

* fix merge conflict

* yamllint

* use .j2 extension for dnsmasq autoscaler
---
 roles/dnsmasq/tasks/main.yml                  | 22 ++++++++++++++++++-
 ...toscaler.yml => dnsmasq-autoscaler.yml.j2} |  3 +++
 .../templates/dnsmasq-clusterrolebinding.yml  | 14 ++++++++++++
 roles/dnsmasq/templates/dnsmasq-deploy.yml    |  1 -
 .../templates/dnsmasq-serviceaccount.yml      |  8 +++++++
 5 files changed, 46 insertions(+), 2 deletions(-)
 rename roles/dnsmasq/templates/{dnsmasq-autoscaler.yml => dnsmasq-autoscaler.yml.j2} (96%)
 create mode 100644 roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
 create mode 100644 roles/dnsmasq/templates/dnsmasq-serviceaccount.yml

diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
index 56ec80d98..a06afbdce 100644
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -56,6 +56,26 @@
     dest: /etc/dnsmasq.d/01-kube-dns.conf
     state: link
 
+- name: Create dnsmasq RBAC manifests
+  template:
+    src: "{{ item }}"
+    dest: "{{ kube_config_dir }}/{{ item }}"
+  with_items:
+    - "dnsmasq-clusterrolebinding.yml"
+    - "dnsmasq-serviceaccount.yml"
+  when: rbac_enabled
+  delegate_to: "{{ groups['kube-master'][0] }}"
+  run_once: true
+
+- name: Apply dnsmasq RBAC manifests
+  command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }}"
+  with_items:
+    - "dnsmasq-clusterrolebinding.yml"
+    - "dnsmasq-serviceaccount.yml"
+  when: rbac_enabled
+  delegate_to: "{{ groups['kube-master'][0] }}"
+  run_once: true
+
 - name: Create dnsmasq manifests
   template:
     src: "{{item.file}}"
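Review bot: The "Apply dnsmasq RBAC manifests" task reports changed on every run, because `kubectl apply` is driven through `command` with no `changed_when`, so each play of this role shows spurious changes even when the objects already match. The task just below registers its templated manifests (`register: manifests`) and presumably hands them to a dedicated step, so the RBAC objects could follow that same path; at minimum register the result and derive change from kubectl's own wording, e.g. `register: dnsmasq_rbac_apply` and `changed_when: "'unchanged' not in dnsmasq_rbac_apply.stdout"`. The two-file manifest list is also repeated verbatim in both new tasks; a single role variable would keep them from drifting apart.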
@@ -63,7 +83,7 @@
   with_items:
     - {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment}
     - {name: dnsmasq, file: dnsmasq-svc.yml, type: svc}
-    - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment}
+    - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml.j2, type: deployment}
   register: manifests
   delegate_to: "{{ groups['kube-master'][0] }}"
   run_once: true
diff --git a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2
similarity index 96%
rename from roles/dnsmasq/templates/dnsmasq-autoscaler.yml
rename to roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2
index 85b357950..d9e7b10f3 100644
--- a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml
+++ b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2
@@ -31,6 +31,9 @@ spec:
         scheduler.alpha.kubernetes.io/critical-pod: ''
         scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
     spec:
+{% if rbac_enabled %}
+      serviceAccountName: dnsmasq
+{% endif %}
       tolerations:
         - effect: NoSchedule
           operator: Exists
diff --git a/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml b/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
new file mode 100644
index 000000000..817de877b
--- /dev/null
+++ b/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
@@ -0,0 +1,14 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: dnsmasq
+  namespace: "{{ system_namespace }}"
+subjects:
+  - kind: ServiceAccount
+    name: dnsmasq
+    namespace: "{{ system_namespace}}"
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
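Review bot: The `roleRef` binds `cluster-admin` to the `dnsmasq` service account, yet the only workload given that account in this patch is the autoscaler (`serviceAccountName` is added to dnsmasq-autoscaler.yml.j2 alone), which should only need to watch nodes and scale the dnsmasq deployment. A compromised or misbehaving autoscaler pod would therefore hold full cluster privileges; a dedicated ClusterRole limited to those verbs keeps the grant proportional to the job, and the rules below are the usual set for cluster-proportional-autoscaler but must be checked against the autoscaler version actually deployed. Two smaller points in the same file: `metadata.namespace` has no meaning on a cluster-scoped ClusterRoleBinding and is best dropped, and the subject's `"{{ system_namespace}}"` is missing the space before `}}` that the metadata line has.
```yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dnsmasq-autoscaler
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments/scale"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dnsmasq
# … unchanged: subjects (service account dnsmasq in {{ system_namespace }}) …
roleRef:
  kind: ClusterRole
  name: dnsmasq-autoscaler
  apiGroup: rbac.authorization.k8s.io
```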
diff --git a/roles/dnsmasq/templates/dnsmasq-deploy.yml b/roles/dnsmasq/templates/dnsmasq-deploy.yml
index 94b15206b..838471050 100644
--- a/roles/dnsmasq/templates/dnsmasq-deploy.yml
+++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml
@@ -57,7 +57,6 @@ spec:
               mountPath: /etc/dnsmasq.d
             - name: etcdnsmasqdavailable
               mountPath: /etc/dnsmasq.d-available
-
       volumes:
         - name: etcdnsmasqd
           hostPath:
diff --git a/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml b/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
new file mode 100644
index 000000000..bce8a232f
--- /dev/null
+++ b/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dnsmasq
+  namespace: "{{ system_namespace }}"
+  labels:
+    kubernetes.io/cluster-service: "true"
-- 
GitLab