From 9a4aa4288cc6bcbe4bc1601540c3f466e138dcb9 Mon Sep 17 00:00:00 2001
From: MQasimSarfraz <syed.qasim.sarfraz@gmail.com>
Date: Mon, 12 Mar 2018 18:07:08 +0000
Subject: [PATCH] Fix vsphere cloud_provider RBAC permissions

---
 .../cluster_roles/tasks/main.yml              | 27 ++++++++++++++
 .../templates/vsphere-rbac.yml.j2             | 35 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2

diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index 3f696a9fe..f9c5fc9b2 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -75,6 +75,33 @@
     - node_webhook_crb_manifest.changed
   tags: node-webhook
 
+- name: Write vsphere-cloud-provider ClusterRole manifest
+  template:
+    src: "vsphere-rbac.yml.j2"
+    dest: "{{ kube_config_dir }}/vsphere-rbac.yml"
+  register: vsphere_rbac_manifest
+  when:
+    - rbac_enabled
+    - cloud_provider is defined
+    - cloud_provider == 'vsphere'
+    - kube_version | version_compare('v1.9.0', '>=')
+  tags: vsphere
+
+- name: Apply vsphere-cloud-provider ClusterRole
+  kube:
+    name: "system:vsphere-cloud-provider"
+    kubectl: "{{bin_dir}}/kubectl"
+    resource: "clusterrolebinding"
+    filename: "{{ kube_config_dir }}/vsphere-rbac.yml"
+    state: latest
+  when:
+    - rbac_enabled
+    - cloud_provider is defined
+    - cloud_provider == 'vsphere'
+    - vsphere_rbac_manifest.changed
+    - kube_version | version_compare('v1.9.0', '>=')
+  tags: vsphere
+
 # This is not a cluster role, but should be run after kubeconfig is set on master
 - name: Write kube system namespace manifest
   template:
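Review bot: In the `Apply vsphere-cloud-provider ClusterRole` task, `resource: "clusterrolebinding"` disagrees with the task name and with the manifest it applies, which carries both a ClusterRole and a ClusterRoleBinding named `system:vsphere-cloud-provider`. If the kube module uses `resource`/`name` for its lookup or removal path rather than only passing `filename` through, the ClusterRole half is never tracked; I would either rename the task to `Apply vsphere-cloud-provider ClusterRole and ClusterRoleBinding` and note in a comment that `resource` only names the second document, or split the apply into one task per kind. The two `when` lists are duplicated verbatim apart from `vsphere_rbac_manifest.changed`; a shared condition would keep the version gate from drifting between them. `kubectl: "{{bin_dir}}/kubectl"` also drops the spaces inside the braces that the neighbouring `{{ kube_config_dir }}` uses. The trailing `Write kube system namespace manifest` task continues past the hunk.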
diff --git a/roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2
new file mode 100644
index 000000000..99da0462f
--- /dev/null
+++ b/roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:vsphere-cloud-provider
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:vsphere-cloud-provider
+roleRef:
+  kind: ClusterRole
+  name: system:vsphere-cloud-provider
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  name: vsphere-cloud-provider
+  namespace: kube-system
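Review bot: The ClusterRoleBinding's subject, ServiceAccount `vsphere-cloud-provider` in `kube-system`, is not created anywhere in this patch, so the binding only takes effect if that account already exists and the cloud-provider controller actually runs as it — worth confirming, or adding the ServiceAccount as a third document in this template so the grant is self-contained. A one-line header would make the scope of the grant reviewable at a glance: `# vSphere cloud provider: read-only on nodes, write on events (cluster-wide).` For consistency with the second document, the first one could also open with `---`.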
-- 
GitLab