diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6a456f9df86f71c1e6c4c515bfe9598831b6f9a0..17851b19c7fa8a340c620b7e86e6ec48e2cb3a42 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -269,9 +269,10 @@ before_script:
##User-data to simply turn off coreos upgrades
STARTUP_SCRIPT: 'systemctl disable locksmithd && systemctl stop locksmithd'
-.ubuntu_canal_ha_variables: &ubuntu_canal_ha_variables
+.ubuntu_canal_ha_rbac_variables: &ubuntu_canal_ha_rbac_variables
# stage: deploy-gce-part1
KUBE_NETWORK_PLUGIN: canal
+ AUTHORIZATION_MODES: "{ 'authorization_modes': [ 'RBAC' ] }"
CLOUD_IMAGE: ubuntu-1604-xenial
CLOUD_REGION: europe-west1-b
CLUSTER_MODE: ha
@@ -445,24 +446,24 @@ ubuntu-weave-sep-triggers:
only: ['triggers']
# More builds for PRs/merges (manual) and triggers (auto)
-ubuntu-canal-ha:
+ubuntu-canal-ha-rbac:
stage: deploy-gce-part1
<<: *job
<<: *gce
variables:
<<: *gce_variables
- <<: *ubuntu_canal_ha_variables
+ <<: *ubuntu_canal_ha_rbac_variables
when: manual
except: ['triggers']
only: ['master', /^pr-.*$/]
-ubuntu-canal-ha-triggers:
+ubuntu-canal-ha-rbac-triggers:
stage: deploy-gce-part1
<<: *job
<<: *gce
variables:
<<: *gce_variables
- <<: *ubuntu_canal_ha_variables
+ <<: *ubuntu_canal_ha_rbac_variables
when: on_success
only: ['triggers']
diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
index c3dbf3cb589577405f592cd443479797c704d463..6e2738e6fc753b0ac210b95db1e412e955cde4fd 100644
--- a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2
@@ -25,12 +25,14 @@ spec:
memory: {{ netchecker_server_memory_requests }}
ports:
- containerPort: 8081
- hostPort: 8081
args:
- "-v=5"
- "-logtostderr"
- "-kubeproxyinit"
- "-endpoint=0.0.0.0:8081"
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
{% if rbac_enabled %}
serviceAccountName: netchecker-server
{% endif %}
diff --git a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
index 72956dac905ea4f487c270e3fbce455afea3505b..6f3bb4d85e6760ceaf4762fa9af990d22cde36c3 100644
--- a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
@@ -1,20 +1,11 @@
---
-- name: Create canal ConfigMap
- run_once: true
+- name: Canal | Start Resources
kube:
- name: "canal-config"
+ name: "{{item.item.name}}"
+ namespace: "{{ system_namespace }}"
kubectl: "{{bin_dir}}/kubectl"
- filename: "{{kube_config_dir}}/canal-config.yaml"
- resource: "configmap"
- namespace: "{{system_namespace}}"
-
-- name: Start flannel and calico-node
- run_once: true
- kube:
- name: "canal-node"
- kubectl: "{{bin_dir}}/kubectl"
- filename: "{{kube_config_dir}}/canal-node.yaml"
- resource: "ds"
- namespace: "{{system_namespace}}"
- state: "{{ item | ternary('latest','present') }}"
- with_items: "{{ canal_node_manifest.changed }}"
+ resource: "{{item.item.type}}"
+ filename: "{{kube_config_dir}}/{{item.item.file}}"
+ state: "{{item.changed | ternary('latest','present') }}"
+ with_items: "{{ canal_manifests.results }}"
+ when: inventory_hostname == groups['kube-master'][0]
diff --git a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
index 93d12c901353196ff441b1d1882199a1316e0a15..0e66359cc18f75ce5864ba15ddb52157d37e3566 100644
--- a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
@@ -8,3 +8,8 @@ calico_policy_controller_memory_requests: 64M
# SSL
calico_cert_dir: "/etc/calico/certs"
canal_cert_dir: "/etc/canal/certs"
+
+rbac_resources:
+ - sa
+ - clusterrole
+ - clusterrolebinding
diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index de102f31da0a3845c8657939a7f2b5be662fb8fa..79bb535b7adec8ef04a213ddb053b36d40f0dfae 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -1,22 +1,49 @@
---
-- set_fact:
+- name: Set cert dir
+ set_fact:
calico_cert_dir: "{{ canal_cert_dir }}"
when: kube_network_plugin == 'canal'
tags: [facts, canal]
-- name: Write calico-policy-controller yaml
+- name: Get calico-policy-controller version if running
+ shell: "{{ bin_dir }}/kubectl -n {{ system_namespace }} get rs calico-policy-controller -o=jsonpath='{$.spec.template.spec.containers[:1].image}' | cut -d':' -f2"
+ register: existing_calico_policy_version
+ run_once: true
+ failed_when: false
+
+# FIXME(mattymo): This should not be necessary
+- name: Delete calico-policy-controller if an old one is installed
+ kube:
+ name: calico-policy-controller
+ kubectl: "{{bin_dir}}/kubectl"
+ resource: rs
+ namespace: "{{ system_namespace }}"
+ state: absent
+ run_once: true
+ when:
+ - not "NotFound" in existing_calico_policy_version.stderr
+ - existing_calico_policy_version.stdout | version_compare('v0.7.0', '<')
+
+- name: Create calico-policy-controller manifests
template:
- src: calico-policy-controller.yml.j2
- dest: "{{kube_config_dir}}/calico-policy-controller.yml"
- when: inventory_hostname == groups['kube-master'][0]
- tags: canal
+ src: "{{item.file}}.j2"
+ dest: "{{kube_config_dir}}/{{item.file}}"
+ with_items:
+ - {name: calico-policy-controller, file: calico-policy-controller.yml, type: rs}
+ - {name: calico-policy-controller, file: calico-policy-sa.yml, type: sa}
+ - {name: calico-policy-controller, file: calico-policy-cr.yml, type: clusterrole}
+ - {name: calico-policy-controller, file: calico-policy-crb.yml, type: clusterrolebinding}
+ register: calico_policy_manifests
+ when:
+ - rbac_enabled or item.type not in rbac_resources
- name: Start of Calico policy controller
kube:
- name: "calico-policy-controller"
+ name: "{{item.item.name}}"
+ namespace: "{{ system_namespace }}"
kubectl: "{{bin_dir}}/kubectl"
- filename: "{{kube_config_dir}}/calico-policy-controller.yml"
- namespace: "{{system_namespace}}"
- resource: "rs"
+ resource: "{{item.item.type}}"
+ filename: "{{kube_config_dir}}/{{item.item.file}}"
+ state: "{{item.changed | ternary('latest','present') }}"
+ with_items: "{{ calico_policy_manifests.results }}"
when: inventory_hostname == groups['kube-master'][0]
- tags: canal
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
index 4722cbc53bd6bb73830f12cf64456b5f2042926c..ca17114630ea21bdb5bfccfcc2ffb6afc3a6b9ba 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
@@ -15,15 +15,18 @@ spec:
template:
metadata:
name: calico-policy-controller
- namespace: {{system_namespace}}
+ namespace: {{ system_namespace }}
labels:
kubernetes.io/cluster-service: "true"
k8s-app: calico-policy
spec:
hostNetwork: true
+{% if rbac_enabled %}
+ serviceAccountName: calico-policy-controller
+{% endif %}
tolerations:
- - effect: NoSchedule
- operator: Exists
+ - effect: NoSchedule
+ operator: Exists
containers:
- name: calico-policy-controller
image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }}
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-cr.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-cr.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..aac341ca6dbe3a190df828d510d51bd6e02ca5b8
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-cr.yml.j2
@@ -0,0 +1,17 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-policy-controller
+ namespace: {{ system_namespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ resources:
+ - pods
+ - namespaces
+ - networkpolicies
+ verbs:
+ - watch
+ - list
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-crb.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-crb.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d5c192018afb1f5bb53631d0cd0c510c2c009757
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-crb.yml.j2
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-policy-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-policy-controller
+subjects:
+- kind: ServiceAccount
+ name: calico-policy-controller
+ namespace: {{ system_namespace }}
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-sa.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-sa.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c6bc07fbbf506f5b60bc9a8e647221d376dadf9f
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-sa.yml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-policy-controller
+ namespace: {{ system_namespace }}
+ labels:
+ kubernetes.io/cluster-service: "true"
diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml
index 38696b87a1a5af788ab45f9eef0b8b486303b280..bf74653c78b0582a64d8fb2df11c982a8a9da3c8 100644
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -31,3 +31,8 @@ calicoctl_memory_limit: 170M
calicoctl_cpu_limit: 100m
calicoctl_memory_requests: 32M
calicoctl_cpu_requests: 25m
+
+rbac_resources:
+ - sa
+ - clusterrole
+ - clusterrolebinding
diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index ea67e20cd5079dc740b995d8ae4aebc69027df06..2cc1a8ffe081c091659f85d7a6ce3967859a37fc 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -32,16 +32,22 @@
delegate_to: "{{groups['etcd'][0]}}"
run_once: true
-- name: Canal | Write canal configmap
+- name: Canal | Create canal node manifests
template:
- src: canal-config.yml.j2
- dest: "{{kube_config_dir}}/canal-config.yaml"
-
-- name: Canal | Write canal node configuration
- template:
- src: canal-node.yml.j2
- dest: "{{kube_config_dir}}/canal-node.yaml"
- register: canal_node_manifest
+ src: "{{item.file}}.j2"
+ dest: "{{kube_config_dir}}/{{item.file}}"
+ with_items:
+ - {name: canal-config, file: canal-config.yaml, type: cm}
+ - {name: canal-node, file: canal-node.yaml, type: ds}
+ - {name: canal, file: canal-node-sa.yml, type: sa}
+ - {name: calico, file: canal-cr-calico.yml, type: clusterrole}
+ - {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
+ - {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
+ - {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
+ register: canal_manifests
+ when:
+ - inventory_hostname in groups['kube-master']
+ - rbac_enabled or item.type not in rbac_resources
- name: Canal | Copy cni plugins from hyperkube
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"
diff --git a/roles/network_plugin/canal/templates/canal-config.yml.j2 b/roles/network_plugin/canal/templates/canal-config.yaml.j2
similarity index 100%
rename from roles/network_plugin/canal/templates/canal-config.yml.j2
rename to roles/network_plugin/canal/templates/canal-config.yaml.j2
diff --git a/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2 b/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e3b048c640fe682e9d549db22ef82a2d5669fc0c
--- /dev/null
+++ b/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2
@@ -0,0 +1,80 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico
+ namespace: {{ system_namespace }}
+rules:
+ - apiGroups: [""]
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups: [""]
+ resources:
+ - pods/status
+ verbs:
+ - update
+ - apiGroups: [""]
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups: [""]
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups: ["extensions"]
+ resources:
+ - thirdpartyresources
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - apiGroups: ["extensions"]
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups: ["projectcalico.org"]
+ resources:
+ - globalbgppeers
+ verbs:
+ - get
+ - list
+ - apiGroups: ["projectcalico.org"]
+ resources:
+ - globalconfigs
+ - globalbgpconfigs
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups: ["projectcalico.org"]
+ resources:
+ - ippools
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups: ["alpha.projectcalico.org"]
+ resources:
+ - systemnetworkpolicies
+ verbs:
+ - get
+ - list
diff --git a/roles/network_plugin/canal/templates/canal-cr-flannel.yml.j2 b/roles/network_plugin/canal/templates/canal-cr-flannel.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..0be8e938cb91018acd78d067f4147708149c825b
--- /dev/null
+++ b/roles/network_plugin/canal/templates/canal-cr-flannel.yml.j2
@@ -0,0 +1,26 @@
+---
+# Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: flannel
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
diff --git a/roles/network_plugin/canal/templates/canal-crb-calico.yml.j2 b/roles/network_plugin/canal/templates/canal-crb-calico.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..e1c1f5050a5d871ee43de2aa36b51615c325c906
--- /dev/null
+++ b/roles/network_plugin/canal/templates/canal-crb-calico.yml.j2
@@ -0,0 +1,14 @@
+---
+# Bind the calico ClusterRole to the canal ServiceAccount.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: canal-calico
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico
+subjects:
+- kind: ServiceAccount
+ name: canal
+ namespace: {{ system_namespace }}
diff --git a/roles/network_plugin/canal/templates/canal-crb-flannel.yml.j2 b/roles/network_plugin/canal/templates/canal-crb-flannel.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..3b00017b13e02b48f6b89c42f38311d4c46b2383
--- /dev/null
+++ b/roles/network_plugin/canal/templates/canal-crb-flannel.yml.j2
@@ -0,0 +1,14 @@
+---
+# Bind the flannel ClusterRole to the canal ServiceAccount.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: canal-flannel
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flannel
+subjects:
+- kind: ServiceAccount
+ name: canal
+ namespace: {{ system_namespace }}
diff --git a/roles/network_plugin/canal/templates/canal-node-sa.yml.j2 b/roles/network_plugin/canal/templates/canal-node-sa.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d5b9a6e971ae3b055d8289f19cef25e5c828acb8
--- /dev/null
+++ b/roles/network_plugin/canal/templates/canal-node-sa.yml.j2
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: canal
+ namespace: {{ system_namespace }}
+ labels:
+ kubernetes.io/cluster-service: "true"
+
diff --git a/roles/network_plugin/canal/templates/canal-node.yml.j2 b/roles/network_plugin/canal/templates/canal-node.yaml.j2
similarity index 97%
rename from roles/network_plugin/canal/templates/canal-node.yml.j2
rename to roles/network_plugin/canal/templates/canal-node.yaml.j2
index cd9312832a8de644d6732e147272e6c82ffa4bf5..972b02d5febeea3e625b6043dcad948b9c5744f2 100644
--- a/roles/network_plugin/canal/templates/canal-node.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2
@@ -19,6 +19,9 @@ spec:
k8s-app: canal-node
spec:
hostNetwork: true
+{% if rbac_enabled %}
+ serviceAccountName: canal
+{% endif %}
tolerations:
- effect: NoSchedule
operator: Exists
@@ -169,6 +172,10 @@ spec:
configMapKeyRef:
name: canal-config
key: etcd_keyfile
+ - name: NODENAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
securityContext:
privileged: true
volumeMounts: