use static token to authenticate glbc

2019-04-26 13:16:17 -07:00
parent b3ad4cd6b9
commit 8bd0b45eae
4 changed files with 122 additions and 1 deletions
--- a/cluster/addons/rbac/cluster-loadbalancing/glbc/roles.yaml
+++ b/cluster/addons/rbac/cluster-loadbalancing/glbc/roles.yaml
@@ -0,0 +1,55 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: system:controller:glbc
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch", "update", "create", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:controller:glbc
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["get", "list", "watch", "update", "create", "patch"]
+- apiGroups: [""]
+  resources: ["endpoints", "services", "pods", "nodes", "namespaces"]
+  verbs: ["get", "list", "watch"]
+# TODO: switch to patch services/status
+# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L339-L342
+# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L359-L361
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["update", "patch"]
+- apiGroups: ["extensions", "networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "list", "watch"]
+# For now, GLBC annotates ingress resources with various state and statuses: 
+# https://github.com/kubernetes/ingress-gce/blob/50d49b077d9ab4362a02fae05f94e433cd3f08dc/pkg/controller/controller.go#L579
+# TODO(rramkumar1): Remove unnecessary `update` permission once statuses are propagated through `ingresses/status`
+- apiGroups: ["extensions", "networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["update"]
+- apiGroups: ["extensions", "networking.k8s.io"]
+  resources: ["ingresses/status"]
+  verbs: ["update"]
+# GLBC ensures that the `cloud.google.com/backendconfigs` CRD exists in a desired state:
+# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/cmd/glbc/main.go#L93
+# TODO(rramkumar1): https://github.com/kubernetes/ingress-gce/issues/744
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "list", "watch", "update", "create", "patch"]
+- apiGroups: ["cloud.google.com"]
+  resources: ["backendconfigs"]
+  verbs: ["get", "list", "watch", "update", "create", "patch"]
--- a/cluster/addons/rbac/cluster-loadbalancing/glbc/user-rolebindings.yaml
+++ b/cluster/addons/rbac/cluster-loadbalancing/glbc/user-rolebindings.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system:controller:glbc
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system:controller:glbc
+subjects:
+- kind: User
+  name: system:controller:glbc
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:controller:glbc
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:controller:glbc
+subjects:
+- kind: User
+  name: system:controller:glbc