c0a3d26746
Automatic merge from submit-queue Remove e2e-rbac-bindings. Replace todo-grabbag binding w/ more specific heapster roles/bindings. Move kubelet binding. **What this PR does / why we need it**: The "e2e-rbac-bindings" held 2 leftovers from the 1.6 RBAC rollout process: - One is the "kubelet-binding" which grants the "system:node" role to kubelet. This is needed until we enable the node authorizer. I moved this to the folder w/ some other kubelet related bindings. - The other is the "todo-remove-grabbag-cluster-admin" binding, which grants the cluster-admin role to the default service account in the kube-system namespace. This appears to only be required for heapster. Heapster will instead use a "heapster" service account, bound to a "system:heapster" role on the cluster (no write perms), and a "system:pod-nanny" role in the kube-system namespace. **Which issue this PR fixes**: Addresses part of #39990 **Release Note**: ```release-note New and upgraded 1.7 GCE/GKE clusters no longer have an RBAC ClusterRoleBinding that grants the `cluster-admin` ClusterRole to the `default` service account in the `kube-system` namespace. If this permission is still desired, run the following command to explicitly grant it, either before or after upgrading to 1.7: kubectl create clusterrolebinding kube-system-default --serviceaccount=kube-system:default --clusterrole=cluster-admin ``` |
||
|---|---|---|
| .. | ||
| addon-manager | ||
| calico-policy-controller | ||
| cluster-loadbalancing | ||
| cluster-monitoring | ||
| dashboard | ||
| dns | ||
| dns-horizontal-autoscaler | ||
| etcd-empty-dir-cleanup | ||
| fluentd-elasticsearch | ||
| fluentd-gcp | ||
| ip-masq-agent | ||
| metadata-proxy | ||
| node-problem-detector | ||
| podsecuritypolicies | ||
| python-image | ||
| rbac | ||
| registry | ||
| storage-class | ||
| BUILD | ||
| README.md | ||
Cluster add-ons
Overview
Cluster add-ons are resources like Services and Deployments (with pods) that are shipped with the Kubernetes binaries and are considered an inherent part of the Kubernetes clusters.
There are currently two classes of add-ons:
- Add-ons that will be reconciled.
- Add-ons that will be created if they don't exist.
More details could be found in addon-manager/README.md.
Cooperating Horizontal / Vertical Auto-Scaling with "reconcile class addons"
"Reconcile" class addons will be periodically reconciled to the original state given
by the initial config. In order to make Horizontal / Vertical Auto-scaling functional,
the related fields in config should be left unset. More specifically, leave replicas
in ReplicationController / Deployment / ReplicaSet unset for Horizontal Scaling,
leave resources for container unset for Vertical Scaling. The periodic reconcile
won't clobbered these fields, hence they could be managed by Horizontal / Vertical
Auto-scaler.
Add-on naming
The suggested naming for most of the resources is <basename> (with no version number).
Though resources like Pod, ReplicationController and DaemonSet are exceptional.
It would be hard to update Pod because many fields in Pod are immutable. For
ReplicationController and DaemonSet, in-place update may not trigger the underlying
pods to be re-created. You probably need to change their names during update to trigger
a complete deletion and creation.