This repository has been archived by the owner on Mar 22, 2018. It is now read-only.

RBAC rules needed for running as pod/daemonset #12

Open
dims opened this issue Jan 15, 2018 · 3 comments

Comments

@dims
Owner

dims commented Jan 15, 2018

hack we can use for now is ... we need a better way

```
# Hack for RBAC for all for the new cloud-controller process, we need to do better than this
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:default kube-system-cluster-admin-1 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:pvl-controller kube-system-cluster-admin-2 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:cloud-node-controller kube-system-cluster-admin-3 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:cloud-controller-manager kube-system-cluster-admin-4 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:shared-informers kube-system-cluster-admin-5 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:kube-controller-manager kube-system-cluster-admin-6 --clusterrole cluster-admin
cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:attachdetach-controller kube-system-cluster-admin-7 --clusterrole cluster-admin
cluster/kubectl.sh set subject clusterrolebinding system:node --group=system:nodes
```

@arthur0

arthur0 commented Jan 31, 2018

I would like to work on it.

@dims
Owner Author

dims commented Feb 2, 2018

The following logs are from openstack-cloud-controller-manager

```
   1552  nodes is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list nodes at the cluster scope
   1552  persistentvolumes is forbidden: User "system:serviceaccount:kube-system:pvl-controller" cannot list persistentvolumes at the cluster scope
   1552  services is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list services at the cluster scope
    317 serviceaccount:kube-system:cloud-node-controller" cannot list nodes at the cluster scope
```
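
Added example, not part of the original thread or the project's code: one way to turn denial messages like those in the comment above into a ClusterRole per subject that grants only the denied verbs, instead of binding `cluster-admin`. The `ccm-minimal-` role names are hypothetical, the core API group is assumed for every resource, and the sample log is constructed from the shape of the lines quoted above.

```python
import json
import re
import sys
from collections import defaultdict

# Constructed sample input, modelled on the denial messages quoted in the comment above.
SAMPLE_LOG = '''\
1552 nodes is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list nodes at the cluster scope
1552 persistentvolumes is forbidden: User "system:serviceaccount:kube-system:pvl-controller" cannot list persistentvolumes at the cluster scope
1552 services is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list services at the cluster scope
317 serviceaccount:kube-system:cloud-node-controller" cannot list nodes at the cluster scope
'''

DENIAL = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>[\w.-]+) at the cluster scope')

def parse_denials(log_text):
    """Return ({user: {resource: {verbs}}}, [lines that could not be parsed])."""
    needed = defaultdict(lambda: defaultdict(set))
    skipped = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = DENIAL.search(line)
        if m:
            needed[m["user"]][m["resource"]].add(m["verb"])
        else:
            skipped.append(line)  # truncated subject: never guess who was denied
    return needed, skipped

def manifests_for(user, resources):
    """Build a ClusterRole holding only the denied verbs, plus its binding."""
    name = "ccm-minimal-" + user.rsplit(":", 1)[-1]  # hypothetical naming scheme
    parts = user.split(":")
    if parts[:2] == ["system", "serviceaccount"] and len(parts) == 4:
        subject = {"kind": "ServiceAccount", "namespace": parts[2], "name": parts[3]}
    else:
        subject = {"kind": "User", "apiGroup": "rbac.authorization.k8s.io", "name": user}
    rules = [{"apiGroups": [""],  # assumption: core API group (nodes, persistentvolumes, services)
              "resources": [res], "verbs": sorted(verbs)}
             for res, verbs in sorted(resources.items())]
    meta = {"apiVersion": "rbac.authorization.k8s.io/v1", "metadata": {"name": name}}
    role = {**meta, "kind": "ClusterRole", "rules": rules}
    binding = {**meta, "kind": "ClusterRoleBinding", "subjects": [subject],
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": name}}
    return role, binding

if __name__ == "__main__":
    needed, skipped = parse_denials(SAMPLE_LOG)
    items = [obj for user in sorted(needed) for obj in manifests_for(user, needed[user])]
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2))
    print("skipped (subject unreadable):", *skipped, sep="\n  ", file=sys.stderr)
```

Denials only reveal the verbs a controller has attempted so far, so the output is a starting point: review it, apply it, and rerun against fresh logs until the messages stop.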

@dims
Owner Author

dims commented Feb 16, 2018

getting the ball rolling here - kubernetes/kubernetes#59945
