From 2cf6f73427c84eb42d95f67ab22bb8d9aa8df9b7 Mon Sep 17 00:00:00 2001 From: Chris Mark Date: Thu, 8 Apr 2021 10:38:36 +0300 Subject: [PATCH] Update k8s manifests to use proper roles' scope for leaderelection (#24958) (cherry picked from commit 531bf81560b54c52e01fb43e0cbf7cb41408e854) --- deploy/kubernetes/metricbeat-kubernetes.yaml | 34 +++++++++++++++---- .../metricbeat/metricbeat-role-binding.yaml | 14 ++++++++ .../metricbeat/metricbeat-role.yaml | 20 +++++++---- 3 files changed, 56 insertions(+), 12 deletions(-) diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index ed000ddbfa2..8315cb0d739 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -231,6 +231,20 @@ roleRef: apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: metricbeat + namespace: kube-system +subjects: + - kind: ServiceAccount + name: metricbeat + namespace: kube-system +roleRef: + kind: Role + name: metricbeat + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: metricbeat @@ -270,12 +284,20 @@ rules: - "/metrics" verbs: - get -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: metricbeat + namespace: kube-system + labels: + k8s-app: metricbeat +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: ["get", "create", "update"] --- apiVersion: v1 kind: ServiceAccount diff --git a/deploy/kubernetes/metricbeat/metricbeat-role-binding.yaml b/deploy/kubernetes/metricbeat/metricbeat-role-binding.yaml index 3f6f7b62439..a3a4438e068 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-role-binding.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-role-binding.yaml @@ -10,3 +10,17 @@ roleRef: kind: ClusterRole name: metricbeat apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: metricbeat + namespace: kube-system +subjects: + - kind: ServiceAccount + name: metricbeat + namespace: kube-system +roleRef: + kind: Role + name: metricbeat + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/kubernetes/metricbeat/metricbeat-role.yaml b/deploy/kubernetes/metricbeat/metricbeat-role.yaml index 0eb2e89c7bd..74a97e1d38d 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-role.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-role.yaml @@ -38,9 +38,17 @@ rules: - "/metrics" verbs: - get -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: metricbeat + namespace: kube-system + labels: + k8s-app: metricbeat +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: ["get", "create", "update"]