

binding clusterrole system:kube-scheduler to sa tidb-scheduler (#1355)
* binding clusterrole system:kube-scheduler to sa tidb-scheduler

* add tidb-scheduler cluster role

* fix permissions

* support the case where cluster-scoped is false

* remove storageclass permission from tidb-scheduler

* update scheduler-rbac.yaml

Co-authored-by: Yecheng Fu <cofyc.jackson@gmail.com>
shonge and cofyc committed Dec 23, 2019
1 parent c781ba1 commit 0568d92
Showing 1 changed file with 57 additions and 62 deletions.
119 changes: 57 additions & 62 deletions charts/tidb-operator/templates/scheduler-rbac.yaml
Expand Up @@ -22,51 +22,26 @@ metadata:
app.kubernetes.io/component: scheduler
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
rules:
# ConfigMap permission for --policy-configmap
- apiGroups: [""]
resources: ["pods", "services", "configmaps", "replicationcontrollers", "persistentvolumeclaims", "endpoints"]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/binding"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods/status"]
verbs: ["patch", "update"]
- apiGroups: [""]
resources: ["endpoints", "events"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "extensions"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "update"]
verbs: ["get", "list"]
- apiGroups: ["pingcap.com"]
resources: ["tidbclusters"]
verbs: ["get"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "update"]
# followng permissions are required if CSINodeInfo/AttachVolumeLimit features are enabled
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
# Extra permissions for endpoints other than kube-scheduler
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["delete", "get", "patch", "update"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
Expand Down Expand Up @@ -100,45 +75,26 @@ metadata:
app.kubernetes.io/component: scheduler
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
rules:
# ConfigMap permission for --policy-configmap
- apiGroups: [""]
resources: ["pods", "services", "configmaps", "replicationcontrollers", "persistentvolumeclaims", "endpoints"]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/binding"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods/status"]
verbs: ["patch", "update"]
- apiGroups: [""]
resources: ["endpoints", "events"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "extensions"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list"]
- apiGroups: ["pingcap.com"]
resources: ["tidbclusters"]
verbs: ["get"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "update"]
# followng permissions are required if CSINodeInfo/AttachVolumeLimit features are enabled
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- list
- watch
# Extra permissions for endpoints other than kube-scheduler
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["delete", "get", "patch", "update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
Expand All @@ -153,9 +109,48 @@ metadata:
subjects:
- kind: ServiceAccount
name: {{ .Values.scheduler.serviceAccount }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ .Release.Name }}:{{ .Values.scheduler.schedulerName }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: {{ .Release.Name }}:kube-scheduler
labels:
app.kubernetes.io/name: {{ template "chart.name" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: scheduler
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
subjects:
- kind: ServiceAccount
name: {{ .Values.scheduler.serviceAccount }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: system:kube-scheduler
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: {{ .Release.Name }}:volume-scheduler
labels:
app.kubernetes.io/name: {{ template "chart.name" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: scheduler
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
subjects:
- kind: ServiceAccount
name: {{ .Values.scheduler.serviceAccount }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: system:volume-scheduler
apiGroup: rbac.authorization.k8s.io
{{- end }}
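Review bot: The two new ClusterRoleBindings (from `kind: ClusterRoleBinding` after the first `{{- end }}` through the final `{{- end }}`) grant the scheduler service account the full built-in `system:kube-scheduler` and `system:volume-scheduler` roles cluster-wide, but nothing records what those carry or why the chart's own role still needs its extra rules, so the net permission set is hard to audit from the template; the commit message says the storageclass rule was removed from the chart role, yet per the upstream bootstrap policy `system:volume-scheduler` is the role that presumably brings storageclass read and persistentvolume update back, which a reader of this file cannot see. A short comment above each binding would make the intent reviewable, e.g. `# Built-in scheduler role; the chart's own role above only adds what kube-scheduler lacks (endpoints delete, persistentvolumeclaims update, tidbclusters get).` and `# Built-in volume-scheduler role, needed for PV/StorageClass access during volume binding (replaces the storageclass rule formerly in the chart role).`. The new bindings copy `rbac.authorization.k8s.io/v1beta1` from the existing ones; since `v1` has been served for a long time and v1beta1 is deprecated, consider `apiVersion: rbac.authorization.k8s.io/v1` for the new objects at least. The template block closed by the final `{{- end }}` opens outside the hunk, so whether these cluster-wide bindings are guarded by the same condition as the RoleBinding above cannot be confirmed here; if they are rendered in the non-cluster-scoped case too, that should be stated in the comment as well.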
