From 0568d92a949ce5fc81c918a6c8c712427b005657 Mon Sep 17 00:00:00 2001
From: Song
Date: Mon, 23 Dec 2019 14:24:48 +0800
Subject: [PATCH] binding clusterrole system:kube-scheduler to sa tidb-scheduler (#1355)
* binding clusterrole system:kube-scheduler to sa tidb-scheduler
* add tidb-scheduler cluster role
* fix permissions
* support cluster scoped is false
* remove storageclass permission from tidb-scheduler
* update scheduler-rbac.yaml
Co-authored-by: Yecheng Fu
---
 .../templates/scheduler-rbac.yaml | 119 +++++++++---------
 1 file changed, 57 insertions(+), 62 deletions(-)
diff --git a/charts/tidb-operator/templates/scheduler-rbac.yaml b/charts/tidb-operator/templates/scheduler-rbac.yaml
index c66752d61b..0c702ce13b 100644
--- a/charts/tidb-operator/templates/scheduler-rbac.yaml
+++ b/charts/tidb-operator/templates/scheduler-rbac.yaml
@@ -22,51 +22,26 @@ metadata:
     app.kubernetes.io/component: scheduler
     helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 rules:
+# ConfigMap permission for --policy-configmap
 - apiGroups: [""]
-  resources: ["pods", "services", "configmaps", "replicationcontrollers", "persistentvolumeclaims", "endpoints"]
+  resources: ["configmaps"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
-  resources: ["pods/binding"]
-  verbs: ["create"]
-- apiGroups: [""]
-  resources: ["pods/status"]
-  verbs: ["patch", "update"]
-- apiGroups: [""]
-  resources: ["endpoints", "events"]
-  verbs: ["get", "list", "watch", "create", "update", "patch"]
-- apiGroups: ["apps"]
-  resources: ["statefulsets"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["policy"]
-  resources: ["poddisruptionbudgets"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["apps", "extensions"]
-  resources: ["replicasets"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
+  resources: ["pods"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["nodes"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["persistentvolumes"]
-  verbs: ["get", "list", "watch", "update"]
+  verbs: ["get", "list"]
 - apiGroups: ["pingcap.com"]
   resources: ["tidbclusters"]
   verbs: ["get"]
 - apiGroups: [""]
   resources: ["persistentvolumeclaims"]
   verbs: ["get", "list", "update"]
-# followng permissions are required if CSINodeInfo/AttachVolumeLimit features are enabled
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - csinodes
-  verbs:
-  - get
-  - list
-  - watch
+# Extra permissions for endpoints other than kube-scheduler
+- apiGroups: [""]
+  resources: ["endpoints"]
+  verbs: ["delete", "get", "patch", "update"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
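Review bot: The trimmed ClusterRole still grants `endpoints` `delete`/`patch`/`update` and `persistentvolumeclaims` `update` across every namespace with no `resourceNames` restriction, in the rule added under `# Extra permissions for endpoints other than kube-scheduler`. If that rule exists for the scheduler's leader-election record, as the comment suggests, it can be narrowed the way the upstream `system:kube-scheduler` role scopes its endpoint writes: put the write verbs in their own rule with `resourceNames: ["<leader-election-endpoint-name>"]` (placeholder, the chart's actual lock name is not visible here) and keep unrestricted `get` separate. The same unrestricted rule is added to the namespaced Role in the next hunk. The comment wording `other than kube-scheduler` is also ambiguous; `# Endpoint permissions not covered by the built-in system:kube-scheduler ClusterRole (leader election)` would state the intent, assuming that is what it is. The ClusterRole's header and its enclosing conditional start above this hunk.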
@@ -100,45 +75,26 @@ metadata:
     app.kubernetes.io/component: scheduler
     helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
 rules:
+# ConfigMap permission for --policy-configmap
 - apiGroups: [""]
-  resources: ["pods", "services", "configmaps", "replicationcontrollers", "persistentvolumeclaims", "endpoints"]
+  resources: ["configmaps"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
-  resources: ["pods/binding"]
-  verbs: ["create"]
-- apiGroups: [""]
-  resources: ["pods/status"]
-  verbs: ["patch", "update"]
-- apiGroups: [""]
-  resources: ["endpoints", "events"]
-  verbs: ["get", "list", "watch", "create", "update", "patch"]
-- apiGroups: ["apps"]
-  resources: ["statefulsets"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["policy"]
-  resources: ["poddisruptionbudgets"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["apps", "extensions"]
-  resources: ["replicasets"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
+  resources: ["pods"]
   verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list"]
 - apiGroups: ["pingcap.com"]
   resources: ["tidbclusters"]
   verbs: ["get"]
 - apiGroups: [""]
   resources: ["persistentvolumeclaims"]
   verbs: ["get", "list", "update"]
-# followng permissions are required if CSINodeInfo/AttachVolumeLimit features are enabled
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - csinodes
-  verbs:
-  - get
-  - list
-  - watch
+# Extra permissions for endpoints other than kube-scheduler
+- apiGroups: [""]
+  resources: ["endpoints"]
+  verbs: ["delete", "get", "patch", "update"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
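Review bot: The `nodes` rule added to the namespaced `Role` (`+- apiGroups: [""]`, `+  resources: ["nodes"]`, `+  verbs: ["get", "list"]`) grants nothing: `nodes` is a cluster-scoped resource and a `Role` can only confer permissions on namespaced resources, so the rule is dead and will mislead anyone auditing the rendered RBAC. In practice node access for this branch presumably comes from the `system:kube-scheduler` ClusterRoleBinding added later in the patch. Either drop the three lines or replace them with a comment such as `# nodes are cluster-scoped; node access comes from the system:kube-scheduler ClusterRoleBinding below` so the gap is intentional rather than accidental. The Role's header and the `clusterScoped` conditional it sits in start above this hunk.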
@@ -153,9 +109,48 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.scheduler.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
   name: {{ .Release.Name }}:{{ .Values.scheduler.schedulerName }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Name }}:kube-scheduler
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: scheduler
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.scheduler.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: system:kube-scheduler
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Name }}:volume-scheduler
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: scheduler
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.scheduler.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: system:volume-scheduler
+  apiGroup: rbac.authorization.k8s.io
 {{- end }}
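Review bot: The two new ClusterRoleBindings to `system:kube-scheduler` and `system:volume-scheduler` sit between the first `{{- end }}` and the last one, so they are rendered for every install, including the branch that uses a namespaced `Role`/`RoleBinding` (the "cluster scoped is false" case from the commit message). That is presumably deliberate, since binding pods and updating volume objects are cluster-wide operations, but it means a namespace-scoped install still requires the installer to create cluster-level RBAC and still gives the scheduler service account the built-in scheduler privileges in every namespace, and nothing in the template says so. A comment above the first added `---`, such as `# Bound regardless of clusterScoped: the built-in scheduler roles are cluster-scoped and grant pod binding/status and volume updates cluster-wide`, would make that visible to operators reviewing the rendered RBAC. The new bindings also use `rbac.authorization.k8s.io/v1beta1` to match the rest of the file; `rbac.authorization.k8s.io/v1` has been available since Kubernetes 1.8 and the beta API is deprecated, so new objects are a reasonable place to start moving. The outer conditional closed by the final `{{- end }}` starts above this hunk.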