Fix Cilium permissions (#5923)

* added required permissions for querying endpointslice resources

* copy-pasted role permissions from cilium install manifests

* bumped cilium version to v1.7.2
Chris
2020-04-11 08:47:48 +02:00
committed by GitHub
parent 3a63aa6b1e
commit 883194afec
2 changed files with 82 additions and 70 deletions


@ -80,7 +80,7 @@ cni_version: "v0.8.5"
weave_version: 2.5.2 weave_version: 2.5.2
pod_infra_version: 3.1 pod_infra_version: 3.1
contiv_version: 1.2.1 contiv_version: 1.2.1
cilium_version: "v1.7.1" cilium_version: "v1.7.2"
kube_ovn_version: "v0.6.0" kube_ovn_version: "v0.6.0"
kube_router_version: "v0.4.0" kube_router_version: "v0.4.0"
multus_version: "v3.4.1" multus_version: "v3.4.1"


@ -4,13 +4,6 @@ kind: ClusterRole
metadata: metadata:
name: cilium-operator name: cilium-operator
rules: rules:
- apiGroups:
- ""
resources:
# to get k8s version and status
- componentstatuses
verbs:
- get
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -22,6 +15,14 @@ rules:
- list - list
- watch - watch
- delete - delete
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
@ -32,78 +33,89 @@ rules:
# to perform the translation of a CNP that contains `ToGroup` to its endpoints # to perform the translation of a CNP that contains `ToGroup` to its endpoints
- services - services
- endpoints - endpoints
# to check apiserver connectivity
- namespaces
verbs: verbs:
- get - get
- list - list
- watch - watch
- apiGroups: - apiGroups:
- cilium.io - cilium.io
resources: resources:
- ciliumnetworkpolicies - ciliumnetworkpolicies
- ciliumnetworkpolicies/status - ciliumnetworkpolicies/status
- ciliumendpoints - ciliumclusterwidenetworkpolicies
- ciliumendpoints/status - ciliumclusterwidenetworkpolicies/status
- ciliumnodes - ciliumendpoints
- ciliumnodes/status - ciliumendpoints/status
- ciliumidentities - ciliumnodes
- ciliumidentities/status - ciliumnodes/status
verbs: - ciliumidentities
- '*' - ciliumidentities/status
--- verbs:
apiVersion: rbac.authorization.k8s.io/v1 - '*'
kind: ClusterRole ---
metadata: apiVersion: rbac.authorization.k8s.io/v1
name: cilium kind: ClusterRole
rules: metadata:
- apiGroups: name: cilium
- networking.k8s.io rules:
resources: - apiGroups:
- networkpolicies - networking.k8s.io
verbs: resources:
- get - networkpolicies
- list verbs:
- watch - get
- apiGroups: - list
- "" - watch
resources: - apiGroups:
- namespaces - discovery.k8s.io
- services resources:
- nodes - endpointslices
- endpoints verbs:
verbs: - get
- get - list
- list - watch
- watch - apiGroups:
- apiGroups: - ""
- "" resources:
resources: - namespaces
- pods - services
- nodes - nodes
verbs: - endpoints
- get verbs:
- list - get
- watch - list
- update - watch
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- nodes - pods
- nodes/status - nodes
verbs: verbs:
- patch - get
- apiGroups: - list
- apiextensions.k8s.io - watch
resources: - update
- ingresses - apiGroups:
- customresourcedefinitions - ""
verbs: resources:
- create - nodes
- get - nodes/status
- list verbs:
- watch - patch
- update - apiGroups:
- apiGroups: - apiextensions.k8s.io
- cilium.io resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- update
- apiGroups:
- cilium.io
resources: resources:
- ciliumnetworkpolicies - ciliumnetworkpolicies
- ciliumnetworkpolicies/status - ciliumnetworkpolicies/status
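Review bot: The re-pasted rule lists for both ClusterRoles carry no record of where they came from or which upstream version they match, so a later reader cannot distinguish upstream-required grants from local drift; add a comment above each `rules:` list such as `# Mirrors the ClusterRole from the upstream Cilium v1.7.2 install manifests; re-sync whenever cilium_version is bumped.` This matters because the copied rules include broad grants that arrive with the paste rather than by explicit decision — `'*'` verbs on every `cilium.io` resource in the `cilium-operator` role, and `create`/`update` on `apiextensions.k8s.io/customresourcedefinitions` in the `cilium` role — and stating their provenance makes them easier to justify and re-audit on the next bump. The `cilium` ClusterRole's rule list continues outside the hunk.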