This repository has been archived by the owner on Dec 1, 2018. It is now read-only.

Add RBAC rules to the heapster manifests and combine logical API objects into the same file #1612

Merged
merged 1 commit into from
Apr 28, 2017

@luxas luxas commented Apr 25, 2017

A lot of these manifests are/were obsolete; I'd be very happy to remove/clean up things here.
RBAC is turned on by default in v1.6 and heapster is broken without credentials granted to it.

I didn't touch standalone-test or standalone-with-apiserver; are those relevant anymore?

fixes: kubernetes/kubeadm#248 cc @sebgoa

PTAL @DirectXMan12 @piosz @mwielgus and please merge ASAP

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 25, 2017
@k8s-reviewable
This change is Reviewable

name: heapster
namespace: kube-system
---
kind: ClusterRoleBinding

The service account and deployment are logically paired. The RBAC objects are not, since they would not apply if RBAC authz was not in use.

Contributor Author

Is there any harm done if it's applied/created when RBAC is not in use?

If RBAC is not in use, default roles/rolebindings are not created.

Contributor Author

Ah, gotcha. Updated

piosz commented Apr 28, 2017

/lgtm
thanks for the fix!

@k8s-ci-robot k8s-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 28, 2017
@piosz piosz merged commit 59225f3 into kubernetes-retired:master Apr 28, 2017
@jeffery9
Cannot find where the clusterRole system:heapster is defined.


apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2017-05-19T01:29:35Z
  name: heapster
  resourceVersion: "48623"
  selfLink: /apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindingsheapster
  uid: 9dbf4447-3c32-11e7-8db8-0050562a8439
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:heapster
subjects:
- kind: ServiceAccount
  name: heapster
  namespace: kube-system

Can't find the clusterRole definition.

kubectl get clusterrole heapster
Error from server (NotFound): clusterroles.rbac.authorization.k8s.io "heapster" not found
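
A binding grants permissions only if its roleRef resolves, and the binding above names `system:heapster`, one of the default roles that, per the review thread, are not created when RBAC is not in use. The following is an added example (not part of this PR or the heapster project) that lists bindings whose roleRef points at a role that does not exist; the sample objects are constructed and `cluster_role` is a hypothetical helper.

```python
"""Find RBAC bindings whose roleRef does not resolve (added example)."""

def dangling_role_refs(objects):
    """objects: the "items" list from
    `kubectl get clusterroles,roles,clusterrolebindings,rolebindings
     --all-namespaces -o json`.
    Returns [(binding_kind, binding_name, ref_kind, ref_name), ...]."""
    cluster_roles, roles = set(), set()
    for obj in objects:
        meta = obj["metadata"]
        if obj["kind"] == "ClusterRole":
            cluster_roles.add(meta["name"])
        elif obj["kind"] == "Role":
            roles.add((meta["namespace"], meta["name"]))

    dangling = []
    for obj in objects:
        if obj["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        meta, ref = obj["metadata"], obj["roleRef"]
        if ref["kind"] == "ClusterRole":
            resolved = ref["name"] in cluster_roles  # exact name match
        elif ref["kind"] == "Role" and obj["kind"] == "RoleBinding":
            # A RoleBinding can only reach a Role in its own namespace.
            resolved = (meta["namespace"], ref["name"]) in roles
        else:
            resolved = False  # a ClusterRoleBinding cannot reference a Role
        if not resolved:
            dangling.append((obj["kind"], meta["name"], ref["kind"], ref["name"]))
    return dangling

# Constructed sample: the ClusterRoleBinding quoted above, reduced to the
# fields the check reads.
HEAPSTER_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "heapster"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "system:heapster"},
    "subjects": [{"kind": "ServiceAccount", "name": "heapster",
                  "namespace": "kube-system"}],
}

def cluster_role(name):  # hypothetical helper for building sample objects
    return {"kind": "ClusterRole", "metadata": {"name": name}}

if __name__ == "__main__":
    # Default roles present: nothing dangling.
    print(dangling_role_refs([cluster_role("system:heapster"), HEAPSTER_BINDING]))
    # Default roles absent: the binding points at nothing.
    print(dangling_role_refs([HEAPSTER_BINDING]))
```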


Successfully merging this pull request may close these issues.

Heapster default deployment does not support RBAC in v1.6.0 setup