Etusivu Tutki Apua
Kirjaudu sisään
tzeneto
/
custom-kube-scheduler
Tarkkaile 1
Äänestä 0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Puu: cb14858ef6
Branchit Tagit
custom-kube-...
/
kubernetes
/
cluster
/
addons
/
rbac
/
cluster-loadbalancing
/
glbc
/
roles.yaml

roles.yaml 2.2 KB
Historia Raaka

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 
  1. apiVersion: rbac.authorization.k8s.io/v1
    2. 

  2. kind: Role
    3. 

  3. metadata:
    4. 

  4.   name: system:controller:glbc
    5. 

  5.   namespace: kube-system
    6. 

  6.   labels:
    7. 

  7.     addonmanager.kubernetes.io/mode: Reconcile
    8. 

  8. rules:
    9. 

  9. - apiGroups: [""]
    10. 

  10.   resources: ["configmaps"]
    11. 

  11.   verbs: ["get", "list", "watch", "update", "create", "patch"]
    12. 

  12. ---
    13. 

  13. apiVersion: rbac.authorization.k8s.io/v1
    14. 

  14. kind: ClusterRole
    15. 

  15. metadata:
    16. 

  16.   name: system:controller:glbc
    17. 

  17.   labels:
    18. 

  18.     addonmanager.kubernetes.io/mode: Reconcile
    19. 

  19. rules:
    20. 

  20. - apiGroups: [""]
    21. 

  21.   resources: ["secrets"]
    22. 

  22.   verbs: ["get"]
    23. 

  23. - apiGroups: [""]
    24. 

  24.   resources: ["events"]
    25. 

  25.   verbs: ["get", "list", "watch", "update", "create", "patch"]
    26. 

  26. - apiGroups: [""]
    27. 

  27.   resources: ["endpoints", "services", "pods", "nodes", "namespaces"]
    28. 

  28.   verbs: ["get", "list", "watch"]
    29. 

  29. # TODO: switch to patch services/status
    30. 

  30. # https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L339-L342
    31. 

  31. # https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L359-L361
    32. 

  32. - apiGroups: [""]
    33. 

  33.   resources: ["services"]
    34. 

  34.   verbs: ["update", "patch"]
    35. 

  35. - apiGroups: ["extensions", "networking.k8s.io"]
    36. 

  36.   resources: ["ingresses"]
    37. 

  37.   verbs: ["get", "list", "watch"]
    38. 

  38. # For now, GLBC annotates ingress resources with various state and statuses: 
    39. 

  39. # https://github.com/kubernetes/ingress-gce/blob/50d49b077d9ab4362a02fae05f94e433cd3f08dc/pkg/controller/controller.go#L579
    40. 

  40. # TODO(rramkumar1): Remove unnecessary `update` permission once statuses are propagated through `ingresses/status`
    41. 

  41. - apiGroups: ["extensions", "networking.k8s.io"]
    42. 

  42.   resources: ["ingresses"]
    43. 

  43.   verbs: ["update"]
    44. 

  44. - apiGroups: ["extensions", "networking.k8s.io"]
    45. 

  45.   resources: ["ingresses/status"]
    46. 

  46.   verbs: ["update"]
    47. 

  47. # GLBC ensures that the `cloud.google.com/backendconfigs` CRD exists in a desired state:
    48. 

  48. # https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/cmd/glbc/main.go#L93
    49. 

  49. # TODO(rramkumar1): https://github.com/kubernetes/ingress-gce/issues/744
    50. 

  50. - apiGroups: ["apiextensions.k8s.io"]
    51. 

  51.   resources: ["customresourcedefinitions"]
    52. 

  52.   verbs: ["get", "list", "watch", "update", "create", "patch"]
    53. 

  53. - apiGroups: ["cloud.google.com"]
    54. 

  54.   resources: ["backendconfigs"]
    55. 

  55.   verbs: ["get", "list", "watch", "update", "create", "patch"]
    56. 

  56.