Remove redundant rbac bootstrapping
Stefan Kiss
parent
bf2850974e
commit
8c0829565e
|
|
@ -277,64 +277,6 @@ ok
|
||||||
|
|
||||||
> Remember to run the above commands on each controller node: `controller-0`, `controller-1`, and `controller-2`.
|
> Remember to run the above commands on each controller node: `controller-0`, `controller-1`, and `controller-2`.
|
||||||
|
|
||||||
## RBAC for Kubelet Authorization
|
|
||||||
|
|
||||||
In this section you will configure RBAC permissions to allow the Kubernetes API Server to access the Kubelet API on each worker node. Access to the Kubelet API is required for retrieving metrics, logs, and executing commands in pods.
|
|
||||||
|
|
||||||
> This tutorial sets the Kubelet `--authorization-mode` flag to `Webhook`. Webhook mode uses the [SubjectAccessReview](https://kubernetes.io/docs/admin/authorization/#checking-api-access) API to determine authorization.
|
|
||||||
|
|
||||||
```
|
|
||||||
gcloud compute ssh controller-0
|
|
||||||
```
|
|
||||||
|
|
||||||
Create the `system:kube-apiserver-to-kubelet` [ClusterRole](https://kubernetes.io/docs/admin/authorization/rbac/#role-and-clusterrole) with permissions to access the Kubelet API and perform most common tasks associated with managing pods:
|
|
||||||
|
|
||||||
```
|
|
||||||
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
rbac.authorization.kubernetes.io/autoupdate: "true"
|
|
||||||
labels:
|
|
||||||
kubernetes.io/bootstrapping: rbac-defaults
|
|
||||||
name: system:kube-apiserver-to-kubelet
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- nodes/proxy
|
|
||||||
- nodes/stats
|
|
||||||
- nodes/log
|
|
||||||
- nodes/spec
|
|
||||||
- nodes/metrics
|
|
||||||
verbs:
|
|
||||||
- "*"
|
|
||||||
EOF
|
|
||||||
```
|
|
||||||
|
|
||||||
The Kubernetes API Server authenticates to the Kubelet as the `kubernetes` user using the client certificate as defined by the `--kubelet-client-certificate` flag.
|
|
||||||
|
|
||||||
Bind the `system:kube-apiserver-to-kubelet` ClusterRole to the `kubernetes` user:
|
|
||||||
|
|
||||||
```
|
|
||||||
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: system:kube-apiserver
|
|
||||||
namespace: ""
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: system:kube-apiserver-to-kubelet
|
|
||||||
subjects:
|
|
||||||
- apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: User
|
|
||||||
name: kubernetes
|
|
||||||
EOF
|
|
||||||
```
|
|
||||||
|
|
||||||
## The Kubernetes Frontend Load Balancer
|
## The Kubernetes Frontend Load Balancer
|
||||||
|
|
||||||
In this section you will provision an external load balancer to front the Kubernetes API Servers. The `kubernetes-the-hard-way` static IP address will be attached to the resulting load balancer.
|
In this section you will provision an external load balancer to front the Kubernetes API Servers. The `kubernetes-the-hard-way` static IP address will be attached to the resulting load balancer.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue