-
Notifications
You must be signed in to change notification settings - Fork 376
/
Copy pathvm-agent-rbac.yml
112 lines (112 loc) · 2.77 KB
/
vm-agent-rbac.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vm-agent
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: vm-agent
rules:
# antrea-controller distributes the CA certificate as a ConfigMap named `antrea-ca` in the Antrea deployment Namespace.
# vm-agent needs to access `antrea-ca` to connect with antrea-controller.
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- antrea-ca
verbs:
- get
- watch
- list
# This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
# But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (vm-agent) will
# have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
# See https://github.com/kubernetes/kubernetes/pull/85375
# To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
# the extension-apiserver-authentication role.
- apiGroups:
- ""
resourceNames:
- extension-apiserver-authentication
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- crd.antrea.io
resources:
- antreaagentinfos
verbs:
- get
- update
- apiGroups:
- controlplane.antrea.io
resources:
- networkpolicies
- appliedtogroups
- addressgroups
verbs:
- get
- watch
- list
- apiGroups:
- controlplane.antrea.io
resources:
- nodestatssummaries
verbs:
- create
- apiGroups:
- controlplane.antrea.io
resources:
- networkpolicies/status
verbs:
- create
- get
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: vm-agent
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vm-agent
subjects:
- kind: ServiceAccount
name: vm-agent
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run.
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: vm-agent
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run.
rules:
- apiGroups:
- crd.antrea.io
resources:
- externalnodes
verbs:
- get
- watch
- list
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: vm-agent
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run.
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: vm-agent
subjects:
- kind: ServiceAccount
name: vm-agent
namespace: vm-ns # Change the Namespace to where vm-agent is expected to run.