From ee07557c5272ecd1f71a37cdacb1ff09df0a0ad8 Mon Sep 17 00:00:00 2001 From: Nader Ziada Date: Fri, 9 Oct 2020 14:28:17 -0400 Subject: [PATCH] user azure identity instead of principal --- Makefile | 2 +- api/v1alpha2/azurecluster_conversion.go | 2 +- api/v1alpha2/zz_generated.conversion.go | 2 +- api/v1alpha3/azurecluster_types.go | 15 +-- api/v1alpha3/azureserviceprincipal_types.go | 72 ----------- api/v1alpha3/zz_generated.deepcopy.go | 96 +------------- cloud/scope/clients.go | 3 - cloud/scope/cluster.go | 4 +- cloud/scope/{principal.go => identity.go} | 120 ++++++++---------- ...ucture.cluster.x-k8s.io_azureclusters.yaml | 25 +--- config/rbac/role.yaml | 12 -- controllers/azurecluster_controller.go | 1 - go.sum | 1 + .../addons/aad-pod-identity-deployment.yaml | 15 ++- 14 files changed, 76 insertions(+), 294 deletions(-) delete mode 100644 api/v1alpha3/azureserviceprincipal_types.go rename cloud/scope/{principal.go => identity.go} (53%) diff --git a/Makefile b/Makefile index 7d7d653ee3f..658dc7d5359 100644 --- a/Makefile +++ b/Makefile @@ -426,7 +426,7 @@ create-management-cluster: $(KUSTOMIZE) $(ENVSUBST) kubectl wait --for=condition=Available --timeout=5m -n capi-kubeadm-bootstrap-system deployment -l cluster.x-k8s.io/provider=bootstrap-kubeadm kubectl wait --for=condition=Available --timeout=5m -n capi-kubeadm-control-plane-system deployment -l cluster.x-k8s.io/provider=control-plane-kubeadm - sleep 5 + sleep 10 # apply CNI ClusterResourceSets kubectl create configmap calico-addon --from-file=templates/addons/calico.yaml kubectl create configmap calico-ipv6-addon --from-file=templates/addons/calico-ipv6.yaml diff --git a/api/v1alpha2/azurecluster_conversion.go b/api/v1alpha2/azurecluster_conversion.go index cf8627a2f22..a71c696e69f 100644 --- a/api/v1alpha2/azurecluster_conversion.go +++ b/api/v1alpha2/azurecluster_conversion.go 
@@ -60,7 +60,7 @@ func (src *AzureCluster) ConvertTo(dstRaw conversion.Hub) error { // nolint dst.Status.FailureDomains = restored.Status.FailureDomains dst.Spec.NetworkSpec.Vnet.CIDRBlocks = restored.Spec.NetworkSpec.Vnet.CIDRBlocks - dst.Spec.PrincipalRef = restored.Spec.PrincipalRef + dst.Spec.IdentityName = restored.Spec.IdentityName for _, restoredSubnet := range restored.Spec.NetworkSpec.Subnets { if restoredSubnet != nil { diff --git a/api/v1alpha2/zz_generated.conversion.go b/api/v1alpha2/zz_generated.conversion.go index 37dcd6b7862..6530d6519cb 100644 --- a/api/v1alpha2/zz_generated.conversion.go +++ b/api/v1alpha2/zz_generated.conversion.go @@ -434,7 +434,7 @@ func autoConvert_v1alpha3_AzureClusterSpec_To_v1alpha2_AzureClusterSpec(in *v1al out.Location = in.Location // WARNING: in.ControlPlaneEndpoint requires manual conversion: does not exist in peer-type out.AdditionalTags = *(*Tags)(unsafe.Pointer(&in.AdditionalTags)) - // WARNING: in.PrincipalRef requires manual conversion: does not exist in peer-type + // WARNING: in.IdentityName requires manual conversion: does not exist in peer-type return nil } diff --git a/api/v1alpha3/azurecluster_types.go b/api/v1alpha3/azurecluster_types.go index c9d3d9793e9..7ce92ecd769 100644 --- a/api/v1alpha3/azurecluster_types.go +++ b/api/v1alpha3/azurecluster_types.go @@ -27,17 +27,6 @@ const ( ClusterFinalizer = "azurecluster.infrastructure.cluster.x-k8s.io" ) -// AzurePrincipalKind defines allowed Azure cluster principal types -// +kubebuilder:validation:Enum=AzureSystemAssigned;AzureUserAssigned;AzureServicePrincipal -type AzurePrincipalKind string - -// AzurePrincipalRef is a reference to a principal -type AzurePrincipalRef struct { - Kind AzurePrincipalKind `json:"kind"` - Name string `json:"name"` - Namespace string `json:"namespace"` -} - // AzureClusterSpec defines the desired state of AzureCluster type AzureClusterSpec struct { // NetworkSpec encapsulates all things related to Azure network. 
@@ -60,9 +49,9 @@ type AzureClusterSpec struct {
 // +optional
 AdditionalTags Tags `json:"additionalTags,omitempty"`
- // PrincipalRef is a reference to a principal to be used when reconciling this cluster
+ // IdentityName is a reference to a AzureIdentity to be used when reconciling this cluster
 // +optional
- PrincipalRef *AzurePrincipalRef `json:"principalRef,omitempty"`
+ IdentityName *string `json:"identityName,omitempty"`
 }
 // AzureClusterStatus defines the observed state of AzureCluster
diff --git a/api/v1alpha3/azureserviceprincipal_types.go b/api/v1alpha3/azureserviceprincipal_types.go
deleted file mode 100644
index f5b13cfaf07..00000000000
--- a/api/v1alpha3/azureserviceprincipal_types.go
+++ /dev/null
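Review bot: The doc comment on `IdentityName` says neither which kind of object is referenced nor where it must live, while cluster.go in this commit resolves it strictly in the AzureCluster's own namespace; I would write `// IdentityName is the name of an aadpodidentity.k8s.io AzureIdentity in the same namespace as this AzureCluster whose credentials are used to reconcile it.` (which also fixes "a AzureIdentity"). Because the field is a `*string`, an explicit empty string passes the nil check in NewClusterScope and only fails later inside NewAzureCredentialsProvider; a `// +kubebuilder:validation:MinLength=1` marker next to `// +optional` would reject that at admission instead. The AzureClusterSpec struct starts before this hunk.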
@@ -1,72 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha3 - -import ( - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -// +kubebuilder:object:root=true -// +kubebuilder:resource:path=azureclusterprincipals,scope=Namespaced,categories=cluster-api -// +kubebuilder:storageversion - -// AzureClusterPrincipal represents a reference to an Azure access key ID and -// secret access key, stored in a secret. -type AzureClusterPrincipal struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - // Spec for this AzureClusterPrincipalSpec. - Spec AzureClusterPrincipalSpec `json:"spec,omitempty"` -} - -// +kubebuilder:object:root=true - -// AzureClusterPrincipalList contains a list of AzureClusterPrincipal -type AzureClusterPrincipalList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty"` - Items []AzureClusterPrincipal `json:"items"` -} - -// AzureClusterPrincipalSpec defines the fileds of the Azure cluster principal -type AzureClusterPrincipalSpec struct { - Name string `json:"name"` - // Reference to a secret containing the credentials. The secret should - // contain the following data keys: - // tenantID - // clientID - // clientSecret - SecretRef corev1.SecretReference `json:"secretRef"` - // AllowedNamespaces is a selector of namespaces that AzureClusters can - // use this ClusterPrincipal from. 
This is a standard Kubernetes LabelSelector, - // a label query over a set of resources. The result of matchLabels and - // matchExpressions are ANDed. Controllers must not support AzureClusters in - // namespaces outside this selector. - // - // An empty selector (default) indicates that AzureClusters can use this - // AzureClusterPrincipal from any namespace. This field is intentionally not a - // pointer because the nil behavior (no namespaces) is undesirable here. - // - // +optional - AllowedNamespaces metav1.LabelSelector `json:"allowedNamespaces"` -} - -func init() { - SchemeBuilder.Register(&AzureClusterPrincipal{}, &AzureClusterPrincipalList{}) -} diff --git a/api/v1alpha3/zz_generated.deepcopy.go b/api/v1alpha3/zz_generated.deepcopy.go index 493941720b6..a10e1697ec9 100644 --- a/api/v1alpha3/zz_generated.deepcopy.go +++ b/api/v1alpha3/zz_generated.deepcopy.go 
@@ -111,81 +111,6 @@ func (in *AzureClusterList) DeepCopyObject() runtime.Object { return nil } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AzureClusterPrincipal) DeepCopyInto(out *AzureClusterPrincipal) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureClusterPrincipal. -func (in *AzureClusterPrincipal) DeepCopy() *AzureClusterPrincipal { - if in == nil { - return nil - } - out := new(AzureClusterPrincipal) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *AzureClusterPrincipal) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AzureClusterPrincipalList) DeepCopyInto(out *AzureClusterPrincipalList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]AzureClusterPrincipal, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureClusterPrincipalList. -func (in *AzureClusterPrincipalList) DeepCopy() *AzureClusterPrincipalList { - if in == nil { - return nil - } - out := new(AzureClusterPrincipalList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *AzureClusterPrincipalList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AzureClusterPrincipalSpec) DeepCopyInto(out *AzureClusterPrincipalSpec) { - *out = *in - out.SecretRef = in.SecretRef - in.AllowedNamespaces.DeepCopyInto(&out.AllowedNamespaces) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureClusterPrincipalSpec. -func (in *AzureClusterPrincipalSpec) DeepCopy() *AzureClusterPrincipalSpec { - if in == nil { - return nil - } - out := new(AzureClusterPrincipalSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AzureClusterSpec) DeepCopyInto(out *AzureClusterSpec) { *out = *in @@ -198,9 +123,9 @@ func (in *AzureClusterSpec) DeepCopyInto(out *AzureClusterSpec) { (*out)[key] = val } } - if in.PrincipalRef != nil { - in, out := &in.PrincipalRef, &out.PrincipalRef - *out = new(AzurePrincipalRef) + if in.IdentityName != nil { + in, out := &in.IdentityName, &out.IdentityName + *out = new(string) **out = **in } } 
@@ -512,21 +437,6 @@ func (in *AzureMarketplaceImage) DeepCopy() *AzureMarketplaceImage { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AzurePrincipalRef) DeepCopyInto(out *AzurePrincipalRef) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzurePrincipalRef. -func (in *AzurePrincipalRef) DeepCopy() *AzurePrincipalRef { - if in == nil { - return nil - } - out := new(AzurePrincipalRef) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AzureSharedGalleryImage) DeepCopyInto(out *AzureSharedGalleryImage) { *out = *in diff --git a/cloud/scope/clients.go b/cloud/scope/clients.go index 659b4d878f5..bcbb4828021 100644 --- a/cloud/scope/clients.go +++ b/cloud/scope/clients.go @@ -104,10 +104,7 @@ func (c *AzureClients) setCredentialsWithProvider(ctx context.Context, subscript c.EnvironmentSettings = settings c.ResourceManagerEndpoint = settings.Environment.ResourceManagerEndpoint c.ResourceManagerVMDNSSuffix = settings.Environment.ResourceManagerVMDNSSuffix - c.Values[auth.ClientID] = strings.TrimSuffix(c.Values[auth.ClientID], "\n") - c.Values[auth.ClientSecret] = strings.TrimSuffix(c.Values[auth.ClientSecret], "\n") c.Values[auth.SubscriptionID] = strings.TrimSuffix(subscriptionID, "\n") - c.Values[auth.TenantID] = strings.TrimSuffix(c.Values[auth.TenantID], "\n") c.Authorizer, err = credentialsProvider.GetAuthorizer(ctx) return err diff --git a/cloud/scope/cluster.go b/cloud/scope/cluster.go index 3a377ee2a9d..153bdf271fa 100644 --- a/cloud/scope/cluster.go +++ b/cloud/scope/cluster.go 
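Review bot: Dropping the `TrimSuffix` calls for `auth.ClientID`, `auth.ClientSecret` and `auth.TenantID` leaves those `c.Values` entries exactly as `settings` supplied them, while the subscription ID on the line that is kept is still trimmed, so the function is now inconsistent about which environment-sourced values it sanitises. If the identity provider never consults these entries and the removal is deliberate, a one-line comment would stop the next reader from re-adding them: `// client/tenant credentials now come from the AzureIdentity; only the subscription ID is taken from the caller`. If anything downstream still reads them from `c.Values` (I cannot see the callers from here), the trims should stay. `setCredentialsWithProvider` starts before this hunk.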
@@ -59,13 +59,13 @@ func NewClusterScope(ctx context.Context, params ClusterScopeParams) (*ClusterSc
 params.Logger = klogr.New()
 }
- if params.AzureCluster.Spec.PrincipalRef == nil {
+ if params.AzureCluster.Spec.IdentityName == nil {
 err := params.AzureClients.setCredentials(params.AzureCluster.Spec.SubscriptionID)
 if err != nil {
 return nil, errors.Wrap(err, "failed to configure azure settings and credentials from environment")
 }
 } else {
- credentailsProvider, err := NewAzureCredentialsProvider(ctx, params.Client, params.ResourceManagerEndpoint, params.AzureCluster.Spec.PrincipalRef)
+ credentailsProvider, err := NewAzureCredentialsProvider(ctx, params.Client, params.AzureCluster.Namespace, params.ResourceManagerEndpoint, to.String(params.AzureCluster.Spec.IdentityName))
 if err != nil {
 return nil, errors.Wrap(err, "failed to init credentials provider")
 }
diff --git a/cloud/scope/principal.go b/cloud/scope/identity.go
similarity index 53%
rename from cloud/scope/principal.go
rename to cloud/scope/identity.go
index 5f22aabdf00..13257272797
--- a/cloud/scope/principal.go
+++ b/cloud/scope/identity.go
@@ -27,12 +27,9 @@ import (
 "github.com/pkg/errors"
 aadpodid "github.com/Azure/aad-pod-identity/pkg/apis/aadpodidentity"
- corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
-
- infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1alpha3"
 client "sigs.k8s.io/controller-runtime/pkg/client"
 )
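Review bot: `corev1` is removed from this import group, but the new side of the next hunk still declares `secret := &corev1.Secret{}` inside GetAuthorizer; unless `k8s.io/api/core/v1` is imported in a group above line 27, the file no longer compiles and the line `corev1 "k8s.io/api/core/v1"` should stay. Removing `infrav1` is fine, since the AzureClusterPrincipal types it was used for are deleted in this commit.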
@@ -47,114 +44,103 @@ import ( // AzureCredentialsProvider provides type AzureCredentialsProvider struct { Client client.Client - Principal *infrav1.AzureClusterPrincipal - PrincipalRef *infrav1.AzurePrincipalRef + Identity *aadpodid.AzureIdentity ResourceManagerEndpoint string - TenantID string - ClientID string - ClientSecret string } // NewAzureCredentialsProvider creates a new AzureCredentialsProvider from the supplied inputs. -func NewAzureCredentialsProvider(ctx context.Context, kubeclient client.Client, resourceManagerEndpoint string, ref *infrav1.AzurePrincipalRef) (*AzureCredentialsProvider, error) { - principal := infrav1.AzureClusterPrincipal{} - if ref == nil { - return nil, errors.New("failed to generate new AzureCredentialsProvider from nil PrincipalRef") - } - err := kubeclient.Get(ctx, client.ObjectKey{Name: ref.Name, Namespace: ref.Namespace}, &principal) - if err != nil { - return nil, errors.Wrap(err, "failed to get AzureClusterPrincipal") - } - - secret := &corev1.Secret{} - key := types.NamespacedName{Name: principal.Spec.SecretRef.Name, Namespace: principal.Spec.SecretRef.Namespace} - if err := kubeclient.Get(ctx, key, secret); err != nil { - return nil, errors.Wrapf(err, "failed to retrieve bootstrap data secret for AzureMachine %s", key) +func NewAzureCredentialsProvider(ctx context.Context, kubeclient client.Client, namespace, resourceManagerEndpoint, identityName string) (*AzureCredentialsProvider, error) { + azureIdentity := aadpodid.AzureIdentity{} + if identityName == "" { + return nil, errors.New("failed to generate new AzureCredentialsProvider from empty identityName") } - tenantID, err := getValueFromSecret(secret, "tenantID") + err := kubeclient.Get(ctx, client.ObjectKey{Name: identityName, Namespace: namespace}, &azureIdentity) if err != nil { - return nil, err + return nil, errors.Wrap(err, "failed to get AzureIdentity") } - clientID, _ := getValueFromSecret(secret, "clientID") - clientSecret, _ := getValueFromSecret(secret, 
"clientSecret") return &AzureCredentialsProvider{ Client: kubeclient, - Principal: &principal, - PrincipalRef: ref, + Identity: &azureIdentity, ResourceManagerEndpoint: resourceManagerEndpoint, - TenantID: tenantID, - ClientID: clientID, - ClientSecret: clientSecret, }, nil } -// GetAuthorizer returnes Azure authorizer based on the provided principal +// GetAuthorizer returnes Azure authorizer based on the provided azure identity func (p *AzureCredentialsProvider) GetAuthorizer(ctx context.Context) (autorest.Authorizer, error) { settings, err := auth.GetSettingsFromEnvironment() if err != nil { return nil, err } - if p.PrincipalRef == nil { + if p.Identity == nil { return settings.GetAuthorizer() } - oauthConfig, err := adal.NewOAuthConfig(settings.Environment.ActiveDirectoryEndpoint, p.TenantID) + + copiedIdentity := p.Identity.DeepCopy() + if copiedIdentity.Annotations == nil { + copiedIdentity.Annotations = map[string]string{} + } + copiedIdentity.Annotations[aadpodid.BehaviorKey] = "namespaced" + copiedIdentity.ObjectMeta.Namespace = "capz-system" + err = p.Client.Create(ctx, copiedIdentity) + if err != nil { + return nil, errors.Wrapf(err, "failed to create copied AzureIdentity %s in capz-system", copiedIdentity.Name) + } + + azureIdentityBinding := &aadpodid.AzureIdentityBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: copiedIdentity.Name, + Namespace: copiedIdentity.Namespace, + }, + Spec: aadpodid.AzureIdentityBindingSpec{ + AzureIdentity: copiedIdentity.Name, + Selector: fmt.Sprintf("%s-selector", copiedIdentity.Name), + }, + } + err = p.Client.Create(ctx, azureIdentityBinding) + if err != nil { + return nil, errors.Wrapf(err, "failed to create copied AzureIdentityBinding %s in capz-system", copiedIdentity.Name) + } + + oauthConfig, err := adal.NewOAuthConfig(settings.Environment.ActiveDirectoryEndpoint, p.Identity.Spec.TenantID) if err != nil { return nil, errors.Wrap(err, "failed to create OAuth config") } var spt *adal.ServicePrincipalToken - if 
p.PrincipalRef.Kind == "AzureServicePrincipal" { - azureIdentityBinding := &aadpodid.AzureIdentityBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: p.PrincipalRef.Name, - Namespace: p.PrincipalRef.Namespace, - }, - Spec: aadpodid.AzureIdentityBindingSpec{ - AzureIdentity: p.PrincipalRef.Name, - Selector: fmt.Sprintf("%s-selector", p.PrincipalRef.Name), - }, - } + if p.Identity.Spec.Type == aadpodid.ServicePrincipal { - err = p.Client.Create(ctx, azureIdentityBinding) + secret := &corev1.Secret{} + key := types.NamespacedName{Name: copiedIdentity.Spec.ClientPassword.Name, Namespace: copiedIdentity.Spec.ClientPassword.Namespace} + if err := p.Client.Get(ctx, key, secret); err != nil { + return nil, errors.Wrapf(err, "failed to retrieve bootstrap data secret for AzureMachine %s", key) + } + clientSecret, err := getValueFromSecret(secret, "clientSecret") if err != nil { - return nil, err + return nil, errors.Wrapf(err, "failed to retrieve bootstrap data secret for AzureMachine %s", key) } - spt, err = adal.NewServicePrincipalToken( *oauthConfig, - p.ClientID, - p.ClientSecret, + p.Identity.Spec.ClientID, + clientSecret, p.ResourceManagerEndpoint, ) if err != nil { return nil, errors.Wrap(err, "failed to get service principal token") } - } else { + } else if p.Identity.Spec.Type == aadpodid.UserAssignedMSI { msiEndpoint, err := adal.GetMSIVMEndpoint() if err != nil { return nil, errors.Wrap(err, "failed to get MSI endpoint") } - if p.PrincipalRef.Kind == "AzureSystemAssigned" { - - // create AzureIdentity - // create AzureIdentityBinding - - spt, err = adal.NewServicePrincipalTokenFromMSI(msiEndpoint, p.ResourceManagerEndpoint) - if err != nil { - return nil, errors.Wrap(err, "failed to get token from system-assigned identity") - } - } else if p.PrincipalRef.Kind == "AzureUserAssigned" { - // create AzureIdentityBinding - - spt, err = adal.NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint, p.ResourceManagerEndpoint, p.PrincipalRef.Name) - if err != nil { - 
return nil, errors.Wrap(err, "failed to get token from user-assigned identity") - } + spt, err = adal.NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint, p.ResourceManagerEndpoint, p.Identity.Name) + if err != nil { + return nil, errors.Wrap(err, "failed to get token from user-assigned identity") } } + return autorest.NewBearerAuthorizer(spt), nil } diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml index adcd8e26e4f..816cd0efeb9 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_azureclusters.yaml @@ -459,6 +459,10 @@ spec: - host - port type: object + identityName: + description: IdentityName is a reference to a AzureIdentity to be + used when reconciling this cluster + type: string location: type: string networkSpec: @@ -615,27 +619,6 @@ spec: - name type: object type: object - principalRef: - description: PrincipalRef is a reference to a principal to be used - when reconciling this cluster - properties: - kind: - description: AzurePrincipalKind defines allowed Azure cluster - principal types - enum: - - AzureSystemAssigned - - AzureUserAssigned - - AzureServicePrincipal - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - - namespace - type: object resourceGroup: type: string subscriptionID: diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 03f2463c698..329b7e27c7b 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -137,18 +137,6 @@ rules: - get - patch - update -- apiGroups: - - infrastructure.cluster.x-k8s.io - resources: - - azureclusterprincipals - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - infrastructure.cluster.x-k8s.io resources: 
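Review bot: The ServicePrincipal branch of GetAuthorizer reads the Secret named by `Spec.ClientPassword` of an AzureIdentity that lives in the AzureCluster's own namespace, taking the Secret's namespace from that reference as well, so whoever can create an AzureCluster plus an AzureIdentity in their namespace can point `ClientPassword` at a Secret in any namespace the controller can read (for example `capz-system`) and have its `clientSecret` used to mint the tokens for their cluster; the `AllowedNamespaces` restriction deleted with azureserviceprincipal_types.go has no replacement here, so the reference should be rejected unless it stays inside the identity's namespace. The copy into `capz-system` has two further problems: `p.Identity.DeepCopy()` carries `uid`/`resourceVersion`, which the API server rejects on `Create`, and the copy is keyed on `p.Identity.Name` alone, so same-named identities from two tenant namespaces collide (and the unconditional `Create` on every call fails with AlreadyExists from the second reconcile on). When `Spec.Type` is neither `ServicePrincipal` nor `UserAssignedMSI`, `spt` stays nil and the function returns `autorest.NewBearerAuthorizer(nil)` instead of an error. The excerpt below builds the copy from scratch under a namespace-qualified name, rejects a cross-namespace Secret reference, and turns the type dispatch into a `switch` with a default error; an AlreadyExists on the copy still needs to be checked against `p.Identity` before the existing object is trusted. Smaller points: the two "bootstrap data secret for AzureMachine" messages are copied from elsewhere and should name the AzureIdentity's clientPassword secret, and the MSI branch passes the Kubernetes object name as the user-assigned ID where adal expects the identity's client ID (`p.Identity.Spec.ClientID`) — worth confirming against how these AzureIdentity objects are named.
```go
func (p *AzureCredentialsProvider) GetAuthorizer(ctx context.Context) (autorest.Authorizer, error) {
	// … unchanged: settings lookup and the nil-Identity fallback to settings.GetAuthorizer() …

	// Build the capz-system copy from scratch: a DeepCopy of the fetched object carries
	// uid/resourceVersion, which the API server rejects on Create. Qualify the name with the
	// source namespace so same-named identities from different tenants cannot collide.
	copiedIdentity := &aadpodid.AzureIdentity{
		ObjectMeta: metav1.ObjectMeta{
			Name:        fmt.Sprintf("%s-%s", p.Identity.Namespace, p.Identity.Name),
			Namespace:   "capz-system",
			Annotations: map[string]string{aadpodid.BehaviorKey: "namespaced"},
		},
		Spec: *p.Identity.Spec.DeepCopy(),
	}
	// … unchanged: Create of the identity and its AzureIdentityBinding (an AlreadyExists left by a
	// previous reconcile must be compared against p.Identity before the existing copy is reused) …

	var spt *adal.ServicePrincipalToken
	switch p.Identity.Spec.Type {
	case aadpodid.ServicePrincipal:
		ref := p.Identity.Spec.ClientPassword
		// Never follow the reference outside the namespace that owns the AzureIdentity;
		// otherwise it is a way to read any Secret the controller can read.
		if ref.Namespace != "" && ref.Namespace != p.Identity.Namespace {
			return nil, errors.Errorf("AzureIdentity %s/%s references clientPassword secret in foreign namespace %q", p.Identity.Namespace, p.Identity.Name, ref.Namespace)
		}
		// … unchanged: Secret fetch (use p.Identity.Namespace when ref.Namespace is empty) and NewServicePrincipalToken …
	case aadpodid.UserAssignedMSI:
		// … unchanged: MSI endpoint lookup and NewServicePrincipalTokenFromMSIWithUserAssignedID …
	default:
		return nil, errors.Errorf("unsupported AzureIdentity type %v for %s/%s", p.Identity.Spec.Type, p.Identity.Namespace, p.Identity.Name)
	}
	return autorest.NewBearerAuthorizer(spt), nil
}
```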
diff --git a/controllers/azurecluster_controller.go b/controllers/azurecluster_controller.go index 377342697b9..5b0f95723b3 100644 --- a/controllers/azurecluster_controller.go +++ b/controllers/azurecluster_controller.go @@ -81,7 +81,6 @@ func (r *AzureClusterReconciler) SetupWithManager(mgr ctrl.Manager, options cont // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=azureclusters/status,verbs=get;update;patch // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=azuremachinetemplates;azuremachinetemplates/status,verbs=get;list;watch -// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=azureclusterprincipals,verbs=get;list;watch;create;update;patch;delete func (r *AzureClusterReconciler) Reconcile(req ctrl.Request) (_ ctrl.Result, reterr error) { ctx, cancel := context.WithTimeout(context.Background(), reconciler.DefaultedLoopTimeout(r.ReconcileTimeout)) diff --git a/go.sum b/go.sum index 53a5b1c2815..65719adf21f 100644 --- a/go.sum +++ b/go.sum @@ -376,6 +376,7 @@ github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQL github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= +github.com/knative/pkg v0.0.0-20201009175121-3c4df8c27293 h1:EPP3k5RVp5+4Spq0cnemB0tnRR/WIOlwwICtey9hagQ= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= 
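Review bot: The new side of this marker list grants nothing on `aadpodidentity.k8s.io`, yet identity.go in this commit now `Get`s an AzureIdentity from the cluster namespace, `Create`s an AzureIdentity and an AzureIdentityBinding in `capz-system`, and `Get`s the `clientPassword` Secret; only the obsolete `azureclusterprincipals` rule is dropped, and `config/rbac/role.yaml` changes the same way. Unless those permissions are granted elsewhere, add `// +kubebuilder:rbac:groups=aadpodidentity.k8s.io,resources=azureidentities;azureidentitybindings,verbs=get;list;watch;create;update;patch;delete` here (plus a `secrets` get rule if one is not already present) and regenerate role.yaml. Reconcile continues past this hunk.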
diff --git a/templates/addons/aad-pod-identity-deployment.yaml b/templates/addons/aad-pod-identity-deployment.yaml index 007bf2d567d..a7a52192b31 100644 --- a/templates/addons/aad-pod-identity-deployment.yaml +++ b/templates/addons/aad-pod-identity-deployment.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: aad-pod-id-nmi-service-account - namespace: default + namespace: capz-system --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition @@ -84,7 +84,7 @@ metadata: subjects: - kind: ServiceAccount name: aad-pod-id-nmi-service-account - namespace: default + namespace: capz-system roleRef: kind: ClusterRole name: aad-pod-id-nmi-role @@ -98,7 +98,7 @@ metadata: tier: node k8s-app: aad-pod-id name: nmi - namespace: default + namespace: capz-system spec: updateStrategy: type: RollingUpdate @@ -171,13 +171,13 @@ data: kind: Secret metadata: name: aadpodidentity-admin-secret - namespace: default + namespace: capz-system --- apiVersion: v1 kind: ServiceAccount metadata: name: aad-pod-id-mic-service-account - namespace: default + namespace: capz-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -218,7 +218,7 @@ metadata: subjects: - kind: ServiceAccount name: aad-pod-id-mic-service-account - namespace: default + namespace: capz-system roleRef: kind: ClusterRole name: aad-pod-id-mic-role @@ -231,7 +231,7 @@ metadata: component: mic k8s-app: aad-pod-id name: mic - namespace: default + namespace: capz-system spec: replicas: 2 selector: @@ -251,6 +251,7 @@ spec: imagePullPolicy: Always args: - "--logtostderr" + - "--forceNamespaced" env: - name: MIC_POD_NAMESPACE valueFrom:
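Review bot: `--forceNamespaced` is added only to the `mic` Deployment args; aad-pod-identity's namespaced mode is meant to be enabled on both components, with `nmi` using the same flag to filter assigned identities by the requesting pod's namespace at token time, and the `nmi` DaemonSet's args in this file are outside this hunk. If `nmi` is not started with `- "--forceNamespaced"` as well, the `namespaced` annotation that identity.go sets on the copied AzureIdentity is only enforced by one side. Moving every object into `capz-system` also makes the manifest depend on that namespace existing before it is applied; a `kind: Namespace` entry at the top of the file, or a comment stating that the capz deployment must be applied first, would avoid a failed first apply.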