diff --git a/kustomization.yaml b/kustomization.yaml
index 182cf2b8710bf3af9a6b78656a48f7bbc2145b82..1fa48a18c8b7acbc774e26707e08c43f86828609 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -1,6 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
+- manifests/clusterrole.yaml
+- manifests/clusterrolebinding.yaml
- manifests/system-upgrade-controller.yaml
images:
- name: rancher/system-upgrade-controller
diff --git a/manifests/clusterrole.yaml b/manifests/clusterrole.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f188138336b4f50d1157c1b7768231cb369bc3d4
--- /dev/null
+++ b/manifests/clusterrole.yaml
@@ -0,0 +1,108 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system-upgrade-controller
+rules:
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - update
+- apiGroups:
+ - upgrade.cattle.io
+ resources:
+ - plans
+ - plans/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - patch
+ - update
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: system-upgrade-controller
+rules:
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Borrowed from https://stackoverflow.com/a/63553032
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system-upgrade-controller-drainer
+rules:
+ # Needed to evict pods
+ - apiGroups:
+ - ""
+ resources:
+ - "pods/eviction"
+ verbs:
+ - "create"
+ # Needed to list pods by Node
+ - apiGroups:
+ - ""
+ resources:
+ - "pods"
+ verbs:
+ - "get"
+ - "list"
+ # Needed to cordon Nodes
+ - apiGroups:
+ - ""
+ resources:
+ - "nodes"
+ verbs:
+ - "get"
+ - "patch"
+ # Needed to determine Pod owners
+ - apiGroups:
+ - "apps"
+ resources:
+ - "statefulsets"
+ - "daemonsets"
+ - "replicasets"
+ verbs:
+ - "get"
+ - "list"
diff --git a/manifests/clusterrolebinding.yaml b/manifests/clusterrolebinding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8a74335ea1b2f85dba8f450d4cf9013d9f997a21
--- /dev/null
+++ b/manifests/clusterrolebinding.yaml
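Review bot: The namespaced `Role` `system-upgrade-controller` in the middle document has no `metadata.namespace`, so unless the kustomization sets a `namespace:` (that field is not in the shown kustomization hunk) it will presumably be created in whatever namespace the applying context defaults to rather than in `system-upgrade`, where the removed binding in system-upgrade-controller.yaml shows the ServiceAccount living; add `namespace: system-upgrade` under that Role's metadata. This matters for security as well as function, because the `jobs` create/patch/delete and `secrets` get/list/watch grants are scoped by that namespace, and landing them elsewhere both breaks the controller and mis-scopes the permissions. The split into a cluster-wide read/plan role, a namespaced job/secret role and a drainer role is a clear least-privilege improvement over the `cluster-admin` binding this commit removes, though note that creating Jobs in a namespace still lets the holder run arbitrary pods there, so the namespace should stay dedicated to this controller. Two style nits: `nodes` is split across two ClusterRole rules (`get/list/watch` and `update`) that could be one rule, and the first document lacks the leading `---` that clusterrolebinding.yaml uses.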
@@ -0,0 +1,36 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system-upgrade-drainer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system-upgrade-controller-drainer
+subjects:
+- kind: ServiceAccount
+ name: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system-upgrade
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system-upgrade-controller
+subjects:
+- kind: ServiceAccount
+ name: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: system-upgrade
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: system-upgrade-controller
+subjects:
+- kind: ServiceAccount
+ name: system-upgrade
diff --git a/manifests/system-upgrade-controller.yaml b/manifests/system-upgrade-controller.yaml
index b5ce4dbcff3517fb67371fc52e1e7a6dfb4a6967..e3efd9de408ce0d68b11dd26b462da1374426d51 100644
--- a/manifests/system-upgrade-controller.yaml
+++ b/manifests/system-upgrade-controller.yaml
@@ -11,19 +11,6 @@ metadata:
name: system-upgrade
namespace: system-upgrade
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: system-upgrade
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
-- kind: ServiceAccount
- name: system-upgrade
- namespace: system-upgrade
----
apiVersion: v1
kind: ConfigMap
metadata:
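Review bot: All three bindings name the subject as `kind: ServiceAccount` / `name: system-upgrade` with no `namespace`, and the `RoleBinding` also has no `metadata.namespace`; as far as I recall the RBAC validator requires `subjects[].namespace` for ServiceAccount subjects in a ClusterRoleBinding, so the two ClusterRoleBindings will be rejected outright unless a kustomize `namespace:` transformer fills it in (no such field is visible in the kustomization hunk), and the RoleBinding will resolve the account in whichever namespace it happens to be applied to. The binding this commit removes from system-upgrade-controller.yaml carried `namespace: system-upgrade` explicitly on its subject, and that should be kept on the replacements, e.g. `- kind: ServiceAccount`, `  name: system-upgrade`, `  namespace: system-upgrade`, plus `namespace: system-upgrade` in the RoleBinding's metadata. Pinning the namespace is also what prevents a same-named ServiceAccount in another namespace from accidentally inheriting the node-update and drain rights these bindings grant.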