mirror of
https://github.com/k3s-io/k3s.git
synced 2024-06-07 19:41:36 +00:00
Set controller authn/authz kubeconfigs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
parent
199424b608
commit
dc556cbb72
@ -78,3 +78,30 @@ subjects:
|
|||||||
- kind: User
|
- kind: User
|
||||||
name: k3s-cloud-controller-manager
|
name: k3s-cloud-controller-manager
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: k3s-cloud-controller-manager-auth-delegator
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:auth-delegator
|
||||||
|
subjects:
|
||||||
|
- kind: User
|
||||||
|
name: k3s-cloud-controller-manager
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: k3s-cloud-controller-manager-authentication-reader
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: extension-apiserver-authentication-reader
|
||||||
|
subjects:
|
||||||
|
- kind: User
|
||||||
|
name: k3s-cloud-controller-manager
|
||||||
|
namespace: kube-system
|
||||||
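Review bot: The two added bindings carry no comment saying why the `k3s-cloud-controller-manager` user needs `system:auth-delegator` cluster-wide and `extension-apiserver-authentication-reader` in kube-system. A short comment above each, such as `# Lets the cloud controller manager create TokenReviews and SubjectAccessReviews for delegated authn/authz on its serving endpoint`, would keep a later reader from widening or removing them by accident. The added subjects also set `namespace: kube-system` on a `kind: User` entry, copied from the existing binding above. The RBAC API documents that field for namespaced subject kinds such as ServiceAccount, so it could be dropped from the new entries.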
|
@ -93,6 +93,8 @@ func Server(ctx context.Context, cfg *config.Control) error {
|
|||||||
func controllerManager(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) error {
|
func controllerManager(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) error {
|
||||||
argsMap := map[string]string{
|
argsMap := map[string]string{
|
||||||
"kubeconfig": runtime.KubeConfigController,
|
"kubeconfig": runtime.KubeConfigController,
|
||||||
|
"authorization-kubeconfig": runtime.KubeConfigController,
|
||||||
|
"authentication-kubeconfig": runtime.KubeConfigController,
|
||||||
"service-account-private-key-file": runtime.ServiceKey,
|
"service-account-private-key-file": runtime.ServiceKey,
|
||||||
"allocate-node-cidrs": "true",
|
"allocate-node-cidrs": "true",
|
||||||
"cluster-cidr": util.JoinIPNets(cfg.ClusterIPRanges),
|
"cluster-cidr": util.JoinIPNets(cfg.ClusterIPRanges),
|
||||||
@ -126,10 +128,12 @@ func controllerManager(ctx context.Context, cfg *config.Control, runtime *config
|
|||||||
|
|
||||||
func scheduler(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) error {
|
func scheduler(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) error {
|
||||||
argsMap := map[string]string{
|
argsMap := map[string]string{
|
||||||
"kubeconfig": runtime.KubeConfigScheduler,
|
"kubeconfig": runtime.KubeConfigScheduler,
|
||||||
"bind-address": localhostIP.String(),
|
"authorization-kubeconfig": runtime.KubeConfigScheduler,
|
||||||
"secure-port": "10259",
|
"authentication-kubeconfig": runtime.KubeConfigScheduler,
|
||||||
"profiling": "false",
|
"bind-address": localhostIP.String(),
|
||||||
|
"secure-port": "10259",
|
||||||
|
"profiling": "false",
|
||||||
}
|
}
|
||||||
if cfg.NoLeaderElect {
|
if cfg.NoLeaderElect {
|
||||||
argsMap["leader-elect"] = "false"
|
argsMap["leader-elect"] = "false"
|
||||||
@ -290,6 +294,8 @@ func cloudControllerManager(ctx context.Context, cfg *config.Control, runtime *c
|
|||||||
"cluster-cidr": util.JoinIPNets(cfg.ClusterIPRanges),
|
"cluster-cidr": util.JoinIPNets(cfg.ClusterIPRanges),
|
||||||
"configure-cloud-routes": "false",
|
"configure-cloud-routes": "false",
|
||||||
"kubeconfig": runtime.KubeConfigCloudController,
|
"kubeconfig": runtime.KubeConfigCloudController,
|
||||||
|
"authorization-kubeconfig": runtime.KubeConfigCloudController,
|
||||||
|
"authentication-kubeconfig": runtime.KubeConfigCloudController,
|
||||||
"node-status-update-frequency": "1m0s",
|
"node-status-update-frequency": "1m0s",
|
||||||
"bind-address": "127.0.0.1",
|
"bind-address": "127.0.0.1",
|
||||||
"port": "0",
|
"port": "0",
|
||||||
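Review bot: The `authorization-kubeconfig` and `authentication-kubeconfig` entries added to `argsMap` in controllerManager, scheduler and cloudControllerManager have no comment explaining that they enable delegated authentication and authorization on each component's serving endpoint, or which RBAC grants that relies on. I would add above each pair something like `// Delegated authn/authz: the component uses this kubeconfig to create TokenReviews and SubjectAccessReviews for requests to its own endpoint.` For cloudControllerManager the grants appear to come from the `system:auth-delegator` and `extension-apiserver-authentication-reader` bindings this commit adds for `k3s-cloud-controller-manager`, assuming `runtime.KubeConfigCloudController` authenticates as that user. It is worth confirming how the component behaves if it starts before that manifest has been applied. All three function bodies continue outside the hunks shown.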
|
@ -90,7 +90,7 @@ func (fi bindataFileInfo) Sys() interface{} {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ccmYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x9c\x93\xc1\xab\xdb\x30\x0c\xc6\xef\xfe\x2b\x4c\x2f\x85\x81\x5b\xc6\x2e\x23\xc7\xed\xb0\x7b\x61\xbb\x2b\xb6\xd6\x7a\x75\x2c\x23\xc9\x29\xdb\x5f\x3f\xd2\xf4\x3d\x4a\xf2\x5a\x92\xde\x44\x90\x7e\xdf\xa7\xc8\x1f\x94\xf8\x0b\x59\x22\xe5\xc6\x72\x0b\x7e\x07\x55\x4f\xc4\xf1\x1f\x68\xa4\xbc\x3b\x7f\x95\x5d\xa4\x7d\xff\xd9\x9c\x63\x0e\x8d\xfd\x9e\xaa\x28\xf2\x81\x12\x9a\x0e\x15\x02\x28\x34\xc6\xda\x0c\x1d\x36\xf6\xfc\x45\x9c\x4f\x54\x83\xf3\x94\x95\x29\x25\x64\xd7\x41\x86\x23\xb2\xe1\x9a\x50\x1a\xe3\x2c\x94\xf8\x83\xa9\x16\x19\x06\x9d\xf5\x44\x1c\x62\xbe\xd7\x33\xd6\x32\x0a\x55\xf6\x78\x6b\x4a\x08\x82\x62\xac\xed\x91\xdb\xdb\xb7\x23\xea\x08\x60\x04\xc5\x6b\x59\x4b\x18\xca\x99\xc6\x66\x33\x47\x62\x8f\x59\x27\xc8\x3b\x54\x01\xf5\xa7\xd5\xd0\x4c\x61\x6a\x73\xfb\x69\xbb\x62\x76\x2f\x0a\x5a\x27\x88\xd1\xcb\x22\x88\x20\xf7\xd1\x4f\x3d\xa4\x28\xfa\xf1\x56\x43\x79\x59\x8d\x07\xef\xa9\x3e\xfa\x7b\x8b\x40\x65\x78\x74\xa2\x98\xb5\xa7\x54\xbb\x47\xb7\x7d\x37\xfe\x9a\x5d\xcc\xa1\x50\x7c\x76\xe6\x99\xd0\x65\x76\x77\xe7\xcc\xeb\x29\xf9\x16\x73\x88\xf9\xb8\x3a\x2c\x94\xf0\x80\xbf\x87\xee\xb7\x35\x9f\x28\x1b\x6b\xe7\xf1\x5c\xa4\x23\xb5\xfd\x83\x5e\xaf\xb9\x1c\x11\x3f\x05\x79\xd9\xec\xd8\x24\x05\xfc\xd0\x59\x5b\x74\xf2\x57\x14\x3b\xf3\x3f\x00\x00\xff\xff\x37\xa3\x5f\x88\x54\x04\x00\x00")
|
var _ccmYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xcc\x94\x41\x8f\x13\x31\x0c\x85\xef\xf9\x15\xd1\x5e\x56\x42\x4a\x57\x88\x0b\x9a\x23\x1c\xb8\xaf\x04\x77\x37\x79\x74\x43\x33\x71\x14\x3b\xb3\xc0\xaf\x47\xe9\x2c\x68\x99\xa1\x55\x5b\x40\x70\x8b\x2a\xfb\x7b\xcf\xcf\xf5\x50\x89\x1f\x50\x25\x72\x1e\x6c\xdd\x92\xdf\x50\xd3\x07\xae\xf1\x2b\x69\xe4\xbc\xd9\xbf\x96\x4d\xe4\xbb\xe9\xa5\xd9\xc7\x1c\x06\xfb\x36\x35\x51\xd4\x7b\x4e\x30\x23\x94\x02\x29\x0d\xc6\xda\x4c\x23\x06\xbb\x7f\x25\xce\x27\x6e\xc1\x79\xce\x5a\x39\x25\x54\x37\x52\xa6\x1d\xaa\xa9\x2d\x41\x06\xe3\x2c\x95\xf8\xae\x72\x2b\xd2\x1b\x9d\xf5\xcc\x35\xc4\xfc\x5c\xcf\x58\x5b\x21\xdc\xaa\xc7\x53\x51\x02\x09\xc4\x58\x3b\xa1\x6e\x9f\x7e\xdb\x41\x67\x40\x05\x29\x0e\xcf\x56\x42\x7f\xae\x34\x6e\x6e\xd6\x48\x4c\xc8\xba\x40\x3e\x43\x15\x52\xff\x70\x31\x34\x73\x58\xda\xbc\x7d\x71\x7b\x41\xef\x9d\x28\x69\x5b\x20\x66\x2f\x67\x41\x04\x75\x8a\x7e\xe9\x21\x45\xd1\x5f\x4f\xd5\x9f\x8f\x17\xe3\xc9\x7b\x6e\xc7\xd2\x3b\x0b\x54\xfa\x9f\x4e\x14\x59\x27\x4e\x6d\x3c\xb6\xdb\x1f\xc6\xaf\xb3\x8b\x1c\x0a\xc7\x53\x6b\x5e\x09\x3d\xae\xf6\xee\x9c\xb9\xfe\x4a\xde\xc4\x1c\x62\xde\x5d\x7c\x2c\x9c\x70\x8f\x8f\xbd\xfa\xfb\x98\x27\x94\x8d\xb5\xeb\xf3\x3c\x4b\x47\xda\xf6\x13\xbc\x1e\xee\x72\x46\xbc\x17\xd4\xf3\x7a\xe7\x22\x29\xe4\x7b\x65\xdb\xc2\xc9\x17\x51\x8c\xff\x24\x31\xd7\xf9\x2e\x20\x61\x47\xca\x7f\x34\xc0\x79\xaa\x61\x21\xf0\xbf\x24\xf7\x9b\x91\x21\x6b\xf4\x07\xb2\xab\xa0\x70\xca\xdc\x95\x91\xfe\x94\x25\x3e\x2b\x72\x9f\xcd\x51\x89\xfd\x63\x72\xd4\xc6\x5f\xc9\xf7\x5b\x00\x00\x00\xff\xff\xc2\xa7\x17\xb8\xee\x06\x00\x00")
|
||||||
|
|
||||||
func ccmYamlBytes() ([]byte, error) {
|
func ccmYamlBytes() ([]byte, error) {
|
||||||
return bindataRead(
|
return bindataRead(
|
||||||
|