From 88bafc701b31ecf25461cd384ac7245498bc24b7 Mon Sep 17 00:00:00 2001
From: Shane Peckham
Date: Fri, 13 Apr 2018 20:45:25 +0100
Subject: [PATCH] Add RBAC support - issue 107 (#128)
* Add RBAC support
* RBAC support issue 107 changes requested
---
 charts/virtual-kubelet-0.1.1-rbac/Chart.yaml | 8 ++++
 .../templates/NOTES.txt | 21 ++++++++++
 .../templates/_helpers.tpl | 16 +++++++
 .../templates/clusterrolebinding.yaml | 14 +++++++
 .../templates/deployment.yaml | 42 +++++++++++++++++++
 .../templates/secrets.yaml | 9 ++++
 .../templates/serviceaccount.yaml | 6 +++
 charts/virtual-kubelet-0.1.1-rbac/values.yaml | 25 +++++++++++
 providers/azure/README.md | 6 ++-
 9 files changed, 145 insertions(+), 2 deletions(-)
 create mode 100644 charts/virtual-kubelet-0.1.1-rbac/Chart.yaml
 create mode 100644 charts/virtual-kubelet-0.1.1-rbac/templates/NOTES.txt
 create mode 100644 charts/virtual-kubelet-0.1.1-rbac/templates/_helpers.tpl
 create mode 100644 charts/virtual-kubelet-0.1.1-rbac/templates/clusterrolebinding.yaml
 create mode 100644 charts/virtual-kubelet-0.1.1-rbac/templates/deployment.yaml
 create mode 100644 charts/virtual-kubelet-0.1.1-rbac/templates/secrets.yaml
 create mode 100644 charts/virtual-kubelet-0.1.1-rbac/templates/serviceaccount.yaml
 create mode 100644 charts/virtual-kubelet-0.1.1-rbac/values.yaml
diff --git a/charts/virtual-kubelet-0.1.1-rbac/Chart.yaml b/charts/virtual-kubelet-0.1.1-rbac/Chart.yaml
new file mode 100644
index 000000000..e6b645e3c
--- /dev/null
+++ b/charts/virtual-kubelet-0.1.1-rbac/Chart.yaml
@@ -0,0 +1,8 @@
+name: virtual-kubelet
+version: 0.1.1
+description: a Helm chart to install virtual kubelet inside a Kubernetes cluster.
+sources:
+ - https://github.com/virtual-kubelet/virtual-kubelet
+maintainers:
+ - name: Robbie Zhang
+ email: junjiez@microsoft.com
diff --git a/charts/virtual-kubelet-0.1.1-rbac/templates/NOTES.txt b/charts/virtual-kubelet-0.1.1-rbac/templates/NOTES.txt
new file mode 100644
index 000000000..7d7983c02
--- /dev/null
+++ b/charts/virtual-kubelet-0.1.1-rbac/templates/NOTES.txt
@@ -0,0 +1,21 @@
+{{- if and .Values.env.azureClientId .Values.env.azureClientKey .Values.env.azureTenantId .Values.env.azureSubscriptionId .Values.env.aciResourceGroup -}}
+
+The virtual kubelet is getting deployed on your cluster.
+
+To verify that virtual kubelet has started, run:
+
+ kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "fullname" . }}"
+
+{{- else -}}
+##############################################################################
+#### ERROR: You are missing required values in the values.yaml file. ####
+##############################################################################
+
+This deployment will be incomplete until all the required fields in the values.yaml file have been provided.
+
+To update, run:
+
+ helm upgrade {{ .Release.Name }} \
+ --set env.azureClientId=,env.azureClientKey=,env.azureTenantId=,env.azureSubscriptionId=,env.aciResourceGroup=,ev.aciOsType=,rbac.install=
+
+{{- end }}
diff --git a/charts/virtual-kubelet-0.1.1-rbac/templates/_helpers.tpl b/charts/virtual-kubelet-0.1.1-rbac/templates/_helpers.tpl
new file mode 100644
index 000000000..c199f18f0
--- /dev/null
+++ b/charts/virtual-kubelet-0.1.1-rbac/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 24 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
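Review bot: The `helm upgrade` hint in the error branch lists `ev.aciOsType=`, which matches no key in values.yaml (deployment.yaml reads the OS from `.Values.env.nodeOsType`), so a user who copies the hint sets a value nothing consumes. The hint also omits `env.apiserverCert` and `env.apiserverKey`, which secrets.yaml otherwise fills with placeholder content, and the `if and …` guard on the first line does not check them either, so the success message prints even when no certificate was supplied. Change the set list to `--set env.azureClientId=,env.azureClientKey=,env.azureTenantId=,env.azureSubscriptionId=,env.aciResourceGroup=,env.nodeOsType=,env.apiserverCert=,env.apiserverKey=,rbac.install=` and extend the guard with `.Values.env.apiserverCert .Values.env.apiserverKey`.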
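Review bot: The comment above `fullname` says "We truncate at 24 chars", but both defines call `trunc 63`, so the comment documents a limit the code does not enforce. Since the 63-character limit is the one that matters for DNS label names, fix the comment rather than the code: `We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).` The `name` define is not referenced by any template in this patch; a one-line comment saying it is kept for chart convention, or dropping it, would avoid the question.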
diff --git a/charts/virtual-kubelet-0.1.1-rbac/templates/clusterrolebinding.yaml b/charts/virtual-kubelet-0.1.1-rbac/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..ec9903577
--- /dev/null
+++ b/charts/virtual-kubelet-0.1.1-rbac/templates/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+{{ if .Values.rbac.install }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "fullname" . }}-role-binding
+subjects:
+- kind: ServiceAccount
+ name: {{ template "fullname" . }}-service-account
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.rbac.roleRef }}
+{{ end }}
\ No newline at end of file
diff --git a/charts/virtual-kubelet-0.1.1-rbac/templates/deployment.yaml b/charts/virtual-kubelet-0.1.1-rbac/templates/deployment.yaml
new file mode 100644
index 000000000..58095a3a8
--- /dev/null
+++ b/charts/virtual-kubelet-0.1.1-rbac/templates/deployment.yaml
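Review bot: The subject hard-codes `namespace: default`, while serviceaccount.yaml (later in this patch) creates the ServiceAccount with no namespace, i.e. in the release namespace. Installed anywhere other than `default`, the binding points at an account that does not exist, so the pod runs with no permissions; and if an unrelated account with that name does exist in `default`, it is granted `.Values.rbac.roleRef`, which values.yaml defaults to `cluster-admin`. Use `namespace: {{ .Release.Namespace }}` so the binding follows the account the chart actually creates. The `apiVersion` is also fixed to `rbac.authorization.k8s.io/v1beta1` even though values.yaml declares `rbac.apiVersion: v1beta1`; either render `apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}` or drop the unused value.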
@@ -0,0 +1,42 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: {{ template "fullname" . }}
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: {{ template "fullname" . }}
+ spec:
+ containers:
+ - name: {{ template "fullname" . }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: KUBELET_PORT
+ value: "10250"
+ - name: AZURE_AUTH_LOCATION
+ value: /etc/virtual-kubelet/credentials.json
+ - name: ACI_RESOURCE_GROUP
+ value: {{ .Values.env.aciResourceGroup }}
+ - name: ACI_REGION
+ value: {{ default "westus" .Values.env.aciRegion }}
+ - name: APISERVER_CERT_LOCATION
+ value: /etc/virtual-kubelet/cert.pem
+ - name: APISERVER_KEY_LOCATION
+ value: /etc/virtual-kubelet/key.pem
+ - name: VKUBELET_POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ volumeMounts:
+ - name: credentials
+ mountPath: "/etc/virtual-kubelet"
+ command: ["virtual-kubelet"]
+ args: ["--provider", "azure", "--namespace", "default", "--nodename", {{ default "virtual-kubelet" .Values.env.nodeName | quote }} , "--os", {{ default "Linux" .Values.env.nodeOsType | quote }}, "--taint", {{ default "azure.com/aci" .Values.env.nodeTaint | quote }}]
+ volumes:
+ - name: credentials
+ secret:
+ secretName: {{ template "fullname" . }}
+ serviceAccountName: {{ if .Values.rbac.install }} "{{ template "fullname" . }}-service-account" {{ end }}
diff --git a/charts/virtual-kubelet-0.1.1-rbac/templates/secrets.yaml b/charts/virtual-kubelet-0.1.1-rbac/templates/secrets.yaml
new file mode 100644
index 000000000..c3eb8c84c
--- /dev/null
+++ b/charts/virtual-kubelet-0.1.1-rbac/templates/secrets.yaml
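Review bot: The `value:` entries for ACI_RESOURCE_GROUP and ACI_REGION interpolate their values unquoted, so a value that YAML reads as a number or boolean reaches the API server as a non-string env value (env values must be strings), and the empty default in values.yaml renders a bare `value:`. Write them as `value: {{ .Values.env.aciResourceGroup | quote }}` and `value: {{ default "westus" .Values.env.aciRegion | quote }}`, matching the `| quote` already used in the `args` list. The last line renders as a bare `serviceAccountName:` when `rbac.install` is false; wrapping the whole line in the `{{ if }}` so it is omitted entirely reads more clearly. The `--namespace` argument is fixed to `"default"` while NOTES.txt refers to `.Release.Namespace`; if that is intentional it deserves a comment in values.yaml.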
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "fullname" . }}
+type: Opaque
+data:
+ credentials.json: {{ printf "{ \"clientId\": \"%s\", \"clientSecret\": \"%s\", \"subscriptionId\": \"%s\", \"tenantId\": \"%s\", \"activeDirectoryEndpointUrl\": \"https://login.microsoftonline.com/\", \"resourceManagerEndpointUrl\": \"https://management.azure.com/\", \"activeDirectoryGraphResourceId\": \"https://graph.windows.net/\", \"sqlManagementEndpointUrl\": \"database.windows.net\", \"galleryEndpointUrl\": \"https://gallery.azure.com/\", \"managementEndpointUrl\": \"https://management.core.windows.net/\" }" (default "MISSING" .Values.env.azureClientId) (default "MISSING" .Values.env.azureClientKey) (default "MISSING" .Values.env.azureSubscriptionId) (default "MISSING" .Values.env.azureTenantId) | b64enc | quote }}
+ cert.pem: {{ (default "TUlTU0lORw==" .Values.env.apiserverCert) | quote }}
+ key.pem: {{ (default "TUlTU0lORw==" .Values.env.apiserverKey) | quote }}
diff --git a/charts/virtual-kubelet-0.1.1-rbac/templates/serviceaccount.yaml b/charts/virtual-kubelet-0.1.1-rbac/templates/serviceaccount.yaml
new file mode 100644
index 000000000..450120aa9
--- /dev/null
+++ b/charts/virtual-kubelet-0.1.1-rbac/templates/serviceaccount.yaml
@@ -0,0 +1,6 @@
+{{ if .Values.rbac.install }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "fullname" . }}-service-account
+{{ end }}
\ No newline at end of file
diff --git a/charts/virtual-kubelet-0.1.1-rbac/values.yaml b/charts/virtual-kubelet-0.1.1-rbac/values.yaml
new file mode 100644
index 000000000..48dba14d0
--- /dev/null
+++ b/charts/virtual-kubelet-0.1.1-rbac/values.yaml
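Review bot: Every required credential falls back to a placeholder — `default "MISSING"` for the four credentials.json fields and `TUlTU0lORw==` (base64 of MISSING) for cert.pem and key.pem — so a release with missing values renders a Secret containing the literal string MISSING as clientSecret and a non-PEM certificate, and the problem only surfaces as a runtime failure inside the pod. Helm's `required` function fails the render with a readable message instead, e.g. `{{ required "env.azureClientId is required" .Values.env.azureClientId }}` for each of the four credential values and likewise for `env.apiserverCert` / `env.apiserverKey`. If the placeholder behaviour is intended to let NOTES.txt print its error box, say so in a comment above `data:`, because the two files currently disagree on which values are required.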
@@ -0,0 +1,25 @@ +image: + repository: microsoft/virtual-kubelet + tag: latest + pullPolicy: Always +env: + azureClientId: + azureClientKey: + azureTenantId: + azureSubscriptionId: + aciResourceGroup: + aciRegion: + nodeName: + nodeTaint: + nodeOsType: + apiserverCert: + apiserverKey: + +# Install Default RBAC roles and bindings +rbac: + install: false + serviceAccountName: virtual-kubelet + # RBAC api version (currently v1beta1) + apiVersion: v1beta1 + # Cluster role reference + roleRef: cluster-admin diff --git a/providers/azure/README.md b/providers/azure/README.md index a760b1f99..0528cce96 100644 --- a/providers/azure/README.md +++ b/providers/azure/README.md @@ -201,7 +201,7 @@ export VK_RELEASE=virtual-kubelet-for-aks-0.1.3 For any other type of Kubernetes cluster: ```cli -export VK_RELEASE=virtual-kubelet-0.1.0 +export VK_RELEASE=virtual-kubelet-0.1.1 ``` ```cli @@ -214,9 +214,11 @@ chmod +x createCertAndKey.sh . ./createCertAndKey.sh helm install "$CHART_URL" --name "$RELEASE_NAME" \ - --set env.azureClientId="$AZURE_CLIENT_ID",env.azureClientKey="$AZURE_CLIENT_SECRET",env.azureTenantId="$AZURE_TENANT_ID",env.azureSubscriptionId="$AZURE_SUBSCRIPTION_ID",env.aciResourceGroup="$AZURE_RG",env.nodeName="$NODE_NAME",env.nodeOsType=,env.apiserverCert=$cert,env.apiserverKey=$key + --set env.azureClientId="$AZURE_CLIENT_ID",env.azureClientKey="$AZURE_CLIENT_SECRET",env.azureTenantId="$AZURE_TENANT_ID",env.azureSubscriptionId="$AZURE_SUBSCRIPTION_ID",env.aciResourceGroup="$AZURE_RG",env.nodeName="$NODE_NAME",env.nodeOsType=,env.apiserverCert=$cert,env.apiserverKey=$key,rbac.install=false ``` +If your cluster has RBAC enabled set ```rbac.install=true``` + Output: ```console
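Review bot: `rbac.roleRef` defaults to `cluster-admin`, so `rbac.install=true` gives the virtual-kubelet ServiceAccount full cluster-admin rights through the ClusterRoleBinding in clusterrolebinding.yaml; the default should be a ClusterRole limited to the API resources the provider actually uses (confirm the exact list against the provider code), with `cluster-admin` left as an explicit opt-in. Add a comment above it such as `# Cluster role bound to the service account; cluster-admin grants unrestricted access to the whole cluster`. `rbac.serviceAccountName` and `rbac.apiVersion` are declared here but no template in this patch reads them — the account is named `{{ template "fullname" . }}-service-account` and the API version is hard-coded — so either wire them in or remove them to avoid a value that silently does nothing.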