Add flannel service account and RBAC cluster role

* Define a limited ClusterRole and service account for flannel * https://github.com/kubernetes-incubator/bootkube/pull/869
2026-01-27 10:20:45 +00:00 · 2018-02-03 05:46:31 +01:00
parent 8d40d6c64d
commit 20adb15d32
5 changed files with 42 additions and 0 deletions
--- a/resources/flannel/kube-flannel-cfg.yaml
+++ b/resources/flannel/kube-flannel-cfg.yaml
--- a/resources/flannel/flannel-cluster-role-binding.yaml
+++ b/resources/flannel/flannel-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: flannel
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flannel
+subjects:
+- kind: ServiceAccount
+  name: flannel
+  namespace: kube-system
--- a/resources/flannel/flannel-cluster-role.yaml
+++ b/resources/flannel/flannel-cluster-role.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flannel
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - patch
--- a/resources/flannel/flannel-sa.yaml
+++ b/resources/flannel/flannel-sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flannel
+  namespace: kube-system
--- a/resources/flannel/kube-flannel.yaml
+++ b/resources/flannel/kube-flannel.yaml
@@ -17,6 +17,7 @@ spec:
        tier: node
        k8s-app: flannel
    spec:
+      serviceAccountName: flannel
      containers:
      - name: kube-flannel
        image: ${flannel_image}