From 20adb15d325cc740b1564e3cbf39bb3df852ceac Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sat, 3 Feb 2018 05:46:31 +0100
Subject: [PATCH] Add flannel service account and RBAC cluster role
* Define a limited ClusterRole and service account for flannel
* https://github.com/kubernetes-incubator/bootkube/pull/869
---
...kube-flannel-cfg.yaml => flannel-cfg.yaml} | 0
.../flannel/flannel-cluster-role-binding.yaml | 12 ++++++++++
resources/flannel/flannel-cluster-role.yaml | 24 +++++++++++++++++++
resources/flannel/flannel-sa.yaml | 5 ++++
.../{kube-flannel.yaml => flannel.yaml} | 1 +
5 files changed, 42 insertions(+)
rename resources/flannel/{kube-flannel-cfg.yaml => flannel-cfg.yaml} (100%)
create mode 100644 resources/flannel/flannel-cluster-role-binding.yaml
create mode 100644 resources/flannel/flannel-cluster-role.yaml
create mode 100644 resources/flannel/flannel-sa.yaml
rename resources/flannel/{kube-flannel.yaml => flannel.yaml} (98%)
diff --git a/resources/flannel/kube-flannel-cfg.yaml b/resources/flannel/flannel-cfg.yaml
similarity index 100%
rename from resources/flannel/kube-flannel-cfg.yaml
rename to resources/flannel/flannel-cfg.yaml
diff --git a/resources/flannel/flannel-cluster-role-binding.yaml b/resources/flannel/flannel-cluster-role-binding.yaml
new file mode 100644
index 0000000..6efef42
--- /dev/null
+++ b/resources/flannel/flannel-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: flannel
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flannel
+subjects:
+- kind: ServiceAccount
+ name: flannel
+ namespace: kube-system
diff --git a/resources/flannel/flannel-cluster-role.yaml b/resources/flannel/flannel-cluster-role.yaml
new file mode 100644
index 0000000..8868886
--- /dev/null
+++ b/resources/flannel/flannel-cluster-role.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: flannel
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
diff --git a/resources/flannel/flannel-sa.yaml b/resources/flannel/flannel-sa.yaml
new file mode 100644
index 0000000..7c0411b
--- /dev/null
+++ b/resources/flannel/flannel-sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: flannel
+ namespace: kube-system
diff --git a/resources/flannel/kube-flannel.yaml b/resources/flannel/flannel.yaml
similarity index 98%
rename from resources/flannel/kube-flannel.yaml
rename to resources/flannel/flannel.yaml
index 7cc787e..357a603 100644
--- a/resources/flannel/kube-flannel.yaml
+++ b/resources/flannel/flannel.yaml
@@ -17,6 +17,7 @@ spec:
 tier: node
 k8s-app: flannel
 spec:
+ serviceAccountName: flannel
 containers:
 - name: kube-flannel
 image: ${flannel_image}
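Review bot: The `pods` `get` rule in resources/flannel/flannel-cluster-role.yaml is granted in every namespace, because it sits in a ClusterRole that the new ClusterRoleBinding binds cluster-wide. If flannel only reads its own pod in `kube-system` (it appears to do so to find the node it runs on, but that is not visible in this patch), the rule can move to a namespaced Role and RoleBinding, leaving only the `nodes` and `nodes/status` rules in the ClusterRole. The `nodes/status` `patch` rule carries no `resourceNames`, so the token mounted into each flannel pod can patch the status of every node; RBAC cannot narrow that per node, so I would record it above the rule with a comment such as `# not restricted by resourceNames: covers the status of every node`. A sketch of the namespaced pair follows; the file names are suggestions only.

```yaml
# <new file, e.g. flannel-role.yaml — name is a placeholder>
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flannel
  namespace: kube-system
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get

# <new file, e.g. flannel-role-binding.yaml — name is a placeholder>
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: flannel
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system

# … unchanged: ClusterRole keeps the nodes (list, watch) and nodes/status (patch) rules …
```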