scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-10-31 10:18:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

allow the kubelet to request certificates

Browse Source 
This allows the rotation process to use the kubelet's credentials.
This commit is contained in:
Mike Danese
2017-02-03 11:51:26 -08:00
parent ab794c6128
commit 074f2da32a
2 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@@ -217,6 +217,9 @@ func ClusterRoles() []rbac.ClusterRole {
// TODO: change glusterfs to use DNS lookup so this isn't needed? // TODO: change glusterfs to use DNS lookup so this isn't needed?
// Needed for glusterfs volumes // Needed for glusterfs volumes
rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(), rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
// Used to create a certificatesigningrequest for a node-specific client certificate, and watch
// for it to be signed. This allows the kubelet to rotate it's own certificate.
rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
}, },
}, },
{ {

9
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@@ -569,6 +569,15 @@ items:
- endpoints - endpoints
verbs: verbs:
- get - get
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- create
- get
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1beta1 - apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole kind: ClusterRole
metadata: metadata: