Merge pull request #38816 from deads2k/rbac-23-switch-kubedns-sa

Automatic merge from submit-queue

move kube-dns to a separate service account

Switches the kubedns addon to run as a separate service account so that we can subdivide RBAC permission for it.  The RBAC permissions will need a little more refinement which I'm expecting to find in https://github.com/kubernetes/kubernetes/pull/38626 .

@cjcullen @kubernetes/sig-auth since this is directly related to enabling RBAC with subdivided permissions
 @thockin @kubernetes/sig-network since this directly affects now kubedns is added.  


```release-note
`kube-dns` now runs using a separate `system:serviceaccount:kube-system:kube-dns` service account which is automatically bound to the correct RBAC permissions.
```

cluster/addons/dns/kubedns-controller.yaml.base

@@ -157,3 +157,4 @@ spec:
             memory: 20Mi
             cpu: 10m
       dnsPolicy: Default  # Don't use cluster DNS.
+      serviceAccountName: kube-dns

cluster/addons/dns/kubedns-controller.yaml.in

@@ -157,3 +157,4 @@ spec:
             memory: 20Mi
             cpu: 10m
       dnsPolicy: Default  # Don't use cluster DNS.
+      serviceAccountName: kube-dns

cluster/addons/dns/kubedns-controller.yaml.sed

@@ -156,3 +156,4 @@ spec:
             memory: 20Mi
             cpu: 10m
       dnsPolicy: Default  # Don't use cluster DNS.
+      serviceAccountName: kube-dns

cluster/addons/dns/kubedns-sa.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-dns
+  labels:
+    kubernetes.io/cluster-service: "true"

cluster/centos/deployAddons.sh

@@ -33,6 +33,7 @@ function deploy_dns {
       
   if [ ! "$KUBEDNS" ]; then
     # use kubectl to create kube-dns deployment and service
+    ${KUBECTL} --namespace=kube-system create -f kubedns-sa.yaml
     ${KUBECTL} --namespace=kube-system create -f kubedns-controller.yaml
     ${KUBECTL} --namespace=kube-system create -f kubedns-svc.yaml
 

cluster/libvirt-coreos/config-default.sh

@@ -67,6 +67,7 @@ ENABLE_DNS_HORIZONTAL_AUTOSCALER="${KUBE_ENABLE_DNS_HORIZONTAL_AUTOSCALER:-false
 #Generate dns files
 sed -f "${KUBE_ROOT}/cluster/addons/dns/transforms2sed.sed" < "${KUBE_ROOT}/cluster/addons/dns/kubedns-controller.yaml.base" | sed -f "${KUBE_ROOT}/cluster/libvirt-coreos/forShellEval.sed"  > "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-controller.yaml"
 sed -f "${KUBE_ROOT}/cluster/addons/dns/transforms2sed.sed" < "${KUBE_ROOT}/cluster/addons/dns/kubedns-svc.yaml.base" | sed -f "${KUBE_ROOT}/cluster/libvirt-coreos/forShellEval.sed"  > "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-svc.yaml"
+cp "${KUBE_ROOT}/cluster/addons/dns/kubedns-sa.yaml" "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-sa.yaml"
 
 
 #Generate registry files

cluster/libvirt-coreos/util.sh

@@ -187,6 +187,7 @@ function initialize-pool {
       render-template "$ROOT/namespace.yaml" > "$POOL_PATH/kubernetes/addons/namespace.yaml"
       render-template "$ROOT/kubedns-svc.yaml" > "$POOL_PATH/kubernetes/addons/kubedns-svc.yaml"
       render-template "$ROOT/kubedns-controller.yaml"  > "$POOL_PATH/kubernetes/addons/kubedns-controller.yaml"
+      render-template "$ROOT/kubedns-sa.yaml"  > "$POOL_PATH/kubernetes/addons/kubedns-sa.yaml"
   fi
 
   virsh pool-refresh $POOL

cluster/ubuntu/deployAddons.sh

@@ -43,11 +43,13 @@ function deploy_dns {
   echo "Deploying DNS on Kubernetes"
   sed -e "s/\\\$DNS_DOMAIN/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/kubedns-controller.yaml.sed" > kubedns-controller.yaml
   sed -e "s/\\\$DNS_SERVER_IP/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/kubedns-svc.yaml.sed" > kubedns-svc.yaml
+  cp "${KUBE_ROOT}/cluster/addons/dns/kubedns-sa.yaml" kubedns-sa.yaml
 
   KUBEDNS=`eval "${KUBECTL} get services --namespace=kube-system | grep kube-dns | cat"`
 
   if [ ! "$KUBEDNS" ]; then
     # use kubectl to create kubedns controller and service
+    ${KUBECTL} --namespace=kube-system create -f kubedns-sa.yaml
     ${KUBECTL} --namespace=kube-system create -f kubedns-controller.yaml 
     ${KUBECTL} --namespace=kube-system create -f kubedns-svc.yaml