Signed-off-by: tu1h <lihai.tu@daocloud.io>
tu1h committed Aug 2, 2024
1 parent 0fdcd60 commit 167e973
Showing 5 changed files with 45 additions and 22 deletions.
28 changes: 7 additions & 21 deletions charts/kubean/templates/clusterrole.yaml
@@ -4,24 +4,10 @@ kind: ClusterRole
metadata:
name: {{ $name }}
rules:
- apiGroups: ['*']
resources: ['*']
verbs: ['*']
- nonResourceURLs: ['*']
verbs: ['*']
- apiGroups: ['certificates.k8s.io']
resourceNames: ['kubernetes.io/*']
resources: ['signers']
verbs: ['approve']
- apiGroups: ['rbac.authorization.k8s.io']
resources: ['clusterroles']
verbs: ['*']
- apiGroups: ['authentication.k8s.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['authorization.k8s.io']
resources: ['*']
verbs: ['*']
- apiGroups: ['admissionregistration.k8s.io']
resources: ['*']
verbs: ['*']
- apiGroups: [ 'kubean.io' ]
resources: [ 'clusteroperations','clusteroperations/status','clusters','clusters/status','localartifactsets','localartifactsets/status','manifests','manifest/status' ]
verbs: [ '*' ]
- apiGroups: [ 'admissionregistration.k8s.io' ]
resources: [ 'validatingwebhookconfigurations' ]
resourceNames: [ 'kubean-admission-webhook' ]
verbs: [ 'get', 'create', 'update' ]
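Review bot: The `validatingwebhookconfigurations` rule at the end of this section pairs `resourceNames: [ 'kubean-admission-webhook' ]` with the `create` verb, but RBAC cannot restrict `create` by resource name, so as written `create` is effectively not granted and the first attempt to create the webhook configuration should be rejected as forbidden. The same pattern appears in the `leases` rule of charts/kubean/templates/role.yaml, where it would affect the first creation of the leader-election lease. Either ship the named object in the chart so the operator needs only `get`/`update` by name, or move `create` into its own rule without `resourceNames`, accepting that this permits creating webhook configurations of any name. Separately, `'manifest/status'` in the `kubean.io` rule looks like a typo for `'manifests/status'`, which would leave status updates on manifests unauthorized.

```yaml
# … unchanged: kubean.io rule (with 'manifests/status' corrected) …
# create cannot be limited by resourceNames, so it gets its own rule
- apiGroups: [ 'admissionregistration.k8s.io' ]
  resources: [ 'validatingwebhookconfigurations' ]
  verbs: [ 'create' ]
- apiGroups: [ 'admissionregistration.k8s.io' ]
  resources: [ 'validatingwebhookconfigurations' ]
  resourceNames: [ 'kubean-admission-webhook' ]
  verbs: [ 'get', 'update' ]
```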
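--- a/charts/kubean/templates/role.yaml
+++ b/charts/kubean/templates/role.yaml
@@ -0,0 +1,23 @@
+{{- $name := include "kubean.name" . -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: {{ $name }}
+namespace: {{ include "kubean.namespace" . }}
+rules:
+- apiGroups: [ '' ]
+resources: [ 'pods', 'serviceaccounts' ]
+verbs: [ 'list' ]
+- apiGroups: [ '' ]
+resources: [ 'configmaps','secrets' ]
+verbs: [ "get", "create", "update" ]
+- apiGroups: [ '' ]
+resources: [ 'events' ]
+verbs: [ "create" ]
+- apiGroups: [ 'batch' ]
+resources: [ 'jobs' ]
+verbs: [ "get", "create", "update" ]
+- apiGroups: [ 'coordination.k8s.io' ]
+resources: [ 'leases' ]
+resourceNames: [ 'kubean-controller', 'lease-for-kubean-webhook-ca-create' ]
+verbs: [ "get", "create", "update", "delete" ]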
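Review bot: The `configmaps`/`secrets` rule grants `get` and `update` on every Secret in the release namespace, so how far the operator can reach depends on nothing else sharing that namespace, and the template does not say so. If the Secret names cannot be pinned with `resourceNames` (presumably they are chosen per cluster at runtime; confirm), add a comment above the rule such as `# names are not known at install time, so this rule cannot use resourceNames; install kubean in a dedicated namespace`. It is also worth checking the verb sets: `pods`/`serviceaccounts` get only `list` and the other rules have no `list`/`watch`, so any of these read through the manager's cached client rather than a direct client would need `watch` as well, which cannot be confirmed from this file.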
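--- a/charts/kubean/templates/rolebinding.yaml
+++ b/charts/kubean/templates/rolebinding.yaml
@@ -0,0 +1,14 @@
+{{- $name := include "kubean.name" . -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: {{ $name }}
+namespace: {{ include "kubean.namespace" . }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: {{ $name }}
+subjects:
+- kind: ServiceAccount
+name: {{ include "kubean.serviceAccountName" . }}
+namespace: {{ include "kubean.namespace" . }}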
1 change: 1 addition & 0 deletions cmd/kubean-operator/app/app.go
@@ -78,6 +78,7 @@ func StartManager(ctx context.Context, opt *Options) error {
LeaderElectionResourceLock: opt.LeaderElection.ResourceLock,
HealthProbeBindAddress: net.JoinHostPort(opt.BindAddress, strconv.Itoa(opt.SecurePort)),
LivenessEndpointName: "/healthz",
Namespace: util.GetCurrentNSOrDefault(),
})
if err != nil {
klog.Errorf("Failed to build controllerManager ,%s", err)
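Review bot: The `Namespace: util.GetCurrentNSOrDefault()` line (apparently the one added here) scopes the manager to whatever that helper returns, but nothing in the hunk logs or validates the result, so a silent fallback to a default namespace would only surface later as `forbidden` errors against the new namespaced Role. Resolving it once before the options literal and logging it makes that visible: `ns := util.GetCurrentNSOrDefault()` followed by `klog.Infof("scoping manager to namespace %q", ns)`. The hunk shows `LeaderElectionResourceLock` but not where the lease namespace comes from now that the `leader-elect-resource-namespace` flag is dropped in options.go; confirm it resolves to the same namespace the Role's `leases` rule covers. StartManager's body starts and ends outside the hunk.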
1 change: 0 additions & 1 deletion cmd/kubean-operator/app/options.go
@@ -48,7 +48,6 @@ func (o *Options) AddFlags(flags *pflag.FlagSet) {
flags.IntVar(&o.SecurePort, "secure-port", defaultPort,
"The secure port on which to serve HTTPS.")
flags.BoolVar(&o.LeaderElection.LeaderElect, "leader-elect", true, "Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.")
flags.StringVar(&o.LeaderElection.ResourceNamespace, "leader-elect-resource-namespace", "default", "The namespace of resource object that is used for locking during leader election.")
flags.Float32Var(&o.KubeAPIQPS, "kube-api-qps", 100.0, "QPS to use while talking with kubean-apiserver. Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags.")
flags.IntVar(&o.KubeAPIBurst, "kube-api-burst", 100, "Burst to use while talking with kubean-apiserver. Doesn't cover events and node heartbeat apis which rate limiting is controlled by a different set of flags.")
}