Single file for creating an RBAC service mesh

nfisher · nfisher · commit 85f346d5b6f5 · 2019-10-21T16:13:15.000-03:00
Signed-off-by: Nathan Fisher &lt;nfisher@junctionbox.ca&gt;
diff --git a/k8s-daemonset/k8s/linkerd-rbac.yml b/k8s-daemonset/k8s/linkerd-rbac.yml
@@ -30,7 +30,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: default
-    namespace: default
+    namespace: linkerd
 roleRef:
   kind: ClusterRole
   name: linkerd-endpoints-reader
@@ -43,7 +43,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: default
-    namespace: default
+    namespace: linkerd
 roleRef:
   kind: ClusterRole
   name: namerd-dtab-storage
diff --git a/k8s-daemonset/k8s/servicemesh-rbac.yml b/k8s-daemonset/k8s/servicemesh-rbac.yml
@@ -38,6 +38,64 @@
 # * Automatic retries
 # * Zipkin tracing
 ################################################################################
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: linkerd
+  labels:
+    name: linkerd
+# RBAC configs for linkerd
+---
+# grant linkerd/namerd permissions to enable service discovery
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: linkerd-endpoints-reader
+rules:
+  - apiGroups: [""] # "" indicates the core API group
+    resources: ["endpoints", "services", "pods"] # pod access is required for the *-legacy.yml examples in this folder
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [ "extensions" ]
+    resources: [ "ingresses" ]
+    verbs: ["get", "watch", "list"]
+---
+# grant namerd permissions to custom resource definitions in k8s 1.8+ and third party resources in k8s < 1.8 for dtab storage
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: namerd-dtab-storage
+rules:
+  - apiGroups: ["l5d.io"]
+    resources: ["dtabs"]
+    verbs: ["get", "watch", "list", "update", "create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: linkerd-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: linkerd
+roleRef:
+  kind: ClusterRole
+  name: linkerd-endpoints-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: namerd-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: linkerd
+roleRef:
+  kind: ClusterRole
+  name: namerd-dtab-storage
+  apiGroup: rbac.authorization.k8s.io
+
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -285,7 +343,7 @@ spec:
         app: l5d
     spec:
       # hostNetwork: true # Uncomment to use host networking (eg for CNI)
-      serviceAccountName: linkerd-endpoints-reader
+      serviceAccountName: default
       volumes:
       - name: l5d-config
         configMap:
