save
This commit is contained in:
Jun-te Kim
parent
76372862cd
commit
17c75e160b
2 changed files with 76 additions and 9 deletions
|
|
@ -7,7 +7,7 @@ set -ex
|
|||
# sudo microk8s reset --destroy-storage
|
||||
# sudo snap remove microk8s
|
||||
# sudo snap install microk8s --classic
|
||||
# sudo microk8s enable dns rbac hostpath-storage host-access metrics-server
|
||||
# sudo microk8s enable dns rbac hostpath-storage host-access metrics-server ingress
|
||||
#
|
||||
# # Rebuild kubeconfig for your local user (optional)
|
||||
# microk8s kubectl config view --raw > ~/.kube/config
|
||||
|
|
@ -50,7 +50,7 @@ RUNNER_NAME="mealcraft-runners"
|
|||
# # Grants permissions to the exact ARC runner SA detected earlier.
|
||||
# # =====================================================================
|
||||
|
||||
echo "=== Applying RBAC for all ARC runners ==="
|
||||
echo "=== Applying RBAC for all ARC runners + Traefik ==="
|
||||
|
||||
microk8s kubectl apply -f - <<EOF
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
@ -58,37 +58,73 @@ kind: ClusterRole
|
|||
metadata:
|
||||
name: mealcraft-bootstrap-role
|
||||
rules:
|
||||
# ----------------------------------------------------
|
||||
# Storage
|
||||
# ----------------------------------------------------
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["storageclasses"]
|
||||
verbs: ["*"]
|
||||
|
||||
# Core API: PV, PVC, namespaces, secrets, configmaps, services, serviceaccounts (NEW)
|
||||
# ----------------------------------------------------
|
||||
# Core API
|
||||
# PV, PVC, Namespaces, Secrets, ConfigMaps, Services,
|
||||
# ServiceAccounts (added for runner + Traefik needs)
|
||||
# ----------------------------------------------------
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes", "persistentvolumeclaims", "namespaces", "secrets", "configmaps", "services", "serviceaccounts"]
|
||||
resources:
|
||||
- persistentvolumes
|
||||
- persistentvolumeclaims
|
||||
- namespaces
|
||||
- secrets
|
||||
- configmaps
|
||||
- services
|
||||
- serviceaccounts
|
||||
- endpoints # <-- Traefik requires
|
||||
- pods # <-- Traefik requires
|
||||
- nodes # <-- Traefik requires for node discovery
|
||||
verbs: ["*"]
|
||||
|
||||
# Apps (Deployments, DS, etc)
|
||||
# ----------------------------------------------------
|
||||
# Apps: Deployments, DaemonSets, RS, StatefulSets
|
||||
# ----------------------------------------------------
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
|
||||
verbs: ["*"]
|
||||
|
||||
# ----------------------------------------------------
|
||||
# Networking & Ingress
|
||||
# (Traefik needs watch on ingresses & ingressclasses)
|
||||
# ----------------------------------------------------
|
||||
- apiGroups: ["networking.k8s.io", "extensions"]
|
||||
resources: ["ingresses", "ingressclasses", "*"]
|
||||
verbs: ["*"]
|
||||
|
||||
# Traefik v1
|
||||
# ----------------------------------------------------
|
||||
# Traefik v1 CRDs (old MicroK8s installs)
|
||||
# ----------------------------------------------------
|
||||
- apiGroups: ["traefik.containo.us"]
|
||||
resources: ["*"]
|
||||
verbs: ["*"]
|
||||
|
||||
# Traefik v2
|
||||
# ----------------------------------------------------
|
||||
# Traefik v2 CRDs (modern)
|
||||
# ----------------------------------------------------
|
||||
- apiGroups: ["traefik.io"]
|
||||
resources: ["*"]
|
||||
resources:
|
||||
- ingressroutes
|
||||
- ingressroutetcps
|
||||
- ingressrouteudps
|
||||
- middlewares
|
||||
- middlewaretcps
|
||||
- traefikservices
|
||||
- tlsoptions
|
||||
- tlsstores
|
||||
- serverstransports
|
||||
verbs: ["*"]
|
||||
|
||||
# ----------------------------------------------------
|
||||
# CRDs
|
||||
# ----------------------------------------------------
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
verbs: ["*"]
|
||||
|
|
@ -108,5 +144,35 @@ subjects:
|
|||
namespace: arc-systems
|
||||
EOF
|
||||
|
||||
microk8s kubectl apply -f - <<EOF
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: traefik-real-binding
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: mealcraft-bootstrap-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: traefik-ingress-controller
|
||||
namespace: default
|
||||
EOF
|
||||
|
||||
microk8s kubectl apply -f - <<EOF
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: traefik-rbac-fix
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: mealcraft-bootstrap-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: traefik-ingress-controller
|
||||
namespace: default
|
||||
EOF
|
||||
|
||||
|
||||
echo "=== ARC installation + RBAC complete ==="
|
||||
|
|
|
|||
|
|
@ -6,3 +6,4 @@ metadata:
|
|||
spec:
|
||||
basicAuth:
|
||||
secret: authsecret
|
||||
namespace: default
|
||||
Loading…
Add table
Reference in a new issue