jmorcar
commented
4 years ago Here only is applied serviceaccount call in chart... but the complete serviceaccount creation where is it? Only use a call to serviceaccount in yaml deployment is not sufficient, and documentation chart not include any of that.
I refer to ClusterRole , ClusterRolebinding etc... like this
apiVersion: v1
kind: ServiceAccount
metadata:
name: telegraf-reader
namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: telegraf-cluster-reader
labels:
rbac.authorization.k8s.io/aggregate-view-telegraf: "true"
rbac.authorization.k8s.io/aggregate-view-telegraf-stats: "true"
rules:
- nonResourceURLs: ["/stats", "/stats/*"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["persistentvolumes", "nodes", "pods", "deployments", "statefulsets", "nodes/proxy"]
verbs: ["get", "watch", "list"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: telegraf-reader-role
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.k8s.io/aggregate-view-telegraf-stats: "true"
- matchLabels:
rbac.authorization.k8s.io/aggregate-view-telegraf: "true"
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules: [] # Rules are automatically filled in by the controller manager.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: telegraf-reader-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: telegraf-reader-role
subjects:
- kind: ServiceAccount
name: telegraf-reader
namespace: defaultI am using this config with kube_inventory plugin is fine, but with kubernetes input not working... I think is related with rbac definitions or maybe kubernetes plugin problem. I comment this in issues/6959#
nsteinmetz
This is the same change from #92 applied to the telegraf-ds chart.
Fixes #105