Open typhoonzero opened 7 years ago
And I think there's a small bug in the default clusterroles: kube-proxy needs to "list" and "watch" the resource type "endpoints", so add the file below as `modify_nodes_clusterrole.yaml` and run:

```
kubectl replace -f modify_nodes_clusterrole.yaml
```

to update the clusterrole.
```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:node
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - delete
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - persistentvolumes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - create
  - get
  - list
  - watch
```
When RBAC is enabled, a worker joining the cluster needs to be in the group "system:nodes". This is because the default clusterrolebinding `system:node` can assign permissions to worker nodes. Get the role binding details with:

```
kubectl get clusterrolebinding system:nodes -o yaml
```

So when creating keys for workers, we can use the command below to generate X509 certs for a worker node:
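Added example, not from the issue or from Kubernetes itself: a small Python evaluator of RBAC rule matching, run over the rules of the ClusterRole posted above (transcribed as literals), to check what the role grants (endpoints list/watch) and what it intentionally does not (no list or watch on secrets).

```python
# Added example (not from the issue or from Kubernetes): a small evaluator of
# Kubernetes RBAC PolicyRule matching. A request is allowed if ANY rule matches
# its apiGroup, resource and verb; "*" is a wildcard, and "*/sub" matches the
# subresource "sub" of every resource, as kube-apiserver's RBAC authorizer does.
# SYSTEM_NODE_RULES transcribes the ClusterRole posted above as Python literals
# so the script needs no PyYAML.
SYSTEM_NODE_RULES = [
    {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
    {"apiGroups": ["authorization.k8s.io"], "resources": ["localsubjectaccessreviews", "subjectaccessreviews"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["create", "get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes/status"], "verbs": ["patch", "update"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["delete", "patch", "update"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch", "update"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete", "get"]},
    {"apiGroups": [""], "resources": ["pods/status"], "verbs": ["update"]},
    {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["persistentvolumeclaims", "persistentvolumes"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["certificates.k8s.io"], "resources": ["certificatesigningrequests"], "verbs": ["create", "get", "list", "watch"]},
]

def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed  # exact or wildcard (apiGroups, verbs)

def _resource_matches(allowed, wanted):
    if "*" in allowed or wanted in allowed:
        return True
    if "/" in wanted:  # "nodes/status" also matches a "*/status" rule entry
        return "*/" + wanted.split("/", 1)[1] in allowed
    return False

def can_i(rules, verb, resource, api_group=""):
    """True if any rule permits `verb` on `resource` in `api_group` ("" = core)."""
    return any(_matches(r.get("apiGroups", []), api_group)
               and _resource_matches(r.get("resources", []), resource)
               and _matches(r.get("verbs", []), verb) for r in rules)

ALL_VERBS = ("get", "list", "watch", "create", "update", "patch", "delete")

def verbs_granted(rules, resource, api_group=""):
    """Standard verbs the rules grant on a resource; e.g. secrets -> ['get'] only."""
    return [v for v in ALL_VERBS if can_i(rules, v, resource, api_group)]

if __name__ == "__main__":
    for res in ("endpoints", "secrets", "nodes", "nodes/status"):
        print(res, verbs_granted(SYSTEM_NODE_RULES, res))
```

The same question can be put to a live cluster with `kubectl auth can-i list endpoints --as=system:node:<name> --as-group=system:nodes`, which evaluates every binding, not just this one role.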