RBAC was introduced in Kubernetes 1.6, and kubeadm enabled RBAC by default in the latest releases.
If RBAC is enabled and the autocluster backend is k8s, then when autocluster tries to find_best_node_to_join, it accesses the endpoints resource on the Kubernetes API server. If no corresponding role/rolebinding/serviceaccount exists at this time, the HTTPS request fails as below:
=INFO REPORT==== 14-Nov-2017::10:12:30 ===
autocluster: GET https://kubernetes.default.svc.cluster.local:443/api/v1/namespaces/default/endpoints/rabbitmq
=INFO REPORT==== 14-Nov-2017::10:12:30 ===
autocluster: Response: [{ok,{{"HTTP/1.1",403,"Forbidden"},
[{"date","Tue, 14 Nov 2017 10:12:30 GMT"},
{"content-length","93"},
{"content-type","text/plain"},
{"x-content-type-options","nosniff"}],
"User \"system:serviceaccount:default:default\" cannot get endpoints in the namespace \"default\"."}}]
The files below were changed or added to support RBAC, compared with examples/k8s_statefulsets:
Created rabbitmq-rbac.yaml to set up a new role/rolebinding/serviceaccount for rabbitmq
Changed README.md (added instructions to apply rabbitmq-rbac.yaml)
Added "serviceAccountName" in rabbitmq.yaml
Types of Changes
[ ] Bugfix (non-breaking change which fixes issue #NNNN)
[ ] New feature (non-breaking change which adds functionality)
[x] Breaking change (fix or feature that would cause existing functionality to not work as expected)
Further Comments
N/A
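An added example, not the rabbitmq-rbac.yaml from this pull request: a minimal set of RBAC objects that grants the one permission the 403 response above reports as missing. The namespace and the `rabbitmq` endpoints name come from the log; the object names `rabbitmq` (ServiceAccount) and `rabbitmq-endpoint-reader` (Role, RoleBinding) are assumptions, as is the assumption that `get` on that single object is the only access needed.

```yaml
# Dedicated identity for the RabbitMQ pods, so the namespace's "default"
# service account (the one rejected in the log) gets no extra rights.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rabbitmq            # assumed name
  namespace: default
---
# Namespaced Role: read-only access to one Endpoints object.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rabbitmq-endpoint-reader   # assumed name
  namespace: default
rules:
  - apiGroups: [""]                # core API group
    resources: ["endpoints"]
    resourceNames: ["rabbitmq"]    # the object requested in the logged GET
    verbs: ["get"]
---
# Bind the Role to the service account, in this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rabbitmq-endpoint-reader
  namespace: default
subjects:
  - kind: ServiceAccount
    name: rabbitmq
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rabbitmq-endpoint-reader
# The pod template must then select this account, for example:
#   spec:
#     template:
#       spec:
#         serviceAccountName: rabbitmq
#
# Check the result before starting the pods:
#   kubectl auth can-i get endpoints/rabbitmq -n default \
#     --as=system:serviceaccount:default:rabbitmq
```

A Role and RoleBinding, rather than a ClusterRole and ClusterRoleBinding, keep the grant confined to the one namespace the log shows being queried.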