rabbitmq / rabbitmq-autocluster

RabbitMQ peer discovery and cluster formation plugin, supports RabbitMQ 3.6.x
BSD 3-Clause "New" or "Revised" License

Add new example supporting RBAC #60

rfancn closed 6 years ago

rfancn commented 6 years ago

Proposed Changes

RBAC was introduced in Kubernetes 1.6, and kubeadm enabled RBAC by default in the latest releases. If RBAC is enabled and the autocluster backend is k8s, then when autocluster tries to find_best_node_to_join, it accesses the endpoints resource on the Kubernetes API server. If no corresponding role/rolebinding/serviceaccount exists at that time, the HTTPS request fails as shown below:

=INFO REPORT==== 14-Nov-2017::10:12:30 ===
autocluster: GET https://kubernetes.default.svc.cluster.local:443/api/v1/namespaces/default/endpoints/rabbitmq

=INFO REPORT==== 14-Nov-2017::10:12:30 ===
autocluster: Response: [{ok,{{"HTTP/1.1",403,"Forbidden"},
                             [{"date","Tue, 14 Nov 2017 10:12:30 GMT"},
                              {"content-length","93"},
                              {"content-type","text/plain"},
                              {"x-content-type-options","nosniff"}],
                             "User \"system:serviceaccount:default:default\" cannot get endpoints in the namespace \"default\"."}}]

The files below were changed and added to support RBAC, compared with examples/k8s_statefulsets:

Types of Changes

Checklist

Further Comments

N/A
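A least-privilege RBAC setup for the request that fails in the log above, as an added example (not the files from this pull request and not the project's own manifests). The namespace `default` and the endpoints object `rabbitmq` come from the log; the names `rabbitmq-autocluster` and `rabbitmq-endpoint-reader` are assumptions.

```yaml
# Added example. Names rabbitmq-autocluster and rabbitmq-endpoint-reader
# are hypothetical; namespace and endpoints name are taken from the log.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rabbitmq-autocluster
  namespace: default
---
# rbac.authorization.k8s.io/v1 is available from Kubernetes 1.8;
# on 1.6 and 1.7 the group version is v1beta1.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                        # namespaced Role, not a ClusterRole
metadata:
  name: rabbitmq-endpoint-reader
  namespace: default
rules:
  - apiGroups: [""]               # core API group, where endpoints live
    resources: ["endpoints"]
    resourceNames: ["rabbitmq"]   # only the object the GET in the log targets
    verbs: ["get"]                # the only verb the failing request needs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rabbitmq-endpoint-reader
  namespace: default
subjects:
  - kind: ServiceAccount
    name: rabbitmq-autocluster
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rabbitmq-endpoint-reader
# The RabbitMQ pods must also run under this account, by setting
#   spec.template.spec.serviceAccountName: rabbitmq-autocluster
# in the StatefulSet. Otherwise they keep the identity
# system:serviceaccount:default:default and the 403 persists.
```

The grant can be checked before starting the pods with `kubectl auth can-i get endpoints/rabbitmq --as=system:serviceaccount:default:rabbitmq-autocluster -n default`, which should answer `yes`, while the same query for `list` or for another namespace should answer `no`.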

michaelklishin commented 6 years ago

Again, can we rebase this on top of stable and submit against stable?

michaelklishin commented 6 years ago

Thank you!