tczekajlo / kube-consul-register

a tool to register Kubernetes PODs as Consul Services
Apache License 2.0

Add a full example with RBAC #46

Closed danielmotaleite closed 1 year ago

danielmotaleite commented 5 years ago

In the examples, your current setup is incomplete; please update it or add this example config with RBAC:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-consul-register
  namespace: consul
data:
  consul_address: "localhost"
  consul_port: "8500"
  consul_scheme: "http"
  consul_ca_file: ""
  consul_cert_file: ""
  consul_key_file: ""
  consul_insecure_skip_verify: "false"
  consul_token: "TOKEN"
  consul_timeout: "2s"
  consul_container_name: "consul"
  consul_node_selector: "consul=enabled"
  pod_label_selector: ""
  k8s_tag: "kubernetes"
  register_mode: "node"
  register_source: "service"
---
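# apps/v1 replaces the removed extensions/v1beta1 and requires an explicit selector
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: kube-consul-register
  namespace: consul
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kube-consul-register
  template:
    metadata:
      labels:
        app: kube-consul-register
    spec:
      # serviceAccountName is the current field name (serviceAccount is a deprecated alias)
      serviceAccountName: consul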
      containers:
      - name: kube-consul-register
        image: tczekajlo/kube-consul-register:0.1.6
        imagePullPolicy: Always
        resources:
          requests:
            cpu: 1
            memory: 300Mi
        args:
        - -logtostderr=true
        - -configmap=consul/kube-consul-register
        #- -v=1
---
# user for the app
apiVersion: v1
kind: ServiceAccount
metadata:
  name: consul
  namespace: consul
---
# permit kube-register to query kubernetes about resources to map
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: consul-role
rules:
- nonResourceURLs:
  - "/version"
  - "/healthz"
  verbs: ["get"]
- apiGroups: [""]
  resources:
    - "configmaps"
    - "pods"
    - "namespaces"
    - "services"
    - "nodes"
    - "endpoints"
  verbs: ["get", "list", "watch"]
---
# map user to the role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: consul-clusterrole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: consul-role
subjects:
- kind: ServiceAccount
  name: consul
  namespace: consul

GoodOldJack12 commented 1 year ago

@tczekajlo This can probably be closed since I added this in my MR
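
An added example, not part of the issue or the project's code: a small least-privilege check run over the ClusterRole rules posted above. The rule list is a constructed copy of that manifest, and the `SENSITIVE` set and finding names are assumptions of this sketch. The check matters here because the role is bound cluster-wide and the posted ConfigMap carries `consul_token`.

```python
# Constructed copy of the ClusterRole rules from the issue (example data).
RULES = [
    {"nonResourceURLs": ["/version", "/healthz"], "verbs": ["get"]},
    {"apiGroups": [""],
     "resources": ["configmaps", "pods", "namespaces", "services", "nodes", "endpoints"],
     "verbs": ["get", "list", "watch"]},
]
READ_VERBS = {"get", "list", "watch"}
SENSITIVE = {"secrets", "configmaps"}  # assumption: kinds that often hold credentials


def _match(allowed, value):
    return "*" in allowed or value in allowed


def allows(rules, verb, group, resource):
    """RBAC is additive: a resource request is allowed if any rule matches it."""
    for rule in rules:
        if "resources" not in rule:
            continue  # nonResourceURLs rules never match resource requests
        if (_match(rule.get("verbs", []), verb)
                and _match(rule.get("apiGroups", []), group)
                and _match(rule["resources"], resource)):
            return True
    return False


def audit(rules, cluster_wide=True):
    """Return (rule index, finding, detail) tuples for least-privilege review."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        for field in ("verbs", "resources", "apiGroups", "nonResourceURLs"):
            if "*" in rule.get(field, []):
                findings.append((i, "wildcard", field))
        for verb in sorted(verbs - READ_VERBS - {"*"}):
            findings.append((i, "write-verb", verb))
        # A ClusterRoleBinding grants the rule in every namespace.
        readable = bool(verbs & READ_VERBS) or "*" in verbs
        if cluster_wide and readable and not rule.get("resourceNames"):
            for res in sorted(set(rule.get("resources", [])) & SENSITIVE):
                findings.append((i, "cluster-wide-read", res))
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```
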