Commit 11780f00 authored by David Miller

Update provided manifests to support a service account and RBAC

- Added kured service account
- Added kured clusterrole
- Added kured clusterrolebinding
- Updated README.md documentation to include deploying with RBAC support
parent f0f3314f
......@@ -48,12 +48,18 @@ To obtain a default installation without Prometheus alerting interlock
or Slack notifications:
```
kubectl apply -f https://github.com/weaveworks/kured/releases/download/1.0.0/kured-ds.yaml
kubectl apply -f https://raw.githubusercontent.com/weaveworks/kured/master/kured-ds.yaml
```
If you want to customise the installation, download the manifest and
edit it in accordance with the following section before application.
For RBAC support apply the RBAC manifest.
```
kubectl apply -f https://raw.githubusercontent.com/weaveworks/kured/master/kured-rbac.yaml
```
## Configuration
The following arguments can be passed to kured via the daemonset pod template:
......
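Review bot: the two raw.githubusercontent.com URLs in this hunk (kured-ds.yaml and kured-rbac.yaml) track `master`, so the DaemonSet and the cluster-wide permissions a user applies are whatever the branch holds at the moment the command runs, and they can change between two installs without any visible version bump. Suggest pointing both at a release tag or commit, as the `releases/download/1.0.0/kured-ds.yaml` line does, so the RBAC manifest that gets applied is the one that was reviewed for that release. The sentence "For RBAC support apply the RBAC manifest" could also say that on an RBAC-enabled cluster the `kured` service account has no permissions until kured-rbac.yaml is applied, so the two manifests belong together there.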
apiVersion: v1
kind: ServiceAccount
metadata:
name: kured
namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
......@@ -9,6 +15,7 @@ spec:
labels:
name: kured
spec:
serviceAccountName: kured
containers:
- name: kured
image: quay.io/weaveworks/kured
......
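Review bot: the pod template that now runs under `serviceAccountName: kured` still references `image: quay.io/weaveworks/kured` with no tag or digest. Once kured-rbac.yaml binds that account to node update and pod delete rights, whatever image that reference resolves to at pull time inherits them. Suggest pinning the image to the release tag, or to a digest, in the same change that attaches the service account.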
# ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kured
rules:
# Allow kured to grab it's lock
- apiGroups:
- extensions
resources:
- daemonsets
verbs:
- get
- update
# Allow kured to cordon and uncordon nodes
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- update
# Allow kured to drain nodes
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- delete
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- apiGroups:
- extensions
resources:
- daemonsets
- replicasets
verbs:
- get
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- apiGroups:
- ""
resources:
- pods/eviction
verbs:
- create
---
# CLusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kured
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kured
subjects:
- kind: ServiceAccount
name: kured
namespace: kube-system
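Review bot: the first rule ("Allow kured to grab it's lock") grants `get` and `update` on `daemonsets` in `extensions` with no `resourceNames`, and because it sits in a ClusterRole bound by a ClusterRoleBinding it applies to every DaemonSet in every namespace, not only kured's own. Update on an arbitrary DaemonSet is far more than a lock needs, since it permits changing the pod template of any other DaemonSet in the cluster. Suggest moving this rule into a namespaced Role and RoleBinding in `kube-system` restricted with `resourceNames: [kured]`, and keeping the ClusterRole for the node and drain rules that really are cluster-scoped. The later read-only `daemonsets`/`replicasets` rule under the drain section already covers the `get` that drain needs. Two small comment fixes while here: "it's lock" should be "its lock", and "# CLusterRoleBinding" should be "# ClusterRoleBinding".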