Merge pull request #221 from nckturner/use-kustomize-to-reduce-permis…

…sions Use kustomize for example manifest
kubernetes · May 20, 2021 · 54f2b5c · 54f2b5c
2 parents 94ab99f + 064d63b
commit 54f2b5c
Show file tree

Hide file tree

Showing 10 changed files with 123 additions and 54 deletions.
diff --git a/docs/getting_started.md b/docs/getting_started.md
@@ -13,10 +13,8 @@ Follow these steps when upgrading an existing cluster by launching the aws-cloud
 1. Add the `--cloud-provider=external` to the kube-apiserver config.
 1. Add the `--cloud-provider=external` to each the kubelet's config.
 1. Add the tag kubernetes.io/cluster/your_cluster_id=owned (if resources are owned and managed by the cluster) or kubernetes.io/cluster/your_cluster_id=shared (if resources are shared between clusters, and should not be destroyed if the cluster is destroyed) to your instances.
-1. Deploy the required RBAC to your cluster:
-    `kubectl apply -f https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/master/manifests/rbac.yaml`
-1. Deploy the cloud-controller-manager to your cluster:
-    `kubectl apply -f https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/master/manifests/aws-cloud-controller-manager-daemonset.yaml`
+1. Apply the kustomize configuration:
+   `kubectl apply -k 'github.com/kubernetes/cloud-provider-aws/manifests/base/?ref=master'`
 
 ### Flags
 

diff --git a/manifests/base/apiserver-authentication-reader-role-binding.yaml b/manifests/base/apiserver-authentication-reader-role-binding.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cloud-controller-manager:apiserver-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cloud-controller-manager
+  namespace: kube-system
diff --git a/...s-cloud-controller-manager-daemonset.yaml → ...s-cloud-controller-manager-daemonset.yaml b/...s-cloud-controller-manager-daemonset.yaml → ...s-cloud-controller-manager-daemonset.yaml
@@ -28,10 +28,14 @@ spec:
       serviceAccountName: cloud-controller-manager
       containers:
         - name: aws-cloud-controller-manager
-          image: gcr.io/k8s-staging-provider-aws/cloud-controller-manager:v1.20.0-alpha.0
+          image: gcr.io/k8s-staging-provider-aws/cloud-controller-manager:v1.21.0-alpha.0
           args:
             - --v=2
             - --cloud-provider=aws
+            # Use the superset-role overlay if you don't want a token per controller
+            - --use-service-account-credentials=true
+            # Set --configure-cloud-routes=true if required by your CNI
+            - --configure-cloud-routes=false
           resources:
             requests:
               cpu: 200m

diff --git a/manifests/base/cluster-role-binding.yaml b/manifests/base/cluster-role-binding.yaml
@@ -0,0 +1,14 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:cloud-controller-manager
+subjects:
+- apiGroup: ""
+  kind: ServiceAccount
+  name: cloud-controller-manager
+  namespace: kube-system
diff --git a/manifests/base/cluster-role.yaml b/manifests/base/cluster-role.yaml
@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:cloud-controller-manager
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - node-controller
+  - service-controller
+  - route-controller
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
diff --git a/manifests/base/kustomization.yaml b/manifests/base/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+- apiserver-authentication-reader-role-binding.yaml
+- aws-cloud-controller-manager-daemonset.yaml
+- cluster-role-binding.yaml
+- cluster-role.yaml
+- service-account.yaml
+
diff --git a/manifests/base/service-account.yaml b/manifests/base/service-account.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: kube-system
diff --git a/manifests/overlays/superset-role/aws-cloud-controller-manager-daemonset-patch.yaml b/manifests/overlays/superset-role/aws-cloud-controller-manager-daemonset-patch.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: aws-cloud-controller-manager
+  namespace: kube-system
+spec:
+  template:
+    spec:
+      serviceAccountName: cloud-controller-manager
+      containers:
+        - name: aws-cloud-controller-manager
+          args:
+            - --v=2
+            - --cloud-provider=aws
+            - --use-service-account-credentials=false
+            # Set --configure-cloud-routes=true if required by your CNI
+            - --configure-cloud-routes=false
diff --git a/manifests/rbac.yaml → ...ays/superset-role/cluster-role-patch.yaml b/manifests/rbac.yaml → ...ays/superset-role/cluster-role-patch.yaml
@@ -1,25 +1,4 @@
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: cloud-controller-manager
-  namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: cloud-controller-manager:apiserver-authentication-reader
-  namespace: kube-system
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: extension-apiserver-authentication-reader
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: cloud-controller-manager
-  namespace: kube-system
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -38,7 +17,11 @@ rules:
   resources:
   - nodes
   verbs:
-  - '*'
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -59,25 +42,14 @@ rules:
   resources:
   - services/status
   verbs:
-  - list
   - patch
   - update
-  - watch
 - apiGroups:
   - ""
   resources:
   - serviceaccounts
   verbs:
   - create
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumes
-  verbs:
-  - get
-  - list
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -86,8 +58,8 @@ rules:
   - create
   - get
   - list
-  - watch
   - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -96,25 +68,15 @@ rules:
   - create
   - get
   - list
-  - watch
   - update
+  - watch
 - apiGroups:
   - ""
+  resourceNames:
+  - node-controller
+  - service-controller
+  - route-controller
   resources:
   - serviceaccounts/token
   verbs:
   - create
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: system:cloud-controller-manager
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:cloud-controller-manager
-subjects:
-- apiGroup: ""
-  kind: ServiceAccount
-  name: cloud-controller-manager
-  namespace: kube-system
diff --git a/manifests/overlays/superset-role/kustomization.yaml b/manifests/overlays/superset-role/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- ../../base
+
+patches:
+- cluster-role-patch.yaml
+- aws-cloud-controller-manager-daemonset-patch.yaml