Sergiusz Bazanski | 4d9e72c | 2019-01-13 22:06:33 +0100 | [diff] [blame] | 1 | # Top level cluster configuration. |
| 2 | |
| 3 | local kube = import "../../kube/kube.libsonnet"; |
| 4 | |
| 5 | local Cluster(fqdn) = { |
| 6 | local cluster = self, |
| 7 | |
| 8 | // These are required to let the API Server contact kubelets. |
| 9 | crAPIServerToKubelet: kube.ClusterRole("system:kube-apiserver-to-kubelet") { |
| 10 | metadata+: { |
| 11 | annotations+: { |
| 12 | "rbac.authorization.kubernetes.io/autoupdate": "true", |
| 13 | }, |
| 14 | labels+: { |
| 15 | "kubernets.io/bootstrapping": "rbac-defaults", |
| 16 | }, |
| 17 | }, |
| 18 | rules: [ |
| 19 | { |
| 20 | apiGroups: [""], |
| 21 | resources: ["nodes/%s" % r for r in [ "proxy", "stats", "log", "spec", "metrics" ]], |
| 22 | verbs: ["*"], |
| 23 | }, |
| 24 | ], |
| 25 | }, |
Sergiusz Bazanski | 5bebbeb | 2019-01-13 22:08:05 +0100 | [diff] [blame^] | 26 | crbAPIServer: kube.ClusterRoleBinding("system:kube-apiserver") { |
Sergiusz Bazanski | 4d9e72c | 2019-01-13 22:06:33 +0100 | [diff] [blame] | 27 | roleRef: { |
| 28 | apiGroup: "rbac.authorization.k8s.io", |
| 29 | kind: "ClusterRole", |
| 30 | name: cluster.crAPIServerToKubelet.metadata.name, |
| 31 | }, |
| 32 | subjects: [ |
| 33 | { |
| 34 | apiGroup: "rbac.authorization.k8s.io", |
| 35 | kind: "User", |
| 36 | # A cluster API Server authenticates with a certificate whose CN is == to the FQDN of the cluster. |
| 37 | name: fqdn, |
| 38 | }, |
| 39 | ], |
| 40 | } |
| 41 | }; |
| 42 | |
| 43 | { |
| 44 | k0: Cluster("k0.hswaw.net"), |
| 45 | } |