Adding a ClusterRoleBinding to make default users admins in kube-system

This is so components like the dashboard work when RBAC is turned on

pkg/minikube/bootstrapper/localkube/localkube.go

@@ -19,6 +19,7 @@ package localkube
 import (
 	"fmt"
 	"strings"
+	"time"
 
 	"k8s.io/minikube/pkg/minikube/assets"
 	"k8s.io/minikube/pkg/minikube/bootstrapper"
@@ -29,6 +30,7 @@ import (
 	"github.com/docker/machine/libmachine"
 	"github.com/docker/machine/libmachine/state"
 	"github.com/pkg/errors"
+	"k8s.io/minikube/pkg/util"
 )
 
 type LocalkubeBootstrapper struct {
@@ -97,6 +99,11 @@ func (lk *LocalkubeBootstrapper) StartCluster(kubernetesConfig bootstrapper.Kube
 	if err != nil {
 		return errors.Wrapf(err, "Error running ssh command: %s", startCommand)
 	}
+	// try to elevate kube-system privileges so that the dashboard (among other
+	// components) can execute queries
+	if err := util.RetryAfter(100, elevateKubeSystemPrivileges, time.Millisecond*500); err != nil {
+		return errors.Wrap(err, "timed out waiting to elevate kube-system RBAC privileges")
+	}
 	return nil
 }
 

pkg/minikube/bootstrapper/localkube/privileges.go

@@ -0,0 +1,41 @@
+package localkube
+
+import (
+	"github.com/pkg/errors"
+	apierrs "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/strategicpatch"
+	clientv1 "k8s.io/client-go/pkg/api/v1"
+	rbacv1beta1 "k8s.io/client-go/pkg/apis/rbac/v1beta1"
+	"k8s.io/minikube/pkg/minikube/service"
+)
+
+func elevateKubeSystemPrivileges() error {
+	k8s := service.K8sClientGetter{}
+	client, err := k8s.GetRBACV1Beta1Client()
+	if err != nil {
+		return err
+	}
+	clusterRoleBinding := &rbacv1beta1.ClusterRoleBinding{
+		ObjectMeta: v1.ObjectMeta{
+			Name: "minikube-rbac",
+		},
+		Subjects: []rbacv1beta1.Subject{
+			{
+				Kind:      "ServiceAccount",
+				Name:      "default",
+				Namespace: "kube-system",
+			},
+		},
+		RoleRef: rbacv1beta1.RoleRef{
+			Kind: "ClusterRole",
+			Name: "cluster-admin",
+		},
+	}
+
+	if _, err := client.ClusterRoleBindings().Create(clusterRoleBinding); err != nil {
+		return errors.Wrap(err, "creating clusterrolebinding")
+	}
+	return nil
+}

pkg/minikube/service/service.go

@@ -30,6 +30,7 @@ import (
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	rbacv1beta1typed "k8s.io/client-go/kubernetes/typed/rbac/v1beta1"
 	"k8s.io/client-go/pkg/api/v1"
 	"k8s.io/client-go/tools/clientcmd"
 
@@ -52,7 +53,9 @@ func init() {
 	k8s = &K8sClientGetter{}
 }
 
-func (*K8sClientGetter) GetCoreClient() (corev1.CoreV1Interface, error) {
+// getClientset returns the root Kubernetes Clientset from the default loaded
+// configuration
+func (*K8sClientGetter) getClientset() (*kubernetes.Clientset, error) {
 	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
 	configOverrides := &clientcmd.ConfigOverrides{}
 	kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, configOverrides)
@@ -64,7 +67,27 @@ func (*K8sClientGetter) GetCoreClient() (corev1.CoreV1Interface, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "Error creating new client from kubeConfig.ClientConfig()")
 	}
-	return client.Core(), nil
+	return client, nil
+}
+
+// GetRBACV1Beta1Client returns an RbacV1beta1Interface from the default Kubernetes
+// Clientset
+func (k *K8sClientGetter) GetRBACV1Beta1Client() (rbacv1beta1typed.RbacV1beta1Interface, error) {
+	clientset, err := k.getClientset()
+	if err != nil {
+		return nil, err
+	}
+	return clientset.RbacV1beta1(), nil
+}
+
+// GetCoreClient returns a CoreV1Interface from the default Kubernetes
+// Clientset
+func (k *K8sClientGetter) GetCoreClient() (corev1.CoreV1Interface, error) {
+	clientset, err := k.getClientset()
+	if err != nil {
+		return nil, err
+	}
+	return clientset.Core(), nil
 }
 
 type ServiceURL struct {