-
Notifications
You must be signed in to change notification settings - Fork 65
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
For an unknown reason OpenStack was different in CCCMO and had it's OpenStack-specific `kube-system` ServiceAccount defined in `manifests/`. This was because OCCM for some reason was making number of API calls from the `kube-system/cloud-controller-manager` ServiceAccount, so a bunch of permissions needed to be defined there. This commit attempts to clean up this situation. To make OCCM use the main SA of `openshift-cloud-controller-manager/cloud-controller-manager`, I change the `--use-service-account-credentials` to `false`. I believe that we only had `true` because that's what upstream sets and upstream has it because it wrongly copied `cloud-provider-aws` manifest without including the patches. Now OCCM still needs a bunch of special permissions - ability to patch `services` and `services/status`. In order to do that I add 2 more OpenStack-specific manifests in `pkg/cloud/openstack` with a ClusterRole and the binding.
- Loading branch information
Showing
8 changed files
with
33 additions
and
56 deletions.
There are no files selected for viewing
File renamed without changes.
53 changes: 0 additions & 53 deletions
53
manifests/0000_26_cloud-controller-manager-operator_04_rbac_provider_openstack.yaml
This file was deleted.
Oops, something went wrong.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
15 changes: 15 additions & 0 deletions
15
pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrole.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: openstack-cloud-controller-manager | ||
annotations: | ||
include.release.openshift.io/self-managed-high-availability: "true" | ||
include.release.openshift.io/single-node-developer: "true" | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- services | ||
- services/status | ||
verbs: | ||
- patch |
12 changes: 12 additions & 0 deletions
12
pkg/cloud/openstack/assets/openstack-cloud-controller-manager-clusterrolebinding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: cloud-controller-manager:openstack-cloud-controller-manager | ||
roleRef: | ||
kind: ClusterRole | ||
name: openstack-cloud-controller-manager | ||
apiGroup: rbac.authorization.k8s.io | ||
subjects: | ||
- kind: ServiceAccount | ||
namespace: openshift-cloud-controller-manager | ||
name: cloud-controller-manager |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters