Fix kubernetes#798 - RBAC for leader election

Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7 the nginx-controller needs to handle leader-election via configmaps. To perform the leader-election the nginx-controller needs to have the appropiate RBAC permissions. Previously to this fix, the following errors occured: - cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx) - initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps) fix ingress rbac roles There was 2 things that the current IC (0.9 beta7) needs. The ClusterRole was missing `get nodes`: ``` RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide ``` The Role was missing `update configmaps`: ```RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"``` removed update configmap because of kubernetes#798 rebased on master, moved get nodes to own rule added get nodes to cluster permissions
puja108 · Jun 2, 2017 · cf4ad26 · cf4ad26
1 parent a6bba68
commit cf4ad26
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/examples/rbac/nginx/README.md b/examples/rbac/nginx/README.md
@@ -37,6 +37,7 @@ able to function as an ingress across the cluster.  These permissions are
 granted to the ClusterRole named `nginx-ingress-clusterrole`
 
 * `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch
+* `nodes`: get
 * `services`, `ingresses`: get, list, watch
 * `events`: create, patch
 * `ingresses/status`: update
@@ -49,6 +50,21 @@ permissions are granted to the Role named `nginx-ingress-role`
 * `configmaps`, `pods`, `secrets`: get
 * `endpoints`: create, get, update
 
+Furthermore to support leader-election, the nginx-ingress-controller needs to
+have access to a `configmap` using the resourceName `ingress-controller-leader-nginx`
+
+* `configmaps`: create, get, update (for resourceName `ingress-controller-leader-nginx`)
+
+This resourceName is the concatenation of the `election-id` and the
+`ingress-class` as defined by the ingress-controller, which default to:
+
+* `election-id`: `ingress-controller-leader`
+* `ingress-class`: `nginx`
+* `resourceName` : `<election-id>-<ingress-class>`
+
+Please adapt accordingly if you overwrite either parameter when launching the
+nginx-ingress-controller.
+
 ### Bindings
 
 The ServiceAccount `nginx-ingress-serviceaccount` is bound to the Role

diff --git a/examples/rbac/nginx/nginx-ingress-controller-rbac.yml b/examples/rbac/nginx/nginx-ingress-controller-rbac.yml
@@ -25,6 +25,12 @@ rules:
     verbs:
       - list
       - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
   - apiGroups:
       - ""
     resources:
@@ -69,6 +75,20 @@ rules:
       - secrets
     verbs:
       - get
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      # Defaults to "<election-id>-<ingress-class>"
+      # Here: "<ingress-controller-leader>-<nginx>"
+      # This has to be adapted if you change either parameter
+      # when launching the nginx-ingress-controller.
+      - "ingress-controller-leader-nginx"
+    verbs:
+      - create
+      - get
+      - update
   - apiGroups:
       - ""
     resources: