fix kube-dns CrashLoopBackOff issue with RBAC enabled minikube
dangula committed Oct 19, 2017
1 parent 84593aa commit b8af903
Showing 1 changed file with 80 additions and 1 deletion.
81 changes: 80 additions & 1 deletion tests/scripts/minikube.sh
@@ -16,6 +16,85 @@ EOF
minikube start --memory=3000 --kubernetes-version ${KUBE_VERSION} --extra-config=apiserver.Authorization.Mode=RBAC
}

# workaround for kube-dns CrashLoopBackOff issue with RBAC enabled
#issue https://github.com/kubernetes/minikube/issues/1734 and https://github.com/kubernetes/minikube/issues/1722
enable_roles_for_RBAC() {
cat <<EOF | kubectl create -f -
# Wide open access to the cluster (mostly for kubelet)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cluster-writer
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
- nonResourceURLs: ["*"]
verbs: ["*"]
---
# Full read access to the api and resources
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cluster-reader
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- nonResourceURLs: ["*"]
verbs: ["*"]
---
# Give admin, kubelet, kube-system, kube-proxy god access
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cluster-write
subjects:
- kind: User
name: admin
- kind: User
name: kubelet
- kind: ServiceAccount
name: default
namespace: kube-system
- kind: User
name: kube-proxy
roleRef:
kind: ClusterRole
name: cluster-writer
apiGroup: rbac.authorization.k8s.io
---
# Setup sd-build as a reader. This has to be a
# ClusterRoleBinding to get access to non-resource URLs
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cluster-read
subjects:
- kind: ServiceAccount
name: sd-build
namespace: default
roleRef:
kind: ClusterRole
name: cluster-reader
apiGroup: rbac.authorization.k8s.io
---
# Setup sd-build as a writer in its namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: sd-build-write
subjects:
- kind: ServiceAccount
name: sd-build
namespace: default
roleRef:
kind: ClusterRole
name: cluster-writer
apiGroup: rbac.authorization.k8s.io
EOF
}

wait_for_ssh() {
local tries=100
while (( ${tries} > 0 )) ; do
@@ -45,7 +124,7 @@ case "${1:-}" in

copy_image_to_cluster ${BUILD_REGISTRY}/rook-amd64 rook/rook:master
copy_image_to_cluster ${BUILD_REGISTRY}/toolbox-amd64 rook/toolbox:master

enable_roles_for_RBAC
if [[ $KUBE_VERSION == v1.5* ]] || [[ $KUBE_VERSION == v1.6* ]] || [[ $KUBE_VERSION == v1.7* ]] ;
then
echo "initializing flexvolume for rook"
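Review bot: The manifest in `enable_roles_for_RBAC` grants far more than the kube-dns workaround appears to need: besides the `default` service account in `kube-system` (presumably the account kube-dns runs under), it binds the wildcard `cluster-writer` role to the `admin`, `kubelet` and `kube-proxy` users, and it adds `sd-build` bindings that nothing else in the visible hunks refers to. The `cluster-reader` role also allows every verb on every non-resource URL and `get`/`list`/`watch` on all resources, which includes Secrets. On a throwaway minikube test cluster the exposure is limited, but scripts like this get copied, so I would keep only the one binding the workaround needs, e.g. `kubectl create clusterrolebinding kube-dns-workaround --clusterrole=cluster-admin --serviceaccount=kube-system:default` (binding name is illustrative), and state in the comment above the function that it is for test clusters only. Separately, `kubectl create -f -` fails with AlreadyExists when the script is run again against an existing cluster, and the unconditional call in the second hunk does not check its exit status; `kubectl apply -f -` would make the step repeatable.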