From 6e2cbeb1026313836419408ca53d7f8572af6641 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 30 Jun 2025 16:16:28 -0500
Subject: [PATCH] ansible: Add service account for host-provisioner

The _k8s-worker_ Ansible role in the configuration policy now uses the Kubernetes API to create bootstrap tokens for adding worker nodes to the cluster. For this to work, the pod running the host-provisioner must be associated with a service account that has the correct permissions to create secrets and access the `cluster-info` ConfigMap.

---
ansible/kustomization.yaml | 15 ++++-
ansible/rbac.yaml | 109 ++++++++++++++++++++++++++++++++++
dch-webhooks/ansible-job.yaml | 4 ++
3 files changed, 126 insertions(+), 2 deletions(-)
diff --git a/ansible/kustomization.yaml b/ansible/kustomization.yaml
index 3d21bc9..3fad65c 100644
--- a/ansible/kustomization.yaml
+++ b/ansible/kustomization.yaml
@@ -1,6 +1,19 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
+transformers:
+- |
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: namespace-transformer
+ namespace: ansible
+ unsetOnly: true
+ setRoleBindingSubjects: allServiceAccounts
+ fieldSpecs:
+ - path: metadata/namespace
+ create: true
+
labels:
- pairs:
app.kubernetes.io/instance: ansible
@@ -9,8 +22,6 @@ labels:
- pairs:
app.kubernetes.io/part-of: ansible
-namespace: ansible
-
resources:
- ../dch-root-ca
- ../ssh-host-keys
diff --git a/ansible/rbac.yaml b/ansible/rbac.yaml
index 4067edf..4b9de79 100644
--- a/ansible/rbac.yaml
+++ b/ansible/rbac.yaml
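Review bot: Switching to `setRoleBindingSubjects: allServiceAccounts` also touches the existing `dch-webhooks` subject in ansible/rbac.yaml, which already carries `namespace: default`; it is not clear from this hunk whether `unsetOnly: true` protects an already-set subject namespace as it does the `fieldSpecs` paths, so confirm with `kustomize build` that the subject is not rewritten to `ansible`, otherwise that binding silently stops applying to the real `dch-webhooks` account. The second hunk's removal of `namespace: ansible` is the intended consequence of the transformer, since the Roles pinned to `kube-public` and `kube-system` must keep their own namespaces, but nothing in the file says so. A one-line comment above `transformers:` such as `# unsetOnly lets the kube-public/kube-system Roles in rbac.yaml keep their namespace` would spare the next reader a trip to the transformer docs.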
@@ -23,3 +23,112 @@ subjects:
- kind: ServiceAccount
name: dch-webhooks
namespace: default
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: host-provisioner
+ labels:
+ app.kubernetes.io/name: host-provisioner
+ app.kubernetes.io/component: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: host-provisioner
+ namespace: kube-public
+ annotations:
+ kubernetes.io/description: >-
+ Allows the host-provisioner to access the _cluster-info_ ConfigMap,
+ which it uses to get the connection details for the Kubernetes API
+ server, including the issuing CA certificate, to pass to `kubeadm
+ join` on a new worker node.
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ resourceNames:
+ - cluster-info
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: host-provisioner
+ annotations:
+ kubernetes.io/description: >-
+ Allows the host-provisioner to manipulate labels, taints, etc. on
+ nodes it adds to the cluster.
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - nodes
+ verbs:
+ - get
+ - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: host-provisioner
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: host-provisioner
+subjects:
+- kind: ServiceAccount
+ name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: host-provisioner
+ namespace: kube-system
+ annotations:
+ kubernetes.io/description: >-
+ Allows the host-provisioner to create bootstrap tokens in order to
+ add new nodes to the Kubernetes cluster.
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: host-provisioner
+ namespace: kube-public
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: host-provisioner
+subjects:
+- kind: ServiceAccount
+ name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: host-provisioner
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: host-provisioner
+subjects:
+- kind: ServiceAccount
+ name: host-provisioner
diff --git a/dch-webhooks/ansible-job.yaml b/dch-webhooks/ansible-job.yaml
index 8805676..9cb907e 100644
--- a/dch-webhooks/ansible-job.yaml
+++ b/dch-webhooks/ansible-job.yaml
@@ -90,11 +90,15 @@ spec:
- mountPath: /tmp
name: tmp
subPath: tmp
+ - mountPath: /var/tmp
+ name: tmp
+ subPath: tmp
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
+ serviceAccountName: host-provisioner
volumes:
- name: dch-root-ca
configMap:
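Review bot: The kube-system Role grants `get` on every Secret in that namespace with no `resourceNames`, which is much broader than the bootstrap-token use the description states; kube-system holds the most sensitive Secrets in the cluster, so a compromised provisioner pod could read all of them. `create` cannot be narrowed by `resourceNames`, but `get` can be, or dropped entirely if the role only ever creates tokens; if a read is genuinely needed (checking for an existing `bootstrap-token-*` Secret is my guess, not something the hunk shows), say so in the `kubernetes.io/description` and restrict the verb accordingly. The ClusterRole's `patch` on all `nodes` is likewise cluster-wide rather than limited to newly added nodes, which RBAC cannot express, so that trade-off is worth a sentence in its description too. The ClusterRoleBinding and both RoleBinding subjects omit `namespace` and rely on the kustomization's NamespaceTransformer to fill it in; a comment on the first such subject, `# namespace is filled in by the NamespaceTransformer in kustomization.yaml`, would make that dependency visible to anyone applying this file outside kustomize.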
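Review bot: `serviceAccountName: host-provisioner` refers to a ServiceAccount that ansible/rbac.yaml leaves un-namespaced, so it lands wherever the kustomization's NamespaceTransformer places it (`ansible` on this commit); if this Job is created in any other namespace the ServiceAccount admission plugin rejects the pod with a serviceaccount-not-found error, so confirm both end up in the same namespace. The new `/var/tmp` mount reuses the same `tmp` volume and the same `subPath: tmp` as `/tmp`, which makes the two paths one and the same directory; if that is intended, a comment `# /tmp and /var/tmp deliberately share one scratch directory` keeps it from being read as a copy-paste slip, otherwise give it its own subPath. The enclosing `spec` begins outside the hunk.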