For clusters using RBAC, we should add documentation/examples of a ClusterRole that ca

Here's a ClusterRole I've used before <div class="highlight highlight-source-yaml

Can use a similar as <a href="https://github.com/digitalocean/digitalocean-clou

The list of required roles has changed. Based on <a href="https://github.com/kubernete

Document RBAC requirements about digitalocean-cloud-controller-manager HOT 3 CLOSED

digitalocean commented on May 14, 2024

Document RBAC requirements

from digitalocean-cloud-controller-manager.

Comments (3)

andrewsykim commented on May 14, 2024

Here's a ClusterRole I've used before

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: system:cloud-controller-manager
  labels:
    kubernetes.io/cluster-service: "true"
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - list
  - watch
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
# For leader election
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create

You'll need to create the service account and cluster role binding so you can reference it in the CCM deployment spec.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloud-controller-manager
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: system:cloud-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:cloud-controller-manager
subjects:
- kind: ServiceAccount
  name: cloud-controller-manager
  namespace: kube-system

from digitalocean-cloud-controller-manager.

andrewsykim commented on May 14, 2024

Can use a similar script as https://github.com/digitalocean/digitalocean-cloud-controller-manager/blob/master/scripts/generate-secret.sh to generate RBAC rules.

from digitalocean-cloud-controller-manager.

tamalsaha commented on May 14, 2024

The list of required roles has changed. Based on https://github.com/kubernetes/website/blob/master/docs/concepts/architecture/cloud-controller.md and kubernetes/website#6111

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: system:cloud-controller-manager
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - get
  - list
  - watch
  - update