diff --git a/charts/virtual-kubelet/README.md b/charts/virtual-kubelet/README.md
index eff03e56..a9f3e64c 100644
--- a/charts/virtual-kubelet/README.md
+++ b/charts/virtual-kubelet/README.md
@@ -103,4 +103,3 @@ The following table lists the configurable parameters of the azure-aci chart and
 | rbac.install | Install Default RBAC roles and bindings. | `true` |
 | rbac.serviceAccountName | RBAC service account name. | `virtual-kubelet-helm` |
 | rbac.apiVersion | RBAC api version. | `v1` |
-| rbac.roleRef | Cluster role reference. | `cluster-admin` |
diff --git a/charts/virtual-kubelet/templates/clusterrole.yaml b/charts/virtual-kubelet/templates/clusterrole.yaml
new file mode 100644
index 00000000..7d7ea732
--- /dev/null
+++ b/charts/virtual-kubelet/templates/clusterrole.yaml
@@ -0,0 +1,24 @@
+apiVersion: "rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}"
+kind: ClusterRole
+metadata:
+ name: {{ include "vk.fullname" . }}-clusterrole
+{{ include "vk.labels" . | indent 2 }}
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["pods/status", "nodes/status"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes", "persistentvolumeclaims", "replicationcontrollers", "namespaces", "configmaps", "secrets", "services"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get","list","watch","create", "delete", "update", "patch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "create", "update"]
\ No newline at end of file
diff --git a/charts/virtual-kubelet/templates/clusterrolebinding.yaml b/charts/virtual-kubelet/templates/clusterrolebinding.yaml
index ba3acc21..3a189231 100644
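Review bot: The `apps`/`deployments` rule in the new clusterrole.yaml grants `create`, `delete`, `update` and `patch` cluster-wide, so whoever holds this service account's token can still start workloads in any namespace under any service account, which gives back much of what dropping `cluster-admin` gains. Nothing in this diff shows the kubelet writing Deployments; if it only reads them the rule should be `verbs: ["get", "list", "watch"]`, and if it does write them a comment above the rule should name the code path that needs it. The cluster-wide read on `secrets` deserves the same treatment, for example `# secrets: read to resolve env and volume references of pods scheduled to this node`. The template is also not wrapped in the `rbac.install` condition that the binding template appears to use (its closing `{{ end }}` is visible in the next file), so the role would presumably be created even when RBAC installation is turned off.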
--- a/charts/virtual-kubelet/templates/clusterrolebinding.yaml
+++ b/charts/virtual-kubelet/templates/clusterrolebinding.yaml
@@ -5,11 +5,11 @@ metadata:
 name: {{ template "vk.fullname" . }}-{{ .Values.rbac.serviceAccountName }}
 {{ include "vk.labels" . | indent 2 }}
 subjects:
-- kind: ServiceAccount
- name: {{ template "vk.fullname" . }}-{{ .Values.rbac.serviceAccountName }}
- namespace: {{ .Values.namespace }}
+ - kind: ServiceAccount
+ name: {{ template "vk.fullname" . }}-{{ .Values.rbac.serviceAccountName }}
+ namespace: {{ .Values.namespace }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ .Values.rbac.roleRef }}
+ name: {{ include "vk.fullname" . }}-clusterrole
 {{ end }}
diff --git a/charts/virtual-kubelet/values.yaml b/charts/virtual-kubelet/values.yaml
index 96f2995a..dc8ddf48 100644
--- a/charts/virtual-kubelet/values.yaml
+++ b/charts/virtual-kubelet/values.yaml
@@ -74,5 +74,3 @@ rbac:
 serviceAccountName: virtual-kubelet-helm
 ## RBAC api version
 apiVersion: v1
- ## Cluster role reference
- roleRef: cluster-admin
diff --git a/hack/e2e/aks-addon.sh b/hack/e2e/aks-addon.sh
index 401cc830..0dd7fe08 100755
--- a/hack/e2e/aks-addon.sh
+++ b/hack/e2e/aks-addon.sh
@@ -114,7 +114,7 @@ az aks create \
 -g "$RESOURCE_GROUP" \
 -l "$LOCATION" \
 -c "$NODE_COUNT" \
- --node-vm-size standard_d8_v3 \
+ --node-vm-size standard_d8s_v3 \
 -n "$CLUSTER_NAME" \
 --network-plugin azure \
 --vnet-subnet-id "$cluster_subnet_id" \
@@ -128,7 +128,7 @@ az aks create \
 -g "$RESOURCE_GROUP" \
 -l "$LOCATION" \
 -c "$NODE_COUNT" \
- --node-vm-size standard_d8_v3 \
+ --node-vm-size standard_d8s_v3 \
 -n "$CLUSTER_NAME" \
 --network-plugin azure \
 --vnet-subnet-id "$cluster_subnet_id" \
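Review bot: The binding in clusterrolebinding.yaml keeps its existing `metadata.name` while `roleRef.name` changes, and the API server treats `roleRef` as immutable, so upgrading a release that already has this ClusterRoleBinding will likely be rejected and leave the old `cluster-admin` binding in place. Renaming the binding together with the role, e.g. `name: {{ include "vk.fullname" . }}-clusterrolebinding`, lets Helm remove the old object and create a new one; otherwise the upgrade notes should tell operators to delete the binding first. Operators should also confirm after upgrading that no binding of this service account to `cluster-admin` remains. The template's opening conditional lies outside the hunk.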