
Comments (4)

johnbelamaric commented on June 23, 2024

@chrisohaver had this issue and has a solution. It's the RBAC in 1.6, it needs more permissions to access other namespaces. @chrisohaver?

from deployment.

chrisohaver commented on June 23, 2024

RBAC is used by default in k8s 1.6. The kube-system default account no longer has access by default to the API. Also, coredns requires access to a couple more API objects than kube-dns does. There are a few ways to grant access. I think the cleanest solution is to create a new ServiceAccount, ClusterRole, and ClusterRoleBinding for coredns, and then configure the pods to use the new service account.

Create ServiceAccount, ClusterRole, and ClusterRoleBinding

apiVersion: v1
kind: ServiceAccount
metadata:
  name: coredns
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:coredns
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  - pods
  - namespaces
  verbs:
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:coredns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:coredns
subjects:
- kind: ServiceAccount
  name: coredns
  namespace: kube-system

Configure pods to use the coredns service account

You'll also need to point the pods to this service account. You can do this by adding serviceAccountName: coredns to the template: spec: section of the Deployment yaml.

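To confirm that the binding in the comment above took effect and grants nothing beyond list and watch, the following check asks the API server what the coredns service account may do. It is an added example, not part of the thread or the CoreDNS project. It assumes the caller is allowed to impersonate service accounts; the set of write verbs it probes is this example's own choice.

```shell
#!/bin/sh
# Added example: audit the RBAC permissions of the coredns service account.
# Subject, resources and granted verbs are taken from the manifests above.

SA="system:serviceaccount:kube-system:coredns"
RESOURCES="endpoints services pods namespaces"
GRANTED="list watch"                      # verbs the ClusterRole grants
UNGRANTED="create update patch delete"    # assumption: write verbs to probe

# can_i VERB RESOURCE -> succeeds if the API server answers "yes" cluster-wide.
# Uses impersonation (--as), so the caller needs impersonate rights.
can_i() {
  [ "$(kubectl auth can-i "$1" "$2" --all-namespaces --as="$SA" 2>/dev/null)" = "yes" ]
}

# Prints one line per finding and returns the number of findings.
# A return value of 0 means: list/watch work, and no probed write verb is allowed.
audit_coredns_rbac() {
  findings=0
  for res in $RESOURCES; do
    for verb in $GRANTED; do
      if ! can_i "$verb" "$res"; then
        echo "MISSING: $SA cannot $verb $res"
        findings=$((findings + 1))
      fi
    done
    for verb in $UNGRANTED; do
      if can_i "$verb" "$res"; then
        echo "EXCESS:  $SA can $verb $res"
        findings=$((findings + 1))
      fi
    done
  done
  return "$findings"
}

# Run against the current kubectl context only when asked to: ./audit.sh --run
if [ "${1:-}" = "--run" ]; then
  audit_coredns_rbac && echo "OK: coredns is limited to list/watch"
fi
```

MISSING lines point to the ClusterRole or ClusterRoleBinding not being applied; EXCESS lines mean some other binding gives the account more than CoreDNS needs.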

huang195 commented on June 23, 2024

@johnbelamaric @chrisohaver thanks for pointing me to a solution. This doesn't look like a problem with coredns deployment but rather an issue in k8s. I wish I had seen the solution earlier, as the solution I hacked up was not as clean. I ended up reusing the kube-dns service account by adding namespaces into its access list and using that instead of the default service account in the kube-system namespace. This has also worked.


johnbelamaric commented on June 23, 2024

@chrisohaver can you add those templates here? Or, better, make a 1.6 and later version of the deployment manifest that includes these?
