[stable/kube2iam]: add rbac support #1286
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @SamClinckspoor. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
needs-ok-to-test
SamClinckspoor
changed the title
|
Can I get a review on this? |
|
Reviewed discussion from @c-knowles' merged LGTM |
|
If you'd like to account for users switching RBAC enabled from You can see the fault by installing a chart that does not do this and then trying to turn RBAC off, you will notice the deployment still has the RBAC service account and not the default service account: |
|
I think it's definitely an edge case though so the rest of this PR looks great. |
|
@c-knowles you mean I should set the following? {{- if .Values.rbac.enabled }}
serviceAccountName: {{ template "fullname" . }}
{{- else }}
serviceAccountName: default
{{- end }} |
|
@SamClinckspoor yes exactly that. As above it's an edge case but may be worth including. It will go away whenever k8s gets rid of the deprecated attribute. |
|
@c-knowles, thanks for pointing out the SA default. |
|
LGTM, cc @lachie83 @viglesiasce @prydonius |
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
* upstream/master: (67 commits) Fix json whitespace (helm#1458) Use consistent whitespace in template placeholders (helm#1437) [stable/selenium] Make hub readiness probe timeout configurable (helm#1391) [stable/kube2iam]: add rbac support (helm#1286) [stable/traefik] Allow enabling traefik access logs (helm#1302) Add Stash chart (helm#1420) Add Gearman G2 chart (helm#1421) add option to include tolerations to daemonset (helm#1364) Moved Artifactory to stable and updated version to 5.3.2 (helm#1314) Concourse postgres conditional dependency (helm#1390) Typo in helm install command for dask-distributed (helm#1413) [stable/fluent-bit] Fluent Bit v0.11.12 (helm#1417) fixed cassandra chart's persistence bug (helm#1245) Prometheus: modify config to support k8s 1.6 by default (helm#1080) Add rocket.chat (helm#752) Fix influxdb deployment (helm#1424) feat(stable/etcd-operator): add support for supplying additional command args (helm#1418) add configurable service annotations helm#1234 (helm#1244) [stable/prometheus] extra environment variable for alert manager (helm#1237) [stable/heapster] Default service name to Heapster (helm#1266) ...
* add rbac support * solve and edge-case when turning off rbac
Adds support in kube2iam for RBAC.
setting
rbac.enabledto true will create a role, rolebinding and service account.