author | Staffan Olsson <staffan@repos.se> | 2017-08-05 06:28:56 +0200 |
---|---|---|
committer | Staffan Olsson <staffan@repos.se> | 2017-08-05 06:28:56 +0200 |
commit | 79d65fd2e35b29df9cc936ceba3e4b4a1c151201 (patch) | |
tree | c2d1999b6fe431e4404aa3df28398d16198a5a22 | |
parent | 1c6b7bb2866ab531ddaa55c0bed538ae9bd73a40 (diff) | |
Details will live in the respective policies
-rw-r--r-- | README.md | 9 |
-rw-r--r-- | rbac-namespace-default/node-reader.yml | 9 |
2 files changed, 8 insertions, 10 deletions
@@ -59,15 +59,6 @@ For clusters that enfoce [RBAC](https://kubernetes.io/docs/admin/authorization/r kubectl apply -f rbac-namespace-default/ ``` -For example here's how you see that `kafka`s init containers need RBAC for [rack awareness](https://github.com/Yolean/kubernetes-kafka/pull/41): -``` -$ kubectl exec kafka-1 -- cat /etc/kafka/server.properties | grep broker.rack -#init#broker.rack=# zone lookup failed, see -c init-config logs -$ kubectl logs -c init-config kafka-0 -++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}' -Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\"" -``` - # Tests ``` diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml index 0454579..62669cd 100644 --- a/rbac-namespace-default/node-reader.yml +++ b/rbac-namespace-default/node-reader.yml @@ -1,4 +1,11 @@ -# For kubectl get node, required for kafka init container rack awareness +# To see if init containers need RBAC: +# +# $ kubectl exec kafka-1 -- cat /etc/kafka/server.properties | grep broker.rack +# #init#broker.rack=# zone lookup failed, see -c init-config logs +# $ kubectl logs -c init-config kafka-0 +# ++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}' +# Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\"" +# --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 |
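Review bot: In the README.md hunk (old lines 59-67), the removed paragraph was the text that tied `kubectl apply -f rbac-namespace-default/` to a concrete reason (rack awareness in the init containers) and linked pull request 41, and nothing in the remaining context tells the reader where that detail now lives. Suggest leaving one sentence after the apply command saying that each file in `rbac-namespace-default/` documents what it grants and why, so that someone about to apply these permissions knows to read the policies first. The context line in the hunk header also carries a typo, "enfoce" for "enforce", which could be fixed in the same commit.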
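Review bot: In the rbac-namespace-default/node-reader.yml hunk, the new header comment replaces `# For kubectl get node, required for kafka init container rack awareness` and so no longer states what this ClusterRole is for; it only shows how to diagnose a missing permission. Suggest keeping that purpose line above the diagnostic session, since the commit message says details will live in the policies and this file defines a cluster-scoped role. The pasted session also runs `kubectl exec` against `kafka-1` but reads logs from `kafka-0`; using one pod name throughout would make the steps easier to follow, and the link to the rack awareness pull request that the README carried is not brought over here.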