authorStaffan Olsson <staffan@repos.se>2017-08-05 05:28:56 +0200
committerStaffan Olsson <staffan@repos.se>2017-08-05 05:47:29 +0200
commit7cf2a5da0d2e321bc0567dcb0e1690e9ed51866d (patch)
tree541506687c94489b24f75f2f1892f0313ae9be9c
parenta8db336c1a03d01e8aacd4f811bebc5ab9542b26 (diff)
RBAC rights are purely additive so ...
a project like kubernetes-kafka should keep them minimal. To access nodes we do need ClusterRole instead of Role.
-rw-r--r--rbac-namespace-default/node-reader.yml26
1 files changed, 26 insertions, 0 deletions
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
new file mode 100644
index 0000000..5054182
--- /dev/null
+++ b/rbac-namespace-default/node-reader.yml
@@ -0,0 +1,26 @@
+# For kubectl get node, required for kafka init container rack awareness
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: node-reader
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: kafka-node-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: node-reader
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: kafka
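Review bot: The ClusterRoleBinding's subject is the `default` ServiceAccount of the `kafka` namespace, so every pod in that namespace that does not set its own service account receives cluster-wide `get` on nodes, not only the kafka init container named in the header comment. That works against the commit's stated aim of keeping rights minimal, since Node objects carry addresses, labels and kubelet/OS details. Binding a dedicated ServiceAccount instead (for example `name: kafka-broker`, a placeholder name) and setting `serviceAccountName` on the broker pod spec would limit the grant to the pods that need rack awareness. The broker manifest is outside this diff, so whether it already sets a service account cannot be confirmed from here.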