Merge pull request #117 from Yolean/broker-init-pod-labler

Fix RBAC, set useful labels on broker pods from init script

1 files changed, 39 insertions, 0 deletions

diff --git a/rbac-namespace-default/pod-labler.yml b/rbac-namespace-default/pod-labler.yml
new file mode 100644
index 0000000..bd488b0
--- /dev/null
+++ b/rbac-namespace-default/pod-labler.yml
@@ -0,0 +1,39 @@
+# To see if init containers need RBAC:
+#
+# $ kubectl -n kafka logs kafka-2 -c init-config
+# ...
+# Error from server (Forbidden): pods "kafka-2" is forbidden: User "system:serviceaccount:kafka:default" cannot get pods in the namespace "kafka": Unknown user "system:serviceaccount:kafka:default"
+#
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: pod-labler
+  namespace: kafka
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - update
+  - patch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kafka-pod-labler
+  namespace: kafka
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-labler
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kafka