-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | kafka/10broker-config.yml | 15 | ||||
-rw-r--r-- | rbac-namespace-default/pod-labler.yml | 39 |
3 files changed, 49 insertions, 7 deletions
@@ -68,8 +68,6 @@ For clusters that enfoce [RBAC](https://kubernetes.io/docs/admin/authorization/r kubectl apply -f rbac-namespace-default/ ``` -For example rack awareness can fail without this, `logs -c init-config` showing `Error from server (Forbidden): pods "kafka-0" is forbidden: User "system:serviceaccount:kafka:default" cannot get pods in the namespace "kafka": Unknown user "system:serviceaccount:kafka:default"`. - ## Tests Tests are based on the [kube-test](https://github.com/Yolean/kube-test) concept. diff --git a/kafka/10broker-config.yml b/kafka/10broker-config.yml index bc1d55d..2846232 100644 --- a/kafka/10broker-config.yml +++ b/kafka/10broker-config.yml @@ -11,6 +11,8 @@ data: KAFKA_BROKER_ID=${HOSTNAME##*-} sed -i "s/#init#broker.id=#init#/broker.id=$KAFKA_BROKER_ID/" /etc/kafka/server.properties + LABELS="kafka-broker-id=$KAFKA_BROKER_ID" + hash kubectl 2>/dev/null || { sed -i "s/#init#broker.rack=#init#/#init#broker.rack=# kubectl not found in path/" /etc/kafka/server.properties } && { 
@@ -21,17 +23,20 @@ data: sed -i "s/#init#broker.rack=#init#/#init#broker.rack=# zone label not found for node $NODE_NAME/" /etc/kafka/server.properties else sed -i "s/#init#broker.rack=#init#/broker.rack=$ZONE/" /etc/kafka/server.properties + LABELS="$LABELS kafka-broker-rack=$ZONE" fi - # This requires additional RBAC, and won't be needed after https://github.com/kubernetes/kubernetes/pull/55329 - kubectl -n $POD_NAMESPACE label pod $POD_NAME kafka-broker-id=$KAFKA_BROKER_ID - OUTSIDE_HOST=$(kubectl get node "$NODE_NAME" -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}') if [ $? -ne 0 ]; then echo "Outside (i.e. cluster-external access) host lookup command failed" else - OUTSIDE_HOST=${OUTSIDE_HOST}:3240${KAFKA_BROKER_ID} - sed -i "s|#init#advertised.listeners=OUTSIDE://#init#|advertised.listeners=OUTSIDE://${OUTSIDE_HOST}|" /etc/kafka/server.properties + OUTSIDE_PORT=3240${KAFKA_BROKER_ID} + sed -i "s|#init#advertised.listeners=OUTSIDE://#init#|advertised.listeners=OUTSIDE://${OUTSIDE_HOST}:${OUTSIDE_PORT}|" /etc/kafka/server.properties + LABELS="$LABELS kafka-listener-outside-host=$OUTSIDE_HOST kafka-listener-outside-port=$OUTSIDE_PORT" + fi + + if [ ! -z "$LABELS" ]; then + kubectl -n $POD_NAMESPACE label pod $POD_NAME $LABELS || echo "Failed to label $POD_NAMESPACE.$POD_NAME - RBAC issue?" fi } diff --git a/rbac-namespace-default/pod-labler.yml b/rbac-namespace-default/pod-labler.yml new file mode 100644 index 0000000..bd488b0 --- /dev/null +++ b/rbac-namespace-default/pod-labler.yml 
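Review bot: The new single `kubectl ... label pod $POD_NAME $LABELS` call makes the broker-id label depend on the rack and outside-host values that are appended to `LABELS` from the node object, so one bad value now drops all three labels where the removed per-label call only lost that one; `$OUTSIDE_HOST` comes from an unvalidated jsonpath lookup, and a node reporting several InternalIP addresses or an IPv6 address would produce either extra words in the command line or a value outside the label-value character set. Unquoted `$LABELS` is needed for the word split, but `$POD_NAMESPACE` and `$POD_NAME` should be quoted, and since init containers re-run on a pod restart while the pod object keeps its labels, `kubectl label` without `--overwrite` presumably fails when a value has changed, e.g. `kubectl -n "$POD_NAMESPACE" label --overwrite pod "$POD_NAME" $LABELS || echo "Failed to label $POD_NAMESPACE.$POD_NAME - RBAC issue?"`. The `|| echo` keeps the init container going after a failed label, which is fine as best-effort, but the message blames RBAC for what may be a label-format rejection; consider echoing kubectl's own error rather than discarding it. The enclosing `{ ... }` block that this hunk closes starts in the previous hunk.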
@@ -0,0 +1,39 @@
+# To see if init containers need RBAC:
+#
+# $ kubectl -n kafka logs kafka-2 -c init-config
+# ...
+# Error from server (Forbidden): pods "kafka-2" is forbidden: User "system:serviceaccount:kafka:default" cannot get pods in the namespace "kafka": Unknown user "system:serviceaccount:kafka:default"
+#
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: pod-labler
+  namespace: kafka
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - update
+  - patch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kafka-pod-labler
+  namespace: kafka
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-labler
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: kafka
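Review bot: The RoleBinding's subject is the `default` ServiceAccount of namespace kafka, so every pod in that namespace that does not set its own service account (not only the brokers) receives get/update/patch on all pods there, and since Services select pods by label, that is enough for any such pod to re-label its neighbours out of or into a Service. A dedicated ServiceAccount for the broker StatefulSet, set via `serviceAccountName:` in the pod spec and named here instead of `default`, keeps the grant to the workload that needs it. If `kubectl label` issues a PATCH, as it appears to, the `update` verb in the Role is unnecessary and should be dropped. The init script's `kubectl get node` is not covered by this namespaced Role; presumably a separate cluster-scoped grant in rbac-namespace-default/ handles it, worth stating in the header comment.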