It would be really useful to have an example showing how the ServiceAccount and ClusterRoleBindings should be configured in a 1.6 cluster with RBAC enabled, which I believe is the default in 1.6.
We could define it very strictly, like https://github.com/kubernetes/charts/blob/master/incubator/istio/templates/rbac.yaml, or just give external-dns viewer rules (as this seems to be a "standard" role). This is what just worked for me:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: default
```
This works for me:
```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
```
I'm wondering why this is not added to the docs.
@linki your solution works for me on a 1.7.10 cluster with RBAC. If you don't have time I'm happy to put it in a pull request. Thanks
@mstuparu please go ahead, your PR is welcome! :smile:
@hjacobs I'll add one here in a sec if that's ok
@hjacobs I added this PR to hopefully address the RBAC concerns. :) https://github.com/kubernetes-incubator/external-dns/pull/451
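
The pieces from the two comments above combined into one manifest, as an added example that is not part of the original thread or the external-dns project's docs: it binds the ServiceAccount to the narrow `external-dns` ClusterRole instead of the built-in `view` role, so the account can read only Services and Ingresses. The names and the `default` namespace are taken from the thread; the namespace is an assumption about where external-dns runs.

```yaml
# Added example: least-privilege RBAC for external-dns (read-only on Services and Ingresses).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: default        # assumption: external-dns is deployed in "default"
---
# v1beta1 matches the 1.6/1.7 clusters discussed in the thread;
# rbac.authorization.k8s.io/v1 is available from Kubernetes 1.8.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
---
# Binds to the narrow role above rather than to the built-in "view" role,
# which would grant read access to most namespaced objects cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: default        # must match the ServiceAccount's namespace
```

The external-dns pod spec must set `serviceAccountName: external-dns` to run under this account. With the manifest applied, `kubectl auth can-i list services --as=system:serviceaccount:default:external-dns` should answer `yes`, and the same check for `get secrets` should answer `no`.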