Add RBAC policy (#126)

* Add rbac.yaml which contains needed rules for NFD to work on a RBAC enabled cluster * Add lines to templates to use the RBAC policy * Update README
2025-03-28 02:37:11 +00:00 · 2018-06-14 19:08:25 +03:00 · 2018-06-14 19:08:25 +03:00 · 23a1e19635
commit 23a1e19635
parent 52b143c5ee
4 changed files with 39 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -178,9 +178,12 @@ Feature discovery is preferably run as a Kubernetes DaemonSet. There is an
 example spec that can be used as a template, or, as is when just trying out the
 service:
 ```
+kubectl create -f rbac.yaml
 kubectl create -f node-feature-discovery-daemonset.json.template
 ```

+If you have RBAC authorization enabled (as is the default e.g. with clusters initialized with kubeadm) you need to configure the appropriate ClusterRoles, ClusterRoleBindings and a ServiceAccount in order for NFD to create node labels. The provided templates will configure these for you.
+
 When run as a daemonset, nodes are re-labeled at an interval specified using
 the `--sleep-interval` option. In the [template](https://github.com/kubernetes-incubator/node-feature-discovery/blob/master/node-feature-discovery-daemonset.json.template#L38) the default interval is set to 60s
 which is also the default when no `--sleep-interval` is specified.
--- a/node-feature-discovery-daemonset.json.template
+++ b/node-feature-discovery-daemonset.json.template
@ -21,6 +21,7 @@
      },
      "spec": {
        "hostNetwork": true,
+        "serviceAccount": "node-feature-discovery",
        "containers": [
          {
            "env": [
--- a/node-feature-discovery-job.json.template
+++ b/node-feature-discovery-job.json.template
@ -18,6 +18,7 @@
      },
      "spec": {
        "hostNetwork": true,
+        "serviceAccount": "node-feature-discovery",
        "containers": [
          {
            "env": [
--- a/rbac.yaml
+++ b/rbac.yaml
@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-feature-discovery
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-feature-discovery
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-feature-discovery
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-feature-discovery
+subjects:
+- kind: ServiceAccount
+  name: node-feature-discovery
+  namespace: default
+
+