diff options
| author |   Todd Malsbary <todd.malsbary@intel.com> | 2021-02-23 09:28:48 -0800 |
|---|---|---|
| committer | Todd Malsbary <todd.malsbary@intel.com> | 2021-04-29 08:45:07 -0700 |
| commit | 7d5f991538b2cf784645e7f1de71ff72800f8160 (patch) | |
| tree | 4c72762d46d4f4a54a871db2577462206ec462e1 /kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml | |
| parent | a53172e77dc15728a11d888dc2be718b25529fc0 (diff) | |
Add cmk addon helm chart
The chart follows the instructions laid out in the CMK operator
manual, with the following notes:
- The nodes are prepared by running each CMK subcommand as a Pod
instead of running cmk cluster-init. The first reason for this is
that the existing addon only deploys CMK to the worker nodes in the
cluster. This is not possible using cluster-init without explicitly
providing the list of worker nodes to cluster-init, and this list is
unknown by helm. Instead it is sufficient to rely on the
node-role.kubernetes.io/master:NoSchedule taint. The second reason
is that cluster-init creates resources which are unknown to helm,
thus uninstall does not behave as expected.
- The v1.4.1 version of CMK is chosen. In v1.5.2, the description key
of the cmk-nodereport resource is not correct.
- All values listed as possibly requiring modification are exposed in
values.yaml
Issue-ID: MULTICLOUD-1324
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: Ibc75462de3729cd88edeb4b15602d57fe12791ca
Diffstat (limited to 'kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml')
| -rw-r--r-- | kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml b/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml new file mode 100644 index 00000000..003a5b61 --- /dev/null +++ b/kud/deployment_infra/helm/cpu-manager/templates/clusterrole.yaml @@ -0,0 +1,59 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-custom-resource-definition-controller + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: +- apiGroups: ["intel.com"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions", "customresourcedefinitions.extensions"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-daemonset-controller + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: +- apiGroups: ["extensions", "apps"] + resources: ["daemonsets", "daemonsets.extensions", "daemonsets.apps"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-version-controller + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: + - nonResourceURLs: ["*"] + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-webhook-installer + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: +- apiGroups: ["", "apps", "extensions", "admissionregistration.k8s.io"] + resources: ["secrets", "configmaps", "deployments", "services", "mutatingwebhookconfigurations"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "cpu-manager.fullname" . }}-node-lister + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["*"] +{{- end }} |