Merge pull request #591 from andrewrynhard/rbac

Add Kubernetes RBAC support

Documentation/kube-flannel-rbac.yml

@@ -0,0 +1,26 @@
+# Create the clusterrole:
+# $ kubectl create -f kube-flannel-rbac.yml
+# Bind the flannel serviceaccount to the flannel clusterrole:
+# $ kubectl create clusterrolebinding flannel --clusterrole=flannel --serviceaccount=kube-system:flannel
+# Create the pod using the same namespace used by the flannel serviceaccount:
+# $ kubectl create --namespace kube-system -f kube-flannel.yml
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: flannel
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - update
+      - watch

Documentation/kube-flannel.yml

@@ -1,9 +1,13 @@
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flannel
+---
 kind: ConfigMap
 apiVersion: v1
 metadata:
   name: kube-flannel-cfg
-  namespace: kube-system
   labels:
     tier: node
     app: flannel
@@ -28,7 +32,6 @@ apiVersion: extensions/v1beta1
 kind: DaemonSet
 metadata:
   name: kube-flannel-ds
-  namespace: kube-system
   labels:
     tier: node
     app: flannel
@@ -42,6 +45,7 @@ spec:
       hostNetwork: true
       nodeSelector:
         beta.kubernetes.io/arch: amd64
+      serviceAccountName: flannel
       containers:
       - name: kube-flannel
         image: quay.io/coreos/flannel-git:v0.6.1-62-g6d631ba-amd64