chore(in-cluster): update rke2 system upgrade controller; add crd

2024-09-22 19:35:27 -04:00 · 2024-09-22 19:35:27 -04:00 · 359d0a761f
commit 359d0a761f
parent 63543290fc
2 changed files with 783 additions and 9 deletions
--- a/bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-controller.yaml
+++ b/bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-controller.yaml
@ -1,13 +1,118 @@
-apiVersion: v1
-kind: Namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
-  labels:
-    pod-security.kubernetes.io/enforce: privileged
-  name: system-upgrade
+  name: system-upgrade-controller
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - update
+- apiGroups:
+  - upgrade.cattle.io
+  resources:
+  - plans
+  - plans/status
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - patch
+  - update
+  - delete
 ---
-apiVersion: v1
-kind: ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
+  name: system-upgrade-controller
+  namespace: system-upgrade
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system-upgrade-controller-drainer
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  - daemonsets
+  - replicasets
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-upgrade-drainer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system-upgrade-controller-drainer
+subjects:
+- kind: ServiceAccount
  name: system-upgrade
  namespace: system-upgrade
 ---
@ -18,12 +123,39 @@ metadata:
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: cluster-admin
+  name: system-upgrade-controller
 subjects:
 - kind: ServiceAccount
  name: system-upgrade
  namespace: system-upgrade
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: system-upgrade
+  namespace: system-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system-upgrade-controller
+subjects:
+- kind: ServiceAccount
+  name: system-upgrade
+  namespace: system-upgrade
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+  name: system-upgrade
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: system-upgrade
+  namespace: system-upgrade
+---
 apiVersion: v1
 data:
  SYSTEM_UPGRADE_CONTROLLER_DEBUG: "false"
@ -74,7 +206,7 @@ spec:
        envFrom:
        - configMapRef:
            name: default-controller-env
-        image: rancher/system-upgrade-controller:v0.13.2
+        image: rancher/system-upgrade-controller:v0.13.4
        imagePullPolicy: IfNotPresent
        name: system-upgrade-controller
        securityContext: