Merge pull request #98 from Charliekenney23/fix-skip-configmap-auth

Hardcode --authentication-skip-lookup=true to short-circuit ConfigMap auth

Author: 0xch4z

Makefile

@@ -68,7 +68,6 @@ run: build
 	dist/linode-cloud-controller-manager \
 		--logtostderr=true \
 		--stderrthreshold=INFO \
-		--cloud-provider=linode \
 		--kubeconfig=${KUBECONFIG}
 
 .PHONY: run-debug
@@ -77,7 +76,6 @@ run-debug: build
 	dist/linode-cloud-controller-manager \
 		--logtostderr=true \
 		--stderrthreshold=INFO \
-		--cloud-provider=linode \
 		--kubeconfig=${KUBECONFIG} \
 		--linodego-debug
 

deploy/ccm-linode-template.yaml

@@ -15,15 +15,44 @@ metadata:
   name: ccm-linode
   namespace: kube-system
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ccm-linode-clusterrole
+rules:
+- apiGroups: [""]
+  resources: ["endpoints"]
+  verbs: ["get", "watch", "list", "update", "create"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "watch", "list", "update", "delete", "patch"]
+- apiGroups: [""]
+  resources: ["nodes/status"]
+  verbs: ["get", "watch", "list", "update", "delete", "patch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["get", "watch", "list", "update", "create", "patch"]
+- apiGroups: [""]
+  resources: ["persistentvolumes"]
+  verbs: ["get", "watch", "list", "update"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["services/status"]
+  verbs: ["get", "watch", "list", "update", "patch"]
+---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: system:ccm-linode
+  name: ccm-linode-clusterrolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  # TODO: make these permissions more fine-grained
-  name: cluster-admin
+  name: ccm-linode-clusterrole
 subjects:
 - kind: ServiceAccount
   name: ccm-linode
@@ -72,7 +101,6 @@ spec:
           imagePullPolicy: Always
           name: ccm-linode
           args:
-          - --cloud-provider=linode
           - --leader-elect-resource-lock=endpoints
           - --v=3
           - --port=0

main.go

@@ -69,6 +69,28 @@ func main() {
 	// Add Linode-specific flags
 	command.Flags().BoolVar(&linode.Options.LinodeGoDebug, "linodego-debug", false, "enables debug output for the LinodeAPI wrapper")
 
+	// Set static flags
+	command.Flags().VisitAll(func(fl *pflag.Flag) {
+		var err error
+		switch fl.Name {
+		case "cloud-provider":
+			err = fl.Value.Set(linode.ProviderName)
+		case
+			// Prevent reaching out to an authentication-related ConfigMap that
+			// we do not need, and thus do not intend to create RBAC permissions
+			// for. See also
+			// https://github.com/linode/linode-cloud-controller-manager/issues/91
+			// and https://github.com/kubernetes/cloud-provider/issues/29.
+			"authentication-skip-lookup":
+			err = fl.Value.Set("true")
+		}
+
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "failed to set flag %q: %s\n", fl.Name, err)
+			os.Exit(1)
+		}
+	})
+
 	// Make the Linode-specific CCM bits aware of the kubeconfig flag
 	linode.Options.KubeconfigFlag = command.Flags().Lookup("kubeconfig")
 	if linode.Options.KubeconfigFlag == nil {