remove worker node from elb && add cloud-provider rbac

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
HuaweiCloudDeveloper · Feb 25, 2025 · 3fbcfec · 3fbcfec
1 parent 45f4269
commit 3fbcfec
Show file tree

Hide file tree

Showing 3 changed files with 139 additions and 3 deletions.
diff --git a/internal/controller/huaweicloudmachine_controller.go b/internal/controller/huaweicloudmachine_controller.go
@@ -386,7 +386,7 @@ func (r *HuaweiCloudMachineReconciler) reconcileNormal(_ context.Context, machin
 	}
 
 	// tasks that can take place during all known instance states
-	if machineScope.InstanceIsInKnownState() {
+	if machineScope.InstanceIsInKnownState() && machineScope.IsControlPlane() {
 		if err := ecsSvc.AttachInstanceToElb(instance); err != nil {
 			machineScope.Logger.Error(err, "failed to attach instance to ELB")
 			return ctrl.Result{}, err

diff --git a/pkg/services/ecs/cloudconfig.go b/pkg/services/ecs/cloudconfig.go
@@ -50,8 +50,11 @@ func (c *CloudConfig) genCloudProviderSecretTask() (writeFile *WriteFile, runCmd
 	}
 
 	runCmd = []string{
-		"if ! kubectl get secret cloud-config; then kubectl create secret generic cloud-config --from-file=/etc/kubernetes/cloud-config; fi",
-		// "rm -rf /etc/kubernetes/cloud-config",
+		// TODO: remove sleep if we can find a better way to wait for the cluster to be ready
+		"sleep 10",
+		"export KUBECONFIG=/etc/kubernetes/super-admin.conf",
+		"if ! kubectl -n kube-system get secret cloud-config; then kubectl -n kube-system create secret generic cloud-config --from-file=/etc/kubernetes/cloud-config; fi",
+		"rm -rf /etc/kubernetes/cloud-config",
 	}
 
 	return writeFile, runCmd, nil

diff --git a/templates/cluster-template.yaml b/templates/cluster-template.yaml
@@ -132,6 +132,139 @@ apiVersion: v1
 data:
   hw-cp-external.yaml: |
     ---
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: system:cloud-controller-manager
+    rules:
+      - resources:
+          - tokenreviews
+        verbs:
+          - get
+          - list
+          - watch
+          - create
+          - update
+          - patch
+        apiGroups:
+          - authentication.k8s.io
+      - resources:
+          - configmaps
+          - endpoints
+          - pods
+          - services
+          - secrets
+          - serviceaccounts
+          - serviceaccounts/token
+        verbs:
+          - get
+          - list
+          - watch
+          - create
+          - update
+          - patch
+        apiGroups:
+          - ''
+      - resources:
+          - nodes
+        verbs:
+          - get
+          - list
+          - watch
+          - delete
+          - patch
+          - update
+        apiGroups:
+          - ''
+      - resources:
+          - services/status
+          - pods/status
+        verbs:
+          - update
+          - patch
+        apiGroups:
+          - ''
+      - resources:
+          - nodes/status
+        verbs:
+          - patch
+          - update
+        apiGroups:
+          - ''
+      - resources:
+          - events
+          - endpoints
+        verbs:
+          - create
+          - patch
+          - update
+        apiGroups:
+          - ''
+      - resources:
+          - leases
+        verbs:
+          - get
+          - update
+          - create
+          - delete
+        apiGroups:
+          - coordination.k8s.io
+      - resources:
+          - customresourcedefinitions
+        verbs:
+          - get
+          - update
+          - create
+          - delete
+        apiGroups:
+          - apiextensions.k8s.io
+      - resources:
+          - ingresses
+        verbs:
+          - get
+          - list
+          - watch
+          - update
+          - create
+          - patch
+          - delete
+        apiGroups:
+          - networking.k8s.io
+      - resources:
+          - ingresses/status
+        verbs:
+          - update
+          - patch
+        apiGroups:
+          - networking.k8s.io
+      - resources:
+          - endpointslices
+        verbs:
+          - get
+          - list
+          - watch
+        apiGroups:
+          - discovery.k8s.io
+    ---
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: cloud-controller-manager
+      namespace: kube-system
+    ---
+    kind: ClusterRoleBinding
+    apiVersion: rbac.authorization.k8s.io/v1
+    metadata:
+      name: system:cloud-controller-manager
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: system:cloud-controller-manager
+    subjects:
+      - kind: ServiceAccount
+        name: cloud-controller-manager
+        namespace: kube-system
+    ---
     apiVersion: apps/v1
     kind: DaemonSet
     metadata: