Using RBAC with Swift

This tutorial will show you how to use Swift in a RBAC enabled cluster.

Before You Begin

At first, you need to have a RBAC enabled Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube. To create a RBAC enabled cluster using MiniKube, follow the instructions below:

  • If you are currently running a Minukube cluster without RBAC, delete the cluster. This will delete any objects running in the cluster.
minikube delete
  • Now, create a RBAC cluster with RBAC enabled.
minikube start --extra-config=apiserver.Authorization.Mode=RBAC
  • Once the cluster is up and running, you need to set ServiceAccount for the kube-dns addon to successfully run it.
# Wait for kube-dns deployment to be created.
$  kubectl get deployment -n kube-system --watch

# create kube-dns ServiceAccount
$ kubectl create serviceaccount kube-dns -n kube-system

# Patch kube-dns Deployment to set service account for pods.
$ kubectl patch deployment kube-dns -n kube-system -p '{"spec":{"template":{"spec":{"serviceAccountName":"kube-dns"}}}}'

# Wait for kube-dns pods to start running
$ kubectl get pods -n kube-system --watch

$ kubectl version --short
Client Version: v1.7.6
Server Version: v1.7.5

Deploy Tiller

Now, install Tiller server in your cluster following the commands below.

$ kubectl create serviceaccount tiller --namespace kube-system
$ kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
$ helm init --service-account tiller

$ helm version --short
Client: v2.7.0+g08c1144
Server: v2.7.0+g08c1144

Consult Tiller and Role-based Access Control for other configurations.

Deploy Swift

Now deploy Swift with necessary RBAc permissions using the following command:

curl -fsSL https://raw.githubusercontent.com/appscode/swift/0.11.0/hack/deploy/swift.sh | bash

To check if Swift proxy pods have started, run the following command:

kubectl get pods --all-namespaces -l app=swift --watch

Once the proxy pods are running, you can cancel the above command by typing Ctrl+C.

Test Swift

To test Swift server, let’s deploy a test chart included in this repo:

helm install test/hello --name=tester
helm ls

Now, to expose Swift proxy using a NodePort service, run the following command:

kubectl patch svc swift -n kube-system -p '{"spec":{"type":"NodePort"}}'

Find out the ip address for the minikube cluster.

$ minikube ip
192.168.99.100

Now, open your browser and go to the following URL: http://{minikube-ip}:{9855-nodeport}/tiller/v2/releases/json.

release-list

Cleaning up

If you would like to uninstall Swift proxy, please follow the steps here.

Take your team where it needs to go.

Create your cluster in minutes. Our team is here to help and would be happy to chat with you.