ansible: Add service account for host-provisioner

The _k8s-worker_ Ansible role in the configuration policy now uses the
Kubernetes API to create bootstrap tokens for adding worker nodes to the
cluster.  For this to work, the pod running the host-provisioner must be
associated with a service account that has the correct permissions to
create secrets and access the `cluster-info` ConfigMap.

ansible/kustomization.yaml

@@ -1,6 +1,19 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+transformers:
+- |
+  apiVersion: builtin
+  kind: NamespaceTransformer
+  metadata:
+    name: namespace-transformer
+    namespace: ansible
+  unsetOnly: true
+  setRoleBindingSubjects: allServiceAccounts
+  fieldSpecs:
+  - path: metadata/namespace
+    create: true
+
 labels:
 - pairs:
     app.kubernetes.io/instance: ansible
@@ -9,8 +22,6 @@ labels:
 - pairs:
     app.kubernetes.io/part-of: ansible
 
-namespace: ansible
-
 resources:
 - ../dch-root-ca
 - ../ssh-host-keys

ansible/rbac.yaml

@@ -23,3 +23,112 @@ subjects:
 - kind: ServiceAccount
   name: dch-webhooks
   namespace: default
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: host-provisioner
+  labels:
+    app.kubernetes.io/name: host-provisioner
+    app.kubernetes.io/component: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-provisioner
+  namespace: kube-public
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to access the _cluster-info_ ConfigMap,
+      which it uses to get the connection details for the Kubernetes API
+      server, including the issuing CA certificate, to pass to `kubeadm
+      join` on a new worker node.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  resourceNames:
+  - cluster-info
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: host-provisioner
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to manipulate labels, taints, etc. on
+      nodes it adds to the cluster.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - patch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: host-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: host-provisioner
+  namespace: kube-system
+  annotations:
+    kubernetes.io/description: >-
+      Allows the host-provisioner to create bootstrap tokens in order to
+      add new nodes to the Kubernetes cluster.
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+  - get
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-provisioner
+  namespace: kube-public
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: host-provisioner
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: host-provisioner
+subjects:
+- kind: ServiceAccount
+  name: host-provisioner

dch-webhooks/ansible-job.yaml

@@ -90,11 +90,15 @@ spec:
         - mountPath: /tmp
           name: tmp
           subPath: tmp
+        - mountPath: /var/tmp
+          name: tmp
+          subPath: tmp
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
+      serviceAccountName: host-provisioner
       volumes:
       - name: dch-root-ca
         configMap: