Add missing ClusterRoleBinding and leases permissions for running 2nd scheduler

Signed-off-by: Aldo Culquicondor <acondor@google.com>
2020-04-30 14:56:46 -04:00 · 2020-04-30 14:56:46 -04:00 · ade52dec1e
parent 004bcd1ff8
commit ade52dec1e
2 changed files with 60 additions and 24 deletions
--- a/content/en/docs/tasks/administer-cluster/configure-multiple-schedulers.md
+++ b/content/en/docs/tasks/administer-cluster/configure-multiple-schedulers.md
@ -108,40 +108,63 @@ my-scheduler-lnf4s-4744f                       1/1       Running   0          2m
 You should see a "Running" my-scheduler pod, in addition to the default kube-scheduler
 pod in this list.

+### Enable leader election
+
 To run multiple-scheduler with leader election enabled, you must do the following:

 First, update the following fields in your YAML file:

 * `--leader-elect=true`
-* `--lock-object-namespace=lock-object-namespace`
-* `--lock-object-name=lock-object-name`
+* `--lock-object-namespace=<lock-object-namespace>`
+* `--lock-object-name=<lock-object-name>`

-If RBAC is enabled on your cluster, you must update the `system:kube-scheduler` cluster role. Add your scheduler name to the resourceNames of the rule applied for endpoints resources, as in the following example:
+{{< note >}}
+The control plane creates the lock objects for you, but the namespace must already exist.
+You can use the `kube-system` namespace.
+{{< /note >}}
+
+If RBAC is enabled on your cluster, you must update the `system:kube-scheduler` cluster role. Add your scheduler name to the resourceNames of the rule applied for `endpoints` and `leases` resources, as in the following example:
 ```
 kubectl edit clusterrole system:kube-scheduler
 ```
 ```yaml
- apiVersion: rbac.authorization.k8s.io/v1
-  kind: ClusterRole
-  metadata:
-    annotations:
-      rbac.authorization.kubernetes.io/autoupdate: "true"
-    labels:
-      kubernetes.io/bootstrapping: rbac-defaults
-    name: system:kube-scheduler
-  rules:
-  - apiGroups:
-    - ""
-    resourceNames:
-    - kube-scheduler
-    - my-scheduler
-    resources:
-    - endpoints
-    verbs:
-    - delete
-    - get
-    - patch
-    - update
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:kube-scheduler
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - kube-scheduler
+  - my-scheduler
+  resources:
+  - leases
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resourceNames:
+  - kube-scheduler
+  - my-scheduler
+  resources:
+  - endpoints
+  verbs:
+  - delete
+  - get
+  - patch
+  - update
 ```

 ## Specify schedulers for pods
--- a/content/en/examples/admin/sched/my-scheduler.yaml
+++ b/content/en/examples/admin/sched/my-scheduler.yaml
@ -17,6 +17,19 @@ roleRef:
  name: system:kube-scheduler
  apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: my-scheduler-as-volume-scheduler
+subjects:
+- kind: ServiceAccount
+  name: my-scheduler
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: system:volume-scheduler
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata: