Granular authentication Control

It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
This commit is contained in:
Vincent Schwarzer 2017-02-27 14:15:50 +01:00
parent 3feab1cb2d
commit 026da060f2
5 changed files with 21 additions and 5 deletions

View file

@ -58,9 +58,16 @@ kube_users:
role: admin role: admin
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
#kube_basic_auth: false
#kube_token_auth: false
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
# kube_oidc_auth: false
# kube_oidc_url: https:// ... # kube_oidc_url: https:// ...
# kube_oidc_client_id: kubernetes # kube_oidc_client_id: kubernetes
## Optional settings for OIDC ## Optional settings for OIDC
@ -69,7 +76,6 @@ kube_users:
# kube_oidc_groups_claim: groups # kube_oidc_groups_claim: groups
# Choose network plugin (calico, weave or flannel) # Choose network plugin (calico, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico kube_network_plugin: calico

View file

@ -31,9 +31,15 @@ kube_apiserver_memory_requests: 256M
kube_apiserver_cpu_requests: 300m kube_apiserver_cpu_requests: 300m
kube_apiserver_storage_backend: etcd2 kube_apiserver_storage_backend: etcd2
## Enable/Disable Kube API Server Authentication Methods
kube_basic_auth: true
kube_token_auth: true
kube_oidc_auth: false
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
kube_oidc_auth: false
#kube_oidc_url: https:// ... #kube_oidc_url: https:// ...
# kube_oidc_client_id: kubernetes # kube_oidc_client_id: kubernetes
## Optional settings for OIDC ## Optional settings for OIDC

View file

@ -34,10 +34,14 @@ spec:
- --service-cluster-ip-range={{ kube_service_addresses }} - --service-cluster-ip-range={{ kube_service_addresses }}
- --service-node-port-range={{ kube_apiserver_node_port_range }} - --service-node-port-range={{ kube_apiserver_node_port_range }}
- --client-ca-file={{ kube_cert_dir }}/ca.pem - --client-ca-file={{ kube_cert_dir }}/ca.pem
{% if kube_basic_auth|default(true) %}
- --basic-auth-file={{ kube_users_dir }}/known_users.csv - --basic-auth-file={{ kube_users_dir }}/known_users.csv
{% endif %}
- --tls-cert-file={{ kube_cert_dir }}/apiserver.pem - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
- --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
{% if kube_token_auth|default(true) %}
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
{% endif %}
- --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %} {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
- --oidc-issuer-url={{ kube_oidc_url }} - --oidc-issuer-url={{ kube_oidc_url }}

View file

@ -14,7 +14,7 @@
- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true" - name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
set_fact: set_fact:
gen_tokens: true gen_tokens: true
when: not known_tokens_master.stat.exists when: not known_tokens_master.stat.exists and kube_token_auth|default(true)
run_once: true run_once: true
- name: "Check tokens | check if a cert already exists" - name: "Check tokens | check if a cert already exists"

View file

@ -33,7 +33,7 @@
line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}' line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
backup: yes backup: yes
with_dict: "{{ kube_users }}" with_dict: "{{ kube_users }}"
when: inventory_hostname in "{{ groups['kube-master'] }}" when: inventory_hostname in "{{ groups['kube-master'] }}" and kube_basic_auth|default(true)
notify: set secret_changed notify: set secret_changed
# #