From 36924b63dc51978a43848787ce32d7777bfc94b3 Mon Sep 17 00:00:00 2001 From: Sulochan Acharya Date: Mon, 24 Aug 2020 14:29:41 +0100 Subject: [PATCH] Allow webhook authorization (#6502) --- .../group_vars/k8s-cluster/k8s-cluster.yml | 9 +++++++++ roles/kubernetes/master/defaults/main/main.yml | 10 +++++++--- roles/kubernetes/master/tasks/main.yml | 6 ++++++ .../templates/kubeadm-config.v1beta2.yaml.j2 | 8 ++++++++ .../webhook-authorization-config.yaml.j2 | 18 ++++++++++++++++++ 5 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 roles/kubernetes/master/templates/webhook-authorization-config.yaml.j2 diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml index 0c375159d..e886398fc 100644 --- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml +++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml @@ -69,6 +69,15 @@ kube_users: # kube_oidc_groups_claim: groups # kube_oidc_groups_prefix: oidc: +## Variables to control webhook authn/authz +# kube_webhook_token_auth: false +# kube_webhook_token_auth_url: https://... +# kube_webhook_token_auth_url_skip_tls_verify: false + +## For webhook authorization, authorization_modes must include Webhook +# kube_webhook_authorization: false +# kube_webhook_authorization_url: https://... +# kube_webhook_authorization_url_skip_tls_verify: false # Choose network plugin (cilium, calico, contiv, weave or flannel. Use cni for generic cni plugin) # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing diff --git a/roles/kubernetes/master/defaults/main/main.yml b/roles/kubernetes/master/defaults/main/main.yml index 477b687cc..a9696388c 100644 --- a/roles/kubernetes/master/defaults/main/main.yml +++ b/roles/kubernetes/master/defaults/main/main.yml @@ -117,6 +117,13 @@ kube_token_auth: false kube_oidc_auth: false kube_webhook_token_auth: false kube_webhook_token_auth_url_skip_tls_verify: false +## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication +# kube_webhook_token_auth_url: https://... +kube_webhook_authorization: false +## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/ +# kube_webhook_authorization_url: https://... +kube_webhook_authorization_url_skip_tls_verify: false + ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) @@ -133,9 +140,6 @@ kube_webhook_token_auth_url_skip_tls_verify: false # Optionally include a base64-encoded oidc CA cert # kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20... -## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication -# kube_webhook_token_auth_url: https://... - # List of the preferred NodeAddressTypes to use for kubelet connections. kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP' diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/master/tasks/main.yml index d3835934d..7fcae51fc 100644 --- a/roles/kubernetes/master/tasks/main.yml +++ b/roles/kubernetes/master/tasks/main.yml @@ -13,6 +13,12 @@ dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml" when: kube_webhook_token_auth|default(false) +- name: Create webhook authorization config + template: + src: webhook-authorization-config.yaml.j2 + dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml" + when: kube_webhook_authorization|default(false) + - import_tasks: encrypt-at-rest.yml when: - kube_encrypt_secret_data diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 index dcb989aa8..2e3d20a24 100644 --- a/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 +++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2 @@ -154,6 +154,9 @@ apiServer: {% if kube_webhook_token_auth|default(false) %} authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml {% endif %} +{% if kube_webhook_authorization|default(false) %} + authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml +{% endif %} {% if kube_encrypt_secret_data %} encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml {% endif %} @@ -218,6 +221,11 @@ apiServer: hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml {% endif %} +{% if kube_webhook_authorization|default(false) %} + - name: webhook-authorization-config + hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml + mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml +{% endif %} {% if kubernetes_audit or kubernetes_audit_webhook %} - name: {{ audit_policy_name }} hostPath: {{ audit_policy_hostpath }} diff --git a/roles/kubernetes/master/templates/webhook-authorization-config.yaml.j2 b/roles/kubernetes/master/templates/webhook-authorization-config.yaml.j2 new file mode 100644 index 000000000..b5b553039 --- /dev/null +++ b/roles/kubernetes/master/templates/webhook-authorization-config.yaml.j2 @@ -0,0 +1,18 @@ +# clusters refers to the remote service. +clusters: +- name: webhook-token-authz-cluster + cluster: + server: {{ kube_webhook_authorization_url }} + insecure-skip-tls-verify: {{ kube_webhook_authorization_url_skip_tls_verify }} + +# users refers to the API server's webhook configuration. +users: +- name: webhook-token-authz-user + +# kubeconfig files require a context. Provide one for the API server. +current-context: webhook-token-authz +contexts: +- context: + cluster: webhook-token-authz-cluster + user: webhook-token-authz-user + name: webhook-token-authz