Allow webhook authorization (#6502)

2020-08-24 14:29:41 +01:00 · 2020-08-24 14:29:41 +01:00 · 36924b63dc
commit 36924b63dc
parent 0c80d3d9fa
5 changed files with 48 additions and 3 deletions
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@ -69,6 +69,15 @@ kube_users:
 # kube_oidc_groups_claim: groups
 # kube_oidc_groups_prefix: oidc:

+## Variables to control webhook authn/authz
+# kube_webhook_token_auth: false
+# kube_webhook_token_auth_url: https://...
+# kube_webhook_token_auth_url_skip_tls_verify: false
+
+## For webhook authorization, authorization_modes must include Webhook
+# kube_webhook_authorization: false
+# kube_webhook_authorization_url: https://...
+# kube_webhook_authorization_url_skip_tls_verify: false

 # Choose network plugin (cilium, calico, contiv, weave or flannel. Use cni for generic cni plugin)
 # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
--- a/roles/kubernetes/master/defaults/main/main.yml
+++ b/roles/kubernetes/master/defaults/main/main.yml
@ -117,6 +117,13 @@ kube_token_auth: false
 kube_oidc_auth: false
 kube_webhook_token_auth: false
 kube_webhook_token_auth_url_skip_tls_verify: false
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+# kube_webhook_token_auth_url: https://...
+kube_webhook_authorization: false
+## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
+# kube_webhook_authorization_url: https://...
+kube_webhook_authorization_url_skip_tls_verify: false
+

 ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
 ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
@ -133,9 +140,6 @@ kube_webhook_token_auth_url_skip_tls_verify: false
 # Optionally include a base64-encoded oidc CA cert
 # kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...

-## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
-# kube_webhook_token_auth_url: https://...
-
 # List of the preferred NodeAddressTypes to use for kubelet connections.
 kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP'

--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@ -13,6 +13,12 @@
    dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
  when: kube_webhook_token_auth|default(false)

+- name: Create webhook authorization config
+  template:
+    src: webhook-authorization-config.yaml.j2
+    dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
+  when: kube_webhook_authorization|default(false)
+
 - import_tasks: encrypt-at-rest.yml
  when:
    - kube_encrypt_secret_data
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2
@ -154,6 +154,9 @@ apiServer:
 {% if kube_webhook_token_auth|default(false) %}
    authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
 {% endif %}
+{% if kube_webhook_authorization|default(false) %}
+    authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml
+{% endif %}
 {% if kube_encrypt_secret_data %}
    encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
 {% endif %}
@ -218,6 +221,11 @@ apiServer:
    hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
    mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
 {% endif %}
+{% if kube_webhook_authorization|default(false) %}
+  - name: webhook-authorization-config
+    hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
+    mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
+{% endif %}
 {% if kubernetes_audit or kubernetes_audit_webhook %}
  - name: {{ audit_policy_name }}
    hostPath: {{ audit_policy_hostpath }}
--- a/roles/kubernetes/master/templates/webhook-authorization-config.yaml.j2
+++ b/roles/kubernetes/master/templates/webhook-authorization-config.yaml.j2
@ -0,0 +1,18 @@
+# clusters refers to the remote service.
+clusters:
+- name: webhook-token-authz-cluster
+  cluster:
+    server: {{ kube_webhook_authorization_url }}
+    insecure-skip-tls-verify: {{ kube_webhook_authorization_url_skip_tls_verify }}
+
+# users refers to the API server's webhook configuration.
+users:
+- name: webhook-token-authz-user
+
+# kubeconfig files require a context. Provide one for the API server.
+current-context: webhook-token-authz
+contexts:
+- context:
+    cluster: webhook-token-authz-cluster
+    user: webhook-token-authz-user
+  name: webhook-token-authz