diff --git a/roles/kargo-defaults/defaults/main.yaml b/roles/kargo-defaults/defaults/main.yaml index f0323d479..9a7368d29 100644 --- a/roles/kargo-defaults/defaults/main.yaml +++ b/roles/kargo-defaults/defaults/main.yaml @@ -114,3 +114,9 @@ vault_deployment_type: docker k8s_image_pull_policy: IfNotPresent efk_enabled: false enable_network_policy: false + +## List of authorization plugins that must be configured for +## the k8s cluster. Only 'AlwaysAllow' and 'RBAC' is supported +## at the moment. +authorization_mode: ['AlwaysAllow'] +rbac_enabled: "{{ 'RBAC' in authorization_mode }}" diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index a5329c635..13f8e41a2 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml @@ -41,10 +41,9 @@ netchecker_server_memory_requests: 64M etcd_cert_dir: "/etc/ssl/etcd/ssl" canal_cert_dir: "/etc/canal/certs" -# RBAC -rbac_resources: +# RBAC specific resources that will be ignored when RBAC is not enabled. +apiserver_rbac_resources: - clusterrole, - clusterrolebinding, - sa - -rbac_enabled: "{{ authorization_mode == 'RBAC' }}" \ No newline at end of file + - serviceaccount diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index 164c00dff..37384496a 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml @@ -21,7 +21,7 @@ - {name: kubedns-autoscaler, file: kubedns-autoscaler-clusterrolebinding.yml, type: clusterrolebinding} - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment} register: manifests - when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in rbac_resources or rbac_enabled) + when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in apiserver_rbac_resources or rbac_enabled) tags: dnsmasq # see https://github.com/kubernetes/kubernetes/issues/45084 diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml index 1bdb2a715..a368ae333 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml @@ -24,4 +24,4 @@ subjects: roleRef: kind: ClusterRole name: cluster-proportional-autoscaler - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml index 32d307d76..6620c1642 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml @@ -114,6 +114,6 @@ spec: - containerPort: 8080 protocol: TCP dnsPolicy: Default # Don't use cluster DNS. -{% if authorization_mode is defined and authorization_mode == "RBAC" %} - serviceAccount: kube-dns +{% if rbac_enabled %} + serviceAccountName: kube-dns {% endif %} diff --git a/roles/kubernetes-apps/helm/defaults/main.yml b/roles/kubernetes-apps/helm/defaults/main.yml index 5cb600439..b1b2dfca9 100644 --- a/roles/kubernetes-apps/helm/defaults/main.yml +++ b/roles/kubernetes-apps/helm/defaults/main.yml @@ -2,5 +2,3 @@ helm_enabled: false # specify a dir and attach it to helm for HELM_HOME. helm_home_dir: "/root/.helm" - -rbac_enabled: "{{ authorization_mode == 'RBAC' }}" \ No newline at end of file diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml index 96901e235..0536432e5 100644 --- a/roles/kubernetes/master/defaults/main.yml +++ b/roles/kubernetes/master/defaults/main.yml @@ -66,4 +66,3 @@ controller_mgr_custom_flags: [] scheduler_custom_flags: [] -authorization_mode: RBAC \ No newline at end of file diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 index 5a2101b73..fddd66a27 100644 --- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 +++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 @@ -82,7 +82,7 @@ spec: - --anonymous-auth={{ kube_api_anonymous_auth }} {% endif %} {% if authorization_mode %} - - --authorization-mode={{ authorization_mode }} + - --authorization-mode={{ authorization_mode|join(',') }} {% endif %} {% if apiserver_custom_flags is string %} - {{ apiserver_custom_flags }} @@ -127,4 +127,4 @@ spec: - hostPath: path: /etc/ssl/certs/ca-bundle.crt name: rhel-ca-bundle -{% endif %} \ No newline at end of file +{% endif %} diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 index a5171f82f..a6b69fa14 100644 --- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 +++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 @@ -35,7 +35,7 @@ spec: - --node-monitor-period={{ kube_controller_node_monitor_period }} - --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }} - --v={{ kube_log_level }} -{% if authorization_mode is defined and authorization_mode == "RBAC" %} +{% if rbac_enabled %} - --use-service-account-credentials {% endif %} {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %} diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml index fafc20c1e..73704caa4 100644 --- a/roles/kubernetes/secrets/tasks/check-certs.yml +++ b/roles/kubernetes/secrets/tasks/check-certs.yml @@ -10,8 +10,8 @@ - name: "Check_certs | Set default value for 'sync_certs', 'gen_certs', and 'secret_changed' to false" set_fact: - sync_certs: true - gen_certs: true + sync_certs: false + gen_certs: false secret_changed: false - name: "Check certs | check if a cert already exists on node"