C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Added support for webhook authentication/authorization on the secure kubelet endpoint

Browse source
This commit is contained in:
Jonas Kongslund 2018-01-21 14:34:37 +04:00
parent 84e47f4aaa
commit a800ed094b
6 changed files with 97 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
roles/kubernetes-apps/cluster_roles/tasks/main.yml
View file

@ -29,6 +29,52 @@
- rbac_enabled - rbac_enabled
- node_crb_manifest.changed - node_crb_manifest.changed
- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
template:
src: "node-webhook-cr.yml.j2"
dest: "{{ kube_config_dir }}/node-webhook-cr.yml"
register: node_webhook_cr_manifest
when:
- rbac_enabled
- kubelet_authorization_mode_webhook
tags: node-webhook
- name: Apply webhook ClusterRole
kube:
name: "system:node-webhook"
kubectl: "{{bin_dir}}/kubectl"
resource: "clusterrole"
filename: "{{ kube_config_dir }}/node-webhook-cr.yml"
state: latest
when:
- rbac_enabled
- kubelet_authorization_mode_webhook
- node_webhook_cr_manifest.changed
tags: node-webhook
- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
template:
src: "node-webhook-crb.yml.j2"
dest: "{{ kube_config_dir }}/node-webhook-crb.yml"
register: node_webhook_crb_manifest
when:
- rbac_enabled
- kubelet_authorization_mode_webhook
tags: node-webhook
- name: Grant system:nodes the webhook ClusterRole
kube:
name: "system:node-webhook"
kubectl: "{{bin_dir}}/kubectl"
resource: "clusterrolebinding"
filename: "{{ kube_config_dir }}/node-webhook-crb.yml"
state: latest
when:
- rbac_enabled
- kubelet_authorization_mode_webhook
- node_webhook_crb_manifest.changed
tags: node-webhook
# This is not a cluster role, but should be run after kubeconfig is set on master # This is not a cluster role, but should be run after kubeconfig is set on master
- name: Write kube system namespace manifest - name: Write kube system namespace manifest
template: template:

19
roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 Normal file
View file

@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:node-webhook
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
verbs:
- "*"

17
roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 Normal file
View file

@ -0,0 +1,17 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:node-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node-webhook
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes

3
roles/kubernetes/node/templates/kubelet.kubeadm.env.j2
View file

@ -20,6 +20,9 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
{% if kube_version | version_compare('v1.8', '<') %} {% if kube_version | version_compare('v1.8', '<') %}
--require-kubeconfig \ --require-kubeconfig \
{% endif %} {% endif %}
{% if kubelet_authentication_token_webhook %}
--authentication-token-webhook \
{% endif %}
--authorization-mode=Webhook \ --authorization-mode=Webhook \
--client-ca-file={{ kube_cert_dir }}/ca.crt \ --client-ca-file={{ kube_cert_dir }}/ca.crt \
--pod-manifest-path={{ kube_manifest_dir }} \ --pod-manifest-path={{ kube_manifest_dir }} \

6
roles/kubernetes/node/templates/kubelet.standard.env.j2
View file

@ -33,6 +33,12 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
{% else %} {% else %}
--fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \ --fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \
{% endif %} {% endif %}
{% if kubelet_authentication_token_webhook %}
--authentication-token-webhook \
{% endif %}
{% if kubelet_authorization_mode_webhook %}
--authorization-mode=Webhook \
{% endif %}
--enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} {% endif %}{% endset %} --enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} {% endif %}{% endset %}
{# DNS settings for kubelet #} {# DNS settings for kubelet #}

6
roles/kubespray-defaults/defaults/main.yaml
View file

@ -197,6 +197,12 @@ openstack_lbaas_monitor_max_retries: "3"
authorization_modes: ['Node', 'RBAC'] authorization_modes: ['Node', 'RBAC']
rbac_enabled: "{{ 'RBAC' in authorization_modes or kubeadm_enabled }}" rbac_enabled: "{{ 'RBAC' in authorization_modes or kubeadm_enabled }}"
# When enabled, API bearer tokens (including service account tokens) can be used to authenticate to the kubelets HTTPS endpoint
kubelet_authentication_token_webhook: false
# When enabled, access to the kubelet API requires authorization by delegation to the API server
kubelet_authorization_mode_webhook: false
## List of key=value pairs that describe feature gates for ## List of key=value pairs that describe feature gates for
## the k8s cluster. ## the k8s cluster.
kube_feature_gates: kube_feature_gates: