add support for service-account-lookup
parameter (#8781)
* feat: add variable to manage service-account-lookup on kube-apiserver * docs: add documentation about service-account-lookup variable
parent
3e52a0db95
commit
e7df4d3dd9
3 changed files with 10 additions and 0 deletions
@ -146,6 +146,8 @@ kube_apiserver_admission_event_rate_limits:
...
...
```
```
* *kube_apiserver_service_account_lookup* - Enable validation service account before validating token. Default `true`.
Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
private addresses, make sure to pick another values for ``kube_service_addresses``
private addresses, make sure to pick another values for ``kube_service_addresses``
and ``kube_pods_subnet``, for example from the ``172.18.0.0/16``.
and ``kube_pods_subnet``, for example from the ``172.18.0.0/16``.
@ -18,6 +18,11 @@ kube_apiserver_node_port_range: "30000-32767"
# ETCD backend for k8s data
# ETCD backend for k8s data
kube_apiserver_storage_backend: etcd3
kube_apiserver_storage_backend: etcd3
# CIS 1.2.26
# Validate that the service account token
# in the request is actually present in etcd.
kube_apiserver_service_account_lookup: true
kube_etcd_cacert_file: ca.pem
kube_etcd_cacert_file: ca.pem
kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
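--- a/PATH_PLACEHOLDER_not_shown_on_page
+++ b/PATH_PLACEHOLDER_not_shown_on_page
@@ -146,6 +146,9 @@ apiServer:
 {% if kube_token_auth|default(true) %}
 token-auth-file: {{ kube_token_dir }}/known_tokens.csv
 {% endif %}
+{% if kube_apiserver_service_account_lookup %}
+service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
+{% endif %}
 {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
 oidc-issuer-url: "{{ kube_oidc_url }}"
 oidc-client-id: "{{ kube_oidc_client_id }}"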
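Review bot: Because the new `service-account-lookup` line sits inside `{% if kube_apiserver_service_account_lookup %}`, setting the variable to `false` omits the argument from the kubeadm config altogether rather than rendering `service-account-lookup: "false"`, so the apiserver falls back to its own built-in default (true upstream) and the variable can never actually disable the lookup. That fails safe from a hardening standpoint, but it contradicts the docs entry added in this commit, which presents the variable as a toggle with default `true`. Since the defaults file in this commit always defines the variable, the guard can simply be dropped and the line rendered unconditionally: `service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"`. If the conditional is kept on purpose, a template comment stating that `false` means "leave the apiserver default in place" would avoid the surprise. The enclosing `apiServer:` block starts and ends outside the hunk.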