easzlab
/
kubeasz
mirror of https://github.com/easzlab/kubeasz.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

调整apiserver可选开启基本认证(默认关闭)

pull/485/head
gjmzj 2019-03-15 14:17:24 +08:00
parent 78b947f86f
commit cdddf6e6bb
3 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
roles/kube-master/tasks/main.yml
View File

@ -59,6 +59,18 @@
template: src=basic-auth.csv.j2 dest={{ ca_dir }}/basic-auth.csv template: src=basic-auth.csv.j2 dest={{ ca_dir }}/basic-auth.csv
when: 'BASIC_AUTH_ENABLE == "yes"' when: 'BASIC_AUTH_ENABLE == "yes"'
- name: 配置{{ BASIC_AUTH_USER }}用户rbac权限
template: src=admin-user-binding.yaml.j2 dest=/opt/kube/kube-system/admin-user-binding.yaml
when: 'BASIC_AUTH_ENABLE == "yes"'
delegate_to: "{{ groups.deploy[0] }}"
run_once: true
- name: 创建{{ BASIC_AUTH_USER }}用户rbac权限
shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/kube-system/admin-user-binding.yaml"
when: 'BASIC_AUTH_ENABLE == "yes"'
delegate_to: "{{ groups.deploy[0] }}"
run_once: true
# 为兼容v1.8版本,配置不同 kube-apiserver的systemd unit文件 # 为兼容v1.8版本,配置不同 kube-apiserver的systemd unit文件
- name: 获取 k8s 版本信息 - name: 获取 k8s 版本信息
shell: "{{ bin_dir }}/kube-apiserver --version" shell: "{{ bin_dir }}/kube-apiserver --version"

12
roles/kube-master/templates/admin-user-binding.yaml.j2 100644
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: {{ BASIC_AUTH_USER }}

2
roles/kube-master/templates/basic-auth.csv.j2
View File

@ -1,2 +1,2 @@
{{ BASIC_AUTH_PASS }},{{ BASIC_AUTH_USER }},1 {{ BASIC_AUTH_PASS }},{{ BASIC_AUTH_USER }},1
{{ BASIC_AUTH_PASS | truncate(8, True) }},{{ readonly }},2 {{ BASIC_AUTH_PASS | truncate(8, True, '') }},readonly,2