调整apiserver可选开启基本认证(默认关闭)

2019-03-15 14:17:24 +08:00 · 2019-03-15 14:17:24 +08:00 · cdddf6e6bb
parent 78b947f86f
commit cdddf6e6bb
3 changed files with 25 additions and 1 deletions
--- a/roles/kube-master/tasks/main.yml
+++ b/roles/kube-master/tasks/main.yml
@ -59,6 +59,18 @@
  template: src=basic-auth.csv.j2 dest={{ ca_dir }}/basic-auth.csv
  when: 'BASIC_AUTH_ENABLE == "yes"'

+- name: 配置{{ BASIC_AUTH_USER }}用户rbac权限
+  template: src=admin-user-binding.yaml.j2 dest=/opt/kube/kube-system/admin-user-binding.yaml
+  when: 'BASIC_AUTH_ENABLE == "yes"'
+  delegate_to: "{{ groups.deploy[0] }}"
+  run_once: true
+
+- name: 创建{{ BASIC_AUTH_USER }}用户rbac权限
+  shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/kube-system/admin-user-binding.yaml"
+  when: 'BASIC_AUTH_ENABLE == "yes"'
+  delegate_to: "{{ groups.deploy[0] }}"
+  run_once: true
+
 # 为兼容v1.8版本，配置不同 kube-apiserver的systemd unit文件
 - name: 获取 k8s 版本信息
  shell: "{{ bin_dir }}/kube-apiserver --version"
--- a/roles/kube-master/templates/admin-user-binding.yaml.j2
+++ b/roles/kube-master/templates/admin-user-binding.yaml.j2
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-user-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ BASIC_AUTH_USER }}
--- a/roles/kube-master/templates/basic-auth.csv.j2
+++ b/roles/kube-master/templates/basic-auth.csv.j2
@ -1,2 +1,2 @@
 {{ BASIC_AUTH_PASS }},{{ BASIC_AUTH_USER }},1
-{{ BASIC_AUTH_PASS | truncate(8, True) }},{{ readonly }},2
+{{ BASIC_AUTH_PASS | truncate(8, True, '') }},readonly,2