---
- name: Rotate Tokens | Get default token name # noqa 306
  # Look up the name of the first "default-token" secret in the kubeconfig's
  # current namespace so the next task can read its token. grep -m1 stops at
  # the first match; adding pipefail here (what noqa 306 asks for) could make
  # the pipeline fail on kubectl's SIGPIPE even when a match was found, so the
  # lint rule is deliberately suppressed — verify before removing the noqa.
  shell: >-
    {{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf
    get secrets -o custom-columns=name:{.metadata.name} --no-headers
    | grep -m1 default-token
  register: default_token
  # Read-only lookup: never report a change.
  changed_when: false
  # Without pipefail the exit code is grep's: non-zero until a default-token
  # secret exists, so keep polling.
  until: default_token.rc == 0
  retries: 10
  delay: 4
- name: Rotate Tokens | Get default token data
  # Fetch the secret named by the previous task as JSON; its token value is
  # presented as a bearer token in the API-server probe that follows.
  command: >-
    {{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf
    get secrets {{ default_token.stdout }} -ojson
  register: default_token_data
  # Read-only lookup: never report a change.
  changed_when: false
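- name: Rotate Tokens | Test if default certificate is expired
  # Probe the API server with the default service-account token. Only the
  # HTTP status is consumed (by the set_fact task that follows), so no body is
  # returned and a failed request does not fail the play.
  uri:
    url: "https://{{ kube_apiserver_ip }}/api/v1/nodes"
    method: GET
    return_content: false
    # NOTE(review): TLS is not verified, so the bearer token is presented to
    # whatever answers at kube_apiserver_ip, and a forged endpoint could also
    # steer the rotation decision below. Prefer validate_certs: true with
    # ca_path pointing at the cluster CA — confirm where this project keeps it.
    validate_certs: false
    headers:
      Authorization: "Bearer {{ (default_token_data.stdout|from_json)['data']['token']|b64decode }}"
  register: check_secret
  # Connection errors and non-2xx statuses are evaluated by the next task.
  failed_when: false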
- name: Rotate Tokens | Determine if certificate is expired
  # Rotation is needed unless the API server accepted the token (200) or
  # rejected it for authorization only (403 — presumably the token
  # authenticated but may not list nodes). NOTE(review): a connection failure
  # leaves uri's status at -1, which also triggers rotation — confirm that is
  # intended, since the tasks below are destructive.
  set_fact:
    needs_rotation: "{{ check_secret.status not in [200, 403] }}"
# FIXME(mattymo): Exclude built-in secrets that were automatically rotated,
# instead of filtering manually
- name: Rotate Tokens | Get all serviceaccount tokens to expire # noqa 306
  # Emit "namespace name type", one per line, for every service-account token
  # secret that belongs to one of the well-known system components, so the
  # next task can delete them. Without pipefail the exit code is egrep's:
  # 0 when at least one line matched, 1 otherwise (including an empty kubectl
  # result), so the task fails if nothing matches — presumably acceptable
  # because default-token secrets are expected to exist. egrep is obsolescent
  # in recent GNU grep (warns on stderr); grep -E is the equivalent.
  when: needs_rotation
  shell: >-
    {{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf get secrets --all-namespaces
    -o 'jsonpath={range .items[*]}{"\n"}{.metadata.namespace}{" "}{.metadata.name}{" "}{.type}{end}'
    | grep kubernetes.io/service-account-token
    | egrep 'default-token|kube-proxy|coredns|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|tiller|local-volume-provisioner'
  register: tokens_to_delete
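- name: Rotate Tokens | Delete expired tokens
  # Each item is "namespace name type" from the previous task; only the first
  # two fields are used. The command module does not go through a shell, so
  # the fields are passed as plain arguments. Ansible templates the loop
  # source before evaluating the per-item `when`, so when the previous task was
  # skipped (needs_rotation false) tokens_to_delete has no stdout_lines —
  # default to an empty list so this task is skipped cleanly instead of
  # erroring on the undefined attribute.
  command: >-
    {{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf
    delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}
  with_items: "{{ tokens_to_delete.stdout_lines | default([]) }}"
  when: needs_rotation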
- name: Rotate Tokens | Delete pods in system namespace
  # Force-kill every pod in kube-system with no grace period — presumably so
  # their controllers recreate them with freshly issued service-account tokens
  # after the old secrets were deleted above. This is disruptive and runs only
  # when the probe decided rotation is needed.
  when: needs_rotation
  command: >-
    {{ bin_dir }}/kubectl --kubeconfig /etc/kubernetes/admin.conf
    delete pods -n kube-system --all --grace-period=0 --force