Granular authentication Control
It is now possible to deactivate selected authentication methods (basic auth, token auth) inside the cluster by adding or removing the required arguments to the Kube API Server and generating the secrets accordingly. The x509 authentication is currently not optional because disabling it would affect the kubectl clients deployed on the master nodes.
pull/1080/head
parent
3feab1cb2d
commit
026da060f2
|
@ -58,9 +58,16 @@ kube_users:
|
|||
role: admin
|
||||
|
||||
|
||||
|
||||
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
|
||||
#kube_oidc_auth: false
|
||||
#kube_basic_auth: false
|
||||
#kube_token_auth: false
|
||||
|
||||
|
||||
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
||||
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
|
||||
# kube_oidc_auth: false
|
||||
|
||||
# kube_oidc_url: https:// ...
|
||||
# kube_oidc_client_id: kubernetes
|
||||
## Optional settings for OIDC
|
||||
|
@ -69,7 +76,6 @@ kube_users:
|
|||
# kube_oidc_groups_claim: groups
|
||||
|
||||
|
||||
|
||||
# Choose network plugin (calico, weave or flannel)
|
||||
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
|
||||
kube_network_plugin: calico
|
||||
|
|
|
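Review bot: The new comment block in the first hunk lists `#kube_basic_auth: false` and `#kube_token_auth: false` without saying that the role defaults added in this commit are `true`, so a reader can take the commented values for the defaults. It also does not say that x509 client-certificate authentication stays enabled regardless, which only the commit description mentions. Suggested heading: `## Uncomment to disable an authentication method (basic and token auth default to true; x509 client certs are always enabled)`. The heading names only basic and static token auth while the list below it also includes `kube_oidc_auth`.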
@ -31,9 +31,15 @@ kube_apiserver_memory_requests: 256M
|
|||
kube_apiserver_cpu_requests: 300m
|
||||
kube_apiserver_storage_backend: etcd2
|
||||
|
||||
|
||||
## Enable/Disable Kube API Server Authentication Methods
|
||||
kube_basic_auth: true
|
||||
kube_token_auth: true
|
||||
kube_oidc_auth: false
|
||||
|
||||
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
||||
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
|
||||
kube_oidc_auth: false
|
||||
|
||||
#kube_oidc_url: https:// ...
|
||||
# kube_oidc_client_id: kubernetes
|
||||
## Optional settings for OIDC
|
||||
|
|
|
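Review bot: `kube_basic_auth: true` and `kube_token_auth: true` leave both static-credential methods switched on for every deployment that does not override them, and the block gives no hint of what that implies. According to the manifest template changed in this commit, these flags control `--basic-auth-file` and `--token-auth-file`, which point the API server at CSV files of long-lived passwords and tokens. A comment would help operators decide, for example `## basic/token auth read long-lived credentials from CSV files on the masters; set to false when no client depends on them`. Keeping the defaults at true is presumably for backward compatibility.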
@ -34,10 +34,14 @@ spec:
|
|||
- --service-cluster-ip-range={{ kube_service_addresses }}
|
||||
- --service-node-port-range={{ kube_apiserver_node_port_range }}
|
||||
- --client-ca-file={{ kube_cert_dir }}/ca.pem
|
||||
{% if kube_basic_auth|default(true) %}
|
||||
- --basic-auth-file={{ kube_users_dir }}/known_users.csv
|
||||
{% endif %}
|
||||
- --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
|
||||
- --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
||||
{% if kube_token_auth|default(true) %}
|
||||
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv
|
||||
{% endif %}
|
||||
- --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
||||
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
|
||||
- --oidc-issuer-url={{ kube_oidc_url }}
|
||||
|
|
|
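Review bot: The `{% if kube_basic_auth|default(true) %}` and `{% if kube_token_auth|default(true) %}` guards test the raw variable, so a value that arrives as a string (for example `-e kube_basic_auth=false` on the command line) is a non-empty string and evaluates as true. The auth file argument is then still rendered although the operator meant to turn the method off. Casting with the `bool` filter closes that gap: `{% if kube_basic_auth|default(true)|bool %}`, and likewise for `kube_token_auth` and the `kube_oidc_auth` guard below. The same applies to the two `when:` conditions this commit changes in the token and user tasks. The args list continues outside the hunk.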
@ -14,7 +14,7 @@
|
|||
- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
|
||||
set_fact:
|
||||
gen_tokens: true
|
||||
when: not known_tokens_master.stat.exists
|
||||
when: not known_tokens_master.stat.exists and kube_token_auth|default(true)
|
||||
run_once: true
|
||||
|
||||
- name: "Check tokens | check if a cert already exists"
|
||||
|
|
|
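Review bot: Gating `gen_tokens` on `kube_token_auth` only stops new token files from being generated; nothing visible in this commit removes an existing `known_tokens.csv` from the masters when the flag is later set to false on a cluster that was deployed with token auth on. The API server no longer receives `--token-auth-file`, but the long-lived tokens stay on disk and become valid again if the flag is flipped back. Consider a cleanup task for the disabled case, or at least a comment above this task such as `# kube_token_auth=false does not delete an existing known_tokens.csv; remove it manually if the tokens should be retired`. The task file continues outside the hunk.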
@ -33,7 +33,7 @@
|
|||
line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
|
||||
backup: yes
|
||||
with_dict: "{{ kube_users }}"
|
||||
when: inventory_hostname in "{{ groups['kube-master'] }}"
|
||||
when: inventory_hostname in "{{ groups['kube-master'] }}" and kube_basic_auth|default(true)
|
||||
notify: set secret_changed
|
||||
|
||||
#
|
||||
|
|
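Review bot: The changed `when:` keeps the group lookup inside `"{{ ... }}"`, which, as far as can be told from this line, makes the membership test a substring match against the rendered list text rather than a list lookup. A host whose name is contained in a master's name could then also receive `known_users.csv`, which holds every user's password. `when` is already evaluated as a Jinja expression, so the bare form is enough: `when: inventory_hostname in groups['kube-master'] and kube_basic_auth|default(true)|bool`. The task starts above the hunk.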