Allow webhook authorization (#6502)
parent
0c80d3d9fa
commit
36924b63dc
|
@ -69,6 +69,15 @@ kube_users:
|
|||
# kube_oidc_groups_claim: groups
|
||||
# kube_oidc_groups_prefix: oidc:
|
||||
|
||||
## Variables to control webhook authn/authz
|
||||
# kube_webhook_token_auth: false
|
||||
# kube_webhook_token_auth_url: https://...
|
||||
# kube_webhook_token_auth_url_skip_tls_verify: false
|
||||
|
||||
## For webhook authorization, authorization_modes must include Webhook
|
||||
# kube_webhook_authorization: false
|
||||
# kube_webhook_authorization_url: https://...
|
||||
# kube_webhook_authorization_url_skip_tls_verify: false
|
||||
|
||||
# Choose network plugin (cilium, calico, contiv, weave or flannel. Use cni for generic cni plugin)
|
||||
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
|
||||
|
|
|
@ -117,6 +117,13 @@ kube_token_auth: false
|
|||
kube_oidc_auth: false
|
||||
kube_webhook_token_auth: false
|
||||
kube_webhook_token_auth_url_skip_tls_verify: false
|
||||
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
|
||||
# kube_webhook_token_auth_url: https://...
|
||||
kube_webhook_authorization: false
|
||||
## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
|
||||
# kube_webhook_authorization_url: https://...
|
||||
kube_webhook_authorization_url_skip_tls_verify: false
|
||||
|
||||
|
||||
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
|
||||
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
|
||||
|
@ -133,9 +140,6 @@ kube_webhook_token_auth_url_skip_tls_verify: false
|
|||
# Optionally include a base64-encoded oidc CA cert
|
||||
# kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...
|
||||
|
||||
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
|
||||
# kube_webhook_token_auth_url: https://...
|
||||
|
||||
# List of the preferred NodeAddressTypes to use for kubelet connections.
|
||||
kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP'
|
||||
|
||||
|
|
|
@ -13,6 +13,12 @@
|
|||
dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
|
||||
when: kube_webhook_token_auth|default(false)
|
||||
|
||||
- name: Create webhook authorization config
|
||||
template:
|
||||
src: webhook-authorization-config.yaml.j2
|
||||
dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
|
||||
when: kube_webhook_authorization|default(false)
|
||||
|
||||
- import_tasks: encrypt-at-rest.yml
|
||||
when:
|
||||
- kube_encrypt_secret_data
|
||||
|
|
|
@ -154,6 +154,9 @@ apiServer:
|
|||
{% if kube_webhook_token_auth|default(false) %}
|
||||
authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
|
||||
{% endif %}
|
||||
{% if kube_webhook_authorization|default(false) %}
|
||||
authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml
|
||||
{% endif %}
|
||||
{% if kube_encrypt_secret_data %}
|
||||
encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
|
||||
{% endif %}
|
||||
|
@ -218,6 +221,11 @@ apiServer:
|
|||
hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
|
||||
mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
|
||||
{% endif %}
|
||||
{% if kube_webhook_authorization|default(false) %}
|
||||
- name: webhook-authorization-config
|
||||
hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
|
||||
mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
|
||||
{% endif %}
|
||||
{% if kubernetes_audit or kubernetes_audit_webhook %}
|
||||
- name: {{ audit_policy_name }}
|
||||
hostPath: {{ audit_policy_hostpath }}
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
# clusters refers to the remote service.
|
||||
clusters:
|
||||
- name: webhook-token-authz-cluster
|
||||
cluster:
|
||||
server: {{ kube_webhook_authorization_url }}
|
||||
insecure-skip-tls-verify: {{ kube_webhook_authorization_url_skip_tls_verify }}
|
||||
|
||||
# users refers to the API server's webhook configuration.
|
||||
users:
|
||||
- name: webhook-token-authz-user
|
||||
|
||||
# kubeconfig files require a context. Provide one for the API server.
|
||||
current-context: webhook-token-authz
|
||||
contexts:
|
||||
- context:
|
||||
cluster: webhook-token-authz-cluster
|
||||
user: webhook-token-authz-user
|
||||
name: webhook-token-authz
|
Loading…
Reference in New Issue