kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Allow webhook authorization (#6502)

pull/6581/head
Sulochan Acharya 2020-08-24 14:29:41 +01:00 committed by GitHub
parent 0c80d3d9fa
commit 36924b63dc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 48 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
View File

@ -69,6 +69,15 @@ kube_users:
# kube_oidc_groups_claim: groups # kube_oidc_groups_claim: groups
# kube_oidc_groups_prefix: oidc: # kube_oidc_groups_prefix: oidc:
## Variables to control webhook authn/authz
# kube_webhook_token_auth: false
# kube_webhook_token_auth_url: https://...
# kube_webhook_token_auth_url_skip_tls_verify: false
## For webhook authorization, authorization_modes must include Webhook
# kube_webhook_authorization: false
# kube_webhook_authorization_url: https://...
# kube_webhook_authorization_url_skip_tls_verify: false
# Choose network plugin (cilium, calico, contiv, weave or flannel. Use cni for generic cni plugin) # Choose network plugin (cilium, calico, contiv, weave or flannel. Use cni for generic cni plugin)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing

10
roles/kubernetes/master/defaults/main/main.yml
View File

@ -117,6 +117,13 @@ kube_token_auth: false
kube_oidc_auth: false kube_oidc_auth: false
kube_webhook_token_auth: false kube_webhook_token_auth: false
kube_webhook_token_auth_url_skip_tls_verify: false kube_webhook_token_auth_url_skip_tls_verify: false
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
# kube_webhook_token_auth_url: https://...
kube_webhook_authorization: false
## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
# kube_webhook_authorization_url: https://...
kube_webhook_authorization_url_skip_tls_verify: false
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
@ -133,9 +140,6 @@ kube_webhook_token_auth_url_skip_tls_verify: false
# Optionally include a base64-encoded oidc CA cert # Optionally include a base64-encoded oidc CA cert
# kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20... # kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
# kube_webhook_token_auth_url: https://...
# List of the preferred NodeAddressTypes to use for kubelet connections. # List of the preferred NodeAddressTypes to use for kubelet connections.
kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP' kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP'

6
roles/kubernetes/master/tasks/main.yml
View File

@ -13,6 +13,12 @@
dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml" dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
when: kube_webhook_token_auth|default(false) when: kube_webhook_token_auth|default(false)
- name: Create webhook authorization config
template:
src: webhook-authorization-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
when: kube_webhook_authorization|default(false)
- import_tasks: encrypt-at-rest.yml - import_tasks: encrypt-at-rest.yml
when: when:
- kube_encrypt_secret_data - kube_encrypt_secret_data

8
roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2
View File

@ -154,6 +154,9 @@ apiServer:
{% if kube_webhook_token_auth|default(false) %} {% if kube_webhook_token_auth|default(false) %}
authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %} {% endif %}
{% if kube_webhook_authorization|default(false) %}
authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml
{% endif %}
{% if kube_encrypt_secret_data %} {% if kube_encrypt_secret_data %}
encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %} {% endif %}
@ -218,6 +221,11 @@ apiServer:
hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %} {% endif %}
{% if kube_webhook_authorization|default(false) %}
- name: webhook-authorization-config
hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
{% endif %}
{% if kubernetes_audit or kubernetes_audit_webhook %} {% if kubernetes_audit or kubernetes_audit_webhook %}
- name: {{ audit_policy_name }} - name: {{ audit_policy_name }}
hostPath: {{ audit_policy_hostpath }} hostPath: {{ audit_policy_hostpath }}

18
roles/kubernetes/master/templates/webhook-authorization-config.yaml.j2 100644
View File

@ -0,0 +1,18 @@
# clusters refers to the remote service.
clusters:
- name: webhook-token-authz-cluster
cluster:
server: {{ kube_webhook_authorization_url }}
insecure-skip-tls-verify: {{ kube_webhook_authorization_url_skip_tls_verify }}
# users refers to the API server's webhook configuration.
users:
- name: webhook-token-authz-user
# kubeconfig files require a context. Provide one for the API server.
current-context: webhook-token-authz
contexts:
- context:
cluster: webhook-token-authz-cluster
user: webhook-token-authz-user
name: webhook-token-authz