Merge pull request #1080 from VincentS/Granular_Auth_Control

Granular authentication Control
pull/1278/head
Matthew Mosesohn 2017-03-15 13:12:51 +03:00 committed by GitHub
commit 4354162067
5 changed files with 21 additions and 5 deletions

View File

@ -58,9 +58,16 @@ kube_users:
role: admin role: admin
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false
#kube_basic_auth: false
#kube_token_auth: false
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
# kube_oidc_auth: false
# kube_oidc_url: https:// ... # kube_oidc_url: https:// ...
# kube_oidc_client_id: kubernetes # kube_oidc_client_id: kubernetes
## Optional settings for OIDC ## Optional settings for OIDC
@ -69,7 +76,6 @@ kube_users:
# kube_oidc_groups_claim: groups # kube_oidc_groups_claim: groups
# Choose network plugin (calico, weave or flannel) # Choose network plugin (calico, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico kube_network_plugin: calico

View File

@ -33,9 +33,15 @@ kube_apiserver_cpu_limit: 800m
kube_apiserver_memory_requests: 256M kube_apiserver_memory_requests: 256M
kube_apiserver_cpu_requests: 300m kube_apiserver_cpu_requests: 300m
## Enable/Disable Kube API Server Authentication Methods
kube_basic_auth: true
kube_token_auth: true
kube_oidc_auth: false
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
kube_oidc_auth: false
#kube_oidc_url: https:// ... #kube_oidc_url: https:// ...
# kube_oidc_client_id: kubernetes # kube_oidc_client_id: kubernetes
## Optional settings for OIDC ## Optional settings for OIDC

View File

@ -34,10 +34,14 @@ spec:
- --service-cluster-ip-range={{ kube_service_addresses }} - --service-cluster-ip-range={{ kube_service_addresses }}
- --service-node-port-range={{ kube_apiserver_node_port_range }} - --service-node-port-range={{ kube_apiserver_node_port_range }}
- --client-ca-file={{ kube_cert_dir }}/ca.pem - --client-ca-file={{ kube_cert_dir }}/ca.pem
{% if kube_basic_auth|default(true) %}
- --basic-auth-file={{ kube_users_dir }}/known_users.csv - --basic-auth-file={{ kube_users_dir }}/known_users.csv
{% endif %}
- --tls-cert-file={{ kube_cert_dir }}/apiserver.pem - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
- --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
{% if kube_token_auth|default(true) %}
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
{% endif %}
- --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %} {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
- --oidc-issuer-url={{ kube_oidc_url }} - --oidc-issuer-url={{ kube_oidc_url }}

View File

@ -14,7 +14,7 @@
- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true" - name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
set_fact: set_fact:
gen_tokens: true gen_tokens: true
when: not known_tokens_master.stat.exists when: not known_tokens_master.stat.exists and kube_token_auth|default(true)
run_once: true run_once: true
- name: "Check tokens | check if a cert already exists" - name: "Check tokens | check if a cert already exists"

View File

@ -33,7 +33,7 @@
line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}' line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
backup: yes backup: yes
with_dict: "{{ kube_users }}" with_dict: "{{ kube_users }}"
when: inventory_hostname in "{{ groups['kube-master'] }}" when: inventory_hostname in "{{ groups['kube-master'] }}" and kube_basic_auth|default(true)
notify: set secret_changed notify: set secret_changed
# #