enable back kubelet_authorization_mode_webhook by default (#9662)

In 6db6c8678c, this was disabled becaue kubesrpay gave too much permissions that were not needed. This commit re-enable back this option by default and also removes the extra permissions that kubespray gave that were in fact not needed. Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
2023-01-17 08:56:32 +01:00 · 2023-01-17 08:56:32 +01:00 · 4a6eb7eaa2
parent 58fe1a0ed6
commit 4a6eb7eaa2
5 changed files with 6 additions and 72 deletions
--- a/docs/hardening.md
+++ b/docs/hardening.md
@ -85,6 +85,7 @@ kube_kubeadm_scheduler_extra_args:
 etcd_deployment_type: kubeadm

 ## kubelet
+kubelet_authorization_mode_webhook: true
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@ -37,55 +37,25 @@
    - node_crb_manifest.changed
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
-  template:
-    src: "node-webhook-cr.yml.j2"
-    dest: "{{ kube_config_dir }}/node-webhook-cr.yml"
-    mode: 0640
-  register: node_webhook_cr_manifest
-  when:
-    - rbac_enabled
-    - kubelet_authorization_mode_webhook
-    - inventory_hostname == groups['kube_control_plane'][0]
-  tags: node-webhook
-
- name: Apply webhook ClusterRole
+- name: Kubernetes Apps | Remove old webhook ClusterRole
  kube:
    name: "system:node-webhook"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "clusterrole"
-    filename: "{{ kube_config_dir }}/node-webhook-cr.yml"
-    state: latest
+    state: absent
  when:
    - rbac_enabled
-    - kubelet_authorization_mode_webhook
-    - node_webhook_cr_manifest.changed
    - inventory_hostname == groups['kube_control_plane'][0]
  tags: node-webhook

- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
-  template:
-    src: "node-webhook-crb.yml.j2"
-    dest: "{{ kube_config_dir }}/node-webhook-crb.yml"
-    mode: 0640
-  register: node_webhook_crb_manifest
-  when:
-    - rbac_enabled
-    - kubelet_authorization_mode_webhook
-    - inventory_hostname == groups['kube_control_plane'][0]
-  tags: node-webhook
-
- name: Grant system:nodes the webhook ClusterRole
+- name: Kubernetes Apps | Remove old webhook ClusterRoleBinding
  kube:
    name: "system:node-webhook"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "clusterrolebinding"
-    filename: "{{ kube_config_dir }}/node-webhook-crb.yml"
-    state: latest
+    state: absent
  when:
    - rbac_enabled
-    - kubelet_authorization_mode_webhook
-    - node_webhook_crb_manifest.changed
    - inventory_hostname == groups['kube_control_plane'][0]
  tags: node-webhook

--- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2
@ -1,20 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
-  labels:
-    kubernetes.io/bootstrapping: rbac-defaults
-  name: system:node-webhook
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes/proxy
-      - nodes/stats
-      - nodes/log
-      - nodes/spec
-      - nodes/metrics
-    verbs:
-      - "*"
--- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2
+++ b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2
@ -1,17 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
-  labels:
-    kubernetes.io/bootstrapping: rbac-defaults
-  name: system:node-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:node-webhook
-subjects:
- apiGroup: rbac.authorization.k8s.io
-  kind: Group
-  name: system:nodes
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@ -480,7 +480,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
 kubelet_authentication_token_webhook: true

 # When enabled, access to the kubelet API requires authorization by delegation to the API server
-kubelet_authorization_mode_webhook: false
+kubelet_authorization_mode_webhook: true

 # kubelet uses certificates for authenticating to the Kubernetes API
 # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration