Remove deprecated (and removed in 1.19) flag and function --basic-auth-file (#6655)

pull/6666/head
Florian Ruynat 2020-09-11 09:30:14 +02:00 committed by GitHub
parent 1765c9125a
commit a556f8f2bf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 4 additions and 70 deletions

View File

@ -95,7 +95,7 @@ the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-applicati
Supported version is kubernetes-dashboard v2.0.x : Supported version is kubernetes-dashboard v2.0.x :
- Login options are : token/kubeconfig by default, basic can be enabled with `kube_basic_auth: true` inventory variable - not recommended because this requires ABAC api-server which is not tested by kubespray team - Login option : token/kubeconfig by default
- Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory, - Deployed by default in "kube-system" namespace, can be overridden with `dashboard_namespace: kubernetes-dashboard` in inventory,
- Only serves over https - Only serves over https

View File

@ -209,11 +209,3 @@ in the form of dicts of key-value pairs of configuration parameters that will be
* *helm_version* - Defaults to v3.x, set to a v2 version (e.g. `v2.16.1` ) to install Helm 2.x (will install Tiller!). * *helm_version* - Defaults to v3.x, set to a v2 version (e.g. `v2.16.1` ) to install Helm 2.x (will install Tiller!).
Picking v3 for an existing cluster running Tiller will leave it alone. In that case you will have to remove Tiller manually afterwards. Picking v3 for an existing cluster running Tiller will leave it alone. In that case you will have to remove Tiller manually afterwards.
## User accounts
The variable `kube_basic_auth` is false by default, but if set to true, a user with admin rights is created, named `kube`.
The password can be viewed after deployment by looking at the file
`{{ credentials_dir }}/kube_user.creds` (`credentials_dir` is set to `{{ inventory_dir }}/credentials` by default). This contains a randomly generated
password. If you wish to set your own password, just precreate/modify this
file yourself or change `kube_api_pwd` var.

View File

@ -14,9 +14,6 @@ kube_cert_dir: "{{ kube_config_dir }}/ssl"
# This is where all of the bearer tokens will be stored # This is where all of the bearer tokens will be stored
kube_token_dir: "{{ kube_config_dir }}/tokens" kube_token_dir: "{{ kube_config_dir }}/tokens"
# This is where to save basic auth file
kube_users_dir: "{{ kube_config_dir }}/users"
kube_api_anonymous_auth: true kube_api_anonymous_auth: true
## Change this to use another Kubernetes version, e.g. a current beta release ## Change this to use another Kubernetes version, e.g. a current beta release
@ -41,19 +38,8 @@ kube_log_level: 2
# Directory where credentials will be stored # Directory where credentials will be stored
credentials_dir: "{{ inventory_dir }}/credentials" credentials_dir: "{{ inventory_dir }}/credentials"
# Users to create for basic auth in Kubernetes API via HTTP ## It is possible to activate / deactivate selected authentication methods (oidc, static token auth)
# Optionally add groups for user
kube_api_pwd: "{{ lookup('password', credentials_dir + '/kube_user.creds length=15 chars=ascii_letters,digits') }}"
kube_users:
kube:
pass: "{{kube_api_pwd}}"
role: admin
groups:
- system:masters
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
# kube_oidc_auth: false # kube_oidc_auth: false
# kube_basic_auth: false
# kube_token_auth: false # kube_token_auth: false

View File

@ -189,7 +189,7 @@ spec:
{% if dashboard_skip_login %} {% if dashboard_skip_login %}
- --enable-skip-login - --enable-skip-login
{% endif %} {% endif %}
- --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %} - --authentication-mode=token
# Uncomment the following line to manually specify Kubernetes API server Host # Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect # If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work. # to it. Uncomment only if the default does not work.

View File

@ -95,7 +95,6 @@ kube_apiserver_disable_admission_plugins: []
kube_api_runtime_config: [] kube_api_runtime_config: []
## Enable/Disable Kube API Server Authentication Methods ## Enable/Disable Kube API Server Authentication Methods
kube_basic_auth: false
kube_token_auth: false kube_token_auth: false
kube_oidc_auth: false kube_oidc_auth: false
kube_webhook_token_auth: false kube_webhook_token_auth: false

View File

@ -3,10 +3,6 @@
tags: tags:
- k8s-pre-upgrade - k8s-pre-upgrade
- import_tasks: users-file.yml
when:
- kube_basic_auth|default(true)
- name: Create webhook token auth config - name: Create webhook token auth config
template: template:
src: webhook-token-auth-config.yaml.j2 src: webhook-token-auth-config.yaml.j2

View File

@ -1,14 +0,0 @@
---
- name: Make sure the users directory exits
file:
path: "{{ kube_users_dir }}"
state: directory
mode: o-rwx
group: "{{ kube_cert_group }}"
- name: Populate users for basic auth in API
template:
src: known_users.csv.j2
dest: "{{ kube_users_dir }}/known_users.csv"
mode: 0640
backup: yes

View File

@ -1,4 +0,0 @@
{% for user in kube_users %}
{{kube_users[user].pass}},{{user}},{{kube_users[user].role}}{% if kube_users[user].groups is defined %},{% set groups_csv = kube_users[user].groups|join(',') -%}"{{groups_csv}}"{% endif %}
{% endfor %}

View File

@ -126,9 +126,6 @@ apiServer:
profiling: "{{ kube_profiling }}" profiling: "{{ kube_profiling }}"
request-timeout: "{{ kube_apiserver_request_timeout }}" request-timeout: "{{ kube_apiserver_request_timeout }}"
enable-aggregator-routing: "{{ kube_api_aggregator_routing }}" enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
{% if kube_basic_auth|default(true) %}
basic-auth-file: {{ kube_users_dir }}/known_users.csv
{% endif %}
{% if kube_token_auth|default(true) %} {% if kube_token_auth|default(true) %}
token-auth-file: {{ kube_token_dir }}/known_tokens.csv token-auth-file: {{ kube_token_dir }}/known_tokens.csv
{% endif %} {% endif %}
@ -202,18 +199,13 @@ apiServer:
{% if kubelet_rotate_server_certificates %} {% if kubelet_rotate_server_certificates %}
kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt
{% endif %} {% endif %}
{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %} {% if kubernetes_audit or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %}
extraVolumes: extraVolumes:
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %} {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] %}
- name: cloud-config - name: cloud-config
hostPath: {{ kube_config_dir }}/cloud_config hostPath: {{ kube_config_dir }}/cloud_config
mountPath: {{ kube_config_dir }}/cloud_config mountPath: {{ kube_config_dir }}/cloud_config
{% endif %} {% endif %}
{% if kube_basic_auth|default(true) %}
- name: basic-auth-config
hostPath: {{ kube_users_dir }}
mountPath: {{ kube_users_dir }}
{% endif %}
{% if kube_token_auth|default(true) %} {% if kube_token_auth|default(true) %}
- name: token-auth-config - name: token-auth-config
hostPath: {{ kube_token_dir }} hostPath: {{ kube_token_dir }}

View File

@ -133,10 +133,6 @@ kube_cert_compat_dir: "/etc/kubernetes/pki"
# This is where all of the bearer tokens will be stored # This is where all of the bearer tokens will be stored
kube_token_dir: "{{ kube_config_dir }}/tokens" kube_token_dir: "{{ kube_config_dir }}/tokens"
# This is where to save basic auth file
kube_users_dir: "{{ kube_config_dir }}/users"
# This is the group that the cert creation scripts chgrp the # This is the group that the cert creation scripts chgrp the
# cert files to. Not really changeable... # cert files to. Not really changeable...
kube_cert_group: kube-cert kube_cert_group: kube-cert
@ -144,13 +140,6 @@ kube_cert_group: kube-cert
# Cluster Loglevel configuration # Cluster Loglevel configuration
kube_log_level: 2 kube_log_level: 2
# Users to create for basic auth in Kubernetes API via HTTP
kube_api_pwd: "changeme"
kube_users:
kube:
pass: "{{kube_api_pwd}}"
role: admin
# Choose network plugin (cilium, calico, weave or flannel) # Choose network plugin (cilium, calico, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico kube_network_plugin: calico

View File

@ -24,5 +24,4 @@ cert_manager_enabled: true
metrics_server_enabled: false metrics_server_enabled: false
metrics_server_kubelet_insecure_tls: true metrics_server_kubelet_insecure_tls: true
kube_token_auth: true kube_token_auth: true
kube_basic_auth: true
enable_nodelocaldns: false enable_nodelocaldns: false

View File

@ -24,5 +24,4 @@ cert_manager_enabled: true
metrics_server_enabled: false metrics_server_enabled: false
metrics_server_kubelet_insecure_tls: true metrics_server_kubelet_insecure_tls: true
kube_token_auth: true kube_token_auth: true
kube_basic_auth: true
enable_nodelocaldns: false enable_nodelocaldns: false