Added support for webhook authentication/authorization on the secure kubelet endpoint
parent
84e47f4aaa
commit
a800ed094b
|
@ -29,6 +29,52 @@
|
|||
- rbac_enabled
|
||||
- node_crb_manifest.changed
|
||||
|
||||
- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
|
||||
template:
|
||||
src: "node-webhook-cr.yml.j2"
|
||||
dest: "{{ kube_config_dir }}/node-webhook-cr.yml"
|
||||
register: node_webhook_cr_manifest
|
||||
when:
|
||||
- rbac_enabled
|
||||
- kubelet_authorization_mode_webhook
|
||||
tags: node-webhook
|
||||
|
||||
- name: Apply webhook ClusterRole
|
||||
kube:
|
||||
name: "system:node-webhook"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "clusterrole"
|
||||
filename: "{{ kube_config_dir }}/node-webhook-cr.yml"
|
||||
state: latest
|
||||
when:
|
||||
- rbac_enabled
|
||||
- kubelet_authorization_mode_webhook
|
||||
- node_webhook_cr_manifest.changed
|
||||
tags: node-webhook
|
||||
|
||||
- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
|
||||
template:
|
||||
src: "node-webhook-crb.yml.j2"
|
||||
dest: "{{ kube_config_dir }}/node-webhook-crb.yml"
|
||||
register: node_webhook_crb_manifest
|
||||
when:
|
||||
- rbac_enabled
|
||||
- kubelet_authorization_mode_webhook
|
||||
tags: node-webhook
|
||||
|
||||
- name: Grant system:nodes the webhook ClusterRole
|
||||
kube:
|
||||
name: "system:node-webhook"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "clusterrolebinding"
|
||||
filename: "{{ kube_config_dir }}/node-webhook-crb.yml"
|
||||
state: latest
|
||||
when:
|
||||
- rbac_enabled
|
||||
- kubelet_authorization_mode_webhook
|
||||
- node_webhook_crb_manifest.changed
|
||||
tags: node-webhook
|
||||
|
||||
# This is not a cluster role, but should be run after kubeconfig is set on master
|
||||
- name: Write kube system namespace manifest
|
||||
template:
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
annotations:
|
||||
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||
labels:
|
||||
kubernetes.io/bootstrapping: rbac-defaults
|
||||
name: system:node-webhook
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes/proxy
|
||||
- nodes/stats
|
||||
- nodes/log
|
||||
- nodes/spec
|
||||
- nodes/metrics
|
||||
verbs:
|
||||
- "*"
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
annotations:
|
||||
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||
labels:
|
||||
kubernetes.io/bootstrapping: rbac-defaults
|
||||
name: system:node-webhook
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:node-webhook
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: Group
|
||||
name: system:nodes
|
|
@ -20,6 +20,9 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
|
|||
{% if kube_version | version_compare('v1.8', '<') %}
|
||||
--require-kubeconfig \
|
||||
{% endif %}
|
||||
{% if kubelet_authentication_token_webhook %}
|
||||
--authentication-token-webhook \
|
||||
{% endif %}
|
||||
--authorization-mode=Webhook \
|
||||
--client-ca-file={{ kube_cert_dir }}/ca.crt \
|
||||
--pod-manifest-path={{ kube_manifest_dir }} \
|
||||
|
|
|
@ -33,6 +33,12 @@ KUBELET_HOSTNAME="--hostname-override={{ kube_override_hostname }}"
|
|||
{% else %}
|
||||
--fail-swap-on={{ kubelet_fail_swap_on|default(true)}} \
|
||||
{% endif %}
|
||||
{% if kubelet_authentication_token_webhook %}
|
||||
--authentication-token-webhook \
|
||||
{% endif %}
|
||||
{% if kubelet_authorization_mode_webhook %}
|
||||
--authorization-mode=Webhook \
|
||||
{% endif %}
|
||||
--enforce-node-allocatable={{ kubelet_enforce_node_allocatable }} {% endif %}{% endset %}
|
||||
|
||||
{# DNS settings for kubelet #}
|
||||
|
|
|
@ -197,6 +197,12 @@ openstack_lbaas_monitor_max_retries: "3"
|
|||
authorization_modes: ['Node', 'RBAC']
|
||||
rbac_enabled: "{{ 'RBAC' in authorization_modes or kubeadm_enabled }}"
|
||||
|
||||
# When enabled, API bearer tokens (including service account tokens) can be used to authenticate to the kubelet’s HTTPS endpoint
|
||||
kubelet_authentication_token_webhook: false
|
||||
|
||||
# When enabled, access to the kubelet API requires authorization by delegation to the API server
|
||||
kubelet_authorization_mode_webhook: false
|
||||
|
||||
## List of key=value pairs that describe feature gates for
|
||||
## the k8s cluster.
|
||||
kube_feature_gates:
|
||||
|
|
Loading…
Reference in New Issue