add support for `service-account-lookup` parameter (#8781)

* feat: add variable to manage service-account-lookup on kube-apiserver

* docs: add documentation about service-account-lookup variable
pull/8795/head
Alessio Greggi 2022-05-06 09:39:07 +02:00 committed by GitHub
parent 3e52a0db95
commit e7df4d3dd9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 0 deletions

View File

@ -146,6 +146,8 @@ kube_apiserver_admission_event_rate_limits:
...
```
* *kube_apiserver_service_account_lookup* - Enable validation service account before validating token. Default `true`.
Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
private addresses, make sure to pick another values for ``kube_service_addresses``
and ``kube_pods_subnet``, for example from the ``172.18.0.0/16``.

View File

@ -18,6 +18,11 @@ kube_apiserver_node_port_range: "30000-32767"
# ETCD backend for k8s data
kube_apiserver_storage_backend: etcd3
# CIS 1.2.26
# Validate that the service account token
# in the request is actually present in etcd.
kube_apiserver_service_account_lookup: true
kube_etcd_cacert_file: ca.pem
kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem

View File

@ -146,6 +146,9 @@ apiServer:
{% if kube_token_auth|default(true) %}
token-auth-file: {{ kube_token_dir }}/known_tokens.csv
{% endif %}
{% if kube_apiserver_service_account_lookup %}
service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
{% endif %}
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
oidc-issuer-url: "{{ kube_oidc_url }}"
oidc-client-id: "{{ kube_oidc_client_id }}"