Scripts to configure image verification admission controller for gce.

2025-09-17 07:03:31 +00:00 · 2016-08-18 13:42:57 -07:00
parent 9de9405be7
commit 182a4fd0ac
4 changed files with 175 additions and 17 deletions
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -279,6 +279,36 @@ contexts:
  name: webhook
 EOF
  fi
+
+if [[ -n "${GCP_IMAGE_VERIFICATION_URL:-}" ]]; then
+    # This is the config file for the image review webhook.
+    cat <<EOF >/etc/gcp_image_review.config
+clusters:
+  - name: gcp-image-review-server
+    cluster:
+      server: ${GCP_IMAGE_VERIFICATION_URL}
+users:
+  - name: kube-apiserver
+    user:
+      auth-provider:
+        name: gcp
+current-context: webhook
+contexts:
+- context:
+    cluster: gcp-image-review-server
+    user: kube-apiserver
+  name: webhook
+EOF
+    # This is the config for the image review admission controller.
+    cat <<EOF >/etc/admission_controller.config
+imagePolicy:
+  kubeConfigFile: /etc/gcp_image_review.config
+  allowTTL: 30
+  denyTTL: 30
+  retryBackoff: 500
+  defaultAllow: true
+EOF
+  fi
 }

 function create-kubelet-kubeconfig {
@@ -670,9 +700,24 @@ function start-kube-apiserver {
  if [[ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]]; then
    params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
  fi
+
+  local admission_controller_config_mount=""
+  local admission_controller_config_volume=""
+  local image_policy_webhook_config_mount=""
+  local image_policy_webhook_config_volume=""
  if [[ -n "${ADMISSION_CONTROL:-}" ]]; then
    params+=" --admission-control=${ADMISSION_CONTROL}"
+    if [[ ${ADMISSION_CONTROL} == *"ImagePolicyWebhook"* ]]; then
+      params+=" --admission-control-config-file=/etc/admission_controller.config"
+      # Mount the file to configure admission controllers if ImagePolicyWebhook is set.
+      admission_controller_config_mount="{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"/etc/admission_controller.config\", \"readOnly\": false},"
+      admission_controller_config_volume="{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"/etc/admission_controller.config\"}},"
+      # Mount the file to configure the ImagePolicyWebhook's webhook.
+      image_policy_webhook_config_mount="{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false},"
+      image_policy_webhook_config_volume="{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\"}},"
+    fi
  fi
+
  if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT:-}" ]]; then
    params+=" --min-request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT}"
  fi
@@ -689,8 +734,8 @@ function start-kube-apiserver {
    params+=" --ssh-keyfile=/etc/srv/sshproxy/.sshkeyfile"
  fi

-  webhook_authn_config_mount=""
-  webhook_authn_config_volume=""
+  local webhook_authn_config_mount=""
+  local webhook_authn_config_volume=""
  if [[ -n "${GCP_AUTHN_URL:-}" ]]; then
    params+=" --authentication-token-webhook-config-file=/etc/gcp_authn.config"
    webhook_authn_config_mount="{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"/etc/gcp_authn.config\", \"readOnly\": false},"
@@ -698,8 +743,8 @@ function start-kube-apiserver {
  fi

  params+=" --authorization-mode=ABAC"
-  webhook_config_mount=""
-  webhook_config_volume=""
+  local webhook_config_mount=""
+  local webhook_config_volume=""
  if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
    params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config"
    webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
@@ -708,10 +753,10 @@ function start-kube-apiserver {
  local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"

  if [[ -n "${KUBE_USER:-}" ]]; then
-	  local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
-	  remove-salt-config-comments "${abac_policy_json}"
-	  sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
-	  cp "${abac_policy_json}" /etc/srv/kubernetes/
+    local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
+    remove-salt-config-comments "${abac_policy_json}"
+    sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
+    cp "${abac_policy_json}" /etc/srv/kubernetes/
  fi

  src_file="${src_dir}/kube-apiserver.manifest"
@@ -734,6 +779,10 @@ function start-kube-apiserver {
  sed -i -e "s@{{webhook_authn_config_volume}}@${webhook_authn_config_volume}@g" "${src_file}"
  sed -i -e "s@{{webhook_config_mount}}@${webhook_config_mount}@g" "${src_file}"
  sed -i -e "s@{{webhook_config_volume}}@${webhook_config_volume}@g" "${src_file}"
+  sed -i -e "s@{{admission_controller_config_mount}}@${admission_controller_config_mount}@g" "${src_file}"
+  sed -i -e "s@{{admission_controller_config_volume}}@${admission_controller_config_volume}@g" "${src_file}"
+  sed -i -e "s@{{image_policy_webhook_config_mount}}@${image_policy_webhook_config_mount}@g" "${src_file}"
+  sed -i -e "s@{{image_policy_webhook_config_volume}}@${image_policy_webhook_config_volume}@g" "${src_file}"
  cp "${src_file}" /etc/kubernetes/manifests
 }