Merge pull request #38626 from deads2k/rbac-21-e2e-enable
Automatic merge from submit-queue. Enforce the RBAC authorizer in e2e for controllers and proxy. Turns on RBAC and updates the GCE controllers to use discrete service accounts. Opening this pull to start completing the roles.
commit
20003bdccb
@ -208,8 +208,9 @@ function create-master-auth {
local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
if [[ ! -e "${known_tokens_csv}" ]]; then
echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}"
echo "${KUBELET_TOKEN},kubelet,kubelet" >> "${known_tokens_csv}"
echo "${KUBE_PROXY_TOKEN},kube_proxy,kube_proxy" >> "${known_tokens_csv}"
echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
fi
local use_cloud_config="false"
cat <<EOF >/etc/gce.conf
@ -354,6 +355,7 @@ function create-master-kubelet-auth {
REGISTER_MASTER_KUBELET="true"
create-kubelet-kubeconfig
fi
}
function create-kubeproxy-kubeconfig {
@ -378,6 +380,30 @@ current-context: service-account-context
EOF
}
function create-kubecontrollermanager-kubeconfig {
echo "Creating kube-controller-manager kubeconfig file"
mkdir -p /etc/srv/kubernetes/kube-controller-manager
cat <<EOF >/etc/srv/kubernetes/kube-controller-manager/kubeconfig
apiVersion: v1
kind: Config
users:
- name: kube-controller-manager
user:
token: ${KUBE_CONTROLLER_MANAGER_TOKEN}
clusters:
- name: local
cluster:
insecure-skip-tls-verify: true
server: https://localhost:443
contexts:
- context:
cluster: local
user: kube-controller-manager
name: service-account-context
current-context: service-account-context
EOF
}
function create-master-etcd-auth {
if [[ -n "${ETCD_CA_CERT:-}" && -n "${ETCD_PEER_KEY:-}" && -n "${ETCD_PEER_CERT:-}" ]]; then
local -r auth_dir="/etc/srv/kubernetes"
@ -838,7 +864,7 @@ function start-kube-apiserver {
webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}},"
fi
params+=" --authorization-mode=ABAC"
params+=" --authorization-mode=RBAC,ABAC"
local webhook_config_mount=""
local webhook_config_volume=""
if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
@ -897,11 +923,13 @@ function start-kube-apiserver {
# DOCKER_REGISTRY
function start-kube-controller-manager {
echo "Start kubernetes controller-manager"
create-kubecontrollermanager-kubeconfig
prepare-log-file /var/log/kube-controller-manager.log
# Calculate variables and assemble the command line.
local params="${CONTROLLER_MANAGER_TEST_LOG_LEVEL:-"--v=2"} ${CONTROLLER_MANAGER_TEST_ARGS:-} ${CLOUD_CONFIG_OPT}"
params+=" --use-service-account-credentials"
params+=" --cloud-provider=gce"
params+=" --master=127.0.0.1:8080"
params+=" --kubeconfig=/etc/srv/kubernetes/kube-controller-manager/kubeconfig"
params+=" --root-ca-file=/etc/srv/kubernetes/ca.crt"
params+=" --service-account-private-key-file=/etc/srv/kubernetes/server.key"
if [[ -n "${ENABLE_GARBAGE_COLLECTOR:-}" ]]; then
@ -1253,6 +1281,9 @@ if [[ -n "${KUBE_USER:-}" ]]; then
fi
fi
# generate the controller manager token here since its only used on the master.
KUBE_CONTROLLER_MANAGER_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
setup-os-params
config-ip-firewall
create-dirs
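Review bot: The kubeconfig written by the new create-kubecontrollermanager-kubeconfig sets `insecure-skip-tls-verify: true` for `server: https://localhost:443`, so the controller-manager's bearer token is presented to a server that is never authenticated; the master CA is already on disk at `/etc/srv/kubernetes/ca.crt` (the same path passed as `--root-ca-file` in start-kube-controller-manager), so the cluster entry can carry `certificate-authority: /etc/srv/kubernetes/ca.crt` in place of the skip-verify flag. In the same section, start-kube-controller-manager now passes both `--master=127.0.0.1:8080` and `--kubeconfig=/etc/srv/kubernetes/kube-controller-manager/kubeconfig`; if `--master` takes precedence over the kubeconfig's server, as clientcmd's flag handling does, the token-bearing config is never exercised and the process keeps talking to the insecure port, which would silently defeat the point of the new identity. A one-line comment stating which endpoint is intended, or dropping `--master`, would settle that. Separately, the kubelet line in known_tokens.csv maps one shared `${KUBELET_TOKEN}` to the single user `system:node:node-name`, so every node authenticates as the same identity; that is pre-existing, but worth a comment so nobody later mistakes it for per-node identity.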
@ -2,7 +2,6 @@
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"{{kube_user}}", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"client", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:serviceaccounts", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
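Review bot: This policy file still keeps the rule granting the `system:serviceaccounts` group `*` on every resource, apiGroup and nonResourcePath, and the apiserver is now started with `--authorization-mode=RBAC,ABAC`; under that union a request is allowed as soon as either authorizer allows it, so every in-cluster service account retains unrestricted access through ABAC no matter which RBAC roles are bound to it. The RBAC DENY log line added in the Go change therefore fires only for callers ABAC does not already cover, and "enforcing RBAC" for controllers is only true once that line is removed (and ABAC eventually dropped from the mode list). The wildcard rules for `admin`, `kubecfg` and `client` have the same effect for those users. It would help to record that follow-up explicitly, for example in the PR description or a tracking issue, since the policy file format gives no room for an inline comment.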
@ -21,6 +21,7 @@ go_library(
"//pkg/auth/authorizer:go_default_library",
"//pkg/auth/user:go_default_library",
"//pkg/util/errors:go_default_library",
"//vendor:github.com/golang/glog",
],
)
@ -18,6 +18,8 @@ limitations under the License.
package rbac
import (
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/apis/rbac/validation"
"k8s.io/kubernetes/pkg/auth/authorizer"
@ -42,6 +44,9 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
return true, "", nil
}
glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(),
requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource())
return false, "", ruleResolutionError
}
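Review bot: The new "RBAC DENY" line omits `ruleResolutionError`, so a denial caused by a failed rule lookup is logged identically to an ordinary deny even though the function returns that error on the very next line; appending it to the message (`... cannot %q on \"%v.%v/%v\": %v` with `ruleResolutionError` as the final argument, which prints `<nil>` in the plain case) keeps the two cases distinguishable in the log. The line also always formats resource, apiGroup and subresource, so for non-resource requests (where `requestAttributes.IsResourceRequest()` is false) the field an operator needs, `requestAttributes.GetPath()`, never appears; branching on `IsResourceRequest()` would fix that. Note that with the apiserver now running `RBAC,ABAC`, this V(2) message is emitted for every request that ABAC allows but RBAC would not, which at the `--v=2` default used by the GCE scripts may be noisy until the roles are complete. The start of Authorize lies outside this hunk.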