Allow enabling ABAC authz

This commit is contained in:
Jordan Liggitt 2017-01-06 15:00:30 -05:00
parent 1fe517e96a
commit 21b422fccc
No known key found for this signature in database
GPG Key ID: 24E7ADF9A3B42012
3 changed files with 24 additions and 5 deletions

View File

@ -814,16 +814,22 @@ function start-kube-apiserver {
webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}},"
fi
params+=" --authorization-mode=RBAC"
local authorization_mode="RBAC"
if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then
params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}"
authorization_mode+=",ABAC"
fi
local webhook_config_mount=""
local webhook_config_volume=""
if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config"
authorization_mode+=",Webhook"
params+=" --authorization-webhook-config-file=/etc/gcp_authz.config"
webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
fi
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
params+=" --authorization-mode=${authorization_mode}"
src_file="${src_dir}/kube-apiserver.manifest"
remove-salt-config-comments "${src_file}"
# Evaluate variables.

View File

@ -878,15 +878,22 @@ function start-kube-apiserver {
webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}},"
fi
params+=" --authorization-mode=RBAC"
local authorization_mode="RBAC"
if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then
params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}"
authorization_mode+=",ABAC"
fi
local webhook_config_mount=""
local webhook_config_volume=""
if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config"
authorization_mode+=",Webhook"
params+=" --authorization-webhook-config-file=/etc/gcp_authz.config"
webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
fi
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
params+=" --authorization-mode=${authorization_mode}"
src_file="${src_dir}/kube-apiserver.manifest"
remove-salt-config-comments "${src_file}"

View File

@ -12,10 +12,16 @@ cluster/gce/configure-vm.sh: cloud_config: ${CLOUD_CONFIG}
cluster/gce/configure-vm.sh: env-to-grains "feature_gates"
cluster/gce/configure-vm.sh: env-to-grains "runtime_config"
cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}'
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC"
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook"
cluster/gce/container-linux/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}"
cluster/gce/container-linux/configure-helper.sh: local authorization_mode="RBAC"
cluster/gce/container-linux/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"
cluster/gce/container-linux/configure-helper.sh: sed -i -e "s@{{pillar\['allow_privileged'\]}}@true@g" "${src_file}"
cluster/gce/gci/configure-helper.sh: authorization_mode+=",ABAC"
cluster/gce/gci/configure-helper.sh: authorization_mode+=",Webhook"
cluster/gce/gci/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}"
cluster/gce/gci/configure-helper.sh: local authorization_mode="RBAC"
cluster/gce/gci/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"
cluster/gce/gci/configure-helper.sh: sed -i -e "s@{{pillar\['allow_privileged'\]}}@true@g" "${src_file}"
cluster/gce/trusty/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"