From 21b422fcccd63812048eaf7e431bf94e90fd57cd Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Fri, 6 Jan 2017 15:00:30 -0500 Subject: [PATCH] Allow enabling ABAC authz --- cluster/gce/container-linux/configure-helper.sh | 12 +++++++++--- cluster/gce/gci/configure-helper.sh | 11 +++++++++-- hack/verify-flags/exceptions.txt | 6 ++++++ 3 files changed, 24 insertions(+), 5 deletions(-) diff --git a/cluster/gce/container-linux/configure-helper.sh b/cluster/gce/container-linux/configure-helper.sh index e78dd900e31..8cc0745d17e 100755 --- a/cluster/gce/container-linux/configure-helper.sh +++ b/cluster/gce/container-linux/configure-helper.sh @@ -814,16 +814,22 @@ function start-kube-apiserver { webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}}," fi - params+=" --authorization-mode=RBAC" + local authorization_mode="RBAC" + if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then + params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}" + authorization_mode+=",ABAC" + fi local webhook_config_mount="" local webhook_config_volume="" if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then - params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config" + authorization_mode+=",Webhook" + params+=" --authorization-webhook-config-file=/etc/gcp_authz.config" webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false}," webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}}," fi local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty" - + params+=" --authorization-mode=${authorization_mode}" + src_file="${src_dir}/kube-apiserver.manifest" remove-salt-config-comments "${src_file}" # Evaluate variables. diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index 6d414d5a57b..0462cd3db0d 100644 --- a/cluster/gce/gci/configure-helper.sh 
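Review bot: The `-e "${ABAC_AUTHZ_FILE}"` test on the new `if` line runs on the host, but `--authorization-policy-file` is opened by the apiserver inside the static pod, and unlike the webhook config a few lines below no hostPath mount is added for the policy file. If ABAC_AUTHZ_FILE points outside a path the kube-apiserver manifest already mounts (presumably `/etc/srv/kubernetes` — verify against the manifest), the host-side check passes and the apiserver then fails at startup when it cannot read the file. Either add a `webhook_config_mount`-style mount for the policy file or document the constraint above the `if`, e.g. `# ABAC_AUTHZ_FILE must live under a path the kube-apiserver manifest mounts; -e only checks the host`. It is also worth a comment on `local authorization_mode="RBAC"` that `--authorization-mode` is a union — any listed authorizer allowing a request is sufficient — so appending ABAC strictly widens access beyond what RBAC grants. start-kube-apiserver begins and ends outside this hunk.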
+++ b/cluster/gce/gci/configure-helper.sh @@ -878,15 +878,22 @@ function start-kube-apiserver { webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}}," fi - params+=" --authorization-mode=RBAC" + + local authorization_mode="RBAC" + if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then + params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}" + authorization_mode+=",ABAC" + fi local webhook_config_mount="" local webhook_config_volume="" if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then - params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config" + authorization_mode+=",Webhook" + params+=" --authorization-webhook-config-file=/etc/gcp_authz.config" webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false}," webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}}," fi local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty" + params+=" --authorization-mode=${authorization_mode}" src_file="${src_dir}/kube-apiserver.manifest" remove-salt-config-comments "${src_file}" diff --git a/hack/verify-flags/exceptions.txt b/hack/verify-flags/exceptions.txt index 961fcfac0fc..8e8dd2e362b 100644 --- a/hack/verify-flags/exceptions.txt +++ b/hack/verify-flags/exceptions.txt 
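Review bot: When ABAC_AUTHZ_FILE is set but the `-e` test fails, the new `if` block silently starts the apiserver with RBAC only, so an operator who configured ABAC for legacy permissions gets no indication why those requests are now denied. Failing closed is the right default for an authorizer, but the fallback should be visible: add `else echo "ABAC_AUTHZ_FILE=${ABAC_AUTHZ_FILE} not found; ABAC authorizer not enabled" >&2` before the `fi`. A one-line comment above `local authorization_mode="RBAC"` would also help the next maintainer: `# Authorizers are tried in order and any allow wins: RBAC always, ABAC and Webhook only when configured`. start-kube-apiserver begins and ends outside this hunk.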
@@ -12,10 +12,16 @@ cluster/gce/configure-vm.sh: cloud_config: ${CLOUD_CONFIG} cluster/gce/configure-vm.sh: env-to-grains "feature_gates" cluster/gce/configure-vm.sh: env-to-grains "runtime_config" cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}' +cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC" +cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook" cluster/gce/container-linux/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}" +cluster/gce/container-linux/configure-helper.sh: local authorization_mode="RBAC" cluster/gce/container-linux/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}" cluster/gce/container-linux/configure-helper.sh: sed -i -e "s@{{pillar\['allow_privileged'\]}}@true@g" "${src_file}" +cluster/gce/gci/configure-helper.sh: authorization_mode+=",ABAC" +cluster/gce/gci/configure-helper.sh: authorization_mode+=",Webhook" cluster/gce/gci/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}" +cluster/gce/gci/configure-helper.sh: local authorization_mode="RBAC" cluster/gce/gci/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}" cluster/gce/gci/configure-helper.sh: sed -i -e "s@{{pillar\['allow_privileged'\]}}@true@g" "${src_file}" cluster/gce/trusty/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"