mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 11:50:44 +00:00
update gce for RBAC, controllers, proxy, kubelet (p1)
This commit is contained in:
parent
ad47a181ee
commit
2e2a2e4b94
@ -208,8 +208,9 @@ function create-master-auth {
|
||||
local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
|
||||
if [[ ! -e "${known_tokens_csv}" ]]; then
|
||||
echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}"
|
||||
echo "${KUBELET_TOKEN},kubelet,kubelet" >> "${known_tokens_csv}"
|
||||
echo "${KUBE_PROXY_TOKEN},kube_proxy,kube_proxy" >> "${known_tokens_csv}"
|
||||
echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
|
||||
echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
|
||||
echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
|
||||
fi
|
||||
local use_cloud_config="false"
|
||||
cat <<EOF >/etc/gce.conf
|
||||
@ -354,6 +355,7 @@ function create-master-kubelet-auth {
|
||||
REGISTER_MASTER_KUBELET="true"
|
||||
create-kubelet-kubeconfig
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
function create-kubeproxy-kubeconfig {
|
||||
@ -378,6 +380,30 @@ current-context: service-account-context
|
||||
EOF
|
||||
}
|
||||
|
||||
function create-kubecontrollermanager-kubeconfig {
|
||||
echo "Creating kube-controller-manager kubeconfig file"
|
||||
mkdir -p /etc/srv/kubernetes/kube-controller-manager
|
||||
cat <<EOF >/etc/srv/kubernetes/kube-controller-manager/kubeconfig
|
||||
apiVersion: v1
|
||||
kind: Config
|
||||
users:
|
||||
- name: kube-controller-manager
|
||||
user:
|
||||
token: ${KUBE_CONTROLLER_MANAGER_TOKEN}
|
||||
clusters:
|
||||
- name: local
|
||||
cluster:
|
||||
insecure-skip-tls-verify: true
|
||||
server: https://localhost:443
|
||||
contexts:
|
||||
- context:
|
||||
cluster: local
|
||||
user: kube-controller-manager
|
||||
name: service-account-context
|
||||
current-context: service-account-context
|
||||
EOF
|
||||
}
|
||||
|
||||
function create-master-etcd-auth {
|
||||
if [[ -n "${ETCD_CA_CERT:-}" && -n "${ETCD_PEER_KEY:-}" && -n "${ETCD_PEER_CERT:-}" ]]; then
|
||||
local -r auth_dir="/etc/srv/kubernetes"
|
||||
@ -838,7 +864,7 @@ function start-kube-apiserver {
|
||||
webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}},"
|
||||
fi
|
||||
|
||||
params+=" --authorization-mode=ABAC"
|
||||
params+=" --authorization-mode=RBAC,ABAC"
|
||||
local webhook_config_mount=""
|
||||
local webhook_config_volume=""
|
||||
if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
|
||||
@ -897,11 +923,13 @@ function start-kube-apiserver {
|
||||
# DOCKER_REGISTRY
|
||||
function start-kube-controller-manager {
|
||||
echo "Start kubernetes controller-manager"
|
||||
create-kubecontrollermanager-kubeconfig
|
||||
prepare-log-file /var/log/kube-controller-manager.log
|
||||
# Calculate variables and assemble the command line.
|
||||
local params="${CONTROLLER_MANAGER_TEST_LOG_LEVEL:-"--v=2"} ${CONTROLLER_MANAGER_TEST_ARGS:-} ${CLOUD_CONFIG_OPT}"
|
||||
params+=" --use-service-account-credentials"
|
||||
params+=" --cloud-provider=gce"
|
||||
params+=" --master=127.0.0.1:8080"
|
||||
params+=" --kubeconfig=/etc/srv/kubernetes/kube-controller-manager/kubeconfig"
|
||||
params+=" --root-ca-file=/etc/srv/kubernetes/ca.crt"
|
||||
params+=" --service-account-private-key-file=/etc/srv/kubernetes/server.key"
|
||||
if [[ -n "${ENABLE_GARBAGE_COLLECTOR:-}" ]]; then
|
||||
@ -1253,6 +1281,9 @@ if [[ -n "${KUBE_USER:-}" ]]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
# generate the controller manager token here since its only used on the master.
|
||||
KUBE_CONTROLLER_MANAGER_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
|
||||
|
||||
setup-os-params
|
||||
config-ip-firewall
|
||||
create-dirs
|
||||
|
@ -2,7 +2,6 @@
|
||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"{{kube_user}}", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"client", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:serviceaccounts", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
Loading…
Reference in New Issue
Block a user