github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 03:11:40 +00:00
Code Issues Projects Releases Wiki Activity

Ensure controller manager and scheduler can perform delegated auth checks

Browse Source
This commit is contained in:
Jordan Liggitt 2019-01-02 13:08:25 -05:00
parent 58eb3e4b3a
commit 4212a9a05a
6 changed files with 60 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
View File

@ -23,6 +23,7 @@ import (
rbacv1 "k8s.io/api/rbac/v1" rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/user"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1" rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
) )
@ -119,10 +120,15 @@ func init() {
rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(), rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(),
}, },
}) })
delegatedAuthBinding := rbacv1helpers.NewRoleBinding("extension-apiserver-authentication-reader", metav1.NamespaceSystem).Users(user.KubeControllerManager, user.KubeScheduler).BindingOrDie()
delegatedAuthBinding.Name = "system::extension-apiserver-authentication-reader"
addNamespaceRoleBinding(metav1.NamespaceSystem, delegatedAuthBinding)
addNamespaceRoleBinding(metav1.NamespaceSystem, addNamespaceRoleBinding(metav1.NamespaceSystem,
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie()) rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).Users(user.KubeControllerManager).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
addNamespaceRoleBinding(metav1.NamespaceSystem, addNamespaceRoleBinding(metav1.NamespaceSystem,
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie()) rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).Users(user.KubeScheduler).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
addNamespaceRoleBinding(metav1.NamespaceSystem, addNamespaceRoleBinding(metav1.NamespaceSystem,
rbacv1helpers.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie()) rbacv1helpers.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie())
// cloud-provider is deprecated starting Kubernetes 1.10 and will be deleted according to GA deprecation policy. // cloud-provider is deprecated starting Kubernetes 1.10 and will be deleted according to GA deprecation policy.

4
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@ -407,6 +407,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(), rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
// Needed to check API access. These creates are non-mutating // Needed to check API access. These creates are non-mutating
rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(), rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
// Needed for all shared informers // Needed for all shared informers
rbacv1helpers.NewRule("list", "watch").Groups("*").Resources("*").RuleOrDie(), rbacv1helpers.NewRule("list", "watch").Groups("*").Resources("*").RuleOrDie(),
}, },
@ -434,6 +435,9 @@ func ClusterRoles() []rbacv1.ClusterRole {
// things that pods use or applies to them // things that pods use or applies to them
rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(), rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(), rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
// Needed to check API access. These creates are non-mutating
rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
}, },
}, },
{ {

18
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@ -662,6 +662,12 @@ items:
- tokenreviews - tokenreviews
verbs: verbs:
- create - create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups: - apiGroups:
- '*' - '*'
resources: resources:
@ -796,6 +802,18 @@ items:
- get - get
- list - list
- watch - watch
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiVersion: rbac.authorization.k8s.io/v1 - apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:

27
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml vendored
View File

@ -18,6 +18,27 @@ items:
- kind: ServiceAccount - kind: ServiceAccount
name: bootstrap-signer name: bootstrap-signer
namespace: kube-system namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system::extension-apiserver-authentication-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:kube-controller-manager
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:kube-scheduler
- apiVersion: rbac.authorization.k8s.io/v1 - apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
@ -33,6 +54,9 @@ items:
kind: Role kind: Role
name: system::leader-locking-kube-controller-manager name: system::leader-locking-kube-controller-manager
subjects: subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:kube-controller-manager
- kind: ServiceAccount - kind: ServiceAccount
name: kube-controller-manager name: kube-controller-manager
namespace: kube-system namespace: kube-system
@ -51,6 +75,9 @@ items:
kind: Role kind: Role
name: system::leader-locking-kube-scheduler name: system::leader-locking-kube-scheduler
subjects: subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:kube-scheduler
- kind: ServiceAccount - kind: ServiceAccount
name: kube-scheduler name: kube-scheduler
namespace: kube-system namespace: kube-system

3
test/integration/serving/BUILD
View File

@ -22,11 +22,8 @@ go_test(
"//cmd/kube-controller-manager/app/testing:go_default_library", "//cmd/kube-controller-manager/app/testing:go_default_library",
"//cmd/kube-scheduler/app/testing:go_default_library", "//cmd/kube-scheduler/app/testing:go_default_library",
"//pkg/cloudprovider/providers/fake:go_default_library", "//pkg/cloudprovider/providers/fake:go_default_library",
"//staging/src/k8s.io/api/rbac/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
"//staging/src/k8s.io/cloud-provider:go_default_library", "//staging/src/k8s.io/cloud-provider:go_default_library",
"//test/integration/framework:go_default_library", "//test/integration/framework:go_default_library",
], ],

45
test/integration/serving/serving_test.go
View File

@ -28,11 +28,8 @@ import (
"strings" "strings"
"testing" "testing"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/server" "k8s.io/apiserver/pkg/server"
"k8s.io/apiserver/pkg/server/options" "k8s.io/apiserver/pkg/server/options"
"k8s.io/client-go/kubernetes"
"k8s.io/cloud-provider" "k8s.io/cloud-provider"
cloudctrlmgrtesting "k8s.io/kubernetes/cmd/cloud-controller-manager/app/testing" cloudctrlmgrtesting "k8s.io/kubernetes/cmd/cloud-controller-manager/app/testing"
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing" kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
@ -49,6 +46,8 @@ type componentTester interface {
type kubeControllerManagerTester struct{} type kubeControllerManagerTester struct{}
func (kubeControllerManagerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, *server.DeprecatedInsecureServingInfo, func(), error) { func (kubeControllerManagerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, *server.DeprecatedInsecureServingInfo, func(), error) {
// avoid starting any controller loops, we're just testing serving
customFlags = append([]string{"--controllers="}, customFlags...)
gotResult, err := kubectrlmgrtesting.StartTestServer(t, customFlags) gotResult, err := kubectrlmgrtesting.StartTestServer(t, customFlags)
if err != nil { if err != nil {
return nil, nil, nil, nil, err return nil, nil, nil, nil, err
@ -96,7 +95,7 @@ func TestComponentSecureServingAndAuth(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
tokenFile.WriteString(fmt.Sprintf(` tokenFile.WriteString(fmt.Sprintf(`
%s,controller-manager,controller-manager,"" %s,system:kube-controller-manager,system:kube-controller-manager,""
`, token)) `, token))
tokenFile.Close() tokenFile.Close()
@ -107,44 +106,6 @@ func TestComponentSecureServingAndAuth(t *testing.T) {
}, framework.SharedEtcd()) }, framework.SharedEtcd())
defer server.TearDownFn() defer server.TearDownFn()
// allow controller-manager to do SubjectAccessReview
client, err := kubernetes.NewForConfig(server.ClientConfig)
if err != nil {
t.Fatalf("unexpected error creating client config: %v", err)
}
_, err = client.RbacV1().ClusterRoleBindings().Create(&rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{Name: "controller-manager:system:auth-delegator"},
Subjects: []rbacv1.Subject{{
Kind: "User",
Name: "controller-manager",
}},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "system:auth-delegator",
},
})
if err != nil {
t.Fatalf("failed to create system:auth-delegator rbac cluster role binding: %v", err)
}
// allow controller-manager to read kube-system/extension-apiserver-authentication
_, err = client.RbacV1().RoleBindings("kube-system").Create(&rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{Name: "controller-manager:extension-apiserver-authentication-reader"},
Subjects: []rbacv1.Subject{{
Kind: "User",
Name: "controller-manager",
}},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "Role",
Name: "extension-apiserver-authentication-reader",
},
})
if err != nil {
t.Fatalf("failed to create controller-manager:extension-apiserver-authentication-reader rbac role binding: %v", err)
}
// create kubeconfig for the apiserver // create kubeconfig for the apiserver
apiserverConfig, err := ioutil.TempFile("", "kubeconfig") apiserverConfig, err := ioutil.TempFile("", "kubeconfig")
if err != nil { if err != nil {