diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index a9c516ff6de..0f7ec8decbe 100755
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -904,6 +904,7 @@ EOF
 fi
 env-to-grains "runtime_config"
+ env-to-grains "kube_user"
 }
 function salt-node-role() {
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index f854538a791..1e92b7eaae8 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -637,7 +637,12 @@ function start-kube-apiserver {
 webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
 fi
 local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
- cp "${src_dir}/abac-authz-policy.jsonl" /etc/srv/kubernetes/
+
+ local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
+ remove-salt-config-comments "${abac_policy_json}"
+ sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
+ cp "${abac_policy_json}" /etc/srv/kubernetes/
+
 src_file="${src_dir}/kube-apiserver.manifest"
 remove-salt-config-comments "${src_file}"
 # Evaluate variables.
diff --git a/cluster/gce/trusty/configure-helper.sh b/cluster/gce/trusty/configure-helper.sh
index e995810cdcc..b5ec9ee958d 100644
--- a/cluster/gce/trusty/configure-helper.sh
+++ b/cluster/gce/trusty/configure-helper.sh
@@ -542,7 +542,12 @@ start_kube_apiserver() {
 fi
 src_dir="/home/kubernetes/kube-manifests/kubernetes/gci-trusty"
- cp "${src_dir}/abac-authz-policy.jsonl" /etc/srv/kubernetes/
+
+ local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
+ remove_salt_config_comments "${abac_policy_json}"
+ sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
+ cp "${abac_policy_json}" /etc/srv/kubernetes/
+
 src_file="${src_dir}/kube-apiserver.manifest"
 remove_salt_config_comments "${src_file}"
 # Evaluate variables
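Review bot: The new `sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"` line in start-kube-apiserver splices KUBE_USER into a sed expression, and through it into an authorization policy line, without checking the value: a `@` in the value is the sed delimiter (an e-mail-style user name would contain one) and makes the substitution fail, `&`, `\`, `"` or a newline would change the JSON that lands in /etc/srv/kubernetes/abac-authz-policy.jsonl rather than just the user name, and an empty KUBE_USER leaves `"user":""` in a policy that grants `*` on every resource. Whether the script runs with `set -u` or otherwise guarantees KUBE_USER is non-empty is not visible in the hunk. I would validate the value against a conservative allow-list before substituting and fail closed, and switch the delimiter so that `@` is permitted; the identical lines in the trusty/configure-helper.sh hunk (`remove_salt_config_comments` spelling) need the same treatment. start-kube-apiserver begins and ends outside the hunk.
```shell
  local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
  remove-salt-config-comments "${abac_policy_json}"
  # Fail closed: the value is written into an authorization policy line, so
  # refuse anything outside a plain user-name alphabet (this also keeps out the
  # sed delimiter and the characters sed or JSON would interpret).
  if [[ ! "${KUBE_USER:-}" =~ ^[A-Za-z0-9._@-]+$ ]]; then
    printf '%s\n' "KUBE_USER is unset or contains characters not permitted in the ABAC policy" >&2
    exit 1
  fi
  sed -i -e "s|{{kube_user}}|${KUBE_USER}|g" "${abac_policy_json}"
  cp "${abac_policy_json}" /etc/srv/kubernetes/
  # … unchanged: kube-apiserver.manifest handling …
```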
diff --git a/cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl b/cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl
index 53e86fd487e..f0cbce7d45f 100644
--- a/cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl
+++ b/cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl
@@ -1,4 +1,6 @@
+{% set kube_user = grains.kube_user -%}
 {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"{{kube_user}}", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
 {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
 {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
 {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
diff --git a/cluster/saltbase/salt/kube-apiserver/init.sls b/cluster/saltbase/salt/kube-apiserver/init.sls
index 80661c6a4f6..28a7f7edfac 100644
--- a/cluster/saltbase/salt/kube-apiserver/init.sls
+++ b/cluster/saltbase/salt/kube-apiserver/init.sls
@@ -19,6 +19,7 @@
 /srv/kubernetes/abac-authz-policy.jsonl:
 file.managed:
 - source: salt://kube-apiserver/abac-authz-policy.jsonl
+ - template: jinja
 - user: root
 - group: root
 - mode: 600
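Review bot: The added first line `{% set kube_user = grains.kube_user -%}` is a Jinja directive, but on the GCI and trusty paths this file is not rendered by Salt: the configure-helper hunks only run remove-salt-config-comments on it and sed `{{kube_user}}` to `${KUBE_USER}`, and neither touches `grains.kube_user`, so unless remove-salt-config-comments also strips `{% … %}` lines (its definition is not in the diff) the directive is copied verbatim into /etc/srv/kubernetes/abac-authz-policy.jsonl as a non-JSON line for the apiserver's policy reader. Since init.sls now sets `- template: jinja`, the new policy line could use `"user":"{{grains.kube_user}}"` directly and the set line could be dropped, leaving the file one JSON object per line apart from the placeholder. If the apiserver's policy reader accepts `#` comment lines (to be confirmed), a one-line `#` comment at the top naming the placeholder that the non-Salt bootstrap paths substitute would help the next person who edits this file.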