Merge pull request #29164 from cjcullen/customuser

Automatic merge from submit-queue

append an abac rule for $KUBE_USER.

Allows the specified basic-auth credentials to be authorized against all resources.

Fixes #28869.

cluster/gce/configure-vm.sh

@@ -904,6 +904,7 @@ EOF
   fi
 
   env-to-grains "runtime_config"
+  env-to-grains "kube_user"
 }
 
 function salt-node-role() {

cluster/gce/gci/configure-helper.sh

@@ -637,7 +637,12 @@ function start-kube-apiserver {
     webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
   fi
   local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
-  cp "${src_dir}/abac-authz-policy.jsonl" /etc/srv/kubernetes/
+
+  local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
+  remove-salt-config-comments "${abac_policy_json}"
+  sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
+  cp "${abac_policy_json}" /etc/srv/kubernetes/
+
   src_file="${src_dir}/kube-apiserver.manifest"
   remove-salt-config-comments "${src_file}"
   # Evaluate variables.

cluster/gce/trusty/configure-helper.sh

@@ -542,7 +542,12 @@ start_kube_apiserver() {
   fi
 
   src_dir="/home/kubernetes/kube-manifests/kubernetes/gci-trusty"
-  cp "${src_dir}/abac-authz-policy.jsonl" /etc/srv/kubernetes/
+
+  local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
+  remove_salt_config_comments "${abac_policy_json}"
+  sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
+  cp "${abac_policy_json}" /etc/srv/kubernetes/
+
   src_file="${src_dir}/kube-apiserver.manifest"
   remove_salt_config_comments "${src_file}"
   # Evaluate variables

cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl

@@ -1,4 +1,6 @@
+{% set kube_user = grains.kube_user -%}
 {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"{{kube_user}}", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
 {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
 {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
 {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}

cluster/saltbase/salt/kube-apiserver/init.sls

@@ -19,6 +19,7 @@
 /srv/kubernetes/abac-authz-policy.jsonl:
   file.managed:
     - source: salt://kube-apiserver/abac-authz-policy.jsonl
+    - template: jinja
     - user: root
     - group: root
     - mode: 600