Merge pull request #29164 from cjcullen/customuser
Automatic merge from submit-queue. Append an ABAC rule for $KUBE_USER. Allows the specified basic-auth credentials to be authorized against all resources. Fixes #28869.
This commit is contained in:
commit
8972b4ad4e
@ -904,6 +904,7 @@ EOF
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
env-to-grains "runtime_config"
|
env-to-grains "runtime_config"
|
||||||
|
env-to-grains "kube_user"
|
||||||
}
|
}
|
||||||
|
|
||||||
function salt-node-role() {
|
function salt-node-role() {
|
||||||
|
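Review bot: The new `env-to-grains "kube_user"` call forwards whatever KUBE_USER holds into a Salt grain with no check that the value is set or well-formed, and env-to-grains itself is outside this hunk, so I cannot tell whether it tolerates an empty value. That grain is the user name written into the ABAC policy file, so a missing or malformed KUBE_USER would show up later as a broken or unintended authorization rule rather than as a provisioning error here. If KUBE_USER is mandatory in this configuration, fail early next to the call: `[[ -n "${KUBE_USER:-}" ]] || { echo "KUBE_USER must be set to render the ABAC user policy" >&2; exit 1; }`; if it is optional, a one-line comment saying so and stating what an empty grain renders to would spare the next reader the trip through the template. The enclosing function starts before this hunk.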
@ -637,7 +637,12 @@ function start-kube-apiserver {
|
|||||||
webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
|
webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
|
||||||
fi
|
fi
|
||||||
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
|
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
|
||||||
cp "${src_dir}/abac-authz-policy.jsonl" /etc/srv/kubernetes/
|
|
||||||
|
local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
|
||||||
|
remove-salt-config-comments "${abac_policy_json}"
|
||||||
|
sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
|
||||||
|
cp "${abac_policy_json}" /etc/srv/kubernetes/
|
||||||
|
|
||||||
src_file="${src_dir}/kube-apiserver.manifest"
|
src_file="${src_dir}/kube-apiserver.manifest"
|
||||||
remove-salt-config-comments "${src_file}"
|
remove-salt-config-comments "${src_file}"
|
||||||
# Evaluate variables.
|
# Evaluate variables.
|
||||||
|
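Review bot: The `sed -i -e "s@{{kube_user}}@${KUBE_USER}@g"` line splices KUBE_USER into both the sed expression and a JSON string literal with no escaping, so a value containing `@` (the chosen delimiter), `&` (the whole-match reference), `\` or a double quote either makes sed fail or writes a malformed policy line, and an empty value renders `"user":""`. Since this file is the apiserver's authorization policy, a bad value is worth aborting on rather than copying into /etc/srv/kubernetes. I would validate before substituting, e.g. `[[ "${KUBE_USER:-}" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "KUBE_USER is unset or contains characters unsafe for abac-authz-policy.jsonl" >&2; exit 1; }`, which also keeps `@` and `&` out of the sed expression; if user names with `@` must be supported, pick a delimiter the allowlist excludes. Whether ABAC treats an empty user field as a no-match is not visible here, so the guard should not rely on it. start-kube-apiserver begins before this hunk and continues after it.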
@ -542,7 +542,12 @@ start_kube_apiserver() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
src_dir="/home/kubernetes/kube-manifests/kubernetes/gci-trusty"
|
src_dir="/home/kubernetes/kube-manifests/kubernetes/gci-trusty"
|
||||||
cp "${src_dir}/abac-authz-policy.jsonl" /etc/srv/kubernetes/
|
|
||||||
|
local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
|
||||||
|
remove_salt_config_comments "${abac_policy_json}"
|
||||||
|
sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
|
||||||
|
cp "${abac_policy_json}" /etc/srv/kubernetes/
|
||||||
|
|
||||||
src_file="${src_dir}/kube-apiserver.manifest"
|
src_file="${src_dir}/kube-apiserver.manifest"
|
||||||
remove_salt_config_comments "${src_file}"
|
remove_salt_config_comments "${src_file}"
|
||||||
# Evaluate variables
|
# Evaluate variables
|
||||||
|
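Review bot: `${KUBE_USER}` is expanded unquoted into the sed replacement on the `sed -i -e "s@{{kube_user}}@${KUBE_USER}@g"` line, so the characters sed interprets there (`@`, `&`, `\`) and the characters JSON interprets inside the target string (`"`, `\`) are passed straight through, and an unset or empty variable leaves `"user":""` in the file that is then copied to /etc/srv/kubernetes. Because this is the policy the apiserver authorizes against, I would reject anything outside a conservative allowlist before the substitution, e.g. `[[ "${KUBE_USER:-}" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "refusing to render ABAC policy: KUBE_USER is empty or contains unsafe characters" >&2; exit 1; }`, and note in a comment that the allowlist is what makes the `@` delimiter safe. If this helper runs under `set -o nounset` an unset KUBE_USER already aborts, but that is not visible in the hunk, so the guard should handle the unset case explicitly. start_kube_apiserver begins before this hunk and continues after it.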
@ -1,4 +1,6 @@
|
|||||||
|
{% set kube_user = grains.kube_user -%}
|
||||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||||
|
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"{{kube_user}}", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||||
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
|
||||||
|
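Review bot: The new policy line interpolates `{{kube_user}}` directly into a JSON string with no escaping or guard, so a grain value containing `"` or `\` produces a line that is not valid JSON and an empty grain produces `"user":""`; whether the render aborts when `grains.kube_user` is absent depends on Salt's undefined handling, which is not visible here. Because the apiserver has to parse every line of this file, one bad line most likely keeps the whole policy, including the existing admin/kubelet/kube_proxy/kubecfg rules, from loading. I would read the grain defensively with `{% set kube_user = grains.get('kube_user', '') -%}` and emit the new rule only inside `{% if kube_user -%}` … `{% endif -%}`, while restricting the grain's character set where it is produced. A short comment on the new line stating that it grants the basic-auth user the same unrestricted access as `admin` would also make the intent explicit to the next reader.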
@ -19,6 +19,7 @@
|
|||||||
/srv/kubernetes/abac-authz-policy.jsonl:
|
/srv/kubernetes/abac-authz-policy.jsonl:
|
||||||
file.managed:
|
file.managed:
|
||||||
- source: salt://kube-apiserver/abac-authz-policy.jsonl
|
- source: salt://kube-apiserver/abac-authz-policy.jsonl
|
||||||
|
- template: jinja
|
||||||
- user: root
|
- user: root
|
||||||
- group: root
|
- group: root
|
||||||
- mode: 600
|
- mode: 600
|
||||||
|