Addressing review comments

2025-07-31 15:25:57 +00:00 · 2017-10-17 22:31:22 +03:00 · 2017-10-17 22:31:22 +03:00 · 9a28e9b125
commit 9a28e9b125
parent 95fec2dc3f
4 changed files with 22 additions and 34 deletions
--- a/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py
+++ b/cluster/juju/layers/kubernetes-e2e/reactive/kubernetes_e2e.py
@ -24,7 +24,7 @@ from charms.reactive import when
 from charms.reactive import when_not
 from charms.reactive.helpers import data_changed

-from charmhelpers.core import hookenv, unitdata
+from charmhelpers.core import hookenv

 from shlex import split

@ -32,7 +32,7 @@ from subprocess import check_call
 from subprocess import check_output


-db = unitdata.kv()
+USER = 'system:e2e'


@hook('upgrade-charm')
@ -91,15 +91,16 @@ def install_snaps():

@when('tls_client.ca.saved', 'tls_client.client.certificate.saved',
      'tls_client.client.key.saved', 'kubernetes-master.available',
-      'kubernetes-e2e.installed', 'e2e.auth.bootstrapped')
+      'kubernetes-e2e.installed', 'e2e.auth.bootstrapped',
+      'kube-control.auth.available')
@when_not('kubeconfig.ready')
-def prepare_kubeconfig_certificates(master):
+def prepare_kubeconfig_certificates(master, kube_control):
    ''' Prepare the data to feed to create the kubeconfig file. '''

    layer_options = layer.options('tls-client')
    # Get all the paths to the tls information required for kubeconfig.
    ca = layer_options.get('ca_certificate_path')
-    creds = db.get('credentials')
+    creds = kube_control.get_auth_credentials(USER)
    data_changed('kube-control.creds', creds)

    servers = get_kube_api_servers(master)
@ -124,19 +125,16 @@ def request_credentials(kube_control):
    """ Request authorization creds."""

    # Ask for a user, although we will be using the 'client_token'
-    user = 'system:e2e'
-    kube_control.set_auth_request(user)
+    kube_control.set_auth_request(USER)


@when('kube-control.auth.available')
 def catch_change_in_creds(kube_control):
    """Request a service restart in case credential updates were detected."""
-    user = 'system:e2e'
-    creds = kube_control.get_auth_credentials(user)
+    creds = kube_control.get_auth_credentials(USER)
    if creds \
            and data_changed('kube-control.creds', creds) \
-            and creds['user'] == user:
-        db.set('credentials', creds)
+            and creds['user'] == USER:
        set_state('e2e.auth.bootstrapped')


--- a/cluster/juju/layers/kubernetes-master/config.yaml
+++ b/cluster/juju/layers/kubernetes-master/config.yaml
@ -42,7 +42,7 @@ options:
        --runtime-config=batch/v2alpha1=true --profiling=true
  authorization-mode:
    type: string
-    default: "None"
+    default: "AlwaysAllow"
    description: |
-      Set the cluster's authorization mode. Allowed values are
-      "RBAC" and "None".
+      Comma separated authorization modes. Allowed values are
+      "RBAC", "Node", "Webhook", "ABAC", "AlwaysDeny" and "AlwaysAllow".
--- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
+++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
@ -61,8 +61,6 @@ nrpe.Check.shortname_re = '[\.A-Za-z0-9-_]+$'

 os.environ['PATH'] += os.pathsep + os.path.join(os.sep, 'snap', 'bin')

-valid_auth_modes = ['rbac', 'none']
-

 def service_cidr():
    ''' Return the charm's service-cidr config '''
@ -357,11 +355,6 @@ def idle_status(kube_api, kube_control):
        msg = 'WARN: cannot change service-cidr, still using ' + service_cidr()
        hookenv.status_set('active', msg)
    else:
-        mode = hookenv.config().get('authorization-mode').lower()
-        if mode not in valid_auth_modes:
-            hookenv.status_set('blocked', 'Incorrect authorization mode.')
-            return
-
        # All services should be up and running at this point. Double-check...
        failing_services = master_services_down()
        if len(failing_services) == 0:
@ -463,7 +456,7 @@ def create_service_configs(kube_control):
        group = request[1]['group']
        kubelet_token = get_token(username)
        if not kubelet_token and username and group:
-            # Usernames have to be in the form of system:node:<hostname>
+            # Usernames have to be in the form of system:node:<nodeName>
            userid = "kubelet-{}".format(request[0].split('/')[1])
            setup_tokens(None, username, userid, group)
            kubelet_token = get_token(username)
@ -500,7 +493,7 @@ def flush_auth_for_departed(kube_control):
    with open(token_auth_file, 'w') as fp:
        fp.writelines(known_tokens)
    # Trigger rebroadcast of auth files for followers
-    remove_state('autentication.setup')
+    remove_state('authentication.setup')


@when_not('kube-control.connected')
@ -706,9 +699,8 @@ def initial_nrpe_config(nagios=None):
      'kubernetes-master.components.started')
 def switch_auth_mode():
    config = hookenv.config()
-    mode = config.get('authorization-mode').lower()
-    if mode in valid_auth_modes and \
-            data_changed('auth-mode', mode):
+    mode = config.get('authorization-mode')
+    if data_changed('auth-mode', mode):
        remove_state('kubernetes-master.components.started')


@ -1063,11 +1055,11 @@ def configure_apiserver():
        'DefaultTolerationSeconds'
    ]

-    if hookenv.config('authorization-mode').lower() == 'rbac':
+    auth_mode = hookenv.config('authorization-mode')
+    if 'Node' in auth_mode:
        admission_control.append('NodeRestriction')
-        api_opts.add('authorization-mode', 'Node,RBAC', strict=True)
-    else:
-        api_opts.add('authorization-mode', 'AlwaysAllow', strict=True)
+
+    api_opts.add('authorization-mode', auth_mode, strict=True)

    if get_version('kube-apiserver') < (1, 6):
        hookenv.log('Removing DefaultTolerationSeconds from admission-control')
--- a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
+++ b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
@ -52,8 +52,6 @@ kubeclientconfig_path = '/root/.kube/config'

 os.environ['PATH'] += os.pathsep + os.path.join(os.sep, 'snap', 'bin')

-db = unitdata.kv()
-

@hook('upgrade-charm')
 def upgrade_charm():
@ -338,7 +336,8 @@ def start_worker(kube_api, kube_control, auth_control, cni):
        hookenv.log('Waiting for cluster cidr.')
        return

-    creds = db.get('credentials')
+    nodeuser = 'system:node:{}'.format(gethostname())
+    creds = kube_control.get_auth_credentials(nodeuser)
    data_changed('kube-control.creds', creds)

    # set --allow-privileged flag for kubelet
@ -830,7 +829,6 @@ def catch_change_in_creds(kube_control):
    if creds \
            and data_changed('kube-control.creds', creds) \
            and creds['user'] == nodeuser:
-        db.set('credentials', creds)
        set_state('worker.auth.bootstrapped')
        set_state('kubernetes-worker.restart-needed')