diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 807b32093f6..b04cabd3c32 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -699,6 +699,9 @@ function create-master-auth {
 append_or_replace_prefixed_line "${known_tokens_csv}" "${KONNECTIVITY_SERVER_TOKEN}," "system:konnectivity-server,uid:system:konnectivity-server"
 create-kubeconfig "konnectivity-server" "${KONNECTIVITY_SERVER_TOKEN}"
 fi
+ if [[ -n "${MONITORING_TOKEN:-}" ]]; then
+ append_or_replace_prefixed_line "${known_tokens_csv}" "${MONITORING_TOKEN}," "system:monitoring,uid:system:monitoring,system:monitoring"
+ fi
 
 if [[ -n "${EXTRA_STATIC_AUTH_COMPONENTS:-}" ]]; then
 # Create a static Bearer token and kubeconfig for extra, comma-separated components.
@@ -2936,7 +2939,9 @@ function main() {
 if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
 KONNECTIVITY_SERVER_TOKEN="$(secure_random 32)"
 fi
-
+ if [[ "${ENABLE_MONITORING_TOKEN:-false}" == "true" ]]; then
+ MONITORING_TOKEN="$(secure_random 32)"
+ fi
 setup-os-params
 config-ip-firewall
 
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index c3624119d2e..e35186a9ddc 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -196,7 +196,8 @@ func ClusterRoles() []rbacv1.ClusterRole {
 },
 },
 {
- // a role which provides just enough power to determine if the server is ready and discover API versions for negotiation
+ // a role which provides just enough power to determine if the server is
+ // ready and discover API versions for negotiation
 ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule("get").URLs(
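Review bot: The added known-tokens line carries a fourth CSV field, `system:monitoring`, which the konnectivity entry just above does not have, and nothing on the line says that this field is the group the bootstrap `system:monitoring` ClusterRoleBinding elsewhere in this commit matches on; a comment such as `# token,user,uid,group — the group is what the system:monitoring ClusterRoleBinding binds` would spare the next reader from reverse-engineering the column layout. Unlike the konnectivity branch, no `create-kubeconfig` call follows the append, so how the monitoring client obtains this token is not visible here; if delivery happens elsewhere, a one-line pointer to it would help. create-master-auth's body starts and ends outside the hunk.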
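Review bot: The blank line removed in `main` leaves the new `ENABLE_MONITORING_TOKEN` block touching `setup-os-params` with no separator, while the konnectivity block above it keeps one; restoring the blank line after the added `fi` keeps the two token blocks visually parallel. The flag name alone does not say what the generated token is for, so a comment above the new `if`, e.g. `# Static bearer token for the system:monitoring group; consumed by create-master-auth`, would document the intent where the value is minted. main's body continues outside the hunk.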
@@ -208,6 +209,20 @@ func ClusterRoles() []rbacv1.ClusterRole {
 ).RuleOrDie(),
 },
 },
+ {
+ // a role which provides minimal read access to the monitoring endpoints
+ // (i.e. /metrics, /livez/*, /readyz/*, /healthz/*, /livez, /readyz, /healthz)
+ // The splatted health check endpoints allow read access to individual health check
+ // endpoints which may contain more sensitive cluster information information
+ ObjectMeta: metav1.ObjectMeta{Name: "system:monitoring"},
+ Rules: []rbacv1.PolicyRule{
+ rbacv1helpers.NewRule("get").URLs(
+ "/metrics",
+ "/livez", "/readyz", "/healthz",
+ "/livez/*", "/readyz/*", "/healthz/*",
+ ).RuleOrDie(),
+ },
+ },
 {
 // a role which provides minimal resource access to allow a "normal" user to learn information about themselves
 ObjectMeta: metav1.ObjectMeta{Name: "system:basic-user"},
@@ -563,6 +578,7 @@ const systemNodeRoleName = "system:node"
 func ClusterRoleBindings() []rbacv1.ClusterRoleBinding {
 rolebindings := []rbacv1.ClusterRoleBinding{
 rbacv1helpers.NewClusterBinding("cluster-admin").Groups(user.SystemPrivilegedGroup).BindingOrDie(),
+ rbacv1helpers.NewClusterBinding("system:monitoring").Groups(user.MonitoringGroup).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:discovery").Groups(user.AllAuthenticated).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:basic-user").Groups(user.AllAuthenticated).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:public-info-viewer").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
index 05e333f5d73..010800ecc98 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
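Review bot: The fourth comment line of the new `system:monitoring` role reads `cluster information information`; drop the duplicated word. The comment already warns that the splatted `/healthz/*`, `/livez/*` and `/readyz/*` paths may expose more sensitive detail than the aggregate endpoints, so it should also state what that implies for binding: the default binding added later in this commit targets only the `system:monitoring` group, and binding this role to a broad group such as `system:authenticated` would extend that detail to every authenticated principal. A closing sentence such as `// Bind only to trusted monitoring principals; the bootstrap binding targets the system:monitoring group.` would make the intended audience explicit next to the rule that grants the access. ClusterRoles' body starts and ends outside the hunk.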
@@ -102,6 +102,23 @@ items: - apiGroup: rbac.authorization.k8s.io kind: User name: system:kube-scheduler +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:monitoring + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:monitoring + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:monitoring - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml index b517b51eeb0..4970a793b49 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml @@ -861,6 +861,26 @@ items: - nodes/stats verbs: - '*' +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:monitoring + rules: + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /readyz + - /readyz/* + verbs: + - get - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/user/user.go b/staging/src/k8s.io/apiserver/pkg/authentication/user/user.go index f02dc39ecbc..4d6ec098002 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/user/user.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/user/user.go 
@@ -70,6 +70,7 @@ func (i *DefaultInfo) GetExtra() map[string][]string {
 const (
 SystemPrivilegedGroup = "system:masters"
 NodesGroup = "system:nodes"
+ MonitoringGroup = "system:monitoring"
 AllUnauthenticated = "system:unauthenticated"
 AllAuthenticated = "system:authenticated"