Merge pull request #93311 from logicalhan/monitoring-role
Add bootstrap policy for monitoring endpoints
This commit is contained in:
commit
a9d1482710
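--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -699,6 +699,9 @@ function create-master-auth {
 append_or_replace_prefixed_line "${known_tokens_csv}" "${KONNECTIVITY_SERVER_TOKEN}," "system:konnectivity-server,uid:system:konnectivity-server"
 create-kubeconfig "konnectivity-server" "${KONNECTIVITY_SERVER_TOKEN}"
 fi
+if [[ -n "${MONITORING_TOKEN:-}" ]]; then
+append_or_replace_prefixed_line "${known_tokens_csv}" "${MONITORING_TOKEN}," "system:monitoring,uid:system:monitoring,system:monitoring"
+fi
 
 if [[ -n "${EXTRA_STATIC_AUTH_COMPONENTS:-}" ]]; then
 # Create a static Bearer token and kubeconfig for extra, comma-separated components.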
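Review bot: The new `append_or_replace_prefixed_line` call is the only place on this page where the `system:monitoring` group is handed out, and unlike the konnectivity-server entry two lines above it there is no matching `create-kubeconfig`, so who is meant to present this token is left implicit and deserves a comment. Presumably the third argument follows the known-tokens layout of user, uid and groups, so all a reader sees is that the bearer lands in group `system:monitoring`, which the ClusterRoleBindings hunk further down binds to the read-only `system:monitoring` role over `/metrics` and the health endpoints. I would add above the `if`: `# Static bearer token for external monitoring scrapers; group system:monitoring is what grants the read-only /metrics and health-endpoint role, so this entry needs the same protection as the other tokens in the file.` The value itself is generated in the `main()` hunk below only when `ENABLE_MONITORING_TOKEN` is true, which matches the konnectivity pattern. create-master-auth's body starts and ends outside the hunk.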
@ -2936,7 +2939,9 @@ function main() {
|
|||||||
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||||
KONNECTIVITY_SERVER_TOKEN="$(secure_random 32)"
|
KONNECTIVITY_SERVER_TOKEN="$(secure_random 32)"
|
||||||
fi
|
fi
|
||||||
|
if [[ "${ENABLE_MONITORING_TOKEN:-false}" == "true" ]]; then
|
||||||
|
MONITORING_TOKEN="$(secure_random 32)"
|
||||||
|
fi
|
||||||
|
|
||||||
setup-os-params
|
setup-os-params
|
||||||
config-ip-firewall
|
config-ip-firewall
|
||||||
|
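--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -196,7 +196,8 @@ func ClusterRoles() []rbacv1.ClusterRole {
 },
 },
 {
-// a role which provides just enough power to determine if the server is ready and discover API versions for negotiation
+// a role which provides just enough power to determine if the server is
+// ready and discover API versions for negotiation
 ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule("get").URLs(
@@ -208,6 +209,20 @@ func ClusterRoles() []rbacv1.ClusterRole {
 ).RuleOrDie(),
 },
 },
+{
+// a role which provides minimal read access to the monitoring endpoints
+// (i.e. /metrics, /livez/*, /readyz/*, /healthz/*, /livez, /readyz, /healthz)
+// The splatted health check endpoints allow read access to individual health check
+// endpoints which may contain more sensitive cluster information information
+ObjectMeta: metav1.ObjectMeta{Name: "system:monitoring"},
+Rules: []rbacv1.PolicyRule{
+rbacv1helpers.NewRule("get").URLs(
+"/metrics",
+"/livez", "/readyz", "/healthz",
+"/livez/*", "/readyz/*", "/healthz/*",
+).RuleOrDie(),
+},
+},
 {
 // a role which provides minimal resource access to allow a "normal" user to learn information about themselves
 ObjectMeta: metav1.ObjectMeta{Name: "system:basic-user"},
@@ -563,6 +578,7 @@ const systemNodeRoleName = "system:node"
 func ClusterRoleBindings() []rbacv1.ClusterRoleBinding {
 rolebindings := []rbacv1.ClusterRoleBinding{
 rbacv1helpers.NewClusterBinding("cluster-admin").Groups(user.SystemPrivilegedGroup).BindingOrDie(),
+rbacv1helpers.NewClusterBinding("system:monitoring").Groups(user.MonitoringGroup).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:discovery").Groups(user.AllAuthenticated).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:basic-user").Groups(user.AllAuthenticated).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:public-info-viewer").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(),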
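Review bot: The doc comment on the new `system:monitoring` role in the second hunk ends with a doubled word, `// endpoints which may contain more sensitive cluster information information`; it should read `// endpoints which may contain more sensitive cluster information`. The same comment should also state where the access boundary sits: in this commit the role is bound, in the third hunk, only to the `system:monitoring` group, so whichever authenticator populates that group (the static token entry in the configure-helper hunk on this page is one) is the control that decides who may read `/metrics` and the splatted health endpoints. A line such as `// Access is governed by membership in the system:monitoring group; see ClusterRoleBindings.` would make that explicit to the next reader. The enclosing `ClusterRoles` function starts before the first hunk and continues past the second, and `ClusterRoleBindings` continues past the third.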
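--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -102,6 +102,23 @@ items:
 - apiGroup: rbac.authorization.k8s.io
 kind: User
 name: system:kube-scheduler
+- apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+annotations:
+rbac.authorization.kubernetes.io/autoupdate: "true"
+creationTimestamp: null
+labels:
+kubernetes.io/bootstrapping: rbac-defaults
+name: system:monitoring
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:monitoring
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+kind: Group
+name: system:monitoring
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata: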
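--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -861,6 +861,26 @@ items:
 - nodes/stats
 verbs:
 - '*'
+- apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+annotations:
+rbac.authorization.kubernetes.io/autoupdate: "true"
+creationTimestamp: null
+labels:
+kubernetes.io/bootstrapping: rbac-defaults
+name: system:monitoring
+rules:
+- nonResourceURLs:
+- /healthz
+- /healthz/*
+- /livez
+- /livez/*
+- /metrics
+- /readyz
+- /readyz/*
+verbs:
+- get
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: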
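--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -70,6 +70,7 @@ func (i *DefaultInfo) GetExtra() map[string][]string {
 const (
 SystemPrivilegedGroup = "system:masters"
 NodesGroup = "system:nodes"
+MonitoringGroup = "system:monitoring"
 AllUnauthenticated = "system:unauthenticated"
 AllAuthenticated = "system:authenticated"
 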
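Review bot: `MonitoringGroup` is an exported constant with no doc comment, and because it names a group that the bootstrap policy on this page binds to the `system:monitoring` ClusterRole, a reader of this package should learn what membership means without opening the policy file. None of the neighbouring constants visible in the hunk carry a comment either, but this one is new and can set the example. I would add above it `// MonitoringGroup is the group the default RBAC bootstrap policy binds to the system:monitoring role, which grants read-only access to /metrics and the health-check endpoints.` The `const` block closes outside the hunk.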