From b8a4fa6d81ba78a8562f4cfb795d6fdd8b2ca3fe Mon Sep 17 00:00:00 2001
From: Konstantinos Tsakalozos
Date: Fri, 11 Aug 2017 12:51:38 +0300
Subject: [PATCH] Move ingress to kube-system. Rename enable-rbac to authorization-mode.
---
 .../juju/layers/kubernetes-master/config.yaml | 10 ++++++----
 .../reactive/kubernetes_master.py | 18 +++++++++++++-----
 .../templates/default-http-backend.yaml | 2 ++
 .../ingress-replication-controller.yaml | 11 ++++++-----
 4 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/cluster/juju/layers/kubernetes-master/config.yaml b/cluster/juju/layers/kubernetes-master/config.yaml
index aca3f31ea0a..fd6e65e62d1 100644
--- a/cluster/juju/layers/kubernetes-master/config.yaml
+++ b/cluster/juju/layers/kubernetes-master/config.yaml
@@ -40,7 +40,9 @@ options:
 runtime-config=batch/v2alpha1=true profiling=true will result in kube-apiserver being run with the following options: --runtime-config=batch/v2alpha1=true --profiling=true
- enable-rbac:
- type: boolean
- default: True
- description: Enable RBAC authorization mode.
\ No newline at end of file
+ authorization-mode:
+ type: string
+ default: "RBAC"
+ description: | Set the cluster's authorization mode. Allowed values are "RBAC" and "None".
\ No newline at end of file
diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
index df78ee20d11..8c61bb9d724 100644
--- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
+++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
@@ -59,6 +59,7 @@ nrpe.Check.shortname_re = '[\.A-Za-z0-9-_]+$'
 os.environ['PATH'] += os.pathsep + os.path.join(os.sep, 'snap', 'bin')
+valid_auth_modes = ['rbac', 'none']
 def service_cidr():
 ''' Return the charm's service-cidr config '''
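Review bot: The new `authorization-mode` description says the allowed values are "RBAC" and "None" but does not say that the charm compares the value case-insensitively, nor that "None" leaves the API server without any authorization check (every authenticated request is permitted). Suggested description text: `Set the cluster's authorization mode. Allowed values are "RBAC" and "None" (case-insensitive). "None" disables authorization checks on the API server.` The rename also has no migration note: a deployment that previously set `enable-rbac=False` will pick up the new default "RBAC" on upgrade, which is the safer direction but still a behaviour change worth one sentence here or in the changelog.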
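Review bot: `valid_auth_modes` is a module-level constant but is declared as a mutable list and carries no comment saying its entries are the lower-cased forms the later comparisons rely on. A tuple makes the intent explicit and keeps the two `in` checks elsewhere in the patch unchanged: `# lower-cased values accepted for the authorization-mode config option` followed by `valid_auth_modes = ('rbac', 'none')`.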
@@ -321,6 +322,11 @@ def idle_status(kube_api, kube_control):
 msg = 'WARN: cannot change service-cidr, still using ' + service_cidr()
 hookenv.status_set('active', msg)
 else:
+ mode = hookenv.config().get('authorization-mode').lower()
+ if mode not in valid_auth_modes:
+ hookenv.status_set('blocked', 'Incorrect authorization mode.')
+ return
+
 # All services should be up and running at this point. Double-check...
 failing_services = master_services_down()
 if len(failing_services) == 0:
@@ -656,11 +662,13 @@ def initial_nrpe_config(nagios=None):
 update_nrpe_config(nagios)
-@when('config.changed.enable-rbac',
+@when('config.changed.authorization-mode',
 'kubernetes-master.components.started')
-def enable_rbac_config():
+def switch_auth_mode():
 config = hookenv.config()
- if data_changed('rbac-flag', str(config.get('enable-rbac'))):
+ mode = config.get('authorization-mode').lower()
+ if mode in valid_auth_modes and \
+ data_changed('auth-mode', mode):
 remove_state('kubernetes-master.components.started')
@@ -1015,7 +1023,7 @@ def configure_apiserver():
 'DefaultTolerationSeconds'
 ]
- if hookenv.config('enable-rbac'):
+ if hookenv.config('authorization-mode').lower() == 'rbac':
 admission_control.append('NodeRestriction')
 api_opts.add('authorization-mode', 'Node,RBAC', strict=True)
 else:
@@ -1178,4 +1186,4 @@ def touch(fname):
 try:
 os.utime(fname, None)
 except OSError:
- open(fname, 'a').close()
\ No newline at end of file
+ open(fname, 'a').close()
diff --git a/cluster/juju/layers/kubernetes-worker/templates/default-http-backend.yaml b/cluster/juju/layers/kubernetes-worker/templates/default-http-backend.yaml
index 739ae2758a2..2e337b18eb9 100644
--- a/cluster/juju/layers/kubernetes-worker/templates/default-http-backend.yaml
+++ b/cluster/juju/layers/kubernetes-worker/templates/default-http-backend.yaml
@@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
 name: default-http-backend
+ namespace: kube-system
 labels:
 k8s-app: default-http-backend
 spec:
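Review bot: `hookenv.config().get('authorization-mode').lower()` on the first added line raises AttributeError when the option resolves to None, which turns a bad config value into a hook crash instead of the 'blocked' status the next lines try to set; `mode = (hookenv.config().get('authorization-mode') or '').lower()` keeps the empty case on the blocked path. The validation also only runs in the `else` branch, so when the service-cidr warning branch above it is taken an invalid mode is reported as 'active' with the cidr message rather than 'blocked' (that branch starts outside the hunk, so this is inferred from the visible `else:`). idle_status begins and ends outside the hunk.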
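Review bot: The renamed handler `switch_auth_mode` has no docstring, and the file's other handlers use triple-quoted one-liners; suggest `''' Restart the master components when a valid authorization-mode value changes. '''` as the first line of the body. The backslash continuation on the added `if` is avoidable, since `if mode in valid_auth_modes and data_changed('auth-mode', mode):` fits within the line limit. The same None-unsafe `.lower()` pattern as in idle_status applies to `config.get('authorization-mode').lower()` here.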
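Review bot: The rewritten condition `hookenv.config('authorization-mode').lower() == 'rbac'` sends every value other than 'rbac' — including a misspelt or unsupported one — into the `else` branch, which lies outside the hunk and is presumably the non-RBAC apiserver configuration, so a typo in the option silently configures the API server without RBAC and only idle_status later reports 'blocked'. Validation should fail closed here: compute `mode = hookenv.config('authorization-mode').lower()` and branch on `if mode != 'none':`, so that only the explicit opt-out reaches the permissive path and any unrecognised value keeps RBAC, or return early when `mode not in valid_auth_modes`. configure_apiserver starts and ends outside the hunk.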
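Review bot: Adding `namespace: kube-system` to the Deployment changes where the object is created, but nothing in this patch removes the copy that existing deployments already have in `default`, and it is not visible that the worker charm's kubectl apply/delete calls were updated to address kube-system. Confirm the handler that renders and applies these templates deletes the old `default` objects on upgrade, otherwise two default-http-backend deployments (and two ingress controllers) will run side by side after the upgrade. The same applies to the Service hunk later in this file and to every `namespace: default` → `kube-system` hunk in ingress-replication-controller.yaml.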
@@ -39,6 +40,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: default-http-backend
+ namespace: kube-system
 labels:
 k8s-app: default-http-backend
 spec:
diff --git a/cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml b/cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml
index 8fea69d3987..83640918332 100644
--- a/cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml
+++ b/cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: nginx-ingress-serviceaccount
- namespace: default
+ namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@@ -60,7 +60,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
 name: nginx-ingress-role
- namespace: default
+ namespace: kube-system
 rules:
 - apiGroups:
 - ""
@@ -103,7 +103,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
 name: nginx-ingress-role-nisa-binding
- namespace: default
+ namespace: kube-system
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -111,7 +111,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: nginx-ingress-serviceaccount
- namespace: default
+ namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@@ -124,7 +124,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: nginx-ingress-serviceaccount
- namespace: default
+ namespace: kube-system
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -135,6 +135,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
 name: nginx-ingress-controller
+ namespace: kube-system
 labels:
 k8s-app: nginx-ingress-lb
 spec:
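Review bot: The ConfigMap that sits between the `@@ -124` and `@@ -135` hunks (`kind: ConfigMap` is the last context line of the former) is the one resource in this file whose namespace this patch does not touch. If its metadata has no explicit namespace it will be created wherever the kubectl context points, typically `default`, while the ReplicationController now runs in kube-system and, if it references the map through the usual `$(POD_NAMESPACE)/<name>` argument, will not find it; that part of the file is outside the hunks, so this is inferred. Confirm the ConfigMap metadata also carries `namespace: kube-system`, matching the ServiceAccount, Role and RoleBinding that were moved consistently in the hunks above.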