github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-16 15:20:17 +00:00
Code Issues Projects Releases Wiki Activity

Move ingress to kube-system. Rename enable-rbac to authorization-mode.

Browse Source
This commit is contained in:
Konstantinos Tsakalozos 2017-08-11 12:51:38 +03:00
parent eb698629df
commit b8a4fa6d81
4 changed files with 27 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cluster/juju/layers/kubernetes-master/config.yaml
View File

@ -40,7 +40,9 @@ options:
runtime-config=batch/v2alpha1=true profiling=true runtime-config=batch/v2alpha1=true profiling=true
will result in kube-apiserver being run with the following options: will result in kube-apiserver being run with the following options:
--runtime-config=batch/v2alpha1=true --profiling=true --runtime-config=batch/v2alpha1=true --profiling=true
enable-rbac: authorization-mode:
type: boolean type: string
default: True default: "RBAC"
description: Enable RBAC authorization mode. description: |
Set the cluster's authorization mode. Allowed values are
"RBAC" and "None".

18
cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
View File

@ -59,6 +59,7 @@ nrpe.Check.shortname_re = '[\.A-Za-z0-9-_]+$'
os.environ['PATH'] += os.pathsep + os.path.join(os.sep, 'snap', 'bin') os.environ['PATH'] += os.pathsep + os.path.join(os.sep, 'snap', 'bin')
valid_auth_modes = ['rbac', 'none']
def service_cidr(): def service_cidr():
''' Return the charm's service-cidr config ''' ''' Return the charm's service-cidr config '''
@ -321,6 +322,11 @@ def idle_status(kube_api, kube_control):
msg = 'WARN: cannot change service-cidr, still using ' + service_cidr() msg = 'WARN: cannot change service-cidr, still using ' + service_cidr()
hookenv.status_set('active', msg) hookenv.status_set('active', msg)
else: else:
mode = hookenv.config().get('authorization-mode').lower()
if mode not in valid_auth_modes:
hookenv.status_set('blocked', 'Incorrect authorization mode.')
return
# All services should be up and running at this point. Double-check... # All services should be up and running at this point. Double-check...
failing_services = master_services_down() failing_services = master_services_down()
if len(failing_services) == 0: if len(failing_services) == 0:
@ -656,11 +662,13 @@ def initial_nrpe_config(nagios=None):
update_nrpe_config(nagios) update_nrpe_config(nagios)
@when('config.changed.enable-rbac', @when('config.changed.authorization-mode',
'kubernetes-master.components.started') 'kubernetes-master.components.started')
def enable_rbac_config(): def switch_auth_mode():
config = hookenv.config() config = hookenv.config()
if data_changed('rbac-flag', str(config.get('enable-rbac'))): mode = config.get('authorization-mode').lower()
if mode in valid_auth_modes and \
data_changed('auth-mode', mode):
remove_state('kubernetes-master.components.started') remove_state('kubernetes-master.components.started')
@ -1015,7 +1023,7 @@ def configure_apiserver():
'DefaultTolerationSeconds' 'DefaultTolerationSeconds'
] ]
if hookenv.config('enable-rbac'): if hookenv.config('authorization-mode').lower() == 'rbac':
admission_control.append('NodeRestriction') admission_control.append('NodeRestriction')
api_opts.add('authorization-mode', 'Node,RBAC', strict=True) api_opts.add('authorization-mode', 'Node,RBAC', strict=True)
else: else:
@ -1178,4 +1186,4 @@ def touch(fname):
try: try:
os.utime(fname, None) os.utime(fname, None)
except OSError: except OSError:
open(fname, 'a').close() open(fname, 'a').close()

2
cluster/juju/layers/kubernetes-worker/templates/default-http-backend.yaml
View File

@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
metadata: metadata:
name: default-http-backend name: default-http-backend
namespace: kube-system
labels: labels:
k8s-app: default-http-backend k8s-app: default-http-backend
spec: spec:
@ -39,6 +40,7 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: default-http-backend name: default-http-backend
namespace: kube-system
labels: labels:
k8s-app: default-http-backend k8s-app: default-http-backend
spec: spec:

11
cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml
View File

@ -2,7 +2,7 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: nginx-ingress-serviceaccount name: nginx-ingress-serviceaccount
namespace: default namespace: kube-system
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole kind: ClusterRole
@ -60,7 +60,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role kind: Role
metadata: metadata:
name: nginx-ingress-role name: nginx-ingress-role
namespace: default namespace: kube-system
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
@ -103,7 +103,7 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: nginx-ingress-role-nisa-binding name: nginx-ingress-role-nisa-binding
namespace: default namespace: kube-system
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
@ -111,7 +111,7 @@ roleRef:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: nginx-ingress-serviceaccount name: nginx-ingress-serviceaccount
namespace: default namespace: kube-system
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: ClusterRoleBinding
@ -124,7 +124,7 @@ roleRef:
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: nginx-ingress-serviceaccount name: nginx-ingress-serviceaccount
namespace: default namespace: kube-system
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -135,6 +135,7 @@ apiVersion: v1
kind: ReplicationController kind: ReplicationController
metadata: metadata:
name: nginx-ingress-controller name: nginx-ingress-controller
namespace: kube-system
labels: labels:
k8s-app: nginx-ingress-lb k8s-app: nginx-ingress-lb
spec: spec: