mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 19:31:44 +00:00
Merge pull request #39537 from liggitt/legacy-policy
Automatic merge from submit-queue (batch tested with PRs 39803, 39698, 39537, 39478) include bootstrap admin in super-user group, ensure tokens file is correct on upgrades Fixes https://github.com/kubernetes/kubernetes/issues/39532 Possible issues with cluster bring-up scripts: - [x] known_tokens.csv and basic_auth.csv is not rewritten if the file already exists * new users (like the controller manager) are not available on upgrade * changed users (like the kubelet username change) are not reflected * group additions (like the addition of admin to the superuser group) don't take effect on upgrade * this PR updates the token and basicauth files line-by-line to preserve user additions, but also ensure new data is persisted - [x] existing 1.5 clusters may depend on more permissive ABAC permissions (or customized ABAC policies). This PR adds an option to enable existing ABAC policy files for clusters that are upgrading Follow-ups: - [ ] both scripts are loading e2e role-bindings, which only be loaded in e2e tests, not in normal kube-up scenarios - [ ] when upgrading, set the option to use existing ABAC policy files - [ ] update bootstrap superuser client certs to add superuser group? ("We also have a certificate that "used to be" a super-user. On GCE, it has CN "kubecfg", on GKE it's "client"") - [ ] define (but do not load by default) a relaxed set of RBAC roles/rolebindings matching legacy ABAC, and document how to load that for new clusters that do not want to isolate user permissions
This commit is contained in:
commit
d50c027d0c
@ -1,16 +0,0 @@
|
||||
# something in the kube e2e uses an admin identity to list pods
|
||||
# TODO figure out what is doing this and ultimately remove this binding
|
||||
apiVersion: rbac.authorization.k8s.io/v1alpha1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: admin-cluster-admin
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: view
|
||||
subjects:
|
||||
- apiVersion: rbac/v1alpha1
|
||||
kind: User
|
||||
name: admin
|
@ -127,6 +127,20 @@ function mount-master-pd {
|
||||
chgrp -R etcd "${mount_point}/var/etcd"
|
||||
}
|
||||
|
||||
# replace_prefixed_line ensures:
|
||||
# 1. the specified file exists
|
||||
# 2. existing lines with the specified ${prefix} are removed
|
||||
# 3. a new line with the specified ${prefix}${suffix} is appended
|
||||
function replace_prefixed_line {
|
||||
local -r file="${1:-}"
|
||||
local -r prefix="${2:-}"
|
||||
local -r suffix="${3:-}"
|
||||
|
||||
touch "${file}"
|
||||
awk "substr(\$0,0,length(\"${prefix}\")) != \"${prefix}\" { print }" "${file}" > "${file}.filtered" && mv "${file}.filtered" "${file}"
|
||||
echo "${prefix}${suffix}" >> "${file}"
|
||||
}
|
||||
|
||||
# After the first boot and on upgrade, these files exist on the master-pd
|
||||
# and should never be touched again (except perhaps an additional service
|
||||
# account, see NB below.)
|
||||
@ -139,16 +153,14 @@ function create-master-auth {
|
||||
echo "${MASTER_KEY}" | base64 --decode > "${auth_dir}/server.key"
|
||||
fi
|
||||
local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
|
||||
if [[ ! -e "${basic_auth_csv}" && -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
|
||||
echo "${KUBE_PASSWORD},${KUBE_USER},admin" > "${basic_auth_csv}"
|
||||
if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
|
||||
replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
|
||||
fi
|
||||
local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
|
||||
if [[ ! -e "${known_tokens_csv}" ]]; then
|
||||
echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}"
|
||||
echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
|
||||
echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
|
||||
echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
|
||||
fi
|
||||
replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}" "admin,admin,system:masters"
|
||||
replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}" "system:kube-controller-manager,uid:system:kube-controller-manager"
|
||||
replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN}" "system:node:node-name,uid:kubelet,system:nodes"
|
||||
replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN}" "system:kube-proxy,uid:kube_proxy"
|
||||
local use_cloud_config="false"
|
||||
cat <<EOF >/etc/gce.conf
|
||||
[global]
|
||||
@ -814,16 +826,22 @@ function start-kube-apiserver {
|
||||
webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}},"
|
||||
fi
|
||||
|
||||
params+=" --authorization-mode=RBAC"
|
||||
local authorization_mode="RBAC"
|
||||
if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then
|
||||
params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}"
|
||||
authorization_mode+=",ABAC"
|
||||
fi
|
||||
local webhook_config_mount=""
|
||||
local webhook_config_volume=""
|
||||
if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
|
||||
params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config"
|
||||
authorization_mode+=",Webhook"
|
||||
params+=" --authorization-webhook-config-file=/etc/gcp_authz.config"
|
||||
webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
|
||||
webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
|
||||
fi
|
||||
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
|
||||
|
||||
params+=" --authorization-mode=${authorization_mode}"
|
||||
|
||||
src_file="${src_dir}/kube-apiserver.manifest"
|
||||
remove-salt-config-comments "${src_file}"
|
||||
# Evaluate variables.
|
||||
|
@ -190,6 +190,20 @@ function mount-master-pd {
|
||||
chgrp -R etcd "${mount_point}/var/etcd"
|
||||
}
|
||||
|
||||
# replace_prefixed_line ensures:
|
||||
# 1. the specified file exists
|
||||
# 2. existing lines with the specified ${prefix} are removed
|
||||
# 3. a new line with the specified ${prefix}${suffix} is appended
|
||||
function replace_prefixed_line {
|
||||
local -r file="${1:-}"
|
||||
local -r prefix="${2:-}"
|
||||
local -r suffix="${3:-}"
|
||||
|
||||
touch "${file}"
|
||||
awk "substr(\$0,0,length(\"${prefix}\")) != \"${prefix}\" { print }" "${file}" > "${file}.filtered" && mv "${file}.filtered" "${file}"
|
||||
echo "${prefix}${suffix}" >> "${file}"
|
||||
}
|
||||
|
||||
# After the first boot and on upgrade, these files exist on the master-pd
|
||||
# and should never be touched again (except perhaps an additional service
|
||||
# account, see NB below.)
|
||||
@ -206,16 +220,14 @@ function create-master-auth {
|
||||
echo "${KUBEAPISERVER_KEY}" | base64 --decode > "${auth_dir}/kubeapiserver.key"
|
||||
fi
|
||||
local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
|
||||
if [[ ! -e "${basic_auth_csv}" && -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
|
||||
echo "${KUBE_PASSWORD},${KUBE_USER},admin" > "${basic_auth_csv}"
|
||||
if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
|
||||
replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
|
||||
fi
|
||||
local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
|
||||
if [[ ! -e "${known_tokens_csv}" ]]; then
|
||||
echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}"
|
||||
echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
|
||||
echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
|
||||
echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
|
||||
fi
|
||||
replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
|
||||
replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
|
||||
replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN}," "system:node:node-name,uid:kubelet,system:nodes"
|
||||
replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN}," "system:kube-proxy,uid:kube_proxy"
|
||||
local use_cloud_config="false"
|
||||
cat <<EOF >/etc/gce.conf
|
||||
[global]
|
||||
@ -878,15 +890,22 @@ function start-kube-apiserver {
|
||||
webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}},"
|
||||
fi
|
||||
|
||||
params+=" --authorization-mode=RBAC"
|
||||
|
||||
local authorization_mode="RBAC"
|
||||
if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then
|
||||
params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}"
|
||||
authorization_mode+=",ABAC"
|
||||
fi
|
||||
local webhook_config_mount=""
|
||||
local webhook_config_volume=""
|
||||
if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
|
||||
params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config"
|
||||
authorization_mode+=",Webhook"
|
||||
params+=" --authorization-webhook-config-file=/etc/gcp_authz.config"
|
||||
webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
|
||||
webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
|
||||
fi
|
||||
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
|
||||
params+=" --authorization-mode=${authorization_mode}"
|
||||
|
||||
src_file="${src_dir}/kube-apiserver.manifest"
|
||||
remove-salt-config-comments "${src_file}"
|
||||
|
@ -12,10 +12,16 @@ cluster/gce/configure-vm.sh: cloud_config: ${CLOUD_CONFIG}
|
||||
cluster/gce/configure-vm.sh: env-to-grains "feature_gates"
|
||||
cluster/gce/configure-vm.sh: env-to-grains "runtime_config"
|
||||
cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}'
|
||||
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC"
|
||||
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook"
|
||||
cluster/gce/container-linux/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}"
|
||||
cluster/gce/container-linux/configure-helper.sh: local authorization_mode="RBAC"
|
||||
cluster/gce/container-linux/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"
|
||||
cluster/gce/container-linux/configure-helper.sh: sed -i -e "s@{{pillar\['allow_privileged'\]}}@true@g" "${src_file}"
|
||||
cluster/gce/gci/configure-helper.sh: authorization_mode+=",ABAC"
|
||||
cluster/gce/gci/configure-helper.sh: authorization_mode+=",Webhook"
|
||||
cluster/gce/gci/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}"
|
||||
cluster/gce/gci/configure-helper.sh: local authorization_mode="RBAC"
|
||||
cluster/gce/gci/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"
|
||||
cluster/gce/gci/configure-helper.sh: sed -i -e "s@{{pillar\['allow_privileged'\]}}@true@g" "${src_file}"
|
||||
cluster/gce/trusty/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"
|
||||
|
Loading…
Reference in New Issue
Block a user