From 1fe517e96a878093e0fb4db1f1a75e797fbce7be Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 6 Jan 2017 14:15:36 -0500
Subject: [PATCH 1/3] Include admin in super-user group
---
 .../addons/e2e-rbac-bindings/admin-binding.yaml | 16 ----------------
 cluster/gce/container-linux/configure-helper.sh | 4 ++--
 cluster/gce/gci/configure-helper.sh | 4 ++--
 3 files changed, 4 insertions(+), 20 deletions(-)
 delete mode 100644 cluster/addons/e2e-rbac-bindings/admin-binding.yaml
diff --git a/cluster/addons/e2e-rbac-bindings/admin-binding.yaml b/cluster/addons/e2e-rbac-bindings/admin-binding.yaml
deleted file mode 100644
index 370635e7494..00000000000
--- a/cluster/addons/e2e-rbac-bindings/admin-binding.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-# something in the kube e2e uses an admin identity to list pods
-# TODO figure out what is doing this and ultimately remove this binding
-apiVersion: rbac.authorization.k8s.io/v1alpha1
-kind: ClusterRoleBinding
-metadata:
- name: admin-cluster-admin
- labels:
- kubernetes.io/cluster-service: "true"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: view
-subjects:
-- apiVersion: rbac/v1alpha1
- kind: User
- name: admin
diff --git a/cluster/gce/container-linux/configure-helper.sh b/cluster/gce/container-linux/configure-helper.sh
index a3caaf6ea16..e78dd900e31 100755
--- a/cluster/gce/container-linux/configure-helper.sh
+++ b/cluster/gce/container-linux/configure-helper.sh
@@ -140,11 +140,11 @@ function create-master-auth {
 fi
 local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
 if [[ ! -e "${basic_auth_csv}" && -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
- echo "${KUBE_PASSWORD},${KUBE_USER},admin" > "${basic_auth_csv}"
+ echo "${KUBE_PASSWORD},${KUBE_USER},admin,system:masters" > "${basic_auth_csv}"
 fi
 local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
 if [[ ! -e "${known_tokens_csv}" ]]; then
- echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}"
+ echo "${KUBE_BEARER_TOKEN},admin,admin,system:masters" > "${known_tokens_csv}"
 echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
 echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
 echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index d4368fd7833..6d414d5a57b 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
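Review bot: The `system:masters` group added to the basic-auth line turns a static password in `basic_auth.csv` into a super-user credential that RBAC cannot narrow — as far as I know the bootstrap policy binds that group to cluster-admin, so the only way to revoke it is to edit this file and restart the apiserver. That is the intent of the commit, but it deserves saying on the line, e.g. `# system:masters is bound to cluster-admin by bootstrap policy; RBAC cannot constrain this password` above the `echo`. The same applies to the `${KUBE_BEARER_TOKEN}` line below it. create-master-auth starts and ends outside the hunk.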
@@ -207,11 +207,11 @@ function create-master-auth {
 fi
 local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
 if [[ ! -e "${basic_auth_csv}" && -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
- echo "${KUBE_PASSWORD},${KUBE_USER},admin" > "${basic_auth_csv}"
+ echo "${KUBE_PASSWORD},${KUBE_USER},admin,system:masters" > "${basic_auth_csv}"
 fi
 local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
 if [[ ! -e "${known_tokens_csv}" ]]; then
- echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}"
+ echo "${KUBE_BEARER_TOKEN},admin,admin,system:masters" > "${known_tokens_csv}"
 echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
 echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
 echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
From 21b422fcccd63812048eaf7e431bf94e90fd57cd Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 6 Jan 2017 15:00:30 -0500
Subject: [PATCH 2/3] Allow enabling ABAC authz
---
 cluster/gce/container-linux/configure-helper.sh | 12 +++++++++---
 cluster/gce/gci/configure-helper.sh | 11 +++++++++--
 hack/verify-flags/exceptions.txt | 6 ++++++
 3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/cluster/gce/container-linux/configure-helper.sh b/cluster/gce/container-linux/configure-helper.sh
index e78dd900e31..8cc0745d17e 100755
--- a/cluster/gce/container-linux/configure-helper.sh
+++ b/cluster/gce/container-linux/configure-helper.sh
@@ -814,16 +814,22 @@ function start-kube-apiserver {
 webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}},"
 fi
- params+=" --authorization-mode=RBAC"
+ local authorization_mode="RBAC"
+ if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then
+ params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}"
+ authorization_mode+=",ABAC"
+ fi
 local webhook_config_mount=""
 local webhook_config_volume=""
 if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
- params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config"
+ authorization_mode+=",Webhook"
+ params+=" --authorization-webhook-config-file=/etc/gcp_authz.config"
 webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
 webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
 fi
 local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
-
+ params+=" --authorization-mode=${authorization_mode}"
+
 src_file="${src_dir}/kube-apiserver.manifest"
 remove-salt-config-comments "${src_file}"
 # Evaluate variables.
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 6d414d5a57b..0462cd3db0d 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
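Review bot: `--authorization-policy-file=${ABAC_AUTHZ_FILE}` hands the apiserver a host path, but unlike the webhook config a few lines below — which gets an explicit hostPath mount via `webhook_config_mount`/`webhook_config_volume` — nothing in this hunk mounts the ABAC file into the apiserver pod, and the `-e` test runs on the host, not inside the container. Unless `${ABAC_AUTHZ_FILE}` lives under a directory the `kube-apiserver.manifest` already mounts, the apiserver will fail to start as soon as ABAC is enabled. Either add a mount the way the webhook config does, or pin the constraint in a comment above the `if`: `# ABAC_AUTHZ_FILE must be under a path already mounted into the apiserver pod; the -e check is host-side`. start-kube-apiserver starts and ends outside the hunk.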
@@ -878,15 +878,22 @@ function start-kube-apiserver {
 webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}},"
 fi
- params+=" --authorization-mode=RBAC"
+
+ local authorization_mode="RBAC"
+ if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then
+ params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}"
+ authorization_mode+=",ABAC"
+ fi
 local webhook_config_mount=""
 local webhook_config_volume=""
 if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
- params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config"
+ authorization_mode+=",Webhook"
+ params+=" --authorization-webhook-config-file=/etc/gcp_authz.config"
 webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
 webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}},"
 fi
 local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
+ params+=" --authorization-mode=${authorization_mode}"
 src_file="${src_dir}/kube-apiserver.manifest"
 remove-salt-config-comments "${src_file}"
diff --git a/hack/verify-flags/exceptions.txt b/hack/verify-flags/exceptions.txt
index 961fcfac0fc..8e8dd2e362b 100644
--- a/hack/verify-flags/exceptions.txt
+++ b/hack/verify-flags/exceptions.txt
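Review bot: When `ABAC_AUTHZ_FILE` is set but the file is absent, the `-e` guard silently drops ABAC and the cluster comes up with `--authorization-mode=RBAC` (or `RBAC,Webhook`); an operator who set the variable expecting their policy to be loaded gets no signal. An `else` branch that at least logs would make the failure visible: `else echo "ABAC_AUTHZ_FILE=${ABAC_AUTHZ_FILE:-} not found; starting without ABAC" >&2` before the `fi` (or fail hard, if a missing policy should block boot). It is also worth a comment that the mode list is, as I understand the authorizer chain, a union — a request any listed authorizer allows is allowed — so a permissive ABAC policy widens what RBAC alone would grant. start-kube-apiserver starts and ends outside the hunk.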
@@ -12,10 +12,16 @@ cluster/gce/configure-vm.sh: cloud_config: ${CLOUD_CONFIG}
 cluster/gce/configure-vm.sh: env-to-grains "feature_gates"
 cluster/gce/configure-vm.sh: env-to-grains "runtime_config"
 cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}'
+cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC"
+cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook"
 cluster/gce/container-linux/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}"
+cluster/gce/container-linux/configure-helper.sh: local authorization_mode="RBAC"
 cluster/gce/container-linux/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"
 cluster/gce/container-linux/configure-helper.sh: sed -i -e "s@{{pillar\['allow_privileged'\]}}@true@g" "${src_file}"
+cluster/gce/gci/configure-helper.sh: authorization_mode+=",ABAC"
+cluster/gce/gci/configure-helper.sh: authorization_mode+=",Webhook"
 cluster/gce/gci/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}"
+cluster/gce/gci/configure-helper.sh: local authorization_mode="RBAC"
 cluster/gce/gci/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"
 cluster/gce/gci/configure-helper.sh: sed -i -e "s@{{pillar\['allow_privileged'\]}}@true@g" "${src_file}"
 cluster/gce/trusty/configure-helper.sh: sed -i -e "s@{{ *storage_backend *}}@${STORAGE_BACKEND:-}@g" "${temp_file}"
From 968b0b30cfed1056c79bf51b6ca71e3998d4fb05 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 6 Jan 2017 15:35:53 -0500
Subject: [PATCH 3/3] Update token users if needed
---
 .../gce/container-linux/configure-helper.sh | 28 +++++++++++++------
 cluster/gce/gci/configure-helper.sh | 28 +++++++++++++------
 2 files changed, 40 insertions(+), 16 deletions(-)
diff --git a/cluster/gce/container-linux/configure-helper.sh b/cluster/gce/container-linux/configure-helper.sh
index 8cc0745d17e..b5b494b382d 100755
--- a/cluster/gce/container-linux/configure-helper.sh
+++ b/cluster/gce/container-linux/configure-helper.sh
@@ -127,6 +127,20 @@ function mount-master-pd {
 chgrp -R etcd "${mount_point}/var/etcd"
 }
+# replace_prefixed_line ensures:
+# 1. the specified file exists
+# 2. existing lines with the specified ${prefix} are removed
+# 3. a new line with the specified ${prefix}${suffix} is appended
+function replace_prefixed_line {
+ local -r file="${1:-}"
+ local -r prefix="${2:-}"
+ local -r suffix="${3:-}"
+
+ touch "${file}"
+ awk "substr(\$0,0,length(\"${prefix}\")) != \"${prefix}\" { print }" "${file}" > "${file}.filtered" && mv "${file}.filtered" "${file}"
+ echo "${prefix}${suffix}" >> "${file}"
+}
+
 # After the first boot and on upgrade, these files exist on the master-pd
 # and should never be touched again (except perhaps an additional service
 # account, see NB below.)
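Review bot: The awk filter in `replace_prefixed_line` never removes anything: awk strings are 1-indexed, and with a start of 0 `substr($0,0,length(prefix))` returns (in gawk and mawk, as far as I can tell) only the first length-1 characters, which can never equal a prefix of length characters — so step 2 of the header comment does not happen and every boot appends another line while the old credential/role line stays live. The prefix is also spliced into the awk program text inside double quotes, so a `KUBE_PASSWORD` containing `"` or `\` produces a syntax error in the program. Doing the comparison in bash fixes the index and keeps the secret out of any interpreted program text; `printf` instead of `echo` also avoids a token that happens to start with `-` being taken as an option. The function is complete within the hunk.
```shell
function replace_prefixed_line {
  local -r file="${1:-}"
  local -r prefix="${2:-}"
  local -r suffix="${3:-}"

  touch "${file}"
  # Compare in bash: ${prefix} holds a token/password and must not be
  # interpolated into an awk program; [[ == "${prefix}"* ]] is a literal
  # prefix test, so the characters in it do not matter.
  local line
  while IFS= read -r line || [[ -n "${line}" ]]; do
    [[ "${line}" == "${prefix}"* ]] || printf '%s\n' "${line}"
  done < "${file}" > "${file}.filtered" && mv "${file}.filtered" "${file}"
  printf '%s\n' "${prefix}${suffix}" >> "${file}"
}
```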
@@ -139,16 +153,14 @@ function create-master-auth {
 echo "${MASTER_KEY}" | base64 --decode > "${auth_dir}/server.key"
 fi
 local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
- if [[ ! -e "${basic_auth_csv}" && -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
- echo "${KUBE_PASSWORD},${KUBE_USER},admin,system:masters" > "${basic_auth_csv}"
+ if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
+ replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
 fi
 local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
- if [[ ! -e "${known_tokens_csv}" ]]; then
- echo "${KUBE_BEARER_TOKEN},admin,admin,system:masters" > "${known_tokens_csv}"
- echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
- echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
- echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
- fi
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}" "admin,admin,system:masters"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}" "system:kube-controller-manager,uid:system:kube-controller-manager"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN}" "system:node:node-name,uid:kubelet,system:nodes"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN}" "system:kube-proxy,uid:kube_proxy"
 local use_cloud_config="false"
 cat </etc/gce.conf
 [global]
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 0462cd3db0d..e98e26259c1 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
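Review bot: The four `known_tokens.csv` calls pass the bare token as the prefix with no trailing comma, so the line written is `${KUBE_BEARER_TOKEN}admin,admin,system:masters`: by the token,user,uid,groups layout the removed `echo` lines used, the token column becomes `<token>admin`, the user `admin` and the uid `system:masters`, and none of the four tokens — including the kubelet, proxy and controller-manager ones — would authenticate as intended. The gci copy of this same change passes `"${KUBE_BEARER_TOKEN},"` and so on; this file needs the same comma on all four lines, e.g. `replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"`. The comma is also what makes the prefix match exact — without it a token that is a prefix of another token would delete that other entry. create-master-auth starts and ends outside the hunk.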
@@ -190,6 +190,20 @@ function mount-master-pd {
 chgrp -R etcd "${mount_point}/var/etcd"
 }
+# replace_prefixed_line ensures:
+# 1. the specified file exists
+# 2. existing lines with the specified ${prefix} are removed
+# 3. a new line with the specified ${prefix}${suffix} is appended
+function replace_prefixed_line {
+ local -r file="${1:-}"
+ local -r prefix="${2:-}"
+ local -r suffix="${3:-}"
+
+ touch "${file}"
+ awk "substr(\$0,0,length(\"${prefix}\")) != \"${prefix}\" { print }" "${file}" > "${file}.filtered" && mv "${file}.filtered" "${file}"
+ echo "${prefix}${suffix}" >> "${file}"
+}
+
 # After the first boot and on upgrade, these files exist on the master-pd
 # and should never be touched again (except perhaps an additional service
 # account, see NB below.)
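Review bot: `substr(\$0,0,length(...))` is off by one — awk indexes strings from 1, and with start 0 gawk and mawk (as far as I can tell) return length-1 characters, so the comparison never matches, stale lines are never removed, and every boot appends a fresh copy while the previous entries remain valid. Fix the index and stop interpolating a secret into the program text at the same time: `pfx="${prefix}" awk 'substr($0,1,length(ENVIRON["pfx"])) != ENVIRON["pfx"] { print }' "${file}" > "${file}.filtered" && mv "${file}.filtered" "${file}"` (ENVIRON, unlike `-v`, does not process backslash escapes, and a fresh name is needed because `prefix` is declared readonly). Separately, `touch` and the `mv` of `${file}.filtered` leave this credential file with umask-derived permissions rather than whatever mode it had before; a `chmod 600 "${file}"` after the `mv` would be cheap insurance, though I cannot see from this hunk what mode the apiserver expects. The function is complete within the hunk.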
@@ -206,16 +220,14 @@ function create-master-auth {
 echo "${KUBEAPISERVER_KEY}" | base64 --decode > "${auth_dir}/kubeapiserver.key"
 fi
 local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
- if [[ ! -e "${basic_auth_csv}" && -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
- echo "${KUBE_PASSWORD},${KUBE_USER},admin,system:masters" > "${basic_auth_csv}"
+ if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
+ replace_prefixed_line "${basic_auth_csv}" "${KUBE_PASSWORD},${KUBE_USER}," "admin,system:masters"
 fi
 local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
- if [[ ! -e "${known_tokens_csv}" ]]; then
- echo "${KUBE_BEARER_TOKEN},admin,admin,system:masters" > "${known_tokens_csv}"
- echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
- echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
- echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
- fi
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBELET_TOKEN}," "system:node:node-name,uid:kubelet,system:nodes"
+ replace_prefixed_line "${known_tokens_csv}" "${KUBE_PROXY_TOKEN}," "system:kube-proxy,uid:kube_proxy"
 local use_cloud_config="false"
 cat </etc/gce.conf
 [global]
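Review bot: Keying every replacement on the credential itself (`"${KUBE_PASSWORD},${KUBE_USER},"`, `"${KUBE_BEARER_TOKEN},"`) means this updates the user/group columns of a known credential but never retires an old one: if `KUBE_PASSWORD` or any token is rotated, the previous line — now carrying `system:masters` — stays in the file and both values keep authenticating until someone edits it by hand. If rotation is meant to work, filter `basic_auth.csv` on the user column rather than the password; if it is out of scope, say so next to the calls, e.g. `# keyed on the credential: rotating KUBE_PASSWORD or a token does NOT remove the previous entry`. The `! -e` guards are also gone, so these files are now rewritten on every boot, which contradicts the "should never be touched again" comment block visible in the previous hunk just above this function — that comment should be updated in the same change. create-master-auth starts and ends outside the hunk.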