From 1d9855474d1805c9418ed81853753047ceb733d9 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 9 Jun 2017 10:17:08 -0400
Subject: [PATCH] Enable Node authorizer and NodeRestriction admission in kubemark
---
 cluster/kubemark/gce/config-default.sh | 2 +-
 .../kubelet-binding.yaml | 18 ++++++++++++++++++
 .../resources/start-kubemark-master.sh | 2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubelet-binding.yaml
diff --git a/cluster/kubemark/gce/config-default.sh b/cluster/kubemark/gce/config-default.sh
index 3804c292751..8314484f824 100644
--- a/cluster/kubemark/gce/config-default.sh
+++ b/cluster/kubemark/gce/config-default.sh
@@ -81,7 +81,7 @@ fi
 ENABLE_GARBAGE_COLLECTOR=${ENABLE_GARBAGE_COLLECTOR:-true}
 USE_REAL_PROXIER=${USE_REAL_PROXIER:-true} # for hollow-proxy
-CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PodPreset,DefaultTolerationSeconds,ResourceQuota}"
+CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PodPreset,DefaultTolerationSeconds,NodeRestriction,ResourceQuota}"
 KUBELET_TEST_ARGS="--max-pods=100 $TEST_CLUSTER_LOG_LEVEL ${TEST_CLUSTER_API_CONTENT_TYPE}"
 APISERVER_TEST_ARGS="--runtime-config=extensions/v1beta1 ${API_SERVER_TEST_LOG_LEVEL} ${TEST_CLUSTER_STORAGE_MEDIA_TYPE} ${TEST_CLUSTER_MAX_REQUESTS_INFLIGHT} ${TEST_CLUSTER_DELETE_COLLECTION_WORKERS} --enable-garbage-collector=${ENABLE_GARBAGE_COLLECTOR}"
diff --git a/test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubelet-binding.yaml b/test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubelet-binding.yaml
new file mode 100644
index 00000000000..c0ce1955463
--- /dev/null
+++ b/test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubelet-binding.yaml
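Review bot: The new NodeRestriction entry only takes effect when CUSTOM_ADMISSION_PLUGINS is unset, because the assignment is a `${VAR:-default}` default, whereas the matching `--authorization-mode=Node,RBAC` added in the start-kubemark-master.sh hunk of this same patch is unconditional; an environment that overrides CUSTOM_ADMISSION_PLUGINS silently gets the Node authorizer without the admission plugin. I would document that coupling on a comment line above the assignment, e.g. `# NodeRestriction is expected to accompany the Node authorizer set in start-kubemark-master.sh; keep it when overriding this list`. NodeRestriction also only acts on requests authenticated as a node (system:nodes group / system:node: user prefix), so with the single shared kubelet credential described in the new kubelet-binding.yaml it presumably restricts nothing yet, which is worth stating in the same comment. ResourceQuota staying last in the list matches the upstream ordering recommendation for that plugin.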
@@ -0,0 +1,18 @@
+# The Kubemark environment currently gives all kubelets a single shared credential.
+#
+# TODO: give each kubelet a credential in the system:nodes group with username system:node:,
+# to exercise the Node authorizer and admission, then remove this binding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelet-node
+  labels:
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: kubelet
diff --git a/test/kubemark/resources/start-kubemark-master.sh b/test/kubemark/resources/start-kubemark-master.sh
index bdc11bc64bc..cea2932b3fd 100755
--- a/test/kubemark/resources/start-kubemark-master.sh
+++ b/test/kubemark/resources/start-kubemark-master.sh
@@ -351,7 +351,7 @@ function compute-kube-apiserver-params {
   params+=" --storage-backend=${STORAGE_BACKEND}"
   params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
   params+=" --admission-control=${CUSTOM_ADMISSION_PLUGINS}"
-  params+=" --authorization-mode=RBAC"
+  params+=" --authorization-mode=Node,RBAC"
   echo "${params}"
 }
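Review bot: Binding the broad legacy `system:node` ClusterRole to the single User `kubelet` means RBAC already allows every node-scoped request from any hollow kubelet, so the Node authorizer enabled in this same patch is never the deciding authorizer here and NodeRestriction has no per-node identity to act on; the header comment records the per-node credential as a TODO but does not state that consequence. I would extend the comment with `# While this binding exists the Node authorizer and NodeRestriction admission are effectively not exercised in kubemark`. Since `system:node` grants cluster-wide read access well beyond any single node's needs (as far as I recall it includes secrets in this release), every holder of the shared `kubelet` credential has that access for the whole cluster, which is tolerable for a throwaway perf environment but should be spelled out next to the TODO so the binding is not copied elsewhere.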
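Review bot: The ordering in `--authorization-mode=Node,RBAC` is load-bearing but undocumented: the Node authorizer is meant to be listed before RBAC so node requests reach it first in the union, and nothing in the hunk says so. A one-line comment above the new line, `# Node must precede RBAC so node requests are evaluated by the Node authorizer before the RBAC fallback`, would keep a future edit from reordering or dropping it. The enclosing function compute-kube-apiserver-params starts outside the hunk.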