Add configuration for GCP webhook authorization.

2025-07-31 15:25:57 +00:00 · 2016-04-18 10:45:08 -07:00 · 2016-04-18 10:45:08 -07:00 · de71a2a76e
commit de71a2a76e
parent 0db3ca4b50
2 changed files with 37 additions and 2 deletions
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -790,7 +790,7 @@ EOF
    CLOUD_CONFIG=/etc/gce.conf
  fi

-  if [[ -n ${CLOUD_CONFIG:-} ]]; then
+  if [[ -n "${CLOUD_CONFIG:-}" ]]; then
  cat <<EOF >>/etc/salt/minion.d/grains.conf
  cloud_config: ${CLOUD_CONFIG}
 EOF
@ -798,6 +798,29 @@ EOF
    rm -f /etc/gce.conf
  fi

+  if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
+    cat <<EOF >>/etc/salt/minion.d/grains.conf
+  webhook_authorization_config: /etc/gcp_authz.config
+EOF
+    cat <<EOF >/etc/gcp_authz.config
+clusters:
+  - name: gcp-authorization-server
+    cluster:
+      server: ${GCP_AUTHZ_URL}
+users:
+  - name: kube-apiserver
+    user:
+      auth-provider:
+        name: gcp
+current-context: webhook
+contexts:
+- context:
+    cluster: gcp-authorization-server
+    user: kube-apiserver
+  name: webhook
+EOF
+  fi
+
  # If the kubelet on the master is enabled, give it the same CIDR range
  # as a generic node.
  if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
--- a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
+++ b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
@ -79,6 +79,16 @@
  {% set abac_policy_file = " --authorization-policy-file=/srv/kubernetes/abac-authz-policy.jsonl" -%}
 {% endif -%}

+{% set webhook_authorization_config = "" -%}
+{% set webhook_config_mount = "" -%}
+{% set webhook_config_volume = "" -%}
+{% if grains.webhook_authorization_config is defined -%}
+  {% set webhook_authorization_config = " --authorization-webhook-config-file=" + grains.webhook_authorization_config -%}
+  {% set webhook_config_mount = "{\"name\": \"webhookconfigmount\",\"mountPath\": \"" + grains.webhook_authorization_config + "\", \"readOnly\": false}," -%}
+  {% set webhook_config_volume = "{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"" + grains.webhook_authorization_config + "\"}}," -%}
+  {% set authz_mode = authz_mode + ",Webhook" -%}
+{% endif -%}
+
 {% set admission_control = "" -%}
 {% if pillar['admission_control'] is defined -%}
 {% set admission_control = "--admission-control=" + pillar['admission_control'] -%}
@ -95,7 +105,7 @@
 {% endif -%}

 {% set params = address + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout -%}
-{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address  + " " + proxy_ssh_options + authz_mode + abac_policy_file -%}
+{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address  + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authorization_config-%}

 # test_args has to be kept at the end, so they'll overwrite any prior configuration
 {% if pillar['apiserver_test_args'] is defined -%}
@ -148,6 +158,7 @@
        ],
    "volumeMounts": [
        {{cloud_config_mount}}
+        {{webhook_config_mount}}
        {{additional_cloud_config_mount}}
        { "name": "srvkube",
        "mountPath": "{{srv_kube_path}}",
@ -175,6 +186,7 @@
 ],
 "volumes":[
  {{cloud_config_volume}}
+  {{webhook_config_volume}}
  {{additional_cloud_config_volume}}
  { "name": "srvkube",
    "hostPath": {