diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index bed95293195..9b3411cd543 100755
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -790,7 +790,7 @@ EOF
 CLOUD_CONFIG=/etc/gce.conf
 fi
- if [[ -n ${CLOUD_CONFIG:-} ]]; then
+ if [[ -n "${CLOUD_CONFIG:-}" ]]; then
 cat <>/etc/salt/minion.d/grains.conf
 cloud_config: ${CLOUD_CONFIG}
 EOF
@@ -798,6 +798,29 @@ EOF
 rm -f /etc/gce.conf
 fi
+ if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
+ cat <>/etc/salt/minion.d/grains.conf
+ webhook_authorization_config: /etc/gcp_authz.config
+EOF
+ cat </etc/gcp_authz.config
+clusters:
+ - name: gcp-authorization-server
+ cluster:
+ server: ${GCP_AUTHZ_URL}
+users:
+ - name: kube-apiserver
+ user:
+ auth-provider:
+ name: gcp
+current-context: webhook
+contexts:
+- context:
+ cluster: gcp-authorization-server
+ user: kube-apiserver
+ name: webhook
+EOF
+ fi
+
 # If the kubelet on the master is enabled, give it the same CIDR range
 # as a generic node.
 if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
diff --git a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
index a8ac7239e38..d96273249a4 100644
--- a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
+++ b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
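Review bot: `GCP_AUTHZ_URL` is expanded inside an unquoted heredoc and lands verbatim under `server:` in the kubeconfig written to /etc/gcp_authz.config, so a value containing a newline or YAML syntax (`#`, `:`, a leading `- `) changes the structure of the file rather than just the server field; if it is read from instance metadata like the other `${…:-}` variables in this script, validate it before writing: `[[ "${GCP_AUTHZ_URL}" =~ ^https://[^[:space:]]+$ ]] || { echo "invalid GCP_AUTHZ_URL" >&2; exit 1; }`. The file is created with whatever umask the script runs under; an explicit `chmod 0644 /etc/gcp_authz.config` after the second heredoc makes the intended permissions visible (nothing in the hunk puts a credential in the file, it only names the `gcp` auth-provider). On this page the two redirections appear as `cat <>` and `cat <`, which looks like extraction damage to `cat <<EOF >>` / `cat <<EOF >` rather than something in the commit. The enclosing function starts and ends outside the hunk.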
@@ -79,6 +79,16 @@
 {% set abac_policy_file = " --authorization-policy-file=/srv/kubernetes/abac-authz-policy.jsonl" -%}
 {% endif -%}
+{% set webhook_authorization_config = "" -%}
+{% set webhook_config_mount = "" -%}
+{% set webhook_config_volume = "" -%}
+{% if grains.webhook_authorization_config is defined -%}
+ {% set webhook_authorization_config = " --authorization-webhook-config-file=" + grains.webhook_authorization_config -%}
+ {% set webhook_config_mount = "{\"name\": \"webhookconfigmount\",\"mountPath\": \"" + grains.webhook_authorization_config + "\", \"readOnly\": false}," -%}
+ {% set webhook_config_volume = "{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"" + grains.webhook_authorization_config + "\"}}," -%}
+ {% set authz_mode = authz_mode + ",Webhook" -%}
+{% endif -%}
+
 {% set admission_control = "" -%}
 {% if pillar['admission_control'] is defined -%}
 {% set admission_control = "--admission-control=" + pillar['admission_control'] -%}
@@ -95,7 +105,7 @@
 {% endif -%}
 {% set params = address + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout -%}
-{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file -%}
+{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authorization_config-%}
 # test_args has to be kept at the end, so they'll overwrite any prior configuration
 {% if pillar['apiserver_test_args'] is defined -%}
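Review bot: The webhook kubeconfig is mounted into the apiserver container with `"readOnly": false` in the new `webhook_config_mount` line, yet nothing in the hunk writes to that file; a writable hostPath into the control-plane pod is privilege the apiserver does not need, so change it to `"readOnly": true`, which also matches how a config file is normally mounted. The new `{% set authz_mode = authz_mode + ",Webhook" -%}` assumes `authz_mode` already carries a `--authorization-mode=` value at this point; that assignment is outside the hunk, so if it can be empty the rendered flag would be a bare `,Webhook`. In the `-95,7` hunk the concatenation ends `+ webhook_authorization_config-%}`; Jinja accepts that, but a space before `-%}` keeps it consistent with the rest of the line.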
@@ -148,6 +158,7 @@
 ],
 "volumeMounts": [
 {{cloud_config_mount}}
+ {{webhook_config_mount}}
 {{additional_cloud_config_mount}}
 { "name": "srvkube",
 "mountPath": "{{srv_kube_path}}",
@@ -175,6 +186,7 @@
 ],
 "volumes":[
 {{cloud_config_volume}}
+ {{webhook_config_volume}}
 {{additional_cloud_config_volume}}
 { "name": "srvkube",
 "hostPath": {