From eb698629df9c5ce1ba187766c5b6cf5f0656113a Mon Sep 17 00:00:00 2001 From: Konstantinos Tsakalozos Date: Wed, 9 Aug 2017 12:10:54 +0300 Subject: [PATCH] Use the updated (RBAC enabled) cdk-addons --- .../juju/layers/kubernetes-master/README.md | 4 + .../reactive/kubernetes_master.py | 39 ------ .../templates/heapster-rbac.yaml | 58 -------- .../nginx-ingress-controller-rbac.yml | 127 ----------------- .../ingress-replication-controller.yaml | 128 ++++++++++++++++++ .../nginx-ingress-controller-rbac.yml | 0 6 files changed, 132 insertions(+), 224 deletions(-) delete mode 100644 cluster/juju/layers/kubernetes-master/templates/heapster-rbac.yaml delete mode 100644 cluster/juju/layers/kubernetes-master/templates/nginx-ingress-controller-rbac.yml create mode 100644 cluster/juju/layers/kubernetes-worker/templates/nginx-ingress-controller-rbac.yml diff --git a/cluster/juju/layers/kubernetes-master/README.md b/cluster/juju/layers/kubernetes-master/README.md index c1738869a8d..c1cc84a6cf0 100644 --- a/cluster/juju/layers/kubernetes-master/README.md +++ b/cluster/juju/layers/kubernetes-master/README.md @@ -54,6 +54,10 @@ The domain name to use for the Kubernetes cluster for DNS. Enables the installation of Kubernetes dashboard, Heapster, Grafana, and InfluxDB. +#### enable-rbac + +Enable RBAC and Node authorisation. + # DNS for the cluster The DNS add-on allows the pods to have a DNS names in addition to IP addresses. diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py index f910020e633..df78ee20d11 100644 --- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py +++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py @@ -534,7 +534,6 @@ def addons_ready(): """ try: - apply_rbac() check_call(['cdk-addons.apply']) return True except CalledProcessError: 
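Review bot: Dropping the `apply_rbac()` call in `addons_ready()` also drops the only code that removed the RBAC objects when `enable-rbac` is off and, more importantly, leaves no cleanup for the `add-on-cluster-admin` ClusterRoleBinding the old code created, which bound `cluster-admin` to `kube-system:default`. Clusters deployed with the previous revision keep that binding after upgrading to this one unless `cdk-addons.apply` removes it, and nothing visible here shows that it does. Consider a one-off best-effort removal in the upgrade path, e.g. `check_call(['kubectl', 'delete', 'clusterrolebinding', 'add-on-cluster-admin', '--ignore-not-found'])`, or at least a comment in `addons_ready()` stating that RBAC objects are now owned entirely by cdk-addons. `addons_ready()` starts, and its `except CalledProcessError:` body ends, outside the hunk.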
@@ -665,44 +664,6 @@ def enable_rbac_config(): remove_state('kubernetes-master.components.started') -def apply_rbac(): - # TODO(kjackal): we should be checking if rbac is already applied - config = hookenv.config() - if is_state('leadership.is_leader'): - if config.get('enable-rbac'): - try: - cmd = ['kubectl', 'apply', '-f', 'templates/heapster-rbac.yaml'] - check_output(cmd).decode('utf-8') - except CalledProcessError: - hookenv.log('Failed to apply heapster rbac rules') - try: - cmd = ['kubectl', 'apply', '-f', 'templates/nginx-ingress-controller-rbac.yml'] - check_output(cmd).decode('utf-8') - except CalledProcessError: - hookenv.log('Failed to apply heapster rbac rules') - - # TODO(kjackal): The follwoing is wrong and imposes security risk. What we should be doing is - # update the add-ons to include an rbac enabled dashboard - try: - cmd = "kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin" \ - " --serviceaccount=kube-system:default".split(' ') - check_output(cmd).decode('utf-8') - except CalledProcessError: - hookenv.log('Failed to elevate credentials') - - else: - try: - cmd = ['kubectl', 'delete', '-f', 'templates/heapster-rbac.yaml'] - check_output(cmd).decode('utf-8') - except CalledProcessError: - hookenv.log('Failed to delete heapster rbac rules') - try: - cmd = ['kubectl', 'delete', '-f', 'templates/nginx-ingress-controller-rbac.yml'] - check_output(cmd).decode('utf-8') - except CalledProcessError: - hookenv.log('Failed to apply heapster rbac rules') - - @when('kubernetes-master.components.started') @when('nrpe-external-master.available') @when_any('config.changed.nagios_context', diff --git a/cluster/juju/layers/kubernetes-master/templates/heapster-rbac.yaml b/cluster/juju/layers/kubernetes-master/templates/heapster-rbac.yaml deleted file mode 100644 index 58fa1b9921b..00000000000 --- a/cluster/juju/layers/kubernetes-master/templates/heapster-rbac.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: heapster-binding - labels: - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:heapster -subjects: -- kind: ServiceAccount - name: heapster - namespace: kube-system ---- -# Heapster's pod_nanny monitors the heapster deployment & its pod(s), and scales -# the resources of the deployment if necessary. -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: system:pod-nanny - namespace: kube-system - labels: - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - "extensions" - resources: - - deployments - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: heapster-binding - namespace: kube-system - labels: - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: system:pod-nanny -subjects: -- kind: ServiceAccount - name: heapster - namespace: kube-system ---- diff --git a/cluster/juju/layers/kubernetes-master/templates/nginx-ingress-controller-rbac.yml b/cluster/juju/layers/kubernetes-master/templates/nginx-ingress-controller-rbac.yml deleted file mode 100644 index 5b039282353..00000000000 --- a/cluster/juju/layers/kubernetes-master/templates/nginx-ingress-controller-rbac.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-ingress-serviceaccount - namespace: default ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: nginx-ingress-clusterrole -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "extensions" - resources: - - ingresses/status - verbs: - - update ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: nginx-ingress-role - namespace: default -rules: - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - namespaces - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - # Defaults to "-" - # Here: "-" - # This has to be adapted if you change either parameter - # when launching the nginx-ingress-controller. 
- - "ingress-controller-leader-nginx" - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - - create - - update ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: nginx-ingress-role-nisa-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: nginx-ingress-role -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: default ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: nginx-ingress-clusterrole-nisa-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-ingress-clusterrole -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: default diff --git a/cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml b/cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml index aa7173ce025..8fea69d3987 100644 --- a/cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml +++ b/cluster/juju/layers/kubernetes-worker/templates/ingress-replication-controller.yaml 
@@ -1,4 +1,132 @@ apiVersion: v1 +kind: ServiceAccount +metadata: + name: nginx-ingress-serviceaccount + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: nginx-ingress-clusterrole +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + resources: + - ingresses/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: nginx-ingress-role + namespace: default +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. 
+ - "ingress-controller-leader-nginx" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: nginx-ingress-role-nisa-binding + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress-role +subjects: + - kind: ServiceAccount + name: nginx-ingress-serviceaccount + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: nginx-ingress-clusterrole-nisa-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress-clusterrole +subjects: + - kind: ServiceAccount + name: nginx-ingress-serviceaccount + namespace: default +--- +apiVersion: v1 kind: ConfigMap metadata: name: nginx-load-balancer-conf diff --git a/cluster/juju/layers/kubernetes-worker/templates/nginx-ingress-controller-rbac.yml b/cluster/juju/layers/kubernetes-worker/templates/nginx-ingress-controller-rbac.yml new file mode 100644 index 00000000000..e69de29bb2d
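Review bot: The new `nginx-ingress-serviceaccount` and its two bindings only take effect if the controller pod actually runs as that account, and nothing in this commit adds `serviceAccountName: nginx-ingress-serviceaccount` to the ReplicationController pod spec further down this template (the diffstat attributes all 128 insertions in this file to this hunk); unless the existing spec already sets it, the controller keeps running as the `default` ServiceAccount and gains nothing from these rules under RBAC. Note also that `nginx-ingress-clusterrole` grants `list`/`watch` on `secrets` with no namespace restriction, so this account can read every Secret in the cluster, not only TLS secrets in `default`; that matches the upstream ingress manifest but deserves a comment next to the rule such as `# list/watch on secrets is cluster-wide: required for Ingress TLS, but exposes all Secrets to this controller`. The accompanying `kubernetes-worker/templates/nginx-ingress-controller-rbac.yml` is created empty (`e69de29bb2d`) and referenced nowhere in the patch, which looks like a leftover of the move and should be dropped. The ConfigMap and pod spec that follow this hunk are outside the view.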