From 2bc960a01c731b42ee13ca7a1f86558bc941cb3c Mon Sep 17 00:00:00 2001
From: galal-hussein
Date: Thu, 25 Jul 2019 22:07:38 +0200
Subject: [PATCH] Add kubeapi proxy cluster role and role binding

---
 authz/authz.go     | 16 ++++++++++++++++
 cluster/cluster.go |  6 +++++-
 templates/authz.go | 24 ++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/authz/authz.go b/authz/authz.go
index a2bbd84d..253f76d4 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -36,3 +36,19 @@ func ApplySystemNodeClusterRoleBinding(ctx context.Context, kubeConfigPath strin
 	log.Infof(ctx, "[authz] system:node ClusterRoleBinding created successfully")
 	return nil
 }
+
+func ApplyKubeAPIClusterRole(ctx context.Context, kubeConfigPath string, k8sWrapTransport k8s.WrapTransport) error {
+	log.Infof(ctx, "[authz] Creating kube-apiserver proxy ClusterRole and ClusterRoleBinding")
+	k8sClient, err := k8s.NewClient(kubeConfigPath, k8sWrapTransport)
+	if err != nil {
+		return err
+	}
+	if err := k8s.UpdateClusterRoleFromYaml(k8sClient, templates.KubeAPIClusterRole); err != nil {
+		return err
+	}
+	if err := k8s.UpdateClusterRoleBindingFromYaml(k8sClient, templates.KubeAPIClusterRoleBinding); err != nil {
+		return err
+	}
+	log.Infof(ctx, "[authz] kube-apiserver proxy ClusterRole and ClusterRoleBinding created successfully")
+	return nil
+}
diff --git a/cluster/cluster.go b/cluster/cluster.go
index e4daf24b..ec3b4b6c 100644
--- a/cluster/cluster.go
+++ b/cluster/cluster.go
@@ -3,12 +3,13 @@ package cluster
 import (
 	"context"
 	"fmt"
-	"github.com/rancher/rke/metadata"
 	"net"
 	"reflect"
 	"strings"
 	"time"
 
+	"github.com/rancher/rke/metadata"
+
 	"github.com/docker/docker/api/types"
 	"github.com/rancher/rke/authz"
 	"github.com/rancher/rke/docker"
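Review bot: ApplyKubeAPIClusterRole is exported but has no doc comment, and its name says ClusterRole while the body also applies the ClusterRoleBinding, so a reader of the signature alone cannot tell that a binding to the kube-apiserver user is created as well. I would add above the func: `// ApplyKubeAPIClusterRole creates or updates the ClusterRole and ClusterRoleBinding (templates.KubeAPIClusterRole / KubeAPIClusterRoleBinding) that authorize the kube-apiserver user for the nodes/proxy and nodes/metrics subresources.` The two Update*FromYaml errors are returned bare, so the caller's single wrapper message cannot say whether the role or the binding failed; wrapping each, e.g. `return fmt.Errorf("applying kube-apiserver proxy ClusterRole: %v", err)`, keeps the error actionable, assuming fmt is available in this file, which the hunk does not show.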
@@ -316,6 +317,9 @@ func ApplyAuthzResources(ctx context.Context, rkeConfig v3.RancherKubernetesEngi
 		if err := authz.ApplySystemNodeClusterRoleBinding(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
 			return fmt.Errorf("Failed to apply the ClusterRoleBinding needed for node authorization: %v", err)
 		}
+		if err := authz.ApplyKubeAPIClusterRole(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
+			return fmt.Errorf("Failed to apply the ClusterRole and Binding needed for node kubeapi proxy: %v", err)
+		}
 	}
 	if kubeCluster.Authorization.Mode == services.RBACAuthorizationMode && kubeCluster.Services.KubeAPI.PodSecurityPolicy {
 		if err := authz.ApplyDefaultPodSecurityPolicy(ctx, kubeCluster.LocalKubeConfigPath, kubeCluster.K8sWrapTransport); err != nil {
diff --git a/templates/authz.go b/templates/authz.go
index e9dda156..100a4286 100644
--- a/templates/authz.go
+++ b/templates/authz.go
@@ -1,6 +1,30 @@
 package templates
 
 const (
+	KubeAPIClusterRole = `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: proxy-clusterrole-kubeapiserver
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes/metrics
+  - nodes/proxy
+  verbs: ["get", "list", "watch", "create"]`
+	KubeAPIClusterRoleBinding = `
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: proxy-role-binding-kubernetes-master
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-clusterrole-kubeapiserver
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: kube-apiserver`
 	SystemNodeClusterRoleBinding = `
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
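Review bot: The new ApplyKubeAPIClusterRole call is placed inside a block whose opening condition lies outside the hunk; the ApplyDefaultPodSecurityPolicy call just below re-checks `kubeCluster.Authorization.Mode == services.RBACAuthorizationMode`, which suggests the enclosing block is the RBAC-mode guard, so the new ClusterRole presumably is only applied on RBAC clusters — worth confirming, since the grant is meaningless without RBAC authorization. The error string `"Failed to apply the ClusterRole and Binding needed for node kubeapi proxy: %v"` does not name the resources or the direction of the proxy; `"Failed to apply the ClusterRole and ClusterRoleBinding needed for kube-apiserver to kubelet proxying: %v"` reads more clearly in a failing install log. ApplyAuthzResources starts and ends outside the hunk.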
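Review bot: KubeAPIClusterRole grants the User `kube-apiserver` get/list/watch/create on nodes/proxy, which, when the kubelet runs with webhook authorization, is the permission it checks before letting the API server reach its exec, attach, port-forward and container-log endpoints, so this is a high-privilege grant and the template should record why it exists and which identity it assumes. Nothing here ties the subject to a credential: the binding only has effect if `kube-apiserver` is the CN of the client certificate the API server presents to kubelets, which is presumably set elsewhere in rke — verify. I would add a Go comment above the constant: `// KubeAPIClusterRole / KubeAPIClusterRoleBinding authorize the kube-apiserver identity (the CN of its kubelet-client certificate) for the nodes/proxy and nodes/metrics subresources consulted by kubelet webhook authorization; "create" covers the POST-based endpoints such as exec and port-forward.` The binding name `proxy-role-binding-kubernetes-master` matches neither the role name `proxy-clusterrole-kubeapiserver` nor the subject; a consistent name such as `proxy-role-binding-kubeapiserver` makes the pair easier to audit. If the kubelet is also expected to serve nodes/stats, nodes/log or nodes/spec to the API server, or PUT/PATCH/DELETE requests, this role does not cover them — confirm that the listed subresources and verbs are the intended scope.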