rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-09-17 15:40:07 +00:00
Code Issues Releases Wiki Activity

Make RBAC default authz mode

Browse Source
This commit is contained in:
moelsayed
2017-12-14 23:56:19 +02:00
parent ff3d8c5780
commit 69ccba0c1a
3 changed files with 14 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cluster.yml
View File

@@ -22,7 +22,9 @@ network:
ssh_key_path: ~/.ssh/test ssh_key_path: ~/.ssh/test
ignore_docker_version: false ignore_docker_version: false
# Kubernetes authorization mode, currently only `rbac` is supported # Kubernetes authorization mode; currently only `rbac` is supported and enabled by default.
# Use `mode: none` to disable authorization
authorization: authorization:
mode: rbac mode: rbac
options: options:

11
cluster/cluster.go
View File

@@ -48,6 +48,7 @@ const (
KubeDNSSidecarImage = "kubedns_sidecar_image" KubeDNSSidecarImage = "kubedns_sidecar_image"
KubeDNSAutoScalerImage = "kubedns_autoscaler_image" KubeDNSAutoScalerImage = "kubedns_autoscaler_image"
ServiceSidekickImage = "service_sidekick_image" ServiceSidekickImage = "service_sidekick_image"
NoneAuthorizationMode = "none"
) )
func (c *Cluster) DeployClusterPlanes() error { func (c *Cluster) DeployClusterPlanes() error {
@@ -64,7 +65,7 @@ func (c *Cluster) DeployClusterPlanes() error {
if err != nil { if err != nil {
return fmt.Errorf("[controlPlane] Failed to bring up Control Plane: %v", err) return fmt.Errorf("[controlPlane] Failed to bring up Control Plane: %v", err)
} }
err = c.ApplyRBACResources() err = c.ApplyAuthzResources()
if err != nil { if err != nil {
return fmt.Errorf("[auths] Failed to apply RBAC resources: %v", err) return fmt.Errorf("[auths] Failed to apply RBAC resources: %v", err)
} }
@@ -140,6 +141,9 @@ func (c *Cluster) setClusterDefaults() {
c.Nodes[i].SSHKeyPath = c.SSHKeyPath c.Nodes[i].SSHKeyPath = c.SSHKeyPath
} }
} }
if len(c.Authorization.Mode) == 0 {
c.Authorization.Mode = DefaultAuthorizationMode
}
c.setClusterServicesDefaults() c.setClusterServicesDefaults()
c.setClusterNetworkDefaults() c.setClusterNetworkDefaults()
c.setClusterImageDefaults() c.setClusterImageDefaults()
@@ -246,10 +250,13 @@ func getLocalAdminConfigWithNewAddress(localConfigPath, cpAddress string) string
string(config.KeyData)) string(config.KeyData))
} }
func (c *Cluster) ApplyRBACResources() error { func (c *Cluster) ApplyAuthzResources() error {
if err := authz.ApplyJobDeployerServiceAccount(c.LocalKubeConfigPath); err != nil { if err := authz.ApplyJobDeployerServiceAccount(c.LocalKubeConfigPath); err != nil {
return fmt.Errorf("Failed to apply the ServiceAccount needed for job execution: %v", err) return fmt.Errorf("Failed to apply the ServiceAccount needed for job execution: %v", err)
} }
if c.Authorization.Mode == NoneAuthorizationMode {
return nil
}
if c.Authorization.Mode == services.RBACAuthorizationMode { if c.Authorization.Mode == services.RBACAuthorizationMode {
if err := authz.ApplySystemNodeClusterRoleBinding(c.LocalKubeConfigPath); err != nil { if err := authz.ApplySystemNodeClusterRoleBinding(c.LocalKubeConfigPath); err != nil {
return fmt.Errorf("Failed to apply the ClusterRoleBinding needed for node authorization: %v", err) return fmt.Errorf("Failed to apply the ClusterRoleBinding needed for node authorization: %v", err)

3
cluster/defaults.go
View File

@@ -11,7 +11,8 @@ const (
DefaultDockerSockPath = "/var/run/docker.sock" DefaultDockerSockPath = "/var/run/docker.sock"
DefaultAuthStrategy = "x509" DefaultAuthStrategy = "x509"
DefaultAuthorizationMode = "rabc"
DefaultNetworkPlugin = "flannel" DefaultNetworkPlugin = "flannel"
DefaultNetworkCloudProvider = "none" DefaultNetworkCloudProvider = "none"