mirror of https://github.com/rancher/rke.git synced 2025-09-17 15:40:07 +00:00

Make RBAC default authz mode

moelsayed
2017-12-14 23:56:19 +02:00
parent ff3d8c5780
commit 69ccba0c1a
3 changed files with 14 additions and 4 deletions


@@ -22,7 +22,9 @@ network:
ssh_key_path: ~/.ssh/test
ignore_docker_version: false
# Kubernetes authorization mode, currently only `rbac` is supported
# Kubernetes authorization mode; currently only `rbac` is supported and enabled by default.
# Use `mode: none` to disable authorization
authorization:
mode: rbac
options:


@@ -48,6 +48,7 @@ const (
KubeDNSSidecarImage = "kubedns_sidecar_image"
KubeDNSAutoScalerImage = "kubedns_autoscaler_image"
ServiceSidekickImage = "service_sidekick_image"
NoneAuthorizationMode = "none"
)
func (c *Cluster) DeployClusterPlanes() error {
@@ -64,7 +65,7 @@ func (c *Cluster) DeployClusterPlanes() error {
if err != nil {
return fmt.Errorf("[controlPlane] Failed to bring up Control Plane: %v", err)
}
err = c.ApplyRBACResources()
err = c.ApplyAuthzResources()
if err != nil {
return fmt.Errorf("[auths] Failed to apply RBAC resources: %v", err)
}
@@ -140,6 +141,9 @@ func (c *Cluster) setClusterDefaults() {
c.Nodes[i].SSHKeyPath = c.SSHKeyPath
}
}
if len(c.Authorization.Mode) == 0 {
c.Authorization.Mode = DefaultAuthorizationMode
}
c.setClusterServicesDefaults()
c.setClusterNetworkDefaults()
c.setClusterImageDefaults()
@@ -246,10 +250,13 @@ func getLocalAdminConfigWithNewAddress(localConfigPath, cpAddress string) string
string(config.KeyData))
}
func (c *Cluster) ApplyRBACResources() error {
func (c *Cluster) ApplyAuthzResources() error {
if err := authz.ApplyJobDeployerServiceAccount(c.LocalKubeConfigPath); err != nil {
return fmt.Errorf("Failed to apply the ServiceAccount needed for job execution: %v", err)
}
if c.Authorization.Mode == NoneAuthorizationMode {
return nil
}
if c.Authorization.Mode == services.RBACAuthorizationMode {
if err := authz.ApplySystemNodeClusterRoleBinding(c.LocalKubeConfigPath); err != nil {
return fmt.Errorf("Failed to apply the ClusterRoleBinding needed for node authorization: %v", err)
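Review bot: In `ApplyAuthzResources` the mode is compared only against `NoneAuthorizationMode` and `services.RBACAuthorizationMode`, and nothing visible in this commit rejects any other string, so a misspelled or unsupported `authorization.mode` appears to be accepted silently. For a security setting it is safer to fail closed: validate the mode once (for example right after the defaulting in `setClusterDefaults`) and return something like `return fmt.Errorf("unsupported authorization mode %q", c.Authorization.Mode)` for anything else. The function body continues past the end of the hunk, so a later branch may already handle this and is worth confirming. Separately, the caller in `DeployClusterPlanes` still reports `Failed to apply RBAC resources`, which will mislead when the mode is `none` and only the ServiceAccount step failed.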


@@ -12,6 +12,7 @@ const (
DefaultDockerSockPath = "/var/run/docker.sock"
DefaultAuthStrategy = "x509"
DefaultAuthorizationMode = "rabc"
DefaultNetworkPlugin = "flannel"
DefaultNetworkCloudProvider = "none"
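Review bot: The new default on the `DefaultAuthorizationMode` line is spelled `"rabc"`, not `"rbac"`. `setClusterDefaults` in this commit assigns that constant whenever the mode is left empty, and `ApplyAuthzResources` applies the node ClusterRoleBinding only when the mode equals `services.RBACAuthorizationMode`, whose value is not shown here but is presumably `"rbac"`. If so, a cluster relying on the default would skip the RBAC resources without any error, and any other consumer of the mode string would see an unrecognised value. The line should read `DefaultAuthorizationMode = "rbac"`; a test asserting that the default equals the RBAC mode constant would keep the two from drifting apart.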