From 69ccba0c1ab16e4237fb885059d0cc55ed731ebe Mon Sep 17 00:00:00 2001
From: moelsayed
Date: Thu, 14 Dec 2017 23:56:19 +0200
Subject: [PATCH] Make RBAC default authz mode
---
 cluster.yml | 4 +++-
 cluster/cluster.go | 11 +++++++++--
 cluster/defaults.go | 3 ++-
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/cluster.yml b/cluster.yml
index a993ab58..32619f96 100644
--- a/cluster.yml
+++ b/cluster.yml
@@ -22,7 +22,9 @@ network:
 ssh_key_path: ~/.ssh/test
 ignore_docker_version: false
-# Kubernetes authorization mode, currently only `rbac` is supported
+# Kubernetes authorization mode; currently only `rbac` is supported and enabled by default.
+# Use `mode: none` to disable authorization
+
 authorization:
 mode: rbac
 options:
diff --git a/cluster/cluster.go b/cluster/cluster.go
index 3f61b423..cce04ba3 100644
--- a/cluster/cluster.go
+++ b/cluster/cluster.go
@@ -48,6 +48,7 @@ const (
 KubeDNSSidecarImage = "kubedns_sidecar_image"
 KubeDNSAutoScalerImage = "kubedns_autoscaler_image"
 ServiceSidekickImage = "service_sidekick_image"
+ NoneAuthorizationMode = "none"
 )
 func (c *Cluster) DeployClusterPlanes() error {
@@ -64,7 +65,7 @@ func (c *Cluster) DeployClusterPlanes() error {
 if err != nil {
 return fmt.Errorf("[controlPlane] Failed to bring up Control Plane: %v", err)
 }
- err = c.ApplyRBACResources()
+ err = c.ApplyAuthzResources()
 if err != nil {
 return fmt.Errorf("[auths] Failed to apply RBAC resources: %v", err)
 }
@@ -140,6 +141,9 @@ func (c *Cluster) setClusterDefaults() {
 c.Nodes[i].SSHKeyPath = c.SSHKeyPath
 }
 }
+ if len(c.Authorization.Mode) == 0 {
+ c.Authorization.Mode = DefaultAuthorizationMode
+ }
 c.setClusterServicesDefaults()
 c.setClusterNetworkDefaults()
 c.setClusterImageDefaults()
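Review bot: The default assigned in `setClusterDefaults` is misspelled: the cluster/defaults.go hunk defines `DefaultAuthorizationMode = "rabc"`, so a cluster.yml that omits `authorization.mode` gets a mode equal to neither `NoneAuthorizationMode` nor, presumably, `services.RBACAuthorizationMode` (its value is not shown here; the sample cluster.yml uses `rbac`). In `ApplyAuthzResources` that string skips the node ClusterRoleBinding branch, and any code outside this diff that reads `c.Authorization.Mode` to configure the API server would see the misspelled value too, so the RBAC-by-default behaviour named in the commit title is not what an operator gets. The constant should read `DefaultAuthorizationMode = "rbac"`, or the assignment should be `c.Authorization.Mode = services.RBACAuthorizationMode` so the two spellings cannot drift. `setClusterDefaults` begins and ends outside the hunk.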
@@ -246,10 +250,13 @@ func getLocalAdminConfigWithNewAddress(localConfigPath, cpAddress string) string
 string(config.KeyData))
 }
-func (c *Cluster) ApplyRBACResources() error {
+func (c *Cluster) ApplyAuthzResources() error {
 if err := authz.ApplyJobDeployerServiceAccount(c.LocalKubeConfigPath); err != nil {
 return fmt.Errorf("Failed to apply the ServiceAccount needed for job execution: %v", err)
 }
+ if c.Authorization.Mode == NoneAuthorizationMode {
+ return nil
+ }
 if c.Authorization.Mode == services.RBACAuthorizationMode {
 if err := authz.ApplySystemNodeClusterRoleBinding(c.LocalKubeConfigPath); err != nil {
 return fmt.Errorf("Failed to apply the ClusterRoleBinding needed for node authorization: %v", err)
diff --git a/cluster/defaults.go b/cluster/defaults.go
index 282513e3..58329229 100644
--- a/cluster/defaults.go
+++ b/cluster/defaults.go
@@ -11,7 +11,8 @@ const (
 DefaultDockerSockPath = "/var/run/docker.sock"
- DefaultAuthStrategy = "x509"
+ DefaultAuthStrategy = "x509"
+ DefaultAuthorizationMode = "rabc"
 DefaultNetworkPlugin = "flannel"
 DefaultNetworkCloudProvider = "none"
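Review bot: `ApplyAuthzResources` recognises only two mode strings, and any other value passes both `if` checks without an error as far as the hunk shows; the function body continues outside the hunk, so its final return is not visible. Because the mode comes from the user-edited cluster.yml, a mistyped value would presumably produce a cluster without the node ClusterRoleBinding while the deploy reports success. A `switch c.Authorization.Mode` whose default case is `return fmt.Errorf("unsupported authorization mode %q", c.Authorization.Mode)` would fail closed instead. The caller's message `[auths] Failed to apply RBAC resources` in `DeployClusterPlanes` also no longer matches the renamed function.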