-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always enable RBAC in kubeadm and make a pkg with authorization constants #41810
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -16,11 +16,14 @@ limitations under the License. | |
|
||
package constants | ||
|
||
import "time" | ||
import ( | ||
"path" | ||
"time" | ||
) | ||
|
||
const ( | ||
AuthorizationPolicyFile = "abac_policy.json" | ||
AuthorizationWebhookConfigFile = "webhook_authz.conf" | ||
// KubernetesDir is the directory kubernetes owns for storing various configuration files | ||
KubernetesDir = "/etc/kubernetes" | ||
|
||
CACertAndKeyBaseName = "ca" | ||
CACertName = "ca.crt" | ||
|
@@ -49,14 +52,6 @@ const ( | |
AdminKubeConfigFileName = "admin.conf" | ||
KubeletKubeConfigFileName = "kubelet.conf" | ||
|
||
// TODO: These constants should actually come from pkg/kubeapiserver/authorizer, but we can't vendor that package in now | ||
// because of all the other sub-packages that would get vendored. To fix this, a pkg/kubeapiserver/authorizer/modes package | ||
// or similar should exist that only has these constants; then we can vendor it. | ||
AuthzModeAlwaysAllow = "AlwaysAllow" | ||
AuthzModeABAC = "ABAC" | ||
AuthzModeRBAC = "RBAC" | ||
AuthzModeWebhook = "Webhook" | ||
|
||
// Important: a "v"-prefix shouldn't exist here; semver doesn't allow that | ||
MinimumControlPlaneVersion = "1.6.0-alpha.2" | ||
|
||
|
@@ -83,3 +78,8 @@ const ( | |
// The file name of the tokens file that can be used for bootstrapping | ||
CSVTokenFileName = "tokens.csv" | ||
) | ||
|
||
var ( | ||
AuthorizationPolicyPath = path.Join(KubernetesDir, "abac_policy.json") | ||
AuthorizationWebhookConfigPath = path.Join(KubernetesDir, "webhook_authz.conf") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. is the switch to a hard-coded absolute path new? seems like that would make testing difficult There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It isn't new. We decided on making these params hard coded -- at least until we have the full config file backend to rely on where the user can specify params that are passed directly to the apiserver/cm/scheduler |
||
) |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -32,6 +32,7 @@ import ( | |
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" | ||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" | ||
"k8s.io/kubernetes/cmd/kubeadm/app/images" | ||
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" | ||
cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" | ||
) | ||
|
||
|
@@ -326,15 +327,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [ | |
"--requestheader-allowed-names=front-proxy-client", | ||
) | ||
|
||
if cfg.AuthorizationMode != "" { | ||
command = append(command, "--authorization-mode="+cfg.AuthorizationMode) | ||
switch cfg.AuthorizationMode { | ||
case kubeadmconstants.AuthzModeABAC: | ||
command = append(command, "--authorization-policy-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationPolicyFile)) | ||
case kubeadmconstants.AuthzModeWebhook: | ||
command = append(command, "--authorization-webhook-config-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationWebhookConfigFile)) | ||
} | ||
} | ||
command = append(command, getAuthzParameters(cfg.AuthorizationMode)...) | ||
|
||
// Use first address we are given | ||
if len(cfg.API.AdvertiseAddresses) > 0 { | ||
|
@@ -459,3 +452,22 @@ func getSelfHostedAPIServerEnv() []api.EnvVar { | |
|
||
return append(getProxyEnvVars(), podIPEnvVar) | ||
} | ||
|
||
func getAuthzParameters(authzMode string) []string { | ||
command := []string{} | ||
// RBAC is always on. If the user specified | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This comment doesn't parse for me. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oops. This is artwork as a result of push notifications I guess 😄 |
||
authzModes := []string{authzmodes.ModeRBAC} | ||
if len(authzMode) != 0 && authzMode != authzmodes.ModeRBAC { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we want to interpret authzModes as a list similar to the way the apiserver does? That would change this code quite a bit. But it might be good to mirror what the apiserver does. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yea, that might make sense. However, if we do decide so (please file an issue and ping me), that's for an other PR to avoid doing too many things in one. |
||
authzModes = append(authzModes, authzMode) | ||
} | ||
|
||
command = append(command, "--authorization-mode="+strings.Join(authzModes, ",")) | ||
|
||
switch authzMode { | ||
case authzmodes.ModeABAC: | ||
command = append(command, "--authorization-policy-file="+kubeadmconstants.AuthorizationPolicyPath) | ||
case authzmodes.ModeWebhook: | ||
command = append(command, "--authorization-webhook-config-file="+kubeadmconstants.AuthorizationWebhookConfigPath) | ||
} | ||
return command | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure about this as a fixed, non-overrideable path
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a fine line between overridability and sprawl. Regarding this one, we decided in kubernetes/kubeadm#156 that
/etc/kubernetes
should be a constant -- it doesn't make sense to override that really.Also, this isn't new for this PR. If you have very strong opinions -- please file an issue and we'll see but it's not the main thing in this PR