

Enable RBAC on APIServer
robbiezhang committed Jun 7, 2017
1 parent e648d3d commit af24ad6
Showing 6 changed files with 45 additions and 4 deletions.
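--- a/parts/defaultpolicy.json
+++ b/parts/defaultpolicy.json
@@ -0,0 +1,2 @@
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"client", "namespace": "*", "resource": "*", "apiGroup": "*"}}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-system:default", "namespace": "*", "resource": "*", "apiGroup": "*"}}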
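Review bot: Both rules are unrestricted wildcards (`"namespace": "*", "resource": "*", "apiGroup": "*"`, and `readonly` left at its default of false), and because the apiserver flag in kubernetesmaster-kube-apiserver.yaml lists ABAC before RBAC, the first authorizer to allow wins, so RBAC is never consulted for `client` or for `system:serviceaccount:kube-system:default`. The second rule therefore makes every pod in kube-system that runs under the default service account a cluster superuser, which undercuts the commit's stated goal of enabling RBAC. Consider scoping that rule to the specific add-ons that need it, or removing it once they carry their own RBAC bindings, and since the user `client` receives `cluster-admin` via the binding added in kubernetesmastercustomscript.sh, the first rule looks redundant once that binding exists. Note also that neither rule sets `nonResourcePath`, so non-resource endpoints are, as far as I can tell, not covered by this file at all.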
2 changes: 2 additions & 0 deletions parts/kubernetesmaster-kube-apiserver.yaml
Expand Up @@ -30,6 +30,8 @@ spec:
- "--client-ca-file=/etc/kubernetes/certs/ca.crt"
- "--service-account-key-file=/etc/kubernetes/certs/apiserver.key"
- "--storage-backend=etcd2"
- "--authorization-mode=ABAC,RBAC"
- "--authorization-policy-file=/etc/kubernetes/manifests/defaultpolicy.json"
- "--v=4"
volumeMounts:
- name: "etc-kubernetes"
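Review bot: `--authorization-policy-file=/etc/kubernetes/manifests/defaultpolicy.json` places a non-pod JSON document in the directory the kubelet polls for static pod manifests (this very file, `kube-apiserver.yaml`, lives there), so the kubelet will presumably try to parse it as a pod on every sync and log a rejection each time. Moving it to a path outside the manifests directory, e.g. `/etc/kubernetes/defaultpolicy.json`, avoids that; the same path is written by the `write_files` entry added in kubernetesmastercustomdata.yml and would need the same change. Also worth a one-line comment above `--authorization-mode=ABAC,RBAC` that ordering is significant: authorizers are tried in order and the ABAC file pre-empts RBAC for any subject it matches. The container args list continues outside the hunk.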
7 changes: 7 additions & 0 deletions parts/kubernetesmastercustomdata.yml
Expand Up @@ -84,6 +84,13 @@ write_files:
name: localclustercontext
current-context: localclustercontext
- path: /etc/kubernetes/manifests/defaultpolicy.json
permissions: "0644"
encoding: gzip
owner: "root"
content: !!binary |
API_SERVER_POLICY_B64_GZIP_STR

- path: /etc/kubernetes/manifests/kube-apiserver.yaml
permissions: "0644"
encoding: gzip
7 changes: 6 additions & 1 deletion parts/kubernetesmastercustomscript.sh
Expand Up @@ -304,6 +304,10 @@ users:
set -x
}

function createSuperUserClusterRoleBinding() {
kubectl create clusterrolebinding superuser --clusterrole=cluster-admin --user=client
}

# master and node
ensureDocker
configNetworkPolicy
Expand All @@ -318,7 +322,8 @@ if [[ ! -z "${APISERVER_PRIVATE_KEY}" ]]; then
ensureEtcdDataDir
ensureEtcd
ensureApiserver

createSuperUserClusterRoleBinding
fi

echo "Install complete successfully"
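Review bot: `createSuperUserClusterRoleBinding` is not idempotent: `kubectl create clusterrolebinding superuser ...` fails with AlreadyExists if the provisioning script is re-run, and since it is invoked immediately after `ensureApiserver` it will also fail transiently if that helper only starts the apiserver rather than waiting for it to answer requests (the helper's body is outside the hunk, so I cannot tell). A guard such as `kubectl get clusterrolebinding superuser >/dev/null 2>&1 || kubectl create clusterrolebinding superuser --clusterrole=cluster-admin --user=client` covers the re-run case, and a small retry loop around it would cover apiserver readiness. A comment on the function noting that it grants the kubeconfig user `client` full cluster-admin rights, and that it is what makes the ABAC wildcard for `client` in defaultpolicy.json redundant, would help the next reader.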

2 changes: 2 additions & 0 deletions pkg/acsengine/engine.go
Expand Up @@ -24,6 +24,7 @@ const (
kubernetesAgentCustomScript = "kubernetesagentcustomscript.sh"
kubeConfigJSON = "kubeconfig.json"
kubernetesWindowsAgentCustomDataPS1 = "kuberneteswindowssetup.ps1"
kubePolicyJSON = "defaultpolicy.json"
)

const (
Expand Down Expand Up @@ -95,6 +96,7 @@ var kubernetesAritfacts = map[string]string{
"MASTER_PROVISION_B64_GZIP_STR": kubernetesMasterCustomScript,
"KUBELET_SERVICE_B64_GZIP_STR": kubernetesKubeletService,
"KUBELET_SERVICE_AGENT_B64_GZIP_STR": kubernetesAgentKubeletSvc,
"API_SERVER_POLICY_B64_GZIP_STR": kubePolicyJSON,
}

var kubernetesAddonYamls = map[string]string{
29 changes: 26 additions & 3 deletions pkg/acsengine/templates.go

Large diffs are not rendered by default.

