Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
32537395
Commit
32537395
authored
Feb 24, 2016
by
CJ Cullen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Use ABAC authz instead of AllowAll.
parent
4c7abddc
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
30 additions
and
31 deletions
+30
-31
configure-vm.sh
cluster/gce/configure-vm.sh
+0
-11
util.sh
cluster/gce/util.sh
+3
-1
abac-authz-policy.jsonl
cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl
+7
-0
init.sls
cluster/saltbase/salt/kube-apiserver/init.sls
+8
-5
kube-apiserver.manifest
cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
+11
-13
exceptions.txt
hack/verify-flags/exceptions.txt
+1
-1
No files found.
cluster/gce/configure-vm.sh
View file @
32537395
...
@@ -579,17 +579,6 @@ function create-salt-master-auth() {
...
@@ -579,17 +579,6 @@ function create-salt-master-auth() {
echo
"
${
KUBE_BEARER_TOKEN
}
,admin,admin"
>
"
${
KNOWN_TOKENS_FILE
}
"
;
echo
"
${
KUBE_BEARER_TOKEN
}
,admin,admin"
>
"
${
KNOWN_TOKENS_FILE
}
"
;
echo
"
${
KUBELET_TOKEN
}
,kubelet,kubelet"
>>
"
${
KNOWN_TOKENS_FILE
}
"
;
echo
"
${
KUBELET_TOKEN
}
,kubelet,kubelet"
>>
"
${
KNOWN_TOKENS_FILE
}
"
;
echo
"
${
KUBE_PROXY_TOKEN
}
,kube_proxy,kube_proxy"
>>
"
${
KNOWN_TOKENS_FILE
}
"
)
echo
"
${
KUBE_PROXY_TOKEN
}
,kube_proxy,kube_proxy"
>>
"
${
KNOWN_TOKENS_FILE
}
"
)
# Generate tokens for other "service accounts". Append to known_tokens.
#
# NB: If this list ever changes, this script actually has to
# change to detect the existence of this file, kill any deleted
# old tokens and add any new tokens (to handle the upgrade case).
local
-r
service_accounts
=(
"system:scheduler"
"system:controller_manager"
"system:logging"
"system:monitoring"
)
for
account
in
"
${
service_accounts
[@]
}
"
;
do
token
=
$(
dd
if
=
/dev/urandom
bs
=
128
count
=
1 2>/dev/null |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2>/dev/null
)
echo
"
${
token
}
,
${
account
}
,
${
account
}
"
>>
"
${
KNOWN_TOKENS_FILE
}
"
done
fi
fi
}
}
...
...
cluster/gce/util.sh
View file @
32537395
...
@@ -1360,7 +1360,9 @@ function prepare-e2e() {
...
@@ -1360,7 +1360,9 @@ function prepare-e2e() {
detect-project
detect-project
}
}
# Writes configure-vm.sh to a temporary location with comments stripped.
# Writes configure-vm.sh to a temporary location with comments stripped. GCE
# limits the size of metadata fields to 32K, and stripping comments is the
# easiest way to buy us a little more room.
function
prepare-startup-script
()
{
function
prepare-startup-script
()
{
sed
'/^\s*#\([^!].*\)*$/ d'
${
KUBE_ROOT
}
/cluster/gce/configure-vm.sh
>
${
KUBE_TEMP
}
/configure-vm.sh
sed
'/^\s*#\([^!].*\)*$/ d'
${
KUBE_ROOT
}
/cluster/gce/configure-vm.sh
>
${
KUBE_TEMP
}
/configure-vm.sh
}
}
cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl
0 → 100644
View file @
32537395
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"client", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:serviceaccounts", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
\ No newline at end of file
cluster/saltbase/salt/kube-apiserver/init.sls
View file @
32537395
{% if grains.cloud is defined %}
{% if grains['cloud'] is defined and grains.cloud in ['aws', 'gce', 'vagrant', 'vsphere'] %}
{% if grains.cloud in ['aws', 'gce', 'vagrant', 'vsphere', 'photon-controller'] %}
# TODO: generate and distribute tokens on other cloud providers.
# TODO: generate and distribute tokens on other cloud providers.
/srv/kubernetes/known_tokens.csv:
/srv/kubernetes/known_tokens.csv:
file.managed:
file.managed:
...
@@ -9,16 +8,20 @@
...
@@ -9,16 +8,20 @@
- mode: 600
- mode: 600
# - watch_in:
# - watch_in:
# - service: kube-apiserver
# - service: kube-apiserver
{% endif %}
{% endif %}
{% if grains['cloud'] is defined and grains.cloud in [ 'aws', 'gce', 'vagrant' ,'vsphere', 'photon-controller'] %}
/srv/kubernetes/basic_auth.csv:
/srv/kubernetes/basic_auth.csv:
file.managed:
file.managed:
- source: salt://kube-apiserver/basic_auth.csv
- source: salt://kube-apiserver/basic_auth.csv
- user: root
- user: root
- group: root
- group: root
- mode: 600
- mode: 600
/srv/kubernetes/abac-authz-policy.jsonl:
file.managed:
- source: salt://kube-apiserver/abac-authz-policy.jsonl
- user: root
- group: root
- mode: 600
{% endif %}
{% endif %}
/var/log/kube-apiserver.log:
/var/log/kube-apiserver.log:
...
...
cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
View file @
32537395
...
@@ -63,22 +63,20 @@
...
@@ -63,22 +63,20 @@
{% set client_ca_file = "--client-ca-file=/srv/kubernetes/ca.crt" -%}
{% set client_ca_file = "--client-ca-file=/srv/kubernetes/ca.crt" -%}
{% endif -%}
{% endif -%}
{% set token_auth_file = "--token-auth-file=/dev/null" -%}
{% set basic_auth_file = "" -%}
{% set min_request_timeout = "" -%}
{% set min_request_timeout = "" -%}
{% if grains.minRequestTimeout is defined -%}
{% if grains.minRequestTimeout is defined -%}
{% set min_request_timeout = "--min-request-timeout=" + grains.minRequestTimeout -%}
{% set min_request_timeout = "--min-request-timeout=" + grains.minRequestTimeout -%}
{% endif -%}
{% endif -%}
{% if grains.cloud is defined -%}
{% set token_auth_file = " --token-auth-file=/dev/null" -%}
{% if grains.cloud in [ 'aws', 'gce', 'vagrant', 'vsphere', 'photon-controller' ] -%}
{% set basic_auth_file = "" -%}
{% set token_auth_file = "--token-auth-file=/srv/kubernetes/known_tokens.csv" -%}
{% set authz_mode = "" -%}
{% endif -%}
{% set abac_policy_file = "" -%}
{% endif -%}
{% if grains['cloud'] is defined and grains.cloud in [ 'aws', 'gce', 'vagrant', 'vsphere'] %}
{% set token_auth_file = " --token-auth-file=/srv/kubernetes/known_tokens.csv" -%}
{% if grains['cloud'] is defined and grains.cloud in [ 'aws', 'gce', 'vagrant', 'vsphere', 'photon-controller' ] %}
{% set basic_auth_file = " --basic-auth-file=/srv/kubernetes/basic_auth.csv" -%}
{% set basic_auth_file = "--basic-auth-file=/srv/kubernetes/basic_auth.csv" -%}
{% set authz_mode = " --authorization-mode=ABAC" -%}
{% set abac_policy_file = " --authorization-policy-file=/srv/kubernetes/abac-authz-policy.jsonl" -%}
{% endif -%}
{% endif -%}
{% set admission_control = "" -%}
{% set admission_control = "" -%}
...
@@ -96,8 +94,8 @@
...
@@ -96,8 +94,8 @@
{% set log_level = pillar['api_server_test_log_level'] -%}
{% set log_level = pillar['api_server_test_log_level'] -%}
{% endif -%}
{% endif -%}
{% set params = address + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file +
" " +
basic_auth_file + " " + min_request_timeout -%}
{% set params = address + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout -%}
{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port +
" " + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options
-%}
{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port +
token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file
-%}
# test_args has to be kept at the end, so they'll overwrite any prior configuration
# test_args has to be kept at the end, so they'll overwrite any prior configuration
{% if pillar['apiserver_test_args'] is defined -%}
{% if pillar['apiserver_test_args'] is defined -%}
...
...
hack/verify-flags/exceptions.txt
View file @
32537395
...
@@ -33,7 +33,7 @@ cluster/photon-controller/util.sh: node_name=${1}
...
@@ -33,7 +33,7 @@ cluster/photon-controller/util.sh: node_name=${1}
cluster/rackspace/util.sh: local node_ip=$(nova show --minimal ${NODE_NAMES[$i]} \
cluster/rackspace/util.sh: local node_ip=$(nova show --minimal ${NODE_NAMES[$i]} \
cluster/saltbase/salt/kube-addons/kube-addons.sh:# Create admission_control objects if defined before any other addon services. If the limits
cluster/saltbase/salt/kube-addons/kube-addons.sh:# Create admission_control objects if defined before any other addon services. If the limits
cluster/saltbase/salt/kube-admission-controls/init.sls:{% if 'LimitRanger' in pillar.get('admission_control', '') %}
cluster/saltbase/salt/kube-admission-controls/init.sls:{% if 'LimitRanger' in pillar.get('admission_control', '') %}
cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest:{% set params = address + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file +
" " +
basic_auth_file + " " + min_request_timeout -%}
cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest:{% set params = address + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout -%}
cluster/saltbase/salt/kube-controller-manager/kube-controller-manager.manifest:{% set params = "--master=127.0.0.1:8080" + " " + cluster_name + " " + cluster_cidr + " " + allocate_node_cidrs + " " + terminated_pod_gc + " " + cloud_provider + " " + cloud_config + " " + service_account_key + " " + log_level + " " + root_ca_file -%}
cluster/saltbase/salt/kube-controller-manager/kube-controller-manager.manifest:{% set params = "--master=127.0.0.1:8080" + " " + cluster_name + " " + cluster_cidr + " " + allocate_node_cidrs + " " + terminated_pod_gc + " " + cloud_provider + " " + cloud_config + " " + service_account_key + " " + log_level + " " + root_ca_file -%}
cluster/saltbase/salt/kube-proxy/kube-proxy.manifest: {% set api_servers_with_port = api_servers + ":6443" -%}
cluster/saltbase/salt/kube-proxy/kube-proxy.manifest: {% set api_servers_with_port = api_servers + ":6443" -%}
cluster/saltbase/salt/kube-proxy/kube-proxy.manifest: {% set api_servers_with_port = api_servers -%}
cluster/saltbase/salt/kube-proxy/kube-proxy.manifest: {% set api_servers_with_port = api_servers -%}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment