Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
b95f5286
Unverified
Commit
b95f5286
authored
Mar 22, 2017
by
Jordan Liggitt
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Default to enabling legacy ABAC policy in non-test GCE kube-up.sh environments
parent
5f39ef81
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
40 additions
and
11 deletions
+40
-11
common.sh
cluster/common.sh
+1
-0
config-default.sh
cluster/gce/config-default.sh
+3
-0
config-test.sh
cluster/gce/config-test.sh
+11
-0
configure-helper.sh
cluster/gce/container-linux/configure-helper.sh
+19
-3
configure-helper.sh
cluster/gce/gci/configure-helper.sh
+6
-8
No files found.
cluster/common.sh
View file @
b95f5286
...
...
@@ -753,6 +753,7 @@ NUM_NODES: $(yaml-quote ${NUM_NODES})
STORAGE_BACKEND:
$(
yaml-quote
${
STORAGE_BACKEND
:-
etcd3
})
STORAGE_MEDIA_TYPE:
$(
yaml-quote
${
STORAGE_MEDIA_TYPE
:-})
ENABLE_GARBAGE_COLLECTOR:
$(
yaml-quote
${
ENABLE_GARBAGE_COLLECTOR
:-})
ENABLE_LEGACY_ABAC:
$(
yaml-quote
${
ENABLE_LEGACY_ABAC
:-})
MASTER_ADVERTISE_ADDRESS:
$(
yaml-quote
${
MASTER_ADVERTISE_ADDRESS
:-})
ETCD_CA_KEY:
$(
yaml-quote
${
ETCD_CA_KEY_BASE64
:-})
ETCD_CA_CERT:
$(
yaml-quote
${
ETCD_CA_CERT_BASE64
:-})
...
...
cluster/gce/config-default.sh
View file @
b95f5286
...
...
@@ -204,6 +204,9 @@ SCHEDULING_ALGORITHM_PROVIDER="${SCHEDULING_ALGORITHM_PROVIDER:-}"
# Optional: install a default StorageClass
ENABLE_DEFAULT_STORAGE_CLASS
=
"
${
ENABLE_DEFAULT_STORAGE_CLASS
:-
true
}
"
# Optional: Enable legacy ABAC policy that makes all service accounts superusers.
ENABLE_LEGACY_ABAC
=
"
${
ENABLE_LEGACY_ABAC
:-
true
}
"
# true, false
# TODO(dawn1107): Remove this once the flag is built into CVM image.
# Kernel panic upon soft lockup issue
SOFTLOCKUP_PANIC
=
"
${
SOFTLOCKUP_PANIC
:-
false
}
"
# true, false
...
...
cluster/gce/config-test.sh
View file @
b95f5286
...
...
@@ -241,6 +241,17 @@ SCHEDULING_ALGORITHM_PROVIDER="${SCHEDULING_ALGORITHM_PROVIDER:-}"
# Optional: install a default StorageClass
ENABLE_DEFAULT_STORAGE_CLASS
=
"
${
ENABLE_DEFAULT_STORAGE_CLASS
:-
true
}
"
# Optional: Enable legacy ABAC policy that makes all service accounts superusers.
if
[[
"
${
E2E_UPGRADE_TEST
:-}
"
==
"true"
]]
;
then
# Enable (match the regular default) when running upgrade tests (E2E_UPGRADE_TEST=true is set by upgrade CI jobs).
# This ensures the combination of legacy ABAC and default RBAC policies work properly for upgrade scenarios.
ENABLE_LEGACY_ABAC
=
"
${
ENABLE_LEGACY_ABAC
:-
true
}
"
# true, false
else
# Disable by default when running regular e2e tests.
# This ensures default RBAC policies alone are sufficient for e2e tests from 1.6+
ENABLE_LEGACY_ABAC
=
"
${
ENABLE_LEGACY_ABAC
:-
false
}
"
# true, false
fi
# TODO(dawn1107): Remove this once the flag is built into CVM image.
# Kernel panic upon soft lockup issue
SOFTLOCKUP_PANIC
=
"
${
SOFTLOCKUP_PANIC
:-
true
}
"
# true, false
cluster/gce/container-linux/configure-helper.sh
View file @
b95f5286
...
...
@@ -889,10 +889,27 @@ function start-kube-apiserver {
fi
local
authorization_mode
=
"RBAC"
if
[[
-n
"
${
ABAC_AUTHZ_FILE
:-}
"
&&
-e
"
${
ABAC_AUTHZ_FILE
}
"
]]
;
then
params+
=
" --authorization-policy-file=
${
ABAC_AUTHZ_FILE
}
"
local
-r
src_dir
=
"
${
KUBE_HOME
}
/kube-manifests/kubernetes/gci-trusty"
# Enable ABAC mode unless the user explicitly opts out with ENABLE_LEGACY_ABAC=false
if
[[
"
${
ENABLE_LEGACY_ABAC
:-}
"
!=
"false"
]]
;
then
echo
"Warning: Enabling legacy ABAC policy. All service accounts will have superuser API access. Set ENABLE_LEGACY_ABAC=false to disable this."
# Create the ABAC file if it doesn't exist yet, or if we have a KUBE_USER set (to ensure the right user is given permissions)
if
[[
-n
"
${
KUBE_USER
:-}
"
||
!
-e
/etc/srv/kubernetes/abac-authz-policy.jsonl
]]
;
then
local
-r
abac_policy_json
=
"
${
src_dir
}
/abac-authz-policy.jsonl"
remove-salt-config-comments
"
${
abac_policy_json
}
"
if
[[
-n
"
${
KUBE_USER
:-}
"
]]
;
then
sed
-i
-e
"s/{{kube_user}}/
${
KUBE_USER
}
/g"
"
${
abac_policy_json
}
"
else
sed
-i
-e
"/{{kube_user}}/d"
"
${
abac_policy_json
}
"
fi
cp
"
${
abac_policy_json
}
"
/etc/srv/kubernetes/
fi
params+
=
" --authorization-policy-file=/etc/srv/kubernetes/abac-authz-policy.jsonl"
authorization_mode+
=
",ABAC"
fi
local
webhook_config_mount
=
""
local
webhook_config_volume
=
""
if
[[
-n
"
${
GCP_AUTHZ_URL
:-}
"
]]
;
then
...
...
@@ -901,7 +918,6 @@ function start-kube-apiserver {
webhook_config_mount
=
"{
\"
name
\"
:
\"
webhookconfigmount
\"
,
\"
mountPath
\"
:
\"
/etc/gcp_authz.config
\"
,
\"
readOnly
\"
: false},"
webhook_config_volume
=
"{
\"
name
\"
:
\"
webhookconfigmount
\"
,
\"
hostPath
\"
: {
\"
path
\"
:
\"
/etc/gcp_authz.config
\"
}},"
fi
local
-r
src_dir
=
"
${
KUBE_HOME
}
/kube-manifests/kubernetes/gci-trusty"
params+
=
" --authorization-mode=
${
authorization_mode
}
"
local
container_env
=
""
...
...
cluster/gce/gci/configure-helper.sh
View file @
b95f5286
...
...
@@ -1092,8 +1092,10 @@ function start-kube-apiserver {
local
authorization_mode
=
"RBAC"
local
-r
src_dir
=
"
${
KUBE_HOME
}
/kube-manifests/kubernetes/gci-trusty"
# Create the ABAC file only if it's explicitly requested.
if
[[
-n
"
${
ENABLE_LEGACY_ABAC_16_ONLY
:-}
"
]]
;
then
# Enable ABAC mode unless the user explicitly opts out with ENABLE_LEGACY_ABAC=false
if
[[
"
${
ENABLE_LEGACY_ABAC
:-}
"
!=
"false"
]]
;
then
echo
"Warning: Enabling legacy ABAC policy. All service accounts will have superuser API access. Set ENABLE_LEGACY_ABAC=false to disable this."
# Create the ABAC file if it doesn't exist yet, or if we have a KUBE_USER set (to ensure the right user is given permissions)
if
[[
-n
"
${
KUBE_USER
:-}
"
||
!
-e
/etc/srv/kubernetes/abac-authz-policy.jsonl
]]
;
then
local
-r
abac_policy_json
=
"
${
src_dir
}
/abac-authz-policy.jsonl"
remove-salt-config-comments
"
${
abac_policy_json
}
"
...
...
@@ -1104,15 +1106,11 @@ function start-kube-apiserver {
fi
cp
"
${
abac_policy_json
}
"
/etc/srv/kubernetes/
fi
fi
# Load existing ABAC policy files written by versions < 1.6 of this script
# TODO: only default to this legacy path when in upgrade mode
local
abac_authorization_file
=
"
${
ABAC_AUTHZ_FILE
:-
/etc/srv/kubernetes/abac-authz-policy.jsonl
}
"
if
[[
-n
"
${
abac_authorization_file
:-}
"
&&
-e
"
${
abac_authorization_file
}
"
]]
;
then
params+
=
" --authorization-policy-file=
${
abac_authorization_file
}
"
params+
=
" --authorization-policy-file=/etc/srv/kubernetes/abac-authz-policy.jsonl"
authorization_mode+
=
",ABAC"
fi
local
webhook_config_mount
=
""
local
webhook_config_volume
=
""
if
[[
-n
"
${
GCP_AUTHZ_URL
:-}
"
]]
;
then
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment