Configuration on K8S master for authentication and/or authorization
okozachenko1203 committed Jan 23, 2024
1 parent e26917a commit d62ccd3
Showing 3 changed files with 109 additions and 22 deletions.
Expand Up @@ -60,6 +60,19 @@ data:
- keystone-role: member
groups: []
---
kind: Service
apiVersion: v1
metadata:
name: k8s-keystone-auth-service
namespace: kube-system
spec:
selector:
app: k8s-keystone-auth
ports:
- protocol: TCP
port: 8443
targetPort: 8443
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
Expand All @@ -72,13 +85,13 @@ spec:
# The controllers can only have a single active instance.
selector:
matchLabels:
k8s-app: k8s-keystone-auth
app: k8s-keystone-auth
template:
metadata:
name: k8s-keystone-auth
namespace: kube-system
labels:
k8s-app: k8s-keystone-auth
app: k8s-keystone-auth
spec:
serviceAccountName: k8s-keystone-auth
tolerations:
Expand Down Expand Up @@ -106,12 +119,6 @@ spec:
- k8s-keystone-auth-policy
- --keystone-url
- {{ auth_url }}
- --sync-configmap-name
- keystone-sync-policy
- --keystone-ca-file
- /etc/kubernetes/pki/ca.crt
- --listen
- 127.0.0.1:8443
volumeMounts:
- mountPath: /etc/kubernetes/pki
name: k8s-certs
Expand Down
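Review bot: The new `k8s-keystone-auth-service` Service makes the authentication/authorization webhook on port 8443 reachable from every pod in the cluster, and nothing in this hunk restricts who may connect to it; the `--listen 127.0.0.1:8443` argument is gone from the DaemonSet, so the pod now binds to whatever the binary's default listen address is (not shown here), which is presumably what lets the Service route to it. Since this endpoint answers TokenReview/SubjectAccessReview for the API server, I would add a NetworkPolicy selecting `app: k8s-keystone-auth` in kube-system that admits ingress on 8443 only from the control-plane nodes, and put a comment above the Service explaining its purpose: `# Reached by kube-apiserver via webhookconfig.yaml; ingress should be limited to control-plane nodes`. The selector and template labels were switched to `app: k8s-keystone-auth`, which is consistent with the Service selector, so the wiring itself looks right.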
Empty file.
108 changes: 94 additions & 14 deletions magnum_cluster_api/resources.py
Expand Up @@ -337,16 +337,13 @@ def get_object(self) -> pykube.ConfigMap:
data = {
**data,
**{
os.path.basename(manifest): image_utils.update_manifest_images(
"keystone-auth.yaml": image_utils.update_manifest_images(
self.cluster.uuid,
manifest,
os.path.join(manifests_path, "keystone-auth/keystone-auth.yaml"),
repository=repository,
auth_url=auth_url,
policy=utils.get_keystone_auth_default_policy(self.cluster),
)
for manifest in glob.glob(
os.path.join(manifests_path, "keystone-auth/*.yaml")
)
},
}

Expand Down Expand Up @@ -557,9 +554,10 @@ def get_object(self) -> pykube.Secret:
class KubeadmControlPlaneTemplate(Base):
def get_object(self) -> objects.KubeadmControlPlaneTemplate:
manifests_path = pkg_resources.resource_filename(
"magnum_cluster_api.manifests", "audit"
"magnum_cluster_api", "manifests"
)
audit_policy = open(os.path.join(manifests_path, "policy.yaml")).read()
audit_policy = open(os.path.join(manifests_path, "audit/policy.yaml")).read()
keystone_auth_webhook = open(os.path.join(manifests_path, "keystone-auth/webhook.yaml")).read()

return objects.KubeadmControlPlaneTemplate(
self.api,
Expand Down Expand Up @@ -601,6 +599,13 @@ def get_object(self) -> objects.KubeadmControlPlaneTemplate:
"content": base64.encode_as_text(audit_policy),
"encoding": "base64",
},
{
"path": "/etc/kubernetes/webhooks/webhookconfig.yaml",
"owner": "root:root"
"permissions": "0644",
"content": base64.encode_as_text(keystone_auth_webhook),
"encoding": "base64",
},
],
"initConfiguration": {
"nodeRegistration": {
Expand Down Expand Up @@ -1062,6 +1067,16 @@ def get_object(self) -> objects.ClusterClass:
},
},
},
{
"name": "enableKeystoneAUth",
"required": True,
"schema": {
"openAPIV3Schema": {
"type": "boolean",
"default": False,
},
},
},
],
"patches": [
{
Expand Down Expand Up @@ -1110,16 +1125,26 @@ def get_object(self) -> objects.ClusterClass:
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes", # noqa: E501
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-", # noqa: E501
"valueFrom": {
"template": textwrap.dedent(
"""\
- name: audit-policy
hostPath: /etc/kubernetes/audit-policy
mountPath: /etc/kubernetes/audit-policy
- name: audit-logs
hostPath: /var/log/kubernetes/audit
mountPath: /var/log/audit
name: audit-policy
hostPath: /etc/kubernetes/audit-policy
mountPath: /etc/kubernetes/audit-policy
"""
),
},
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-", # noqa: E501
"valueFrom": {
"template": textwrap.dedent(
"""\
name: audit-logs
hostPath: /var/log/kubernetes/audit
mountPath: /var/log/audit
"""
),
},
Expand Down Expand Up @@ -1582,6 +1607,57 @@ def get_object(self) -> objects.ClusterClass:
},
],
},
{
"name": "keystoneAuth",
"enabledIf": "{{ if .enableKeystoneAuth }}true{{end}}",
"definitions": [
{
"selector": {
"apiVersion": objects.KubeadmControlPlaneTemplate.version,
"kind": objects.KubeadmControlPlaneTemplate.kind,
"matchResources": {
"controlPlane": True,
},
},
"jsonPatches": [
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/authentication-token-webhook-config-file", # noqa: E501
"valueFrom": {
"variable": "/etc/kubernetes/webhooks/webhookconfig.yaml",
},
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/authorization-webhook-config-file", # noqa: E501
"valueFrom": {
"variable": "/etc/kubernetes/webhooks/webhookconfig.yaml",
},
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/authorization-mode", # noqa: E501
"valueFrom": {
"variable": "Node,RBAC,Webhook",
},
},
{
"op": "add",
"path": "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-", # noqa: E501
"valueFrom": {
"template": textwrap.dedent(
"""\
name: webhooks
hostPath: /etc/kubernetes/webhooks
mountPath: /etc/kubernetes/webhooks
"""
),
},
},
]
}
]
},
{
"name": "controlPlaneConfig",
"definitions": [
Expand Down Expand Up @@ -2113,6 +2189,10 @@ def get_object(self) -> objects.Cluster:
"name": "operatingSystem",
"value": utils.get_operating_system(self.cluster),
},
{
"name": "enableKeystoneAuth",
"value": utils.get_cluster_label_as_bool(self.cluster, "keystone_auth_enabled", True),
},
],
},
},
Expand Down
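Review bot: The new `files` entry in `KubeadmControlPlaneTemplate.get_object` is missing the comma after `"owner": "root:root"`, so the literal concatenates with `"permissions"` and the dict display is a SyntaxError that stops the module from importing; it should read `"owner": "root:root",`. The ClusterClass variable is declared as `"enableKeystoneAUth"` while the `enabledIf` expression and the Cluster-side variable both use `enableKeystoneAuth`, so the required variable can never be satisfied; change it to `"name": "enableKeystoneAuth",`. In the keystoneAuth patch, `valueFrom.variable` is given literal strings (`/etc/kubernetes/webhooks/webhookconfig.yaml`, `Node,RBAC,Webhook`) rather than variable names; as I read the ClusterClass patch schema these should be plain `"value": "..."` literals. Separately, the Cluster side defaults `keystone_auth_enabled` to True while the schema default is False, so the Keystone authn/authz webhooks are switched on for every cluster unless the label opts out, and the API server's authorization mode is widened to `Node,RBAC,Webhook` — worth confirming that is intended. The enclosing `get_object` bodies all extend beyond the hunks shown.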
