Commit 20003bdc authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #38626 from deads2k/rbac-21-e2e-enable

Automatic merge from submit-queue Enforce the RBAC authorizer in e2e for controllers and proxy Turns on RBAC and updates the GCE controllers to use discrete service accounts. Opening pull to start completing roles.
parents 1955ed61 17f600d6
...@@ -208,8 +208,9 @@ function create-master-auth { ...@@ -208,8 +208,9 @@ function create-master-auth {
local -r known_tokens_csv="${auth_dir}/known_tokens.csv" local -r known_tokens_csv="${auth_dir}/known_tokens.csv"
if [[ ! -e "${known_tokens_csv}" ]]; then if [[ ! -e "${known_tokens_csv}" ]]; then
echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}" echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}"
echo "${KUBELET_TOKEN},kubelet,kubelet" >> "${known_tokens_csv}" echo "${KUBE_CONTROLLER_MANAGER_TOKEN},system:kube-controller-manager,uid:system:kube-controller-manager" >> "${known_tokens_csv}"
echo "${KUBE_PROXY_TOKEN},kube_proxy,kube_proxy" >> "${known_tokens_csv}" echo "${KUBELET_TOKEN},system:node:node-name,uid:kubelet,system:nodes" >> "${known_tokens_csv}"
echo "${KUBE_PROXY_TOKEN},system:kube-proxy,uid:kube_proxy" >> "${known_tokens_csv}"
fi fi
local use_cloud_config="false" local use_cloud_config="false"
cat <<EOF >/etc/gce.conf cat <<EOF >/etc/gce.conf
...@@ -354,6 +355,7 @@ function create-master-kubelet-auth { ...@@ -354,6 +355,7 @@ function create-master-kubelet-auth {
REGISTER_MASTER_KUBELET="true" REGISTER_MASTER_KUBELET="true"
create-kubelet-kubeconfig create-kubelet-kubeconfig
fi fi
} }
function create-kubeproxy-kubeconfig { function create-kubeproxy-kubeconfig {
...@@ -378,6 +380,30 @@ current-context: service-account-context ...@@ -378,6 +380,30 @@ current-context: service-account-context
EOF EOF
} }
function create-kubecontrollermanager-kubeconfig {
echo "Creating kube-controller-manager kubeconfig file"
mkdir -p /etc/srv/kubernetes/kube-controller-manager
cat <<EOF >/etc/srv/kubernetes/kube-controller-manager/kubeconfig
apiVersion: v1
kind: Config
users:
- name: kube-controller-manager
user:
token: ${KUBE_CONTROLLER_MANAGER_TOKEN}
clusters:
- name: local
cluster:
insecure-skip-tls-verify: true
server: https://localhost:443
contexts:
- context:
cluster: local
user: kube-controller-manager
name: service-account-context
current-context: service-account-context
EOF
}
function create-master-etcd-auth { function create-master-etcd-auth {
if [[ -n "${ETCD_CA_CERT:-}" && -n "${ETCD_PEER_KEY:-}" && -n "${ETCD_PEER_CERT:-}" ]]; then if [[ -n "${ETCD_CA_CERT:-}" && -n "${ETCD_PEER_KEY:-}" && -n "${ETCD_PEER_CERT:-}" ]]; then
local -r auth_dir="/etc/srv/kubernetes" local -r auth_dir="/etc/srv/kubernetes"
...@@ -838,7 +864,7 @@ function start-kube-apiserver { ...@@ -838,7 +864,7 @@ function start-kube-apiserver {
webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}}," webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}},"
fi fi
params+=" --authorization-mode=ABAC" params+=" --authorization-mode=RBAC,ABAC"
local webhook_config_mount="" local webhook_config_mount=""
local webhook_config_volume="" local webhook_config_volume=""
if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
...@@ -897,11 +923,13 @@ function start-kube-apiserver { ...@@ -897,11 +923,13 @@ function start-kube-apiserver {
# DOCKER_REGISTRY # DOCKER_REGISTRY
function start-kube-controller-manager { function start-kube-controller-manager {
echo "Start kubernetes controller-manager" echo "Start kubernetes controller-manager"
create-kubecontrollermanager-kubeconfig
prepare-log-file /var/log/kube-controller-manager.log prepare-log-file /var/log/kube-controller-manager.log
# Calculate variables and assemble the command line. # Calculate variables and assemble the command line.
local params="${CONTROLLER_MANAGER_TEST_LOG_LEVEL:-"--v=2"} ${CONTROLLER_MANAGER_TEST_ARGS:-} ${CLOUD_CONFIG_OPT}" local params="${CONTROLLER_MANAGER_TEST_LOG_LEVEL:-"--v=2"} ${CONTROLLER_MANAGER_TEST_ARGS:-} ${CLOUD_CONFIG_OPT}"
params+=" --use-service-account-credentials"
params+=" --cloud-provider=gce" params+=" --cloud-provider=gce"
params+=" --master=127.0.0.1:8080" params+=" --kubeconfig=/etc/srv/kubernetes/kube-controller-manager/kubeconfig"
params+=" --root-ca-file=/etc/srv/kubernetes/ca.crt" params+=" --root-ca-file=/etc/srv/kubernetes/ca.crt"
params+=" --service-account-private-key-file=/etc/srv/kubernetes/server.key" params+=" --service-account-private-key-file=/etc/srv/kubernetes/server.key"
if [[ -n "${ENABLE_GARBAGE_COLLECTOR:-}" ]]; then if [[ -n "${ENABLE_GARBAGE_COLLECTOR:-}" ]]; then
...@@ -1253,6 +1281,9 @@ if [[ -n "${KUBE_USER:-}" ]]; then ...@@ -1253,6 +1281,9 @@ if [[ -n "${KUBE_USER:-}" ]]; then
fi fi
fi fi
# generate the controller manager token here since its only used on the master.
KUBE_CONTROLLER_MANAGER_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
setup-os-params setup-os-params
config-ip-firewall config-ip-firewall
create-dirs create-dirs
......
...@@ -2,7 +2,6 @@ ...@@ -2,7 +2,6 @@
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}} {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"{{kube_user}}", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}} {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"{{kube_user}}", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}} {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}} {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"client", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}} {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"client", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:serviceaccounts", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}} {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:serviceaccounts", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
\ No newline at end of file
...@@ -21,6 +21,7 @@ go_library( ...@@ -21,6 +21,7 @@ go_library(
"//pkg/auth/authorizer:go_default_library", "//pkg/auth/authorizer:go_default_library",
"//pkg/auth/user:go_default_library", "//pkg/auth/user:go_default_library",
"//pkg/util/errors:go_default_library", "//pkg/util/errors:go_default_library",
"//vendor:github.com/golang/glog",
], ],
) )
......
...@@ -18,6 +18,8 @@ limitations under the License. ...@@ -18,6 +18,8 @@ limitations under the License.
package rbac package rbac
import ( import (
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/apis/rbac" "k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/apis/rbac/validation" "k8s.io/kubernetes/pkg/apis/rbac/validation"
"k8s.io/kubernetes/pkg/auth/authorizer" "k8s.io/kubernetes/pkg/auth/authorizer"
...@@ -42,6 +44,9 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo ...@@ -42,6 +44,9 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
return true, "", nil return true, "", nil
} }
glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(),
requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource())
return false, "", ruleResolutionError return false, "", ruleResolutionError
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment