Allow webhook authorization #6502

Merged
merged 1 commit into from
Aug 24, 2020
9 changes: 9 additions & 0 deletions inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
Expand Up @@ -69,6 +69,15 @@ kube_users:
# kube_oidc_groups_claim: groups
# kube_oidc_groups_prefix: oidc:

## Variables to control webhook authn/authz
# kube_webhook_token_auth: false
# kube_webhook_token_auth_url: https://...
# kube_webhook_token_auth_url_skip_tls_verify: false

## For webhook authorization, authorization_modes must include Webhook
# kube_webhook_authorization: false
# kube_webhook_authorization_url: https://...
# kube_webhook_authorization_url_skip_tls_verify: false

# Choose network plugin (cilium, calico, contiv, weave or flannel. Use cni for generic cni plugin)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
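Review bot: the comment `## For webhook authorization, authorization_modes must include Webhook` states a requirement that nothing in this change enforces; consider an `assert` in the role (or a line in the docs) so a user who sets `kube_webhook_authorization: true` without adding `Webhook` to `authorization_modes` gets a clear playbook failure rather than an inconsistent API server flag set. A short note that `kube_webhook_authorization_url_skip_tls_verify` should stay `false` outside test clusters would also help, since it disables certificate verification of the authorizer endpoint.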
10 changes: 7 additions & 3 deletions roles/kubernetes/master/defaults/main/main.yml
Expand Up @@ -120,6 +120,13 @@ kube_token_auth: false
kube_oidc_auth: false
kube_webhook_token_auth: false
kube_webhook_token_auth_url_skip_tls_verify: false
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
# kube_webhook_token_auth_url: https://...
kube_webhook_authorization: false
## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/
# kube_webhook_authorization_url: https://...
kube_webhook_authorization_url_skip_tls_verify: false


## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
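Review bot: the heading `## Variables for webhook token authz` is misleading: the linked page is the authorization webhook, which is unrelated to bearer-token authentication; rename it to `## Variables for webhook authorization`. Also, `kube_webhook_authorization_url` has no default here, so enabling `kube_webhook_authorization: true` without it fails with an undefined-variable error at template time; an explicit `assert` with a message naming the variable would make that failure self-explanatory.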
Expand All @@ -136,9 +143,6 @@ kube_webhook_token_auth_url_skip_tls_verify: false
# Optionally include a base64-encoded oidc CA cert
# kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20...

## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
# kube_webhook_token_auth_url: https://...

# List of the preferred NodeAddressTypes to use for kubelet connections.
kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP'

6 changes: 6 additions & 0 deletions roles/kubernetes/master/tasks/main.yml
Expand Up @@ -13,6 +13,12 @@
dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
when: kube_webhook_token_auth|default(false)

- name: Create webhook authorization config
template:
src: webhook-authorization-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
when: kube_webhook_authorization|default(false)
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This default(false) is redundant because the role defines a default. I understand the task above it is also to blame. Just pointing out a stylistic issue here.

- import_tasks: encrypt-at-rest.yml
when:
- kube_encrypt_secret_data
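Review bot: the `template:` task writes a kubeconfig containing the authorizer URL into `{{ kube_config_dir }}` without a `mode:`, so the file's permissions come from the default umask; the API server only needs to read it as root, so `mode: "0640"` (or `0600`) is the safer default, and the same applies to the token-auth task above it. The `|default(false)` remark above stands: `kube_webhook_authorization` is already defined in `defaults/main/main.yml`.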
Expand Up @@ -154,6 +154,9 @@ apiServer:
{% if kube_webhook_token_auth|default(false) %}
authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %}
{% if kube_webhook_authorization|default(false) %}
authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml
{% endif %}
{% if kube_encrypt_secret_data %}
encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %}
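Review bot: `authorization-webhook-config-file` is emitted whenever `kube_webhook_authorization` is true, but nothing here checks that `Webhook` is present in the API server's authorization modes, which the sample inventory comment says is required; guard this block on that condition or add an `assert` so the mismatch fails at playbook time rather than when the API server starts.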
Expand Down Expand Up @@ -218,6 +221,11 @@ apiServer:
hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %}
{% if kube_webhook_authorization|default(false) %}
- name: webhook-authorization-config
hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
{% endif %}
{% if kubernetes_audit or kubernetes_audit_webhook %}
- name: {{ audit_policy_name }}
hostPath: {{ audit_policy_hostpath }}
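Review bot: the new `webhook-authorization-config` extraVolume mounts the kubeconfig without `readOnly: true`; the API server only reads this file, so the mount should be read-only, and the same applies to the `webhook-token-auth-config` mount in the context lines above it.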
@@ -0,0 +1,18 @@
# clusters refers to the remote service.
clusters:
- name: webhook-token-authz-cluster
cluster:
server: {{ kube_webhook_authorization_url }}
insecure-skip-tls-verify: {{ kube_webhook_authorization_url_skip_tls_verify }}

# users refers to the API server's webhook configuration.
users:
- name: webhook-token-authz-user

# kubeconfig files require a context. Provide one for the API server.
current-context: webhook-token-authz
contexts:
- context:
cluster: webhook-token-authz-cluster
user: webhook-token-authz-user
name: webhook-token-authz
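Review bot: the `users:` entry `webhook-token-authz-user` carries no client certificate, key or token, so the API server presents no credential to the authorizer; if the endpoint is expected to authenticate its caller, add optional `client-certificate`/`client-key` (or `token`) variables. There is also no `certificate-authority` field, which leaves only the system trust store or `insecure-skip-tls-verify` for a privately signed endpoint; an optional CA variable would keep users from reaching for skip-verify. Finally, the names `webhook-token-authz-*` conflate this with token authentication; `webhook-authz-*` would read more clearly.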