GCI/Trusty: Support ABAC authorization
Andy Zheng committed Apr 28, 2016
1 parent 7a72541 commit 27c9ee3
Showing 2 changed files with 5 additions and 21 deletions.
1 change: 1 addition & 0 deletions build/common.sh
Expand Up @@ -904,6 +904,7 @@ function kube::release::package_kube_manifests_tarball() {
cp "${salt_dir}/etcd/etcd.manifest" "${dst_dir}"
cp "${salt_dir}/kube-scheduler/kube-scheduler.manifest" "${dst_dir}"
cp "${salt_dir}/kube-apiserver/kube-apiserver.manifest" "${dst_dir}"
cp "${salt_dir}/kube-apiserver/abac-authz-policy.jsonl" "${dst_dir}"
cp "${salt_dir}/kube-controller-manager/kube-controller-manager.manifest" "${dst_dir}"
cp "${salt_dir}/kube-addons/namespace.yaml" "${dst_dir}"
cp "${salt_dir}/kube-addons/kube-addons.sh" "${dst_dir}"
25 changes: 4 additions & 21 deletions cluster/gce/trusty/configure-helper.sh
Expand Up @@ -276,14 +276,6 @@ mount_master_pd() {
chgrp -R etcd "${mount_point}/var/etcd"
}

# A helper function that adds an entry to a token file.
# $1: account information
# $2: token file
add_token_entry() {
current_token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
echo "${current_token},$1,$1" >> $2
}

# After the first boot and on upgrade, these files exists on the master-pd
# and should never be touched again (except perhaps an additional service
# account, see NB below.)
Expand All @@ -310,16 +302,6 @@ create_master_auth() {
echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}"
echo "${KUBELET_TOKEN},kubelet,kubelet" >> "${known_tokens_csv}"
echo "${KUBE_PROXY_TOKEN},kube_proxy,kube_proxy" >> "${known_tokens_csv}"

# Generate tokens for other "service accounts". Append to known_tokens.
#
# NB: If this list ever changes, this script actually has to
# change to detect the existence of this file, kill any deleted
# old tokens and add any new tokens (to handle the upgrade case).
add_token_entry "system:scheduler" "${known_tokens_csv}"
add_token_entry "system:controller_manager" "${known_tokens_csv}"
add_token_entry "system:logging" "${known_tokens_csv}"
add_token_entry "system:monitoring" "${known_tokens_csv}"
fi

if [ -n "${PROJECT_ID:-}" ] && [ -n "${TOKEN_URL:-}" ] && [ -n "${TOKEN_BODY:-}" ] && [ -n "${NODE_NETWORK:-}" ]; then
Expand Down Expand Up @@ -433,8 +415,7 @@ start_kube_apiserver() {
timeout 30 docker load -i /home/kubernetes/kube-docker-files/kube-apiserver.tar

# Calculate variables and assemble the command line.
params="--cloud-provider=gce --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001 --tls-cert-file=/etc/srv/kubernetes/server.cert --tls-private-key-file=/etc/srv/kubernetes/server.key --secure-port=443 --client-ca-file=/etc/srv/kubernetes/ca.crt --token-auth-file=/etc/srv/kubernetes/known_tokens.csv --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv --allow-privileged=true"
params="${params} --etcd-servers-overrides=/events#http://127.0.0.1:4002"
params="--cloud-provider=gce --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001 --tls-cert-file=/etc/srv/kubernetes/server.cert --tls-private-key-file=/etc/srv/kubernetes/server.key --secure-port=443 --client-ca-file=/etc/srv/kubernetes/ca.crt --token-auth-file=/etc/srv/kubernetes/known_tokens.csv --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv --allow-privileged=true --authorization-mode=ABAC --authorization-policy-file=/etc/srv/kubernetes/abac-authz-policy.jsonl --etcd-servers-overrides=/events#http://127.0.0.1:4002"
if [ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]; then
params="${params} --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
fi
Expand Down Expand Up @@ -462,7 +443,9 @@ start_kube_apiserver() {
fi
readonly kube_apiserver_docker_tag=$(cat /home/kubernetes/kube-docker-files/kube-apiserver.docker_tag)

src_file="/home/kubernetes/kube-manifests/kubernetes/gci-trusty/kube-apiserver.manifest"
src_dir="/home/kubernetes/kube-manifests/kubernetes/gci-trusty"
cp "${src_dir}/abac-authz-policy.jsonl" /etc/srv/kubernetes/
src_file="${src_dir}/kube-apiserver.manifest"
remove_salt_config_comments "${src_file}"
# Evaluate variables
sed -i -e "s@{{params}}@${params}@g" "${src_file}"
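Review bot: The surviving context comment in create_master_auth, `# account, see NB below.)`, still points at the "NB: If this list ever changes…" paragraph that this commit deletes together with the add_token_entry calls, so the comment now dangles; shorten it to `# and should never be touched again.` or reword it to say the token file is only written on first boot. The enclosing function starts and ends outside the hunk. Separately, in start_kube_apiserver the new `cp "${src_dir}/abac-authz-policy.jsonl" /etc/srv/kubernetes/` places the authorization policy beside the server key and token files with whatever mode the source carries, and, unlike the known_tokens file, it is re-copied on every boot; since this file decides which identities may call the API, a one-line comment stating that the overwrite on each boot is intentional, plus an explicit `chmod 0644 /etc/srv/kubernetes/abac-authz-policy.jsonl` (or tighter) if the source mode is not already controlled, would make that contract visible to the next maintainer.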
