Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

append an abac rule for $KUBE_USER. #29164

Merged
merged 1 commit into from
Jul 21, 2016
Merged

append an abac rule for $KUBE_USER. #29164

merged 1 commit into from
Jul 21, 2016
+16 −2

Conversation

cjcullen
Copy link
Member

Allows the specified basic-auth credentials to be authorized against all resources.

Fixes #28869.

@k8s-github-robot k8s-github-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note-label-needed labels Jul 19, 2016
@cjcullen
Copy link
Member Author

Doesn't look like this is correct on our debian-based scripts.

@adityakali
Copy link
Contributor

I am not too familiar with salt, but the way I have seen this done in the past is to add a configurable variable in salt config, it your case, you can in https://github.com/kubernetes/kubernetes/blob/master/cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl something like:

{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"{{kube_user}}", "namespace": "", "resource": "", "apiGroup": "", "nonResourcePath": ""}

and then
on debian: use saltstack to set the variable
on gci: use 'sed' to substitute it with value of KUBE_USER

@cjcullen cjcullen mentioned this pull request Jul 19, 2016
Closed
@cjcullen
Copy link
Member Author

@adityakali Yeah you're right. I'll do this in the more "salty" way.

@cjcullen cjcullen force-pushed the customuser branch 5 times, most recently from ac74be2 to be385d1 Compare July 20, 2016 00:29
@cjcullen
Copy link
Member Author

Okay, should be in a cleaner state now.

  • Added a line to abac-authz-policy.jsonl w/ the user specified by jinja variable {{kube_user}}
  • On Debian, configure-vm.sh puts $KUBE_USER into grains.kube_user for salt. Then the abac file is treated as a jinja template, so the value of $KUBE_USER gets into that line I added.
  • On GCI/Trusty, configure-helper.sh removes the jinja line, and replaces {{kube_user}} w/ the value of $KUBE_USER before copying the abac file.

PTAL

@adityakali
Copy link
Contributor

LGTM

@cjcullen cjcullen added release-note Denotes a PR that will be considered when it comes time to generate release notes. cherrypick-candidate labels Jul 20, 2016
@cjcullen cjcullen added this to the v1.3 milestone Jul 20, 2016
zmerlynn
zmerlynn reviewed Jul 20, 2016
View reviewed changes
cluster/gce/gci/configure-helper.sh
local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
remove-salt-config-comments "${abac_policy_json}"
sed -i -e "s@{{kube_user}}@${KUBE_USER}@g" "${abac_policy_json}"
cp ${abac_policy_json} /etc/srv/kubernetes/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: (and below) quotes: "${abac_policy_json}"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done and done.

@zmerlynn
Copy link
Member

LGTM except nit. Fix and feel free to self-apply label.

@cjcullen cjcullen force-pushed the customuser branch 2 times, most recently from c9593ba to 8de63a0 Compare July 20, 2016 23:32
@cjcullen cjcullen added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 21, 2016
@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 21, 2016
@cjcullen
Copy link
Member Author

Change was just a rebase to get past the docs verification error from yesterday. Reapplying LGTM.

@cjcullen cjcullen added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 21, 2016
@k8s-bot
Copy link

k8s-bot commented Jul 21, 2016

GCE e2e build/test passed for commit e559e30.

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 8972b4a into kubernetes:master Jul 21, 2016
@cjcullen cjcullen mentioned this pull request Jul 21, 2016
Merged
@justinsb justinsb mentioned this pull request Jul 22, 2016
Closed
justinsb added a commit to justinsb/kubernetes that referenced this pull request Jul 22, 2016
@justinsb
AWS kube-up: export kube_user to salt
55d0d3b 
This was done for GCE in kubernetes#29164, but not for AWS.

Fixes kubernetes#29424
@justinsb justinsb mentioned this pull request Jul 22, 2016
Merged
k8s-github-robot pushed a commit that referenced this pull request Jul 22, 2016
Merge pull request #29428 from justinsb/aws_abac
33f96bb 
Automatic merge from submit-queue

AWS kube-up: export kube_user to salt

This was done for GCE in #29164, but not for AWS.

Fixes #29424
@cjcullen cjcullen mentioned this pull request Jul 22, 2016
Merged
justinsb added a commit to justinsb/kubernetes that referenced this pull request Jul 23, 2016
@justinsb
AWS kube-up: export kube_user to salt
8e8dc17 
This was done for GCE in kubernetes#29164, but not for AWS.

Fixes kubernetes#29424
k8s-github-robot pushed a commit that referenced this pull request Jul 23, 2016
Merge pull request #29475 from cjcullen/customuser
d173428 
Automatic merge from submit-queue

export KUBE_USER to salt (support custom usernames) for vagrant, vsph…

GCE/GKE were handled in #29164, AWS was handled in #29428. This should cover the rest of the configurations that use ABAC.
@fabioy fabioy added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jul 24, 2016
@cjcullen cjcullen mentioned this pull request Jul 25, 2016
Merged
k8s-github-robot pushed a commit that referenced this pull request Jul 25, 2016
Merge pull request #29393 from cjcullen/automated-cherry-pick-of-#291…
74e738c 
…64-upstream-release-1.3

Automatic merge from submit-queue

Automated cherry pick of #29164

Cherry pick of #29164 on release-1.3.
@k8s-cherrypick-bot
Copy link

Commit found in the "release-1.3" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.

fabioy added a commit that referenced this pull request Jul 27, 2016
@fabioy
Revert "Automated cherry pick of #29164"
3ef3bbe
zefciu pushed a commit to zefciu/kubernetes that referenced this pull request Jul 28, 2016
@justinsb @zefciu
AWS kube-up: export kube_user to salt
2d9c16b 
This was done for GCE in kubernetes#29164, but not for AWS.

Fixes kubernetes#29424
shyamjvs pushed a commit to shyamjvs/kubernetes that referenced this pull request Dec 1, 2016
@justinsb
AWS kube-up: export kube_user to salt
681a8ff 
This was done for GCE in kubernetes#29164, but not for AWS.

Fixes kubernetes#29424
shyamjvs pushed a commit to shyamjvs/kubernetes that referenced this pull request Dec 1, 2016
Merge pull request kubernetes#29393 from cjcullen/automated-cherry-pi…
553b58d 
…ck-of-#29164-upstream-release-1.3

Automatic merge from submit-queue

Automated cherry pick of kubernetes#29164

Cherry pick of kubernetes#29164 on release-1.3.
shouhong pushed a commit to shouhong/kubernetes that referenced this pull request Feb 14, 2017
@fabioy
Revert "Automated cherry pick of kubernetes#29164"
1976030
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@zmerlynn zmerlynn

@eparis eparis

@adityakali adityakali

Labels
cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.3
Development

Successfully merging this pull request may close these issues.
9 participants
@cjcullen @adityakali @zmerlynn @k8s-bot @k8s-github-robot @k8s-cherrypick-bot @googlebot @fabioy @eparis