From 27c9ee3646f2318ea2dfcf4d69ac000d4b85cd74 Mon Sep 17 00:00:00 2001 From: Andy Zheng Date: Thu, 28 Apr 2016 14:04:28 -0700 Subject: [PATCH] GCI/Trusty: Support ABAC authorization --- build/common.sh | 1 + cluster/gce/trusty/configure-helper.sh | 25 ++++--------------------- 2 files changed, 5 insertions(+), 21 deletions(-) diff --git a/build/common.sh b/build/common.sh index 3d052e3c93..15f8c97831 100755 --- a/build/common.sh +++ b/build/common.sh @@ -904,6 +904,7 @@ function kube::release::package_kube_manifests_tarball() { cp "${salt_dir}/etcd/etcd.manifest" "${dst_dir}" cp "${salt_dir}/kube-scheduler/kube-scheduler.manifest" "${dst_dir}" cp "${salt_dir}/kube-apiserver/kube-apiserver.manifest" "${dst_dir}" + cp "${salt_dir}/kube-apiserver/abac-authz-policy.jsonl" "${dst_dir}" cp "${salt_dir}/kube-controller-manager/kube-controller-manager.manifest" "${dst_dir}" cp "${salt_dir}/kube-addons/namespace.yaml" "${dst_dir}" cp "${salt_dir}/kube-addons/kube-addons.sh" "${dst_dir}" diff --git a/cluster/gce/trusty/configure-helper.sh b/cluster/gce/trusty/configure-helper.sh index 229dcba805..748c1372bc 100644 --- a/cluster/gce/trusty/configure-helper.sh +++ b/cluster/gce/trusty/configure-helper.sh @@ -276,14 +276,6 @@ mount_master_pd() { chgrp -R etcd "${mount_point}/var/etcd" } -# A helper function that adds an entry to a token file. -# $1: account information -# $2: token file -add_token_entry() { - current_token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null) - echo "${current_token},$1,$1" >> $2 -} - # After the first boot and on upgrade, these files exists on the master-pd # and should never be touched again (except perhaps an additional service # account, see NB below.) @@ -310,16 +302,6 @@ create_master_auth() { echo "${KUBE_BEARER_TOKEN},admin,admin" > "${known_tokens_csv}" echo "${KUBELET_TOKEN},kubelet,kubelet" >> "${known_tokens_csv}" echo "${KUBE_PROXY_TOKEN},kube_proxy,kube_proxy" >> "${known_tokens_csv}" - - # Generate tokens for other "service accounts". Append to known_tokens. - # - # NB: If this list ever changes, this script actually has to - # change to detect the existence of this file, kill any deleted - # old tokens and add any new tokens (to handle the upgrade case). - add_token_entry "system:scheduler" "${known_tokens_csv}" - add_token_entry "system:controller_manager" "${known_tokens_csv}" - add_token_entry "system:logging" "${known_tokens_csv}" - add_token_entry "system:monitoring" "${known_tokens_csv}" fi if [ -n "${PROJECT_ID:-}" ] && [ -n "${TOKEN_URL:-}" ] && [ -n "${TOKEN_BODY:-}" ] && [ -n "${NODE_NETWORK:-}" ]; then @@ -433,8 +415,7 @@ start_kube_apiserver() { timeout 30 docker load -i /home/kubernetes/kube-docker-files/kube-apiserver.tar # Calculate variables and assemble the command line. - params="--cloud-provider=gce --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001 --tls-cert-file=/etc/srv/kubernetes/server.cert --tls-private-key-file=/etc/srv/kubernetes/server.key --secure-port=443 --client-ca-file=/etc/srv/kubernetes/ca.crt --token-auth-file=/etc/srv/kubernetes/known_tokens.csv --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv --allow-privileged=true" - params="${params} --etcd-servers-overrides=/events#http://127.0.0.1:4002" + params="--cloud-provider=gce --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001 --tls-cert-file=/etc/srv/kubernetes/server.cert --tls-private-key-file=/etc/srv/kubernetes/server.key --secure-port=443 --client-ca-file=/etc/srv/kubernetes/ca.crt --token-auth-file=/etc/srv/kubernetes/known_tokens.csv --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv --allow-privileged=true --authorization-mode=ABAC --authorization-policy-file=/etc/srv/kubernetes/abac-authz-policy.jsonl --etcd-servers-overrides=/events#http://127.0.0.1:4002" if [ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]; then params="${params} --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}" fi @@ -462,7 +443,9 @@ start_kube_apiserver() { fi readonly kube_apiserver_docker_tag=$(cat /home/kubernetes/kube-docker-files/kube-apiserver.docker_tag) - src_file="/home/kubernetes/kube-manifests/kubernetes/gci-trusty/kube-apiserver.manifest" + src_dir="/home/kubernetes/kube-manifests/kubernetes/gci-trusty" + cp "${src_dir}/abac-authz-policy.jsonl" /etc/srv/kubernetes/ + src_file="${src_dir}/kube-apiserver.manifest" remove_salt_config_comments "${src_file}" # Evaluate variables sed -i -e "s@{{params}}@${params}@g" "${src_file}"