mirror of https://github.com/k3s-io/k3s
Merge pull request #72491 from liggitt/delegated-auth-permissions
Ensure controller manager and scheduler can perform delegated auth checkspull/564/head
Kubernetes Prow Robot
GitHub
commit
834c9a5e3d
|
|
@ -23,6 +23,7 @@ import (
|
|||
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
|
||||
)
|
||||
|
||||
|
|
@ -119,10 +120,15 @@ func init() {
|
|||
rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(),
|
||||
},
|
||||
})
|
||||
|
||||
delegatedAuthBinding := rbacv1helpers.NewRoleBinding("extension-apiserver-authentication-reader", metav1.NamespaceSystem).Users(user.KubeControllerManager, user.KubeScheduler).BindingOrDie()
|
||||
delegatedAuthBinding.Name = "system::extension-apiserver-authentication-reader"
|
||||
addNamespaceRoleBinding(metav1.NamespaceSystem, delegatedAuthBinding)
|
||||
|
||||
addNamespaceRoleBinding(metav1.NamespaceSystem,
|
||||
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
|
||||
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).Users(user.KubeControllerManager).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
|
||||
addNamespaceRoleBinding(metav1.NamespaceSystem,
|
||||
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
|
||||
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).Users(user.KubeScheduler).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
|
||||
addNamespaceRoleBinding(metav1.NamespaceSystem,
|
||||
rbacv1helpers.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie())
|
||||
// cloud-provider is deprecated starting Kubernetes 1.10 and will be deleted according to GA deprecation policy.
|
||||
|
|
|
|||
|
|
@ -402,6 +402,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
|
|||
rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
|
||||
// Needed to check API access. These creates are non-mutating
|
||||
rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
|
||||
rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
|
||||
// Needed for all shared informers
|
||||
rbacv1helpers.NewRule("list", "watch").Groups("*").Resources("*").RuleOrDie(),
|
||||
},
|
||||
|
|
@ -429,6 +430,9 @@ func ClusterRoles() []rbacv1.ClusterRole {
|
|||
// things that pods use or applies to them
|
||||
rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
||||
rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
|
||||
// Needed to check API access. These creates are non-mutating
|
||||
rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
|
||||
rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
|
||||
},
|
||||
},
|
||||
{
|
||||
|
|
|
|||
|
|
@ -658,6 +658,12 @@ items:
|
|||
- tokenreviews
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- authorization.k8s.io
|
||||
resources:
|
||||
- subjectaccessreviews
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
|
|
@ -792,6 +798,18 @@ items:
|
|||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- authentication.k8s.io
|
||||
resources:
|
||||
- tokenreviews
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- authorization.k8s.io
|
||||
resources:
|
||||
- subjectaccessreviews
|
||||
verbs:
|
||||
- create
|
||||
- apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
|
|
|||
|
|
@ -18,6 +18,27 @@ items:
|
|||
- kind: ServiceAccount
|
||||
name: bootstrap-signer
|
||||
namespace: kube-system
|
||||
- apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
annotations:
|
||||
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
kubernetes.io/bootstrapping: rbac-defaults
|
||||
name: system::extension-apiserver-authentication-reader
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: extension-apiserver-authentication-reader
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: User
|
||||
name: system:kube-controller-manager
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: User
|
||||
name: system:kube-scheduler
|
||||
- apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
|
|
@ -33,6 +54,9 @@ items:
|
|||
kind: Role
|
||||
name: system::leader-locking-kube-controller-manager
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: User
|
||||
name: system:kube-controller-manager
|
||||
- kind: ServiceAccount
|
||||
name: kube-controller-manager
|
||||
namespace: kube-system
|
||||
|
|
@ -51,6 +75,9 @@ items:
|
|||
kind: Role
|
||||
name: system::leader-locking-kube-scheduler
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: User
|
||||
name: system:kube-scheduler
|
||||
- kind: ServiceAccount
|
||||
name: kube-scheduler
|
||||
namespace: kube-system
|
||||
|
|
|
|||
|
|
@ -22,11 +22,8 @@ go_test(
|
|||
"//cmd/kube-controller-manager/app/testing:go_default_library",
|
||||
"//cmd/kube-scheduler/app/testing:go_default_library",
|
||||
"//pkg/cloudprovider/providers/fake:go_default_library",
|
||||
"//staging/src/k8s.io/api/rbac/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||
"//staging/src/k8s.io/cloud-provider:go_default_library",
|
||||
"//test/integration/framework:go_default_library",
|
||||
],
|
||||
|
|
|
|||
|
|
@ -28,11 +28,8 @@ import (
|
|||
"strings"
|
||||
"testing"
|
||||
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
"k8s.io/apiserver/pkg/server/options"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/cloud-provider"
|
||||
cloudctrlmgrtesting "k8s.io/kubernetes/cmd/cloud-controller-manager/app/testing"
|
||||
kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
|
||||
|
|
@ -49,6 +46,8 @@ type componentTester interface {
|
|||
type kubeControllerManagerTester struct{}
|
||||
|
||||
func (kubeControllerManagerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, *server.DeprecatedInsecureServingInfo, func(), error) {
|
||||
// avoid starting any controller loops, we're just testing serving
|
||||
customFlags = append([]string{"--controllers="}, customFlags...)
|
||||
gotResult, err := kubectrlmgrtesting.StartTestServer(t, customFlags)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
|
|
@ -96,7 +95,7 @@ func TestComponentSecureServingAndAuth(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
tokenFile.WriteString(fmt.Sprintf(`
|
||||
%s,controller-manager,controller-manager,""
|
||||
%s,system:kube-controller-manager,system:kube-controller-manager,""
|
||||
`, token))
|
||||
tokenFile.Close()
|
||||
|
||||
|
|
@ -107,44 +106,6 @@ func TestComponentSecureServingAndAuth(t *testing.T) {
|
|||
}, framework.SharedEtcd())
|
||||
defer server.TearDownFn()
|
||||
|
||||
// allow controller-manager to do SubjectAccessReview
|
||||
client, err := kubernetes.NewForConfig(server.ClientConfig)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error creating client config: %v", err)
|
||||
}
|
||||
_, err = client.RbacV1().ClusterRoleBindings().Create(&rbacv1.ClusterRoleBinding{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "controller-manager:system:auth-delegator"},
|
||||
Subjects: []rbacv1.Subject{{
|
||||
Kind: "User",
|
||||
Name: "controller-manager",
|
||||
}},
|
||||
RoleRef: rbacv1.RoleRef{
|
||||
APIGroup: "rbac.authorization.k8s.io",
|
||||
Kind: "ClusterRole",
|
||||
Name: "system:auth-delegator",
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("failed to create system:auth-delegator rbac cluster role binding: %v", err)
|
||||
}
|
||||
|
||||
// allow controller-manager to read kube-system/extension-apiserver-authentication
|
||||
_, err = client.RbacV1().RoleBindings("kube-system").Create(&rbacv1.RoleBinding{
|
||||
ObjectMeta: metav1.ObjectMeta{Name: "controller-manager:extension-apiserver-authentication-reader"},
|
||||
Subjects: []rbacv1.Subject{{
|
||||
Kind: "User",
|
||||
Name: "controller-manager",
|
||||
}},
|
||||
RoleRef: rbacv1.RoleRef{
|
||||
APIGroup: "rbac.authorization.k8s.io",
|
||||
Kind: "Role",
|
||||
Name: "extension-apiserver-authentication-reader",
|
||||
},
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("failed to create controller-manager:extension-apiserver-authentication-reader rbac role binding: %v", err)
|
||||
}
|
||||
|
||||
// create kubeconfig for the apiserver
|
||||
apiserverConfig, err := ioutil.TempFile("", "kubeconfig")
|
||||
if err != nil {
|
||||
|
|
|
|||
Loading…
Reference in New Issue