Merge pull request #41238 from xilabao/add-check-to-authorization-config

Automatic merge from submit-queue (batch tested with PRs 41466, 41456, 41550, 41238, 41416)

add check to authorization config

Prompt user to create the config when using abac/webhook.
Kubernetes Submit Queue 2017-02-16 10:14:10 -08:00 committed by GitHub
commit a260db06aa
3 changed files with 37 additions and 13 deletions


@ -19,6 +19,9 @@ package constants
import "time"
const (
AuthorizationPolicyFile = "abac_policy.json"
AuthorizationWebhookConfigFile = "webhook_authz.conf"
CACertAndKeyBaseName = "ca"
CACertName = "ca.crt"
CAKeyName = "ca.key"


@ -40,17 +40,15 @@ const (
DefaultClusterName = "kubernetes"
DefaultCloudConfigPath = "/etc/kubernetes/cloud-config"
etcd = "etcd"
apiServer = "apiserver"
controllerManager = "controller-manager"
scheduler = "scheduler"
proxy = "proxy"
kubeAPIServer = "kube-apiserver"
kubeControllerManager = "kube-controller-manager"
kubeScheduler = "kube-scheduler"
kubeProxy = "kube-proxy"
authorizationPolicyFile = "abac_policy.json"
authorizationWebhookConfigFile = "webhook_authz.conf"
etcd = "etcd"
apiServer = "apiserver"
controllerManager = "controller-manager"
scheduler = "scheduler"
proxy = "proxy"
kubeAPIServer = "kube-apiserver"
kubeControllerManager = "kube-controller-manager"
kubeScheduler = "kube-scheduler"
kubeProxy = "kube-proxy"
)
// WriteStaticPodManifests builds manifest objects based on user provided configuration and then dumps it to disk
@ -326,9 +324,9 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
command = append(command, "--authorization-mode="+cfg.AuthorizationMode)
switch cfg.AuthorizationMode {
case kubeadmconstants.AuthzModeABAC:
command = append(command, "--authorization-policy-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, authorizationPolicyFile))
command = append(command, "--authorization-policy-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationPolicyFile))
case kubeadmconstants.AuthzModeWebhook:
command = append(command, "--authorization-webhook-config-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, authorizationWebhookConfigFile))
command = append(command, "--authorization-webhook-config-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationWebhookConfigFile))
}
}


@ -186,6 +186,19 @@ func (fac FileAvailableCheck) Check() (warnings, errors []error) {
return nil, errors
}
// FileExistingCheck checks that the given file does not already exist.
type FileExistingCheck struct {
Path string
}
func (fac FileExistingCheck) Check() (warnings, errors []error) {
errors = []error{}
if _, err := os.Stat(fac.Path); err != nil {
errors = append(errors, fmt.Errorf("%s doesn't exist", fac.Path))
}
return nil, errors
}
// FileContentCheck checks that the given file contains the string Content.
type FileContentCheck struct {
Path string
@ -349,6 +362,16 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
)
}
// Check the config for authorization mode
switch cfg.AuthorizationMode {
case kubeadmconstants.AuthzModeABAC:
authorizationPolicyPath := filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationPolicyFile)
checks = append(checks, FileExistingCheck{Path: authorizationPolicyPath})
case kubeadmconstants.AuthzModeWebhook:
authorizationWebhookConfigPath := filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationWebhookConfigFile)
checks = append(checks, FileExistingCheck{Path: authorizationWebhookConfigPath})
}
return RunChecks(checks, os.Stderr)
}
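Review bot: In the first hunk of this file the doc comment on FileExistingCheck was carried over from FileAvailableCheck and says the opposite of what Check does; it should read `// FileExistingCheck checks that the given file already exists.`. Check also reports every os.Stat failure as "doesn't exist" and drops the underlying error, so a permission problem on the path is indistinguishable from a missing file; branching on `os.IsNotExist(err)` and including `err` in the message for the other case would keep the cause visible. Since the second hunk uses this check to gate the ABAC policy file and the webhook authorization config, note that a directory at that path also satisfies os.Stat, so the preflight confirms only that something exists there, not that it is a regular file the API server can load. RunInitMasterChecks starts outside the hunk, so whether an earlier check already covers the Kubernetes directory is not visible here.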