Configure placeholder role-mapping Sync
+ Adds placeholder ConfigMap with a template keystone-sync-policy that can be edited by the cluster admin
+ Docs for sync policy added
+ Docs for auth policy edited for grammar, spelling and clarity.

Task: 39136
Story: 1755770
Change-Id: I0afc19c630e077c079f7f6a52439f4aee8bf5eb8
parent 00727ef980
commit 31623a13ad
@ -44,29 +44,30 @@ can configure their cluster's role policies with those roles.
Setup configmap for authorization policies
------------------------------------------

Given the k8s Keystone auth has been enable by default, user can get the
authentication support by default without doing anything. However, user can't
do anything actually before setup a default authorization policies.
While the `k8s-keystone-auth` service is enabled in clusters by default, users
will need specify their own authorization policy to start making use of this
feature.

The authorization policy can be specified using an existing configmap name in
the cluster, by doing this, the policy could be changed dynamically without
the k8s-keystone-auth service restart.
The user can specify their own authorization policy by either:

Or the policy can be read from a default policy file. In devstack, the policy
file will be created automatically.
- Updating the placeholder `k8s-keystone-auth-policy` configmap, created
by default in the `kube-system` namespace. This does not require restarting
the `k8s-keystone-auth` service.
- Reading the policy from a default policy file. In devstack the policy file is
created automatically.

Currently, k8s-keystone-auth service supports four types of policies:
Currently, the `k8s-keystone-auth` service supports four types of policies:

- user. The Keystone user ID or name.
- roject. The Keystone project ID or name.
- project. The Keystone project ID or name.
- role. The user role defined in Keystone.
- group. The group is not a Keystone concept actually, it’s supported for
backward compatibility, you can use group as project ID.

For example, in the following configmap, we only allow the users in
project demo with k8s-viewer role in OpenStack to query the pod information
from all the namespaces. So we need to update the configmap
`k8s-keystone-auth-policy` which has been created in kube-system namespace.
For example, if we wish to configure a policy to only allow the users in
project `demo` with `k8s-viewer` role in OpenStack to query the pod information
from all the namespaces, then we can update the default
`k8s-keystone-auth-policy` configmap as follows.

.. code-block:: bash

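Review bot: the new sentence "users will need specify their own authorization policy to start making use of this feature" is missing "to" ("will need to specify"). The same hunk says the `k8s-keystone-auth-policy` configmap can be edited without restarting the service; since that ConfigMap is the cluster's authorization policy and is read live, the docs should add one sentence telling the admin to restrict write access to it in the `kube-system` namespace, because anyone who can edit it can change who is authorized to do what. Minor: the literals here use single backticks, which reST renders as interpreted text rather than literal; double backticks for ConfigMap names, flags and commands would be the safer convention.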
@ -100,12 +101,18 @@ from all the namespaces. So we need to update the configmap
]
EOF

Please note that the default configmap name is `k8s-keystone-auth-policy`, user
can change it, but they have to change the config of the k8s keystone auth
service configuration as well and restart the service.
More on keystone authorization policies can be found in the
kubernetes/cloud-provider-openstack documentation for
`Using the Keystone Webhook Authenticator and Authorizer
<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-keystone-webhook-authenticator-and-authorizer.md#prepare-the-authorization-policy-optional>`_

Now user need to get a token from Keystone to have a kubeconfig for kubectl,
user can also get the config with Magnum python client.
Note: If the user wishes to use an alternate name for the
`k8s-keystone-auth-policy` configmap they will need to update the value of the
`--policy-configmap-name` parameter passed to the `k8s-keystone-auth` service
and then restart the service.

Next the user needs to get a token from Keystone to have a kubeconfig for
kubectl. The user can also get the config with Magnum python client.

Here is a sample of the kubeconfig:

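Review bot: the Note paragraph tells readers to change `--policy-configmap-name` and restart, but not where that parameter is set; in a Magnum cluster it is an argument in the k8s-keystone-auth pod spec (the last hunk of this change shows `- k8s-keystone-auth-policy` in that args list), so say "in the k8s-keystone-auth deployment manifest" or similar, otherwise the reader does not know what to edit. Grammar: "get the config with Magnum python client" should read "with the Magnum python client", and the reference sentence ending in `>`_` has no terminating period.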
@ -141,5 +148,49 @@ Here is a sample of the kubeconfig:
echo '{ "apiVersion": "client.authentication.k8s.io/v1alpha1", "kind": "ExecCredential", "status": { "token": "'"${OS_TOKEN}"'"}}'
fi

Now after export the Keystone token to OS_TOKEN, user should be able to list
pods with kubectl.
After exporting the Keystone token to the ``OS_TOKEN`` environment variable,
the user should be able to list pods with `kubectl`.

Setup configmap for role synchronization policies
-------------------------------------------------

To start taking advantage of role synchronization between kubernetes and openstack
users need to specify an `authentication synchronization policy
<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-auth-data-synchronization.md#example-of-sync-config-file>`_

Users can specify their own policy by either:

- Updating the placeholder `keystone-sync-policy` configmap, created by
default in the `kube-system` namespace. This does *not* require restarting
`k8s-keystone-auth`
- Reading the policy from a local config file. This requires restarting the
`k8s-keystone-auth` service.

For example, to set a policy which assigns the `project-1` group in
kubernetes to users who have been assigned the `member` role in Keystone the
user can update the default `keystone-sync-policy` configmap as follows.

.. code-block:: bash

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: keystone-sync-policy
namespace: kube-system
data:
syncConfig: |
role-mappings:
- keystone-role: member
groups: ["project-1"]
EOF

If users wish to use an alternative name for the keystone-sync-policy
configmap they will need to update the value of the ``--sync-configmap-name``
parameter passed to the `k8s-keystone-auth` service and then restart service.

For more examples and information on configuring and using authorization
synchronization policies please refer to the
kubernetes/cloud-provider-openstack documentation for `Authentication
synchronization between Keystone and Kubernetes
<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-auth-data-synchronization.md>`_

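Review bot: the example maps the Keystone `member` role to the Kubernetes group `project-1`, and the docs should spell out the consequence: every Keystone user holding the mapped role is placed in that group, so the RBAC RoleBindings or ClusterRoleBindings attached to `project-1` decide what all of those users can do, and the group should be bound before the mapping is applied. Wording: "and then restart service" is missing "the"; "kubernetes and openstack" should be capitalised as Kubernetes and OpenStack; "an alternative name for the keystone-sync-policy configmap" should put the name in backticks; and the two link sentences ending in `>`_` have no terminating period. Markup: this hunk mixes ``--sync-configmap-name`` (double backticks, a reST literal) with `k8s-keystone-auth` and `keystone-sync-policy` (single backticks, interpreted text); use double backticks for all flags, ConfigMap names and commands.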
@ -66,6 +66,17 @@ metadata:
data:
policies: |
$KEYSTONE_AUTH_DEFAULT_POLICY
---
apiVersion: v1
kind: ConfigMap
metadata:
name: keystone-sync-policy
namespace: kube-system
data:
syncConfig: |
role-mappings:
keystone-role: member
groups: []
EOF
}

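Review bot: under `role-mappings:` the placeholder writes `keystone-role: member` with no leading `- `, which makes `role-mappings` a mapping, whereas the documentation hunk in this same change gives the entry as a list item (`- keystone-role: member`); the template and the docs example must use the same shape, and the list form is the one the docs describe. Also, because this default hard-codes the `member` role with `groups: []`, add a comment in the template (or a sentence in the docs) stating that the empty groups list means no Kubernetes group is granted until an admin edits the ConfigMap, so nobody mistakes the shipped placeholder for an active mapping.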
@ -123,6 +134,8 @@ spec:
- k8s-keystone-auth-policy
- --keystone-url
- ${AUTH_URL}
- --sync-configmap-name
- keystone-sync-policy
- --keystone-ca-file
- /etc/kubernetes/ca-bundle.crt
- --listen
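Review bot: `--sync-configmap-name` is given the hard-coded value `keystone-sync-policy`, next to the equally hard-coded `k8s-keystone-auth-policy` argument; since the docs in this change tell users to edit this flag's value and restart the service if they rename the ConfigMap, consider exposing the name as a template parameter (as `${AUTH_URL}` already is for `--keystone-url`) so a rename does not require hand-editing the deployment manifest.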