Configure placeholder role-mapping Sync

+ Adds placeholder ConfigMap and with a template keystone-sync-policy that can be edited by the cluster admin + Docs for sync policy added + Docs for auth policy edited for grammar, spelling and clarity. Task: 39136 Story: 1755770 Change-Id: I0afc19c630e077c079f7f6a52439f4aee8bf5eb8
2020-06-29 16:09:04 +12:00 · 2020-06-29 16:09:04 +12:00 · 31623a13ad
parent 00727ef980
commit 31623a13ad
2 changed files with 85 additions and 21 deletions
--- a/doc/source/user/k8s-keystone-authN-authZ.rst
+++ b/doc/source/user/k8s-keystone-authN-authZ.rst
@ -44,29 +44,30 @@ can configure their cluster's role policies with those roles.
 Setup configmap for authorization policies
 ------------------------------------------

-Given the k8s Keystone auth has been enable by default, user can get the
-authentication support by default without doing anything. However, user can't
-do anything actually before setup a default authorization policies.
+While the `k8s-keystone-auth` service is enabled in clusters by default, users
+will need specify their own authorization policy to start making use of this
+feature.

-The authorization policy can be specified using an existing configmap name in
-the cluster, by doing this, the policy could be changed dynamically without
-the k8s-keystone-auth service restart.
+The user can specify their own authorization policy by either:

-Or the policy can be read from a default policy file. In devstack, the policy
-file will be created automatically.
+- Updating the placeholder `k8s-keystone-auth-policy` configmap, created
+  by default in the `kube-system` namespace. This does not require restarting
+  the `k8s-keystone-auth` service.
+- Reading the policy from a default policy file. In devstack the policy file is
+  created automatically.

-Currently, k8s-keystone-auth service supports four types of policies:
+Currently, the `k8s-keystone-auth` service supports four types of policies:

 - user. The Keystone user ID or name.
- roject. The Keystone project ID or name.
+- project. The Keystone project ID or name.
 - role. The user role defined in Keystone.
 - group. The group is not a Keystone concept actually, it’s supported for
  backward compatibility, you can use group as project ID.

-For example, in the following configmap, we only allow the users in
-project demo with k8s-viewer role in OpenStack to query the pod information
-from all the namespaces. So we need to update the configmap
-`k8s-keystone-auth-policy` which has been created in kube-system namespace.
+For example, if we wish to configure a policy to only allow the users in
+project `demo` with `k8s-viewer` role in OpenStack to query the pod information
+from all the namespaces, then we can update the default
+`k8s-keystone-auth-policy` configmap as follows.

 .. code-block:: bash

@ -100,12 +101,18 @@ from all the namespaces. So we need to update the configmap
        ]
    EOF

-Please note that the default configmap name is `k8s-keystone-auth-policy`, user
-can change it, but they have to change the config of the k8s keystone auth
-service configuration as well and restart the service.
+More on keystone authorization policies can be found in the
+kubernetes/cloud-provider-openstack documentation for
+`Using the Keystone Webhook Authenticator and Authorizer
+<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-keystone-webhook-authenticator-and-authorizer.md#prepare-the-authorization-policy-optional>`_

-Now user need to get a token from Keystone to have a kubeconfig for kubectl,
-user can also get the config with Magnum python client.
+Note: If the user wishes to use an alternate name for the
+`k8s-keystone-auth-policy` configmap they will need to update the value of the
+`--policy-configmap-name` parameter passed to the `k8s-keystone-auth` service
+and then restart the service.
+
+Next the user needs to get a token from Keystone to have a kubeconfig for
+kubectl. The user can also get the config with Magnum python client.

 Here is a sample of the kubeconfig:

@ -141,5 +148,49 @@ Here is a sample of the kubeconfig:
                echo '{ "apiVersion": "client.authentication.k8s.io/v1alpha1", "kind": "ExecCredential", "status": { "token": "'"${OS_TOKEN}"'"}}'
            fi

-Now after export the Keystone token to OS_TOKEN, user should be able to list
-pods with kubectl.
+After exporting the Keystone token to the ``OS_TOKEN`` environment variable,
+the user should be able to list pods with `kubectl`.
+
+Setup configmap for role synchronization policies
+-------------------------------------------------
+
+To start taking advantage of role synchronization between kubernetes and openstack
+users need to specify an `authentication synchronization policy
+<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-auth-data-synchronization.md#example-of-sync-config-file>`_
+
+Users can specify their own policy by either:
+
+- Updating the placeholder `keystone-sync-policy` configmap, created by
+  default in the `kube-system` namespace. This does *not* require restarting
+  `k8s-keystone-auth`
+- Reading the policy from a local config file. This requires restarting the
+  `k8s-keystone-auth` service.
+
+For example, to set a policy which assigns the `project-1` group in
+kubernetes to users who have been assigned the `member` role in Keystone the
+user can update the default `keystone-sync-policy` configmap as follows.
+
+.. code-block:: bash
+
+    cat <<EOF | kubectl apply -f -
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+    name: keystone-sync-policy
+    namespace: kube-system
+    data:
+    syncConfig: |
+        role-mappings:
+          - keystone-role: member
+            groups: ["project-1"]
+    EOF
+
+If users wish to use an alternative name for the keystone-sync-policy
+configmap they will need to update the value of the ``--sync-configmap-name``
+parameter passed to the `k8s-keystone-auth` service and then restart service.
+
+For more examples and information on configuring and using authorization
+synchronization policies please refer to the
+kubernetes/cloud-provider-openstack documentation for `Authentication
+synchronization between Keystone and Kubernetes
+<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-auth-data-synchronization.md>`_
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-keystone-auth.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-keystone-auth.sh
@ -66,6 +66,17 @@ metadata:
 data:
  policies: |
    $KEYSTONE_AUTH_DEFAULT_POLICY
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keystone-sync-policy
+  namespace: kube-system
+data:
+  syncConfig: |
+    role-mappings:
+      keystone-role: member
+      groups: []
 EOF
    }

@ -123,6 +134,8 @@ spec:
            - k8s-keystone-auth-policy
            - --keystone-url
            - ${AUTH_URL}
+            - --sync-configmap-name
+            - keystone-sync-policy
            - --keystone-ca-file
            - /etc/kubernetes/ca-bundle.crt
            - --listen