Configure placeholder role-mapping Sync

+ Adds placeholder ConfigMap with a template keystone-sync-policy that can be edited by the cluster admin
+ Docs for sync policy added
+ Docs for auth policy edited for grammar, spelling and clarity.

Task: 39136
Story: 1755770
Change-Id: I0afc19c630e077c079f7f6a52439f4aee8bf5eb8
parent 00727ef980
commit 31623a13ad
@ -44,29 +44,30 @@ can configure their cluster's role policies with those roles.
|
||||||
Setup configmap for authorization policies
|
Setup configmap for authorization policies
|
||||||
------------------------------------------
|
------------------------------------------
|
||||||
|
|
||||||
Given the k8s Keystone auth has been enable by default, user can get the
|
While the `k8s-keystone-auth` service is enabled in clusters by default, users
|
||||||
authentication support by default without doing anything. However, user can't
|
will need specify their own authorization policy to start making use of this
|
||||||
do anything actually before setup a default authorization policies.
|
feature.
|
||||||
|
|
||||||
The authorization policy can be specified using an existing configmap name in
|
The user can specify their own authorization policy by either:
|
||||||
the cluster, by doing this, the policy could be changed dynamically without
|
|
||||||
the k8s-keystone-auth service restart.
|
|
||||||
|
|
||||||
Or the policy can be read from a default policy file. In devstack, the policy
|
- Updating the placeholder `k8s-keystone-auth-policy` configmap, created
|
||||||
file will be created automatically.
|
by default in the `kube-system` namespace. This does not require restarting
|
||||||
|
the `k8s-keystone-auth` service.
|
||||||
|
- Reading the policy from a default policy file. In devstack the policy file is
|
||||||
|
created automatically.
|
||||||
|
|
||||||
Currently, k8s-keystone-auth service supports four types of policies:
|
Currently, the `k8s-keystone-auth` service supports four types of policies:
|
||||||
|
|
||||||
- user. The Keystone user ID or name.
|
- user. The Keystone user ID or name.
|
||||||
- roject. The Keystone project ID or name.
|
- project. The Keystone project ID or name.
|
||||||
- role. The user role defined in Keystone.
|
- role. The user role defined in Keystone.
|
||||||
- group. The group is not a Keystone concept actually, it’s supported for
|
- group. The group is not a Keystone concept actually, it’s supported for
|
||||||
backward compatibility, you can use group as project ID.
|
backward compatibility, you can use group as project ID.
|
||||||
|
|
||||||
For example, in the following configmap, we only allow the users in
|
For example, if we wish to configure a policy to only allow the users in
|
||||||
project demo with k8s-viewer role in OpenStack to query the pod information
|
project `demo` with `k8s-viewer` role in OpenStack to query the pod information
|
||||||
from all the namespaces. So we need to update the configmap
|
from all the namespaces, then we can update the default
|
||||||
`k8s-keystone-auth-policy` which has been created in kube-system namespace.
|
`k8s-keystone-auth-policy` configmap as follows.
|
||||||
|
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
|
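Review bot: the rewritten sentence on the new side, "users will need specify their own authorization policy to start making use of this feature", is missing a word and should read "users will need to specify". The rest of the reworded paragraph reads well; only that line needs a touch-up before merge.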
@ -100,12 +101,18 @@ from all the namespaces. So we need to update the configmap
|
||||||
]
|
]
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
Please note that the default configmap name is `k8s-keystone-auth-policy`, user
|
More on keystone authorization policies can be found in the
|
||||||
can change it, but they have to change the config of the k8s keystone auth
|
kubernetes/cloud-provider-openstack documentation for
|
||||||
service configuration as well and restart the service.
|
`Using the Keystone Webhook Authenticator and Authorizer
|
||||||
|
<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-keystone-webhook-authenticator-and-authorizer.md#prepare-the-authorization-policy-optional>`_
|
||||||
|
|
||||||
Now user need to get a token from Keystone to have a kubeconfig for kubectl,
|
Note: If the user wishes to use an alternate name for the
|
||||||
user can also get the config with Magnum python client.
|
`k8s-keystone-auth-policy` configmap they will need to update the value of the
|
||||||
|
`--policy-configmap-name` parameter passed to the `k8s-keystone-auth` service
|
||||||
|
and then restart the service.
|
||||||
|
|
||||||
|
Next the user needs to get a token from Keystone to have a kubeconfig for
|
||||||
|
kubectl. The user can also get the config with Magnum python client.
|
||||||
|
|
||||||
Here is a sample of the kubeconfig:
|
Here is a sample of the kubeconfig:
|
||||||
|
|
||||||
|
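Review bot: in the added note, `--policy-configmap-name` and `k8s-keystone-auth-policy` are wrapped in single backticks, which reStructuredText renders as the default interpreted-text role (usually italics), not as an inline literal; the same change uses double backticks for ``OS_TOKEN`` and ``--sync-configmap-name`` elsewhere. Suggest ``--policy-configmap-name`` (and the same for the other flag and configmap names in this paragraph) so the rendered docs are consistent and the flag text is copy-pasteable.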
@ -141,5 +148,49 @@ Here is a sample of the kubeconfig:
|
||||||
echo '{ "apiVersion": "client.authentication.k8s.io/v1alpha1", "kind": "ExecCredential", "status": { "token": "'"${OS_TOKEN}"'"}}'
|
echo '{ "apiVersion": "client.authentication.k8s.io/v1alpha1", "kind": "ExecCredential", "status": { "token": "'"${OS_TOKEN}"'"}}'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
Now after export the Keystone token to OS_TOKEN, user should be able to list
|
After exporting the Keystone token to the ``OS_TOKEN`` environment variable,
|
||||||
pods with kubectl.
|
the user should be able to list pods with `kubectl`.
|
||||||
|
|
||||||
|
Setup configmap for role synchronization policies
|
||||||
|
-------------------------------------------------
|
||||||
|
|
||||||
|
To start taking advantage of role synchronization between kubernetes and openstack
|
||||||
|
users need to specify an `authentication synchronization policy
|
||||||
|
<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-auth-data-synchronization.md#example-of-sync-config-file>`_
|
||||||
|
|
||||||
|
Users can specify their own policy by either:
|
||||||
|
|
||||||
|
- Updating the placeholder `keystone-sync-policy` configmap, created by
|
||||||
|
default in the `kube-system` namespace. This does *not* require restarting
|
||||||
|
`k8s-keystone-auth`
|
||||||
|
- Reading the policy from a local config file. This requires restarting the
|
||||||
|
`k8s-keystone-auth` service.
|
||||||
|
|
||||||
|
For example, to set a policy which assigns the `project-1` group in
|
||||||
|
kubernetes to users who have been assigned the `member` role in Keystone the
|
||||||
|
user can update the default `keystone-sync-policy` configmap as follows.
|
||||||
|
|
||||||
|
.. code-block:: bash
|
||||||
|
|
||||||
|
cat <<EOF | kubectl apply -f -
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: keystone-sync-policy
|
||||||
|
namespace: kube-system
|
||||||
|
data:
|
||||||
|
syncConfig: |
|
||||||
|
role-mappings:
|
||||||
|
- keystone-role: member
|
||||||
|
groups: ["project-1"]
|
||||||
|
EOF
|
||||||
|
|
||||||
|
If users wish to use an alternative name for the keystone-sync-policy
|
||||||
|
configmap they will need to update the value of the ``--sync-configmap-name``
|
||||||
|
parameter passed to the `k8s-keystone-auth` service and then restart service.
|
||||||
|
|
||||||
|
For more examples and information on configuring and using authorization
|
||||||
|
synchronization policies please refer to the
|
||||||
|
kubernetes/cloud-provider-openstack documentation for `Authentication
|
||||||
|
synchronization between Keystone and Kubernetes
|
||||||
|
<https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-auth-data-synchronization.md>`_
|
||||||
|
|
|
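Review bot: a few wording and markup issues in the new section: the opening sentence ends at the closing `_ of the link with no full stop; the first bullet ends with "`k8s-keystone-auth`" with no period while the second bullet has one; and "and then restart service" should read "and then restart the service". ``--sync-configmap-name`` uses double backticks while `keystone-sync-policy` and `k8s-keystone-auth` in the same paragraph use single backticks, so they will render differently; pick one style. One caveat the section should state explicitly, since the commit message frames the configmap as something the cluster admin edits: anyone who can write the `keystone-sync-policy` configmap in `kube-system` can map any Keystone role onto any Kubernetes group, so write access to it needs to be restricted to cluster administrators via RBAC, and changes to it are worth auditing like any other RBAC change.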
@ -66,6 +66,17 @@ metadata:
|
||||||
data:
|
data:
|
||||||
policies: |
|
policies: |
|
||||||
$KEYSTONE_AUTH_DEFAULT_POLICY
|
$KEYSTONE_AUTH_DEFAULT_POLICY
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: keystone-sync-policy
|
||||||
|
namespace: kube-system
|
||||||
|
data:
|
||||||
|
syncConfig: |
|
||||||
|
role-mappings:
|
||||||
|
keystone-role: member
|
||||||
|
groups: []
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
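Review bot: the placeholder sync config does not match the shape documented in this same change. The docs example writes the mapping as a list entry (`- keystone-role: member` followed by `groups: ["project-1"]`), whereas the template emits `keystone-role: member` and `groups: []` directly under `role-mappings:` with no leading `-`, which makes `role-mappings` a YAML mapping instead of a list. If the service expects a list, the default ConfigMap will fail to load on first start and the admin's later edit will have to change the structure rather than just fill in values; suggest emitting `- keystone-role: member` here so the placeholder and the documented example agree. Since this YAML is written from the same unquoted heredoc that expands `$KEYSTONE_AUTH_DEFAULT_POLICY`, also keep any future additions to this block free of unescaped `$` characters that the shell would expand.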
@ -123,6 +134,8 @@ spec:
|
||||||
- k8s-keystone-auth-policy
|
- k8s-keystone-auth-policy
|
||||||
- --keystone-url
|
- --keystone-url
|
||||||
- ${AUTH_URL}
|
- ${AUTH_URL}
|
||||||
|
- --sync-configmap-name
|
||||||
|
- keystone-sync-policy
|
||||||
- --keystone-ca-file
|
- --keystone-ca-file
|
||||||
- /etc/kubernetes/ca-bundle.crt
|
- /etc/kubernetes/ca-bundle.crt
|
||||||
- --listen
|
- --listen
|
||||||
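Review bot: `--sync-configmap-name keystone-sync-policy` hard-codes the same name that the template in the previous hunk emits, so the two must be changed together; consider deriving both from one variable, in the same way the existing policy configmap name is passed through the args just above. Not visible in this diff: the RBAC Role/ClusterRole that lets the `k8s-keystone-auth` service read `k8s-keystone-auth-policy` must also cover `keystone-sync-policy`, otherwise the service cannot load the sync config; please confirm that rule exists or add it in this change.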