Now cloud-provider-openstack of Kubernetes has a webhook to support Keystone authorization and authentication. With this feature, users can set a new label 'keystone-auth-enabled' to enable Keystone authN and authZ. DocImpact Task: 21637 Story: 1755770 Change-Id: I3d21ad8f55c0d7308a302f62db9e9af147a604f8changes/83/561783/22
parent
0bf9ccadcb
commit
59da4e25a6
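--- /dev/null
+++ b/<PATH-UNKNOWN>
@@ -0,0 +1,185 @@
+#!/bin/sh
+
+. /etc/sysconfig/heat-params
+
+step="enable-keystone-auth"
+printf "Starting to run ${step}\n"
+
+if [ "$(echo $KEYSTONE_AUTH_ENABLED | tr '[:upper:]' '[:lower:]')" != "false" ]; then
+_prefix=${CONTAINER_INFRA_PREFIX:-docker.io/k8scloudprovider/}
+CERT_DIR=/etc/kubernetes/certs
+
+# Create policy configmap for keystone auth
+KEYSTONE_AUTH_POLICY=/srv/magnum/kubernetes/keystone-auth-policy.yaml
+
+[ -f ${KEYSTONE_AUTH_POLICY} ] || {
+echo "Writing File: $KEYSTONE_AUTH_POLICY"
+mkdir -p $(dirname ${KEYSTONE_AUTH_POLICY})
+cat << EOF > ${KEYSTONE_AUTH_POLICY}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: k8s-keystone-auth
+namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+labels:
+kubernetes.io/bootstrapping: rbac-defaults
+name: system:k8s-keystone-auth
+rules:
+- apiGroups:
+- ""
+resources:
+- configmaps
+- services
+- pods
+verbs:
+- get
+- list
+- watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+annotations:
+rbac.authorization.kubernetes.io/autoupdate: "true"
+labels:
+kubernetes.io/bootstrapping: rbac-defaults
+name: system:k8s-keystone-auth
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: system:k8s-keystone-auth
+subjects:
+- kind: ServiceAccount
+name: k8s-keystone-auth
+namespace: kube-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: k8s-keystone-auth-policy
+namespace: kube-system
+data:
+policies: |
+[
+{
+"resource": {
+"verbs": ["list"],
+"resources": ["pods", "services", "deployments", "pvc"],
+"version": "*",
+"namespace": "default"
+},
+"match": [
+{
+"type": "role",
+"values": ["member"]
+},
+{
+"type": "project",
+"values": ["$PROJECT_ID"]
+}
+]
+}
+]
+EOF
+}
+
+# Generate k8s-keystone-auth service manifest file
+KEYSTONE_AUTH_DEPLOY=/srv/magnum/kubernetes/manifests/k8s-keystone-auth.yaml
+
+[ -f ${KEYSTONE_AUTH_DEPLOY} ] || {
+echo "Writing File: $KEYSTONE_AUTH_DEPLOY"
+mkdir -p $(dirname ${KEYSTONE_AUTH_DEPLOY})
+cat << EOF > ${KEYSTONE_AUTH_DEPLOY}
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+labels:
+component: k8s-keystone-auth
+tier: control-plane
+name: k8s-keystone-auth
+namespace: kube-system
+spec:
+# The controllers can only have a single active instance.
+template:
+metadata:
+name: k8s-keystone-auth
+namespace: kube-system
+labels:
+k8s-app: k8s-keystone-auth
+spec:
+serviceAccountName: k8s-keystone-auth
+tolerations:
+# Make sure the pod can be scheduled on master kubelet.
+- effect: NoSchedule
+operator: Exists
+# Mark the pod as a critical add-on for rescheduling.
+- key: CriticalAddonsOnly
+operator: Exists
+- effect: NoExecute
+operator: Exists
+nodeSelector:
+node-role.kubernetes.io/master: ""
+containers:
+- name: k8s-keystone-auth
+image: ${_prefix}k8s-keystone-auth:${K8S_KEYSTONE_AUTH_TAG}
+imagePullPolicy: Always
+args:
+- ./bin/k8s-keystone-auth
+- --tls-cert-file
+- ${CERT_DIR}/server.crt
+- --tls-private-key-file
+- ${CERT_DIR}/server.key
+- --policy-configmap-name
+- k8s-keystone-auth-policy
+- --keystone-url
+- ${AUTH_URL}
+- --keystone-ca-file
+- /etc/kubernetes/ca-bundle.crt
+- --listen
+- 127.0.0.1:8443
+volumeMounts:
+- mountPath: ${CERT_DIR}
+name: k8s-certs
+readOnly: true
+- mountPath: /etc/kubernetes
+name: ca-certs
+readOnly: true
+resources:
+requests:
+cpu: 200m
+ports:
+- containerPort: 8443
+hostPort: 8443
+name: https
+protocol: TCP
+hostNetwork: true
+volumes:
+- hostPath:
+path: ${CERT_DIR}
+type: DirectoryOrCreate
+name: k8s-certs
+- hostPath:
+path: /etc/kubernetes
+type: DirectoryOrCreate
+name: ca-certs
+EOF
+}
+
+until [ "ok" = "$(curl --silent http://127.0.0.1:8080/healthz)" ]
+do
+echo "Waiting for Kubernetes API..."
+sleep 5
+done
+
+/usr/bin/kubectl apply -f ${KEYSTONE_AUTH_POLICY}
+/usr/bin/kubectl apply -f ${KEYSTONE_AUTH_DEPLOY}
+
+fi
+
+printf "Finished running ${step}\n"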
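Review bot: The unquoted heredocs at `cat << EOF > ${KEYSTONE_AUTH_POLICY}` and `cat << EOF > ${KEYSTONE_AUTH_DEPLOY}` expand `$PROJECT_ID`, `${AUTH_URL}` and `${K8S_KEYSTONE_AUTH_TAG}` at write time with no check that they are set, so an empty variable is silently baked into the policy ConfigMap (`"values": [""]` for the project match) or into the DaemonSet image tag, and the `[ -f ... ] ||` guards then keep that file on every later run. A guard right after the `if`, e.g. `: "${PROJECT_ID:?PROJECT_ID is not set}"` with the same for `AUTH_URL` and `K8S_KEYSTONE_AUTH_TAG`, would fail the step loudly instead. Separately, the `ca-certs` volume mounts all of `/etc/kubernetes` read-only into the webhook pod although the container only reads `/etc/kubernetes/ca-bundle.crt`; a hostPath of that single file with `type: File` would keep the pod from seeing everything else under that directory. Note also that an unset `KEYSTONE_AUTH_ENABLED` passes the `!= "false"` test and enables the webhook; if heat-params always defines it this is fine, otherwise comparing against `"true"` would be the safer default.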
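--- /dev/null
+++ b/<PATH-UNKNOWN>
@@ -0,0 +1,7 @@
+---
+features:
+- |
+Now cloud-provider-openstack of Kubernetes has a webhook to support
+Keystone authorization and authentication. With this feature, user can use
+a new label 'keystone-auth-enabled' to enable the keystone authN and authZ.
+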