[fedora-atomic][k8s] Support default Keystone auth policy file
With the new config option `keystone_auth_default_policy`, a cloud admin can set a default Keystone auth policy for a k8s cluster when Keystone auth is enabled. As a result, users can use their current Keystone user to access the k8s cluster as long as they're assigned the correct roles, and they will get the pre-defined permissions set by the cloud provider. The default policy is now based on the v2 format recently introduced in k8s-keystone-auth, which is getting more useful now. For example, v1 doesn't support a policy allowing a user to access resources from all namespaces except kube-system, but v2 can do that. NOTE: We're now using the openstackmagnum dockerhub repo until the CPO team fixes their image release issue. Task: 30069 Story: 1755770 Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6changes/25/643225/22
parent
05c27f2d73
commit
d8df9d0c36
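--- /dev/null
+++ b/<PATH-NOT-SHOWN: keystone_auth_default_policy json>
@@ -0,0 +1,76 @@
+[
+  {
+    "users":{
+      "roles":[
+        "k8s_admin"
+      ],
+      "projects":[
+        "$PROJECT_ID"
+      ]
+    },
+    "resource_permissions":{
+      "*/*":[
+        "*"
+      ]
+    },
+    "nonresource_permissions":{
+      "/healthz":[
+        "get",
+        "post"
+      ]
+    }
+  },
+  {
+    "users":{
+      "roles":[
+        "k8s_developer"
+      ],
+      "projects":[
+        "$PROJECT_ID"
+      ]
+    },
+    "resource_permissions":{
+      "!kube-system/['apiServices', 'bindings', 'componentstatuses', 'configmaps', 'cronjobs', 'customResourceDefinitions', 'deployments', 'endpoints', 'events', 'horizontalPodAutoscalers', 'ingresses', 'initializerConfigurations', 'jobs', 'limitRanges', 'localSubjectAccessReviews', 'namespaces', 'networkPolicies', 'persistentVolumeClaims', 'persistentVolumes', 'podDisruptionBudgets', 'podPresets', 'podTemplates', 'pods', 'replicaSets', 'replicationControllers', 'resourceQuotas', 'secrets', 'selfSubjectAccessReviews', 'serviceAccounts', 'services', 'statefulSets', 'storageClasses', 'subjectAccessReviews', 'tokenReviews']":[
+        "*"
+      ],
+      "*/['clusterrolebindings', 'clusterroles', 'rolebindings', 'roles', 'controllerrevisions', 'nodes', 'podSecurityPolicies']":[
+        "get",
+        "list",
+        "watch"
+      ],
+      "*/['certificateSigningRequests']":[
+        "create",
+        "delete",
+        "get",
+        "list",
+        "watch",
+        "update"
+      ]
+    }
+  },
+  {
+    "users":{
+      "roles":[
+        "k8s_viewer"
+      ],
+      "projects":[
+        "$PROJECT_ID"
+      ]
+    },
+    "resource_permissions":{
+      "!kube-system/['tokenReviews']":[
+        "*"
+      ],
+      "!kube-system/['apiServices', 'bindings', 'componentstatuses', 'configmaps', 'cronjobs', 'customResourceDefinitions', 'deployments', 'endpoints', 'events', 'horizontalPodAutoscalers', 'ingresses', 'initializerConfigurations', 'jobs', 'limitRanges', 'localSubjectAccessReviews', 'namespaces', 'networkPolicies', 'persistentVolumeClaims', 'persistentVolumes', 'podDisruptionBudgets', 'podPresets', 'podTemplates', 'pods', 'replicaSets', 'replicationControllers', 'resourceQuotas', 'secrets', 'selfSubjectAccessReviews', 'serviceAccounts', 'services', 'statefulSets', 'storageClasses', 'subjectAccessReviews']":[
+        "get",
+        "list",
+        "watch"
+      ],
+      "*/['clusterrolebindings', 'clusterroles', 'rolebindings', 'roles', 'controllerrevisions', 'nodes', 'podSecurityPolicies']":[
+        "get",
+        "list",
+        "watch"
+      ]
+    }
+  }
+]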
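Review bot: The `k8s_viewer` entry grants `get`/`list`/`watch` on `secrets` and `serviceAccounts` in every namespace except kube-system (the second `!kube-system/[...]` key), so a role named as read-only can read all application secrets; a least-privilege viewer default would drop those two resources, and `k8s_developer` likewise gets `*` on `secrets`, `serviceAccounts` and `subjectAccessReviews` rather than a narrowed set. The `"!kube-system/['tokenReviews']": ["*"]` entry gives the viewer write access to TokenReview, which looks unintended for a viewer role and should be removed or narrowed unless it is needed by the auth webhook flow. Resource names here are camelCase (`persistentVolumeClaims`, `apiServices`, `customResourceDefinitions`) while the Kubernetes API exposes them lowercase; if the k8s-keystone-auth v2 matcher compares case-sensitively these entries would silently never match, which is worth confirming before shipping this as the vendor default. Since JSON carries no comments, the intended role-to-permission mapping should be documented in the `keystone_auth_default_policy` option help text or the operator docs.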
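--- /dev/null
+++ b/<PATH-NOT-SHOWN: kubernetes conf module>
@@ -0,0 +1,36 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_config import cfg
+
+kubernetes_group = cfg.OptGroup(name='kubernetes',
+                                title='Options for the Kubernetes addons')
+
+kubernetes_opts = [
+    cfg.StrOpt('keystone_auth_default_policy',
+               default="/etc/magnum/keystone_auth_default_policy.json",
+               help='Explicitly specify the path to the file defined default '
+                    'Keystone auth policy for Kubernetes cluster when '
+                    'the Keystone auth is enabled. Vendors can put their '
+                    'specific default policy here'),
+]
+
+
+def register_opts(conf):
+    conf.register_group(kubernetes_group)
+    conf.register_opts(kubernetes_opts, group=kubernetes_group)
+
+
+def list_opts():
+    return {
+        kubernetes_group: kubernetes_opts
+    }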
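Review bot: The help text on the `cfg.StrOpt` reads awkwardly ("the file defined default Keystone auth policy") and does not say what format the file must be in; suggest `help='Path to the JSON file that defines the default Keystone auth policy applied to Kubernetes clusters when Keystone auth is enabled. Vendors can place their specific default policy here.'`. Nothing in this hunk validates that the configured path exists or is readable, so a missing or malformed file would presumably only surface at cluster-creation time where the file is read (outside this change); a check at load time with a clear error naming the option would make misconfiguration easier to diagnose. `register_opts` and `list_opts` have no docstrings; a one-liner each, e.g. `"""Register the kubernetes option group and its options on *conf*."""` and `"""Return the option groups contributed by this module, keyed by group."""`, would document their contract without changing behaviour.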
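--- /dev/null
+++ b/<PATH-NOT-SHOWN: release note yaml>
@@ -0,0 +1,9 @@
+---
+issues:
+  - |
+    With the new config option keystone_auth_default_policy, cloud admin
+    can set a default keystone auth policy for k8s cluster when the
+    keystone auth is enabled. As a result, user can use their current
+    keystone user to access k8s cluster as long as they're assigned
+    correct roles, and they will get the pre-defined permissions
+    defined by the cloud provider.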