Merge "k8s_fedora: Add admin user"

Zuul 2018-05-01 02:20:37 +00:00 committed by Gerrit Code Review
commit e2d3fee1b3
3 changed files with 36 additions and 17 deletions


@ -45,3 +45,31 @@ subjects:
kind: User
name: kubernetes
EOF
# Create an admin user and give it the cluster role.
ADMIN_RBAC=/srv/magnum/kubernetes/kubernetes-admin-rbac.yaml
[ -f ${ADMIN_RBAC} ] || {
echo "Writing File: $ADMIN_RBAC"
mkdir -p $(dirname ${ADMIN_RBAC})
cat << EOF > ${ADMIN_RBAC}
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin
namespace: kube-system
EOF
}
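Review bot: The comment above `ADMIN_RBAC=` says "admin user", but the manifest creates a ServiceAccount named `admin` in kube-system and binds it to `cluster-admin`, so that account's token is a full cluster credential and should be handled as one. I would say so in the comment, e.g. `# Create the admin ServiceAccount in kube-system and bind it to cluster-admin; its token grants full control of the cluster.` The binding uses `rbac.authorization.k8s.io/v1beta1`; `rbac.authorization.k8s.io/v1` has been available since Kubernetes 1.8 and would be the longer-lived choice if the supported cluster versions allow it. The `[ -f ${ADMIN_RBAC} ]` guard means an already-present file is never rewritten, so a node with an older copy would keep it. The script this block belongs to starts outside the hunk, so whether and where the manifest is applied is not visible here.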


@ -196,23 +196,6 @@ spec:
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
---
# Grant admin privileges to the dashboard serviceacount
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
labels:
k8s-app: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
EOF
}


@ -0,0 +1,8 @@
---
security:
- |
k8s_fedora Remove cluster role from the kubernetes-dashboard account. When
accessing the dashboard and skip authentication, users login with the
kunernetes-dashboard service account, if that service account has the
cluster role, users have admin access without authentication. Create an
admin service account for this use case and others.