From 16715adfa009a60f25cdd5d094ca8689102746ab Mon Sep 17 00:00:00 2001
From: Seongjin Cho <w4-sjcho@users.noreply.github.com>
Date: Wed, 26 Dec 2018 18:52:53 +0900
Subject: [PATCH] Adds support for webhook token auth. (#3939)
Webhook token auth:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
Fixes #3063.
---
roles/kubernetes/master/defaults/main.yml | 4 ++++
roles/kubernetes/master/tasks/main.yml | 6 ++++++
.../templates/kubeadm-config.v1alpha1.yaml.j2 | 10 +++++++++-
.../templates/kubeadm-config.v1alpha2.yaml.j2 | 10 +++++++++-
.../templates/kubeadm-config.v1alpha3.yaml.j2 | 10 +++++++++-
.../templates/kubeadm-config.v1beta1.yaml.j2 | 10 +++++++++-
.../templates/webhook-token-auth-config.yaml.j2 | 17 +++++++++++++++++
7 files changed, 63 insertions(+), 4 deletions(-)
create mode 100644 roles/kubernetes/master/templates/webhook-token-auth-config.yaml.j2
diff --git a/roles/kubernetes/master/defaults/main.yml b/roles/kubernetes/master/defaults/main.yml
index e40a9d1aa..ab1106918 100644
--- a/roles/kubernetes/master/defaults/main.yml
+++ b/roles/kubernetes/master/defaults/main.yml
@@ -100,6 +100,7 @@ kube_api_runtime_config:
kube_basic_auth: false
kube_token_auth: false
kube_oidc_auth: false
+kube_webhook_token_auth: false
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
@@ -113,6 +114,9 @@ kube_oidc_auth: false
# kube_oidc_groups_claim: groups
# kube_oidc_groups_prefix: oidc:
+## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+# kube_webhook_token_auth_url: https://...
+
## Variables for custom flags
apiserver_custom_flags: []
diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/master/tasks/main.yml
index f7faf43f8..43d9f9fa9 100644
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@@ -7,6 +7,12 @@
when:
- kube_basic_auth|default(true)
+- name: Create webhook token auth config
+ template:
+ src: webhook-token-auth-config.yaml.j2
+ dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
+ when: kube_webhook_token_auth|default(false)
+
- import_tasks: encrypt-at-rest.yml
when:
- kube_encrypt_secret_data
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
index 5ffbb97f6..41e744bc7 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
@@ -99,6 +99,9 @@ apiServerExtraArgs:
oidc-groups-claim: {{ kube_oidc_groups_claim }}
{% endif %}
{% endif %}
+{% if kube_webhook_token_auth|default(false) %}
+ authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+{% endif %}
{% if kube_encrypt_secret_data %}
experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %}
@@ -152,7 +155,7 @@ schedulerExtraArgs:
{{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
{% endfor %}
{% endif %}
-{% if kube_basic_auth|default(true) or kube_token_auth|default(true) %}
+{% if kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) %}
apiServerExtraVolumes:
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
- name: cloud-config
@@ -169,6 +172,11 @@ apiServerExtraVolumes:
hostPath: {{ kube_token_dir }}
mountPath: {{ kube_token_dir }}
{% endif %}
+{% if kube_webhook_token_auth|default(false) %}
+- name: webhook-token-auth-config
+ hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+ mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+{% endif %}
{% endif %}
apiServerCertSANs:
{% for san in apiserver_sans.split() | unique %}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
index cf7331293..141087d3d 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
@@ -84,6 +84,9 @@ apiServerExtraArgs:
oidc-groups-claim: {{ kube_oidc_groups_claim }}
{% endif %}
{% endif %}
+{% if kube_webhook_token_auth|default(false) %}
+ authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+{% endif %}
{% if kube_encrypt_secret_data %}
experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %}
@@ -146,7 +149,7 @@ controllerManagerExtraVolumes:
mountPath: {{ kube_config_dir }}/cloud_config
{% endif %}
{% endif %}
-{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) %}
+{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) %}
apiServerExtraVolumes:
{% if kube_basic_auth|default(true) %}
- name: basic-auth-config
@@ -158,6 +161,11 @@ apiServerExtraVolumes:
hostPath: {{ kube_token_dir }}
mountPath: {{ kube_token_dir }}
{% endif %}
+{% if kube_webhook_token_auth|default(false) %}
+- name: webhook-token-auth-config
+ hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+ mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+{% endif %}
{% if kubernetes_audit %}
- name: {{ audit_policy_name }}
hostPath: {{ audit_policy_hostpath }}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
index 6238dffd9..9cba6a40f 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
@@ -94,6 +94,9 @@ apiServerExtraArgs:
oidc-groups-claim: {{ kube_oidc_groups_claim }}
{% endif %}
{% endif %}
+{% if kube_webhook_token_auth|default(false) %}
+ authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+{% endif %}
{% if kube_encrypt_secret_data %}
experimental-encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %}
@@ -147,7 +150,7 @@ schedulerExtraArgs:
{{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
{% endfor %}
{% endif %}
-{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes %}
+{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes %}
apiServerExtraVolumes:
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
- name: cloud-config
@@ -164,6 +167,11 @@ apiServerExtraVolumes:
hostPath: {{ kube_token_dir }}
mountPath: {{ kube_token_dir }}
{% endif %}
+{% if kube_webhook_token_auth|default(false) %}
+- name: webhook-token-auth-config
+ hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+ mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+{% endif %}
{% if kubernetes_audit %}
- name: {{ audit_policy_name }}
hostPath: {{ audit_policy_hostpath }}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
index 6a346cd83..f2589c9bb 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
@@ -92,6 +92,9 @@ apiServer:
oidc-groups-claim: {{ kube_oidc_groups_claim }}
{% endif %}
{% endif %}
+{% if kube_webhook_token_auth|default(false) %}
+ authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+{% endif %}
{% if kube_encrypt_secret_data %}
encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %}
@@ -119,7 +122,7 @@ apiServer:
{% elif cloud_provider is defined and cloud_provider in ["external"] %}
cloud-config: {{ kube_config_dir }}/cloud_config
{% endif %}
-{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes %}
+{% if kubernetes_audit or kube_basic_auth|default(true) or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws"] ) or apiserver_extra_volumes %}
extraVolumes:
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "external"] %}
- name: cloud-config
@@ -136,6 +139,11 @@ apiServer:
hostPath: {{ kube_token_dir }}
mountPath: {{ kube_token_dir }}
{% endif %}
+{% if kube_webhook_token_auth|default(false) %}
+ - name: webhook-token-auth-config
+ hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+ mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
+{% endif %}
{% if kubernetes_audit %}
- name: {{ audit_policy_name }}
hostPath: {{ audit_policy_hostpath }}
diff --git a/roles/kubernetes/master/templates/webhook-token-auth-config.yaml.j2 b/roles/kubernetes/master/templates/webhook-token-auth-config.yaml.j2
new file mode 100644
index 000000000..15559732c
--- /dev/null
+++ b/roles/kubernetes/master/templates/webhook-token-auth-config.yaml.j2
@@ -0,0 +1,17 @@
+# clusters refers to the remote service.
+clusters:
+- name: webhook-token-auth-cluster
+ cluster:
+ server: {{ kube_webhook_token_auth_url }}
+
+# users refers to the API server's webhook configuration.
+users:
+- name: webhook-token-auth-user
+
+# kubeconfig files require a context. Provide one for the API server.
+current-context: webhook-token-auth
+contexts:
+- context:
+ cluster: webhook-token-auth-cluster
+ user: webhook-token-auth-user
+ name: webhook-token-auth
\ No newline at end of file