Sulochan Acharya
4 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with
48 additions and
3 deletions
-
inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
-
roles/kubernetes/master/defaults/main/main.yml
-
roles/kubernetes/master/tasks/main.yml
-
roles/kubernetes/master/templates/kubeadm-config.v1beta2.yaml.j2
-
roles/kubernetes/master/templates/webhook-authorization-config.yaml.j2
@ -69,6 +69,15 @@ kube_users: |
|
|
|
# kube_oidc_groups_claim: groups |
|
|
|
# kube_oidc_groups_prefix: oidc: |
|
|
|
|
|
|
|
## Variables to control webhook authn/authz |
|
|
|
# kube_webhook_token_auth: false |
|
|
|
# kube_webhook_token_auth_url: https://... |
|
|
|
# kube_webhook_token_auth_url_skip_tls_verify: false |
|
|
|
|
|
|
|
## For webhook authorization, authorization_modes must include Webhook |
|
|
|
# kube_webhook_authorization: false |
|
|
|
# kube_webhook_authorization_url: https://... |
|
|
|
# kube_webhook_authorization_url_skip_tls_verify: false |
|
|
|
|
|
|
|
# Choose network plugin (cilium, calico, contiv, weave or flannel. Use cni for generic cni plugin) |
|
|
|
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing |
|
|
|
|
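Review bot: The sample's `# kube_webhook_authorization_url_skip_tls_verify: false` line carries no warning about what flipping it does, and this is the one knob in the group that silently weakens the trust model: with TLS verification off the API server no longer authenticates the authorizer, so anyone who can interpose on the path to that URL can answer SubjectAccessReviews and grant themselves arbitrary access. Since the sample inventory is what operators copy, I would add a comment directly above it, e.g. `# WARNING: set to true only for testing; it disables server authentication of the webhook, so a MITM on that path controls authorization decisions`. The same caveat applies to the token-auth `skip_tls_verify` line a few lines up, though that one predates this commit.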
|
@ -117,6 +117,13 @@ kube_token_auth: false |
|
|
|
kube_oidc_auth: false |
|
|
|
kube_webhook_token_auth: false |
|
|
|
kube_webhook_token_auth_url_skip_tls_verify: false |
|
|
|
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication |
|
|
|
# kube_webhook_token_auth_url: https://... |
|
|
|
kube_webhook_authorization: false |
|
|
|
## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/ |
|
|
|
# kube_webhook_authorization_url: https://... |
|
|
|
kube_webhook_authorization_url_skip_tls_verify: false |
|
|
|
|
|
|
|
|
|
|
|
## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ |
|
|
|
## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) |
|
|
@ -133,9 +140,6 @@ kube_webhook_token_auth_url_skip_tls_verify: false |
|
|
|
# Optionally include a base64-encoded oidc CA cert |
|
|
|
# kube_oidc_ca_cert: c3RhY2thYnVzZS5jb20... |
|
|
|
|
|
|
|
## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication |
|
|
|
# kube_webhook_token_auth_url: https://... |
|
|
|
|
|
|
|
# List of the preferred NodeAddressTypes to use for kubelet connections. |
|
|
|
kubelet_preferred_address_types: 'InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP' |
|
|
|
|
|
|
|
|
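Review bot: The header comment added with the new defaults, `## Variables for webhook token authz https://kubernetes.io/docs/reference/access-authn-authz/webhook/`, mislabels the feature: this block configures the authorization webhook (SubjectAccessReview), not token authentication, and the word "token" invites confusion with the `kube_webhook_token_auth_*` block directly above it. It is also placed after `kube_webhook_authorization: false` rather than above the group, unlike the token-auth block where the comment precedes its variables. I would reword it to `## Variables for webhook authorization (authorization_modes must include Webhook) https://kubernetes.io/docs/reference/access-authn-authz/webhook/` and move it above `kube_webhook_authorization: false`, so the prerequisite stated in the sample inventory is also visible where the defaults live.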
|
@ -13,6 +13,12 @@ |
|
|
|
dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml" |
|
|
|
when: kube_webhook_token_auth|default(false) |
|
|
|
|
|
|
|
- name: Create webhook authorization config |
|
|
|
template: |
|
|
|
src: webhook-authorization-config.yaml.j2 |
|
|
|
dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml" |
|
|
|
when: kube_webhook_authorization|default(false) |
|
|
|
|
|
|
|
- import_tasks: encrypt-at-rest.yml |
|
|
|
when: |
|
|
|
- kube_encrypt_secret_data |
|
|
|
|
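Review bot: The new "Create webhook authorization config" task renders the kubeconfig whenever `kube_webhook_authorization` is true, but nothing checks the two prerequisites the sample inventory documents: `kube_webhook_authorization_url` has no default, and `authorization_modes` must include `Webhook` for the `authorization-webhook-config-file` flag to do anything. An undefined URL should, I believe, fail the template step with a Jinja undefined-variable error, and kube-apiserver is expected to reject the webhook config file when Webhook is not among its modes, but both surface late and with unhelpful messages deep into a control-plane deploy. A guard task before the template makes the failure immediate and self-explanatory; only the added task is shown, the existing template task is unchanged.
```yaml
- name: Verify webhook authorization prerequisites
  assert:
    that:
      - kube_webhook_authorization_url is defined
      - "'Webhook' in authorization_modes"
    fail_msg: "kube_webhook_authorization requires kube_webhook_authorization_url and 'Webhook' in authorization_modes"
  when: kube_webhook_authorization|default(false)

# … unchanged: Create webhook authorization config task …
```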
|
@ -154,6 +154,9 @@ apiServer: |
|
|
|
{% if kube_webhook_token_auth|default(false) %} |
|
|
|
authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml |
|
|
|
{% endif %} |
|
|
|
{% if kube_webhook_authorization|default(false) %} |
|
|
|
authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml |
|
|
|
{% endif %} |
|
|
|
{% if kube_encrypt_secret_data %} |
|
|
|
encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml |
|
|
|
{% endif %} |
|
|
@ -218,6 +221,11 @@ apiServer: |
|
|
|
hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml |
|
|
|
mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml |
|
|
|
{% endif %} |
|
|
|
{% if kube_webhook_authorization|default(false) %} |
|
|
|
- name: webhook-authorization-config |
|
|
|
hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml |
|
|
|
mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml |
|
|
|
{% endif %} |
|
|
|
{% if kubernetes_audit or kubernetes_audit_webhook %} |
|
|
|
- name: {{ audit_policy_name }} |
|
|
|
hostPath: {{ audit_policy_hostpath }} |
|
|
|
|
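Review bot: The new `webhook-authorization-config` extraVolume (the block under `{% if kube_webhook_authorization|default(false) %}` in the second hunk) mounts the host file into the kube-apiserver pod without `readOnly: true`, although the API server only ever reads this kubeconfig. The token-auth volume above it appears to follow the same pattern, so the new block is consistent with existing style, but a read-write host-path mount into the API server container is more privilege than the use requires and is worth fixing while the file is touched. Adding `readOnly: true` after `mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml` is enough; the kubeadm extraVolumes schema supports it. The `apiServer:` stanza that encloses both hunks starts and ends outside the hunk.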
|
@ -0,0 +1,18 @@ |
|
|
|
# clusters refers to the remote service. |
|
|
|
clusters: |
|
|
|
- name: webhook-token-authz-cluster |
|
|
|
cluster: |
|
|
|
server: {{ kube_webhook_authorization_url }} |
|
|
|
insecure-skip-tls-verify: {{ kube_webhook_authorization_url_skip_tls_verify }} |
|
|
|
|
|
|
|
# users refers to the API server's webhook configuration. |
|
|
|
users: |
|
|
|
- name: webhook-token-authz-user |
|
|
|
|
|
|
|
# kubeconfig files require a context. Provide one for the API server. |
|
|
|
current-context: webhook-token-authz |
|
|
|
contexts: |
|
|
|
- context: |
|
|
|
cluster: webhook-token-authz-cluster |
|
|
|
user: webhook-token-authz-user |
|
|
|
name: webhook-token-authz |
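Review bot: The new kubeconfig template offers only two trust options for the authorizer connection, the system CA bundle or `insecure-skip-tls-verify`, and its `users:` entry carries no client credentials, so the API server neither pins the webhook's identity to a private CA nor proves its own identity to the webhook. Operators running an internal PKI are therefore pushed toward `kube_webhook_authorization_url_skip_tls_verify: true`, which is exactly the setting that lets an on-path attacker answer authorization decisions; the token-auth template this was modeled on is not visible here, so it may share the gap. I would add an optional `certificate-authority:` line under `cluster:` and optional `client-certificate:`/`client-key:` lines under the user, each behind a `{% if ... is defined %}` guard driven by new variables, mirroring how `kube_oidc_ca_cert` is made optional in the defaults. Two smaller points: quote the templated URL as `server: "{{ kube_webhook_authorization_url }}"` so an empty or special-character value cannot change the YAML shape, and the names `webhook-token-authz-*` look copied from the token-auth config; `webhook-authz-*` would avoid suggesting this file handles tokens.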