From 4a6eb7eaa2b96bf34ac35fc536d90726e4bca19b Mon Sep 17 00:00:00 2001
From: Arthur Outhenin-Chalandre
Date: Tue, 17 Jan 2023 08:56:32 +0100
Subject: [PATCH] enable back kubelet_authorization_mode_webhook by default (#9662)

In 6db6c8678c31621934c2253faa331174bf9fa49a, this was disabled becaue kubesrpay gave too much permissions that were not needed. This commit re-enable back this option by default and also removes the extra permissions that kubespray gave that were in fact not needed.
Signed-off-by: Arthur Outhenin-Chalandre
Signed-off-by: Arthur Outhenin-Chalandre
---
 docs/hardening.md | 1 +
 .../cluster_roles/tasks/main.yml | 38 ++-----------------
 .../templates/node-webhook-cr.yml.j2 | 20 ----------
 .../templates/node-webhook-crb.yml.j2 | 17 ---------
 roles/kubespray-defaults/defaults/main.yaml | 2 +-
 5 files changed, 6 insertions(+), 72 deletions(-)
 delete mode 100644 roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2
 delete mode 100644 roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2

diff --git a/docs/hardening.md b/docs/hardening.md
index b3359b74b..5aa8fcfb0 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -85,6 +85,7 @@ kube_kubeadm_scheduler_extra_args:
 etcd_deployment_type: kubeadm
 ## kubelet
+kubelet_authorization_mode_webhook: true
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index ddbddba4b..f0e07018c 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -37,55 +37,25 @@ - node_crb_manifest.changed - inventory_hostname == groups['kube_control_plane'][0] -- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet - template: - src: "node-webhook-cr.yml.j2" - dest: "{{ kube_config_dir }}/node-webhook-cr.yml" - mode: 0640 - register: node_webhook_cr_manifest - when: - - rbac_enabled - - kubelet_authorization_mode_webhook - - inventory_hostname == groups['kube_control_plane'][0] - tags: node-webhook - -- name: Apply webhook ClusterRole +- name: Kubernetes Apps | Remove old webhook ClusterRole kube: name: "system:node-webhook" kubectl: "{{ bin_dir }}/kubectl" resource: "clusterrole" - filename: "{{ kube_config_dir }}/node-webhook-cr.yml" - state: latest + state: absent when: - rbac_enabled - - kubelet_authorization_mode_webhook - - node_webhook_cr_manifest.changed - inventory_hostname == groups['kube_control_plane'][0] tags: node-webhook -- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole - template: - src: "node-webhook-crb.yml.j2" - dest: "{{ kube_config_dir }}/node-webhook-crb.yml" - mode: 0640 - register: node_webhook_crb_manifest - when: - - rbac_enabled - - kubelet_authorization_mode_webhook - - inventory_hostname == groups['kube_control_plane'][0] - tags: node-webhook - -- name: Grant system:nodes the webhook ClusterRole +- name: Kubernetes Apps | Remove old webhook ClusterRoleBinding kube: name: "system:node-webhook" kubectl: "{{ bin_dir }}/kubectl" resource: "clusterrolebinding" - filename: "{{ kube_config_dir }}/node-webhook-crb.yml" - state: latest + state: absent when: - rbac_enabled - - kubelet_authorization_mode_webhook - - node_webhook_crb_manifest.changed - inventory_hostname == groups['kube_control_plane'][0] tags: node-webhook 
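Review bot: The two new `state: absent` tasks ("Remove old webhook ClusterRole" / "Remove old webhook ClusterRoleBinding") carry no comment saying why `system:node-webhook` is torn down, and after this commit the only explanation lives in the deleted template, which bound the whole `system:nodes` group to `'*'` on `nodes/proxy`, `nodes/stats`, `nodes/log`, `nodes/spec` and `nodes/metrics` — i.e. any node's kubelet credential could drive every other kubelet's API. A comment above the first removal task would keep someone from re-adding it during a refactor, e.g. `# Cleanup: system:node-webhook bound group system:nodes to '*' on nodes/proxy,stats,log,spec,metrics (cross-kubelet access); it is no longer created.` Both tasks are deliberately not gated on `kubelet_authorization_mode_webhook`, which is right for a migration, but it also means they run on every converge indefinitely — a second comment marking them as droppable after a release would help. Presumably the `kube` module treats a missing object as a no-op with `state: absent`, which matters for fresh clusters that never had the binding — worth confirming. The `when` list at the top of the hunk belongs to a task whose head is outside it.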
diff --git a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 deleted file mode 100644 index bf9aaf73f..000000000 --- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-webhook -rules: - - apiGroups: - - "" - resources: - - nodes/proxy - - nodes/stats - - nodes/log - - nodes/spec - - nodes/metrics - verbs: - - "*" diff --git a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 deleted file mode 100644 index 68aed5cb5..000000000 --- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node-webhook -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:nodes diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 6d91768bd..b02744dbc 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml 
@@ -480,7 +480,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
 kubelet_authentication_token_webhook: true
 # When enabled, access to the kubelet API requires authorization by delegation to the API server
-kubelet_authorization_mode_webhook: false
+kubelet_authorization_mode_webhook: true
 # kubelet uses certificates for authenticating to the Kubernetes API
 # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
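Review bot: The comment above the flipped default still reads as if the option were opt-in; with the default now `true` and the `system:node-webhook` binding removed in the same commit, it should state what callers of the kubelet API must now hold, e.g. `# When enabled (default since #9662), every kubelet API request is authorized by delegation to the API server; clients other than the API server (metrics scrapers, log/exec tooling) need their own RBAC on the nodes/proxy, nodes/stats, nodes/log, nodes/spec and nodes/metrics subresources — the blanket system:nodes binding Kubespray used to create is gone.` Because this lives in `roles/kubespray-defaults`, existing clusters pick up the new kubelet setting on their next run, so an upgrade note seems warranted; I cannot see from this patch whether one exists.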