richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

enable back kubelet_authorization_mode_webhook by default (#9662) 

In 6db6c8678c, this was disabled becaue
kubesrpay gave too much permissions that were not needed. This commit
re-enable back this option by default and also removes the extra
permissions that kubespray gave that were in fact not needed.

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
pull/9674/head
Arthur Outhenin-Chalandre 2 years ago
committed by GitHub
parent
58fe1a0ed6
commit
4a6eb7eaa2
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 6 additions and 72 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      docs/hardening.md
  2. 38
      roles/kubernetes-apps/cluster_roles/tasks/main.yml
  3. 20
      roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2
  4. 17
      roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2
  5. 2
      roles/kubespray-defaults/defaults/main.yaml

1
docs/hardening.md
View File

@ -85,6 +85,7 @@ kube_kubeadm_scheduler_extra_args:
etcd_deployment_type: kubeadm etcd_deployment_type: kubeadm
## kubelet ## kubelet
kubelet_authorization_mode_webhook: true
kubelet_authentication_token_webhook: true kubelet_authentication_token_webhook: true
kube_read_only_port: 0 kube_read_only_port: 0
kubelet_rotate_server_certificates: true kubelet_rotate_server_certificates: true

38
roles/kubernetes-apps/cluster_roles/tasks/main.yml
View File

@ -37,55 +37,25 @@
- node_crb_manifest.changed - node_crb_manifest.changed
- inventory_hostname == groups['kube_control_plane'][0] - inventory_hostname == groups['kube_control_plane'][0]
- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
template:
src: "node-webhook-cr.yml.j2"
dest: "{{ kube_config_dir }}/node-webhook-cr.yml"
mode: 0640
register: node_webhook_cr_manifest
when:
- rbac_enabled
- kubelet_authorization_mode_webhook
- inventory_hostname == groups['kube_control_plane'][0]
tags: node-webhook
- name: Apply webhook ClusterRole
- name: Kubernetes Apps | Remove old webhook ClusterRole
kube: kube:
name: "system:node-webhook" name: "system:node-webhook"
kubectl: "{{ bin_dir }}/kubectl" kubectl: "{{ bin_dir }}/kubectl"
resource: "clusterrole" resource: "clusterrole"
filename: "{{ kube_config_dir }}/node-webhook-cr.yml"
state: latest
state: absent
when: when:
- rbac_enabled - rbac_enabled
- kubelet_authorization_mode_webhook
- node_webhook_cr_manifest.changed
- inventory_hostname == groups['kube_control_plane'][0] - inventory_hostname == groups['kube_control_plane'][0]
tags: node-webhook tags: node-webhook
- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
template:
src: "node-webhook-crb.yml.j2"
dest: "{{ kube_config_dir }}/node-webhook-crb.yml"
mode: 0640
register: node_webhook_crb_manifest
when:
- rbac_enabled
- kubelet_authorization_mode_webhook
- inventory_hostname == groups['kube_control_plane'][0]
tags: node-webhook
- name: Grant system:nodes the webhook ClusterRole
- name: Kubernetes Apps | Remove old webhook ClusterRoleBinding
kube: kube:
name: "system:node-webhook" name: "system:node-webhook"
kubectl: "{{ bin_dir }}/kubectl" kubectl: "{{ bin_dir }}/kubectl"
resource: "clusterrolebinding" resource: "clusterrolebinding"
filename: "{{ kube_config_dir }}/node-webhook-crb.yml"
state: latest
state: absent
when: when:
- rbac_enabled - rbac_enabled
- kubelet_authorization_mode_webhook
- node_webhook_crb_manifest.changed
- inventory_hostname == groups['kube_control_plane'][0] - inventory_hostname == groups['kube_control_plane'][0]
tags: node-webhook tags: node-webhook

20
roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2
View File

@ -1,20 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:node-webhook
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
verbs:
- "*"

17
roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2
View File

@ -1,17 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:node-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node-webhook
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes

2
roles/kubespray-defaults/defaults/main.yaml
View File

@ -480,7 +480,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
kubelet_authentication_token_webhook: true kubelet_authentication_token_webhook: true
# When enabled, access to the kubelet API requires authorization by delegation to the API server # When enabled, access to the kubelet API requires authorization by delegation to the API server
kubelet_authorization_mode_webhook: false
kubelet_authorization_mode_webhook: true
# kubelet uses certificates for authenticating to the Kubernetes API # kubelet uses certificates for authenticating to the Kubernetes API
# Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration

Write Preview
Loading…
Cancel
Save