From 4b08a05274c1c95b495285cf6c3df5ffa5ddc6df Mon Sep 17 00:00:00 2001
From: Rohith
Date: Tue, 8 Jan 2019 15:21:02 +0000
Subject: [PATCH 1/3] Kubelet API Admin for Webhook Mode - adding a default binding for the kubelet-api for when kubelet webhook is enabled
---
 .../rbac.addons.k8s.io/kubelet-api-admin.yaml | 13 +++++++
 .../pkg/fi/cloudup/bootstrapchannelbuilder.go | 36 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 upup/models/cloudup/resources/addons/rbac.addons.k8s.io/kubelet-api-admin.yaml
diff --git a/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/kubelet-api-admin.yaml b/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/kubelet-api-admin.yaml
new file mode 100644
index 0000000000..5df64b0670
--- /dev/null
+++ b/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/kubelet-api-admin.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kops:system:kubelet-api-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:kubelet-api-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: kubelet-api
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index 61b30ca562..8417e67f00 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
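Review bot: The new manifest binds the built-in `system:kubelet-api-admin` ClusterRole to the single User `kubelet-api` and says nothing about where that identity comes from, so a reader cannot tell what actually bounds the grant. `kubelet-api` is a certificate subject rather than a Kubernetes-managed principal, so the role (documented upstream as full access to the kubelet API) reaches any client certificate the cluster CA issues with that common name — presumably the one kops issues for the apiserver's kubelet client; a comment above `subjects:` should state that invariant, e.g. `# "kubelet-api" is the common name of the apiserver's kubelet client certificate; this grant is bounded only by that certificate, so the CN must never be issued to any other component.` Because PATCH 2/3 installs the binding unconditionally, that issuance rule becomes the only thing limiting the grant.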
@@ -265,6 +265,42 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
 }
 }
+ {
+ // @check if kubelet web authorization is enabled - by default the is not bound
+ // docs: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles
+ // issue: https://github.com/kubernetes/kops/issues/5176
+ var enabled bool
+
+ // @TODO: now technically kubelet config can come form instancegroup, master kubelet or cluster, though i'm not
+ // sure how to check the instancegroups here
+ if b.cluster.Spec.Kubelet != nil && fi.BoolValue(b.cluster.Spec.Kubelet.AuthenticationTokenWebhook) {
+ enabled = true
+ }
+ if b.cluster.Spec.MasterKubelet != nil && fi.BoolValue(b.cluster.Spec.MasterKubelet.AuthenticationTokenWebhook) {
+ enabled = true
+ }
+
+ if enabled {
+ key := "rbac.addons.k8s.io"
+ version := "v0.0.1"
+
+ {
+ id := "kubelet-api-admin"
+ location := key + "/kubelet-api-admin.yaml"
+
+ addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
+ Name: fi.String(key),
+ Version: fi.String(version),
+ Selector: map[string]string{"k8s-addon": key},
+ Manifest: fi.String(location),
+ KubernetesVersion: ">=1.8.0",
+ Id: id,
+ })
+ manifests[key+"-"+id] = "addons/" + location
+ }
+ }
+ }
+
 {
 key := "limit-range.addons.k8s.io"
 version := "1.5.0"
From 83ba980f40be6760c132cab0489eb737e4a43ba9 Mon Sep 17 00:00:00 2001
From: Rohith
Date: Tue, 8 Jan 2019 15:33:03 +0000
Subject: [PATCH 2/3] - changing this to a default install and its a breaking change and won't effect unless the webhook is enabled
---
 .../rbac.addons.k8s.io/kubelet-api-admin.yaml | 1 +
 .../pkg/fi/cloudup/bootstrapchannelbuilder.go | 43 +++++++------------
 2 files changed, 16 insertions(+), 28 deletions(-)
diff --git a/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/kubelet-api-admin.yaml b/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/kubelet-api-admin.yaml
index 5df64b0670..053b9dca77 100644
--- a/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/kubelet-api-admin.yaml
+++ b/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/kubelet-api-admin.yaml
@@ -8,6 +8,7 @@ roleRef:
 kind: ClusterRole
 name: system:kubelet-api-admin
 subjects:
+# TODO: perhaps change the client cerificate, place into a group and using a group selector instead?
 - apiGroup: rbac.authorization.k8s.io
 kind: User
 name: kubelet-api
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index 8417e67f00..fd456cf828 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -266,38 +266,25 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
 }
 {
- // @check if kubelet web authorization is enabled - by default the is not bound
+ // Adding the kubelet-api-admin binding: this is required when switching to webhook authorization on the kubelet
 // docs: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles
 // issue: https://github.com/kubernetes/kops/issues/5176
- var enabled bool
+ key := "rbac.addons.k8s.io"
+ version := "v0.0.1"
- // @TODO: now technically kubelet config can come form instancegroup, master kubelet or cluster, though i'm not
- // sure how to check the instancegroups here
- if b.cluster.Spec.Kubelet != nil && fi.BoolValue(b.cluster.Spec.Kubelet.AuthenticationTokenWebhook) {
- enabled = true
- }
- if b.cluster.Spec.MasterKubelet != nil && fi.BoolValue(b.cluster.Spec.MasterKubelet.AuthenticationTokenWebhook) {
- enabled = true
- }
+ {
+ id := "kubelet-api-admin"
+ location := key + "/kubelet-api-admin.yaml"
- if enabled {
- key := "rbac.addons.k8s.io"
- version := "v0.0.1"
-
- {
- id := "kubelet-api-admin"
- location := key + "/kubelet-api-admin.yaml"
-
- addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
- Name: fi.String(key),
- Version: fi.String(version),
- Selector: map[string]string{"k8s-addon": key},
- Manifest: fi.String(location),
- KubernetesVersion: ">=1.8.0",
- Id: id,
- })
- manifests[key+"-"+id] = "addons/" + location
- }
+ addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
+ Name: fi.String(key),
+ Version: fi.String(version),
+ Selector: map[string]string{"k8s-addon": key},
+ Manifest: fi.String(location),
+ KubernetesVersion: ">=1.8.0",
+ Id: id,
+ })
+ manifests[key+"-"+id] = "addons/" + location
 }
 }
From ebd91354bbbd7961669170e45f890729deb31d0e Mon Sep 17 00:00:00 2001
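Review bot: The comment on the first added line still presents the binding as something needed "when switching to webhook authorization", but the gate on `AuthenticationTokenWebhook` is gone and the addon is now appended unconditionally, so the code no longer records why an always-on grant is acceptable. Replace it with something like `// Always installed: binds only the apiserver's "kubelet-api" client-certificate identity to system:kubelet-api-admin, which the kubelet consults once it authorizes via webhook (issue 5176).` The inner `{ ... }` around `id` and `location` is a leftover of the removed `if enabled` block and can be flattened. `version := "v0.0.1"` also sits under the same `Name` as the existing `rbac.addons.k8s.io` addon, which the PATCH 3/3 fixtures show at `1.8.0` without a `v` prefix, so one version format should be chosen for the two entries sharing that name. buildManifest continues outside the hunk.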
From: Rohith
Date: Tue, 8 Jan 2019 15:54:04 +0000
Subject: [PATCH 3/3] - fixing the unit test for the bootstrap code
---
 upup/pkg/fi/cloudup/bootstrapchannelbuilder.go | 2 +-
 .../tests/bootstrapchannelbuilder/cilium/manifest.yaml | 7 +++++++
 .../bootstrapchannelbuilder/kopeio-vxlan/manifest.yaml | 7 +++++++
 .../tests/bootstrapchannelbuilder/simple/manifest.yaml | 7 +++++++
 .../tests/bootstrapchannelbuilder/weave/manifest.yaml | 7 +++++++
 5 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index fd456cf828..3d523ef6cc 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -281,7 +281,7 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
 Version: fi.String(version),
 Selector: map[string]string{"k8s-addon": key},
 Manifest: fi.String(location),
- KubernetesVersion: ">=1.8.0",
+ KubernetesVersion: ">=1.9.0",
 Id: id,
 })
 manifests[key+"-"+id] = "addons/" + location
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml
index eb4d052a07..d22d061964 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/cilium/manifest.yaml
@@ -30,6 +30,13 @@ spec:
 selector:
 k8s-addon: rbac.addons.k8s.io
 version: 1.8.0
+ - id: kubelet-api-admin
+ kubernetesVersion: '>=1.9.0'
+ manifest: rbac.addons.k8s.io/kubelet-api-admin.yaml
+ name: rbac.addons.k8s.io
+ selector:
+ k8s-addon: rbac.addons.k8s.io
+ version: v0.0.1
 - manifest: limit-range.addons.k8s.io/v1.5.0.yaml
 name: limit-range.addons.k8s.io
 selector:
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/manifest.yaml
index 4c7d06b00e..c3c91f2830 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/manifest.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/manifest.yaml
@@ -30,6 +30,13 @@ spec:
 selector:
 k8s-addon: rbac.addons.k8s.io
 version: 1.8.0
+ - id: kubelet-api-admin
+ kubernetesVersion: '>=1.9.0'
+ manifest: rbac.addons.k8s.io/kubelet-api-admin.yaml
+ name: rbac.addons.k8s.io
+ selector:
+ k8s-addon: rbac.addons.k8s.io
+ version: v0.0.1
 - manifest: limit-range.addons.k8s.io/v1.5.0.yaml
 name: limit-range.addons.k8s.io
 selector:
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml
index 86002b53a2..ad6e316605 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/manifest.yaml
@@ -30,6 +30,13 @@ spec:
 selector:
 k8s-addon: rbac.addons.k8s.io
 version: 1.8.0
+ - id: kubelet-api-admin
+ kubernetesVersion: '>=1.9.0'
+ manifest: rbac.addons.k8s.io/kubelet-api-admin.yaml
+ name: rbac.addons.k8s.io
+ selector:
+ k8s-addon: rbac.addons.k8s.io
+ version: v0.0.1
 - manifest: limit-range.addons.k8s.io/v1.5.0.yaml
 name: limit-range.addons.k8s.io
 selector:
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/weave/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/weave/manifest.yaml
index 4d02e19993..60af6fabd7 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/weave/manifest.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/weave/manifest.yaml
@@ -30,6 +30,13 @@ spec:
 selector:
 k8s-addon: rbac.addons.k8s.io
 version: 1.8.0
+ - id: kubelet-api-admin
+ kubernetesVersion: '>=1.9.0'
+ manifest: rbac.addons.k8s.io/kubelet-api-admin.yaml
+ name: rbac.addons.k8s.io
+ selector:
+ k8s-addon: rbac.addons.k8s.io
+ version: v0.0.1
 - manifest: limit-range.addons.k8s.io/v1.5.0.yaml
 name: limit-range.addons.k8s.io
 selector: