Merge pull request #3928 from justinsb/kopeio_auth

Automatic merge from submit-queue.

Update kopeio auth
Kubernetes Submit Queue 2017-11-27 15:02:12 -08:00 committed by GitHub
commit 967ed4acf5
4 changed files with 223 additions and 136 deletions

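--- a/docs/authentication.md
+++ b/docs/authentication.md
@@ -0,0 +1,34 @@
+# Authentication
+Kops has support for configuring authentication systems. This support is
+currently highly experimental, and should not be used with kubernetes versions
+before 1.8.5 because of a serious bug with apimachinery (#55022)[https://github.com/kubernetes/kubernetes/issues/55022].
+## kopeio authentication
+If you want to experiment with kopeio authentication, you can use
+`--authentication kopeio`. However please be aware that kopeio authentication
+has not yet been formally released, and thus there is not a lot of upstream
+documentation.
+Alternatively, you can add this block to your cluster:
+```
+authentication:
+kopeio: {}
+```
+For example:
+```
+apiVersion: kops/v1alpha2
+kind: Cluster
+metadata:
+name: cluster.example.com
+spec:
+authentication:
+kopeio: {}
+authorization:
+rbac: {}
+```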

@ -1,132 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: auth-portal
namespace: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
spec:
template:
metadata:
labels:
app: auth-portal
spec:
containers:
- name: auth-portal
image: kopeio/auth-portal:1.0.20170619
ports:
- containerPort: 8080
command:
- /auth-portal
---
apiVersion: v1
kind: Service
metadata:
name: auth-portal
namespace: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
spec:
selector:
app: auth-portal
ports:
- port: 80
targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: auth-api
namespace: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
spec:
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
app: auth-api
spec:
hostNetwork: true
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
containers:
- name: auth-api
image: kopeio/auth-api:1.0.20170619
imagePullPolicy: Always
ports:
- containerPort: 9001
command:
- /auth-api
- --listen=127.0.0.1:9001
- --secure-port=9002
- --server=https://127.0.0.1:9002
- --insecure-skip-tls-verify
- --etcd-servers=http://127.0.0.1:4001
- --v=8
- --storage-backend=etcd2
---
apiVersion: v1
kind: Service
metadata:
name: auth-api
namespace: kopeio-auth
spec:
selector:
app: auth-api
ports:
- port: 443
targetPort: 9002
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1alpha1.auth.kope.io
spec:
insecureSkipTLSVerify: true
group: auth.kope.io
priority: 150
service:
name: auth-api
namespace: kopeio-auth
version: v1alpha1
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1alpha1.config.auth.kope.io
spec:
insecureSkipTLSVerify: true
group: config.auth.kope.io
priority: 150
service:
name: auth-api
namespace: kopeio-auth
version: v1alpha1


@ -0,0 +1,185 @@
apiVersion: v1
kind: Namespace
metadata:
name: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
---
apiVersion: v1
kind: Service
metadata:
name: auth-api
namespace: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
spec:
selector:
app: auth-api
ports:
- port: 443
targetPort: 9002
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: auth-api
namespace: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
spec:
template:
metadata:
labels:
app: auth-api
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
serviceAccountName: auth-api
hostNetwork: true
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- key: "CriticalAddonsOnly"
operator: "Exists"
containers:
- name: auth-api
image: kopeio/auth-api:1.0.20171125
imagePullPolicy: Always
ports:
- containerPort: 9001
command:
- /auth-api
- --listen=127.0.0.1:9001
- --secure-port=9002
- --etcd-servers=http://127.0.0.1:4001
- --v=8
- --storage-backend=etcd2
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1alpha1.auth.kope.io
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
spec:
insecureSkipTLSVerify: true
group: auth.kope.io
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: auth-api
namespace: kopeio-auth
version: v1alpha1
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1alpha1.config.auth.kope.io
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
spec:
insecureSkipTLSVerify: true
group: config.auth.kope.io
groupPriorityMinimum: 1000
versionPriority: 15
service:
name: auth-api
namespace: kopeio-auth
version: v1alpha1
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: auth-api
namespace: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kopeio-auth:auth-api:auth-reader
namespace: kube-system
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: auth-api
namespace: kopeio-auth
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kopeio-auth:system:auth-delegator
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: auth-api
namespace: kopeio-auth
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: auth-api
namespace: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
rules:
- apiGroups: ["auth.kope.io"]
resources: ["users"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: auth-api
namespace: kopeio-auth
labels:
k8s-addon: authentication.kope.io
role.kubernetes.io/authentication: "1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: auth-api
subjects:
- kind: ServiceAccount
name: auth-api
namespace: kopeio-auth
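Review bot: Both APIService objects in this new manifest (`v1alpha1.auth.kope.io` and `v1alpha1.config.auth.kope.io`) still set `insecureSkipTLSVerify: true`, so the kube-apiserver aggregator forwards authentication requests to auth-api without verifying its serving certificate; since the Go change appears to make this k8s-1.8 manifest the one that is installed, it should carry a `caBundle: <base64 CA that signs the auth-api serving cert — PLACEHOLDER>` in place of that flag, or the gap should at least be stated in docs/authentication.md. `metadata.namespace: kopeio-auth` on the cluster-scoped ClusterRole and ClusterRoleBinding named `auth-api` is ignored for cluster-scoped resources and should be dropped so the grant does not read as namespaced. The DaemonSet also no longer sets `updateStrategy: type: RollingUpdate` as the removed k8s-1.6 manifest did; if the extensions/v1beta1 default of OnDelete applies, the bump to `kopeio/auth-api:1.0.20171125` will not reach already-running pods until they are deleted by hand. Finally, `--v=8` is unusually verbose for a component on the authentication path and may write request details into the logs on every master, so a lower default such as `--v=2` would be the safer shipped value.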


@ -625,18 +625,18 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
if b.cluster.Spec.Authentication != nil && b.cluster.Spec.Authentication.Kopeio != nil {
key := "authentication.kope.io"
version := "1.0.20170619"
version := "1.0.20171125"
{
location := key + "/k8s-1.6.yaml"
id := "k8s-1.6"
location := key + "/k8s-1.8.yaml"
id := "k8s-1.8"
addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
Name: fi.String(key),
Version: fi.String(version),
Selector: authenticationSelector,
Manifest: fi.String(location),
KubernetesVersion: ">=1.6.0",
KubernetesVersion: ">=1.8.0",
Id: id,
})
manifests[key+"-"+id] = "addons/" + location