From d0944714f47a7114da30810f499aedecc8495650 Mon Sep 17 00:00:00 2001 From: Justin Santa Barbara Date: Sun, 26 Nov 2017 15:27:26 -0500 Subject: [PATCH 1/2] Update kopeio auth --- .../authentication.kope.io/k8s-1.6.yaml | 132 ------------- .../authentication.kope.io/k8s-1.8.yaml | 185 ++++++++++++++++++ .../pkg/fi/cloudup/bootstrapchannelbuilder.go | 8 +- 3 files changed, 189 insertions(+), 136 deletions(-) delete mode 100644 upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.6.yaml create mode 100644 upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.8.yaml diff --git a/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.6.yaml b/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.6.yaml deleted file mode 100644 index 63ad45f259..0000000000 --- a/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.6.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: kopeio-auth - labels: - k8s-addon: authentication.kope.io - role.kubernetes.io/authentication: "1" - ---- - -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: auth-portal - namespace: kopeio-auth - labels: - k8s-addon: authentication.kope.io - role.kubernetes.io/authentication: "1" -spec: - template: - metadata: - labels: - app: auth-portal - spec: - containers: - - name: auth-portal - image: kopeio/auth-portal:1.0.20170619 - ports: - - containerPort: 8080 - command: - - /auth-portal - ---- - -apiVersion: v1 -kind: Service -metadata: - name: auth-portal - namespace: kopeio-auth - labels: - k8s-addon: authentication.kope.io - role.kubernetes.io/authentication: "1" -spec: - selector: - app: auth-portal - ports: - - port: 80 - targetPort: 8080 - ---- - -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - name: auth-api - namespace: kopeio-auth - labels: - k8s-addon: authentication.kope.io - role.kubernetes.io/authentication: "1" -spec: - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: auth-api - spec: - hostNetwork: true - nodeSelector: - node-role.kubernetes.io/master: "" - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/master - containers: - - name: auth-api - image: kopeio/auth-api:1.0.20170619 - imagePullPolicy: Always - ports: - - containerPort: 9001 - command: - - /auth-api - - --listen=127.0.0.1:9001 - - --secure-port=9002 - - --server=https://127.0.0.1:9002 - - --insecure-skip-tls-verify - - --etcd-servers=http://127.0.0.1:4001 - - --v=8 - - --storage-backend=etcd2 - ---- - -apiVersion: v1 -kind: Service -metadata: - name: auth-api - namespace: kopeio-auth -spec: - selector: - app: auth-api - ports: - - port: 443 - targetPort: 9002 - ---- - -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1alpha1.auth.kope.io -spec: - insecureSkipTLSVerify: true - group: auth.kope.io - priority: 150 
- service: - name: auth-api - namespace: kopeio-auth - version: v1alpha1 - ---- - -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1alpha1.config.auth.kope.io -spec: - insecureSkipTLSVerify: true - group: config.auth.kope.io - priority: 150 - service: - name: auth-api - namespace: kopeio-auth - version: v1alpha1 diff --git a/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.8.yaml b/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.8.yaml new file mode 100644 index 0000000000..62f4cdfcae --- /dev/null +++ b/upup/models/cloudup/resources/addons/authentication.kope.io/k8s-1.8.yaml 
@@ -0,0 +1,185 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" + +--- + +apiVersion: v1 +kind: Service +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +spec: + selector: + app: auth-api + ports: + - port: 443 + targetPort: 9002 + +--- + +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +spec: + template: + metadata: + labels: + app: auth-api + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + serviceAccountName: auth-api + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - key: "CriticalAddonsOnly" + operator: "Exists" + containers: + - name: auth-api + image: kopeio/auth-api:1.0.20171125 + imagePullPolicy: Always + ports: + - containerPort: 9001 + command: + - /auth-api + - --listen=127.0.0.1:9001 + - --secure-port=9002 + - --etcd-servers=http://127.0.0.1:4001 + - --v=8 + - --storage-backend=etcd2 + +--- + +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1alpha1.auth.kope.io + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +spec: + insecureSkipTLSVerify: true + group: auth.kope.io + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: auth-api + namespace: kopeio-auth + version: v1alpha1 + +--- + +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1alpha1.config.auth.kope.io + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +spec: + insecureSkipTLSVerify: true + group: config.auth.kope.io + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: 
auth-api + namespace: kopeio-auth + version: v1alpha1 + +--- + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kopeio-auth:auth-api:auth-reader + namespace: kube-system + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: auth-api + namespace: kopeio-auth + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kopeio-auth:system:auth-delegator + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: auth-api + namespace: kopeio-auth + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +rules: +- apiGroups: ["auth.kope.io"] + resources: ["users"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: auth-api + namespace: kopeio-auth + labels: + k8s-addon: authentication.kope.io + role.kubernetes.io/authentication: "1" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: auth-api +subjects: +- kind: ServiceAccount + name: auth-api + namespace: kopeio-auth diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index f5fe45bcea..b20b2b139f 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go 
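Review bot: Both APIService objects in this file still set `insecureSkipTLSVerify: true`, so kube-apiserver will proxy auth.kope.io and config.auth.kope.io requests to auth-api without verifying its serving certificate; anything able to answer on the Service endpoint with an arbitrary certificate could then stand in for the server that decides user identity. Since the DaemonSet side already dropped `--insecure-skip-tls-verify`, the matching hardening is to publish the auth-api serving CA in `caBundle:` on each APIService and remove the flag. The container also runs with `--v=8`; on apiserver-derived binaries that level tends to log request headers and bodies, which for an authentication server may include bearer tokens, so `--v=2` is the safer default outside debugging. Lastly, the `namespace: kopeio-auth` field on the `auth-api` ClusterRole and ClusterRoleBinding is ignored on cluster-scoped objects and only suggests a scoping that does not exist; it can be removed.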
@@ -619,18 +619,18 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri if b.cluster.Spec.Authentication != nil && b.cluster.Spec.Authentication.Kopeio != nil { key := "authentication.kope.io" - version := "1.0.20170619" + version := "1.0.20171125" { - location := key + "/k8s-1.6.yaml" - id := "k8s-1.6" + location := key + "/k8s-1.8.yaml" + id := "k8s-1.8" addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{ Name: fi.String(key), Version: fi.String(version), Selector: authenticationSelector, Manifest: fi.String(location), - KubernetesVersion: ">=1.6.0", + KubernetesVersion: ">=1.8.0", Id: id, }) manifests[key+"-"+id] = "addons/" + location From 660c45a01cded0bfa77ae1b29a50a71c4b19c836 Mon Sep 17 00:00:00 2001 From: Justin Santa Barbara Date: Sun, 26 Nov 2017 23:26:23 -0500 Subject: [PATCH 2/2] Add initial docs on the kops side of authentication --- docs/authentication.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 docs/authentication.md diff --git a/docs/authentication.md b/docs/authentication.md new file mode 100644 index 0000000000..f8905f9588 --- /dev/null +++ b/docs/authentication.md 
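Review bot: The selector `KubernetesVersion: ">=1.8.0"` allows the addon onto 1.8.0–1.8.4 clusters, while the docs added in the second patch of this series say kopeio authentication should not be used before 1.8.5 because of an apimachinery bug; if that caveat is accurate, the channel should enforce it with `KubernetesVersion: ">=1.8.5",` rather than rely on users reading the warning. Otherwise a cluster on an early 1.8 patch release silently receives an authentication addon the author considers broken. buildManifest starts and ends outside this hunk.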
@@ -0,0 +1,34 @@ +# Authentication + +Kops has support for configuring authentication systems. This support is +currently highly experimental, and should not be used with kubernetes versions +before 1.8.5 because of a serious bug with apimachinery (#55022)[https://github.com/kubernetes/kubernetes/issues/55022]. + +## kopeio authentication + +If you want to experiment with kopeio authentication, you can use +`--authentication kopeio`. However please be aware that kopeio authentication +has not yet been formally released, and thus there is not a lot of upstream +documentation. + +Alternatively, you can add this block to your cluster: + +``` +authentication: + kopeio: {} +``` + +For example: + +``` +apiVersion: kops/v1alpha2 +kind: Cluster +metadata: + name: cluster.example.com +spec: + authentication: + kopeio: {} + authorization: + rbac: {} +``` +