kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9779 from johngmyers/calico-client-iam 

Don't give access to calico-client key when not needed
This commit is contained in:
Kubernetes Prow Robot 2020-08-18 21:07:11 -07:00 committed by GitHub
parent f1a0e0312f ba96a84926
commit ee366e8958
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 30 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
pkg/model/iam/iam_builder.go
View File

@ -457,10 +457,8 @@ func ReadableStatePaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]s
"/secrets/dockerconfig",
)
// @check if bootstrap tokens are enabled and if so enable access to client certificate
if model.UseKopsControllerForNodeBootstrap(cluster) {
// no additional permissions
} else {
// Give access to keys for client certificates as needed.
if !model.UseKopsControllerForNodeBootstrap(cluster) {
paths = append(paths, "/pki/private/kube-proxy/*")
if useBootstrapTokens(cluster) {
@ -468,25 +466,38 @@ func ReadableStatePaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]s
} else {
paths = append(paths, "/pki/private/kubelet/*")
}
}
networkingSpec := cluster.Spec.Networking
networkingSpec := cluster.Spec.Networking
if networkingSpec != nil {
// @check if kuberoute is enabled and permit access to the private key
if networkingSpec.Kuberouter != nil && !model.UseKopsControllerForNodeBootstrap(cluster) {
paths = append(paths, "/pki/private/kube-router/*")
}
if networkingSpec != nil {
// @check if kuberoute is enabled and permit access to the private key
if networkingSpec.Kuberouter != nil {
paths = append(paths, "/pki/private/kube-router/*")
}
// @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default
if networkingSpec.Calico != nil {
paths = append(paths, "/pki/private/calico-client/*")
}
// @check if calico is enabled as the CNI provider and permit access to the client TLS certificate by default
if networkingSpec.Calico != nil {
calicoClientCert := false
for _, x := range cluster.Spec.EtcdClusters {
if x.Provider == kops.EtcdProviderTypeManager {
calicoClientCert = false
break
}
if x.EnableEtcdTLS {
calicoClientCert = true
}
}
// @check if cilium is enabled as the CNI provider and permit access to the cilium etc client TLS certificate by default
// As long as the Cilium Etcd cluster exists, we should do this
if networkingSpec.Cilium != nil && model.UseCiliumEtcd(cluster) && !model.UseKopsControllerForNodeBootstrap(cluster) {
paths = append(paths, "/pki/private/etcd-clients-ca-cilium/*")
if calicoClientCert {
paths = append(paths, "/pki/private/calico-client/*")
}
}
// @check if cilium is enabled as the CNI provider and permit access to the cilium etc client TLS certificate by default
// As long as the Cilium Etcd cluster exists, we should do this
if networkingSpec.Cilium != nil && model.UseCiliumEtcd(cluster) {
paths = append(paths, "/pki/private/etcd-clients-ca-cilium/*")
}
}
}
}