From 0aaf79ec93356f3afee534d67e17acca273c5d25 Mon Sep 17 00:00:00 2001
From: Brad Geesaman
Date: Sun, 3 Sep 2017 00:36:05 -0400
Subject: [PATCH] Fix RBAC for Kubelet and add ClusterRole/Bindings

---
 ...08-bootstrapping-kubernetes-controllers.md | 6 +-
 docs/09-bootstrapping-kubernetes-workers.md | 56 ++++++++++++++++++-
 2 files changed, 57 insertions(+), 5 deletions(-)

diff --git a/docs/08-bootstrapping-kubernetes-controllers.md b/docs/08-bootstrapping-kubernetes-controllers.md
index db64cca..e7ab4f8 100644
--- a/docs/08-bootstrapping-kubernetes-controllers.md
+++ b/docs/08-bootstrapping-kubernetes-controllers.md
@@ -79,7 +79,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\
  --etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\
  --event-ttl=1h \\
  --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
- --insecure-bind-address=0.0.0.0 \\
+ --insecure-bind-address=127.0.0.1 \\
  --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\
  --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\
  --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
@@ -118,7 +118,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
  --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
  --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
  --leader-elect=true \\
- --master=http://${INTERNAL_IP}:8080 \\
+ --master=http://127.0.0.1:8080 \\
  --root-ca-file=/var/lib/kubernetes/ca.pem \\
  --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
  --service-cluster-ip-range=10.32.0.0/16 \\
@@ -144,7 +144,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 [Service]
 ExecStart=/usr/local/bin/kube-scheduler \\
  --leader-elect=true \\
- --master=http://${INTERNAL_IP}:8080 \\
+ --master=http://127.0.0.1:8080 \\
  --v=2
 Restart=on-failure
 RestartSec=5
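Review bot: Moving the insecure listener to loopback in the -79 hunk removes the network exposure but leaves port 8080 as an unauthenticated, unauthorized admin endpoint for any local process on the controller host, and the -118 and -144 hunks make kube-controller-manager and kube-scheduler depend on it via `--master=http://127.0.0.1:8080`. The controller-manager already trusts the cluster CA through `--root-ca-file`, so the stronger follow-up is to give each component a `--kubeconfig` aimed at the secure port and then disable the insecure listener with `--insecure-port=0` on kube-apiserver, which keeps every control-plane call authenticated and covered by RBAC. Until that lands, the doc should say in one sentence that the insecure port is reachable only from the controller node and is fully trusted by anything running there. Each ExecStart block continues outside its hunk.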
diff --git a/docs/09-bootstrapping-kubernetes-workers.md b/docs/09-bootstrapping-kubernetes-workers.md
index 70d2085..acfd6c0 100644
--- a/docs/09-bootstrapping-kubernetes-workers.md
+++ b/docs/09-bootstrapping-kubernetes-workers.md
@@ -185,6 +185,7 @@ Requires=crio.service
 [Service]
 ExecStart=/usr/local/bin/kubelet \\
+ --anonymous-auth=false \\
  --authorization-mode=Webhook \\
  --allow-privileged=true \\
  --cluster-dns=10.32.0.10 \\
@@ -200,6 +201,7 @@ ExecStart=/usr/local/bin/kubelet \\
  --register-node=true \\
  --require-kubeconfig \\
  --runtime-request-timeout=10m \\
+ --client-ca-file=/var/lib/kubernetes/ca.pem \\
  --tls-cert-file=/var/lib/kubelet/${HOSTNAME}.pem \\
  --tls-private-key-file=/var/lib/kubelet/${HOSTNAME}-key.pem \\
  --v=2
@@ -259,7 +261,7 @@ sudo systemctl start crio kubelet kube-proxy
 > Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`.
-## Verification
+## Implement RBAC for Kubelet Authorization
 Login to one of the controller nodes:
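Review bot: `--anonymous-auth=false` in the -185 hunk only protects the kubelet's authenticated port; the read-only port (`--read-only-port`, which historically defaulted to 10255) serves pod and node details with no authentication at all, and neither hunk sets it, so add `--read-only-port=0 \\` next to the new flag unless it is disabled elsewhere in the unit. The doc should also state what `--client-ca-file=/var/lib/kubernetes/ca.pem` in the -200 hunk actually means: every certificate issued by that CA (the apiserver's `kubernetes.pem`, and apparently the workers' own kubelet certificates, since the apiserver verifies them with the same `--kubelet-certificate-authority`) now authenticates to the kubelet, so authentication alone grants nothing and the `Webhook` authorizer plus the ClusterRole added in the next file hunk are the real control. Worth a sentence too that `--authorization-mode=Webhook` makes every kubelet API decision a SubjectAccessReview round-trip to the apiserver, so the kubelet's kubeconfig identity must be allowed to create those. The ExecStart block continues outside both hunks.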
@@ -267,7 +269,57 @@ Login to one of the controller nodes:
 gcloud compute ssh controller-0
 ```
-List the registered Kubernetes nodes:
+Define a ```clusterrole``` with the proper permissions for kubelet API access and a ```clusterrolebinding``` to allow the ```kubernetes``` user to use that ```clusterrole```.
+```
+cat > kubelet-rbac.yaml << EOF
+---
+apiVersion: v1
+kind: List
+metadata: {}
+items:
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRole
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:kube-apiserver-to-kubelet
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/proxy
+ - nodes/stats
+ - nodes/log
+ - nodes/spec
+ - nodes/metrics
+ verbs:
+ - "*"
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRoleBinding
+ metadata:
+ name: system:kube-apiserver
+ namespace: ""
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:kube-apiserver-to-kubelet
+ subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: kubernetes
+EOF
+```
+
+Create the ```clusterrole``` and ```clusterrolebinding``` in the cluster.
+```
+kubectl create -f kubelet-rbac.yaml
+```
+
+## Verification
+
+While still logged into one of the controller nodes, list the registered Kubernetes nodes:
 ```
 kubectl get nodes
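Review bot: The `rbac.authorization.kubernetes.io/autoupdate: "true"` annotation and the `kubernetes.io/bootstrapping: rbac-defaults` label on `system:kube-apiserver-to-kubelet` read as if the apiserver will reconcile this role on startup, but as far as I know that reconciliation only covers the default roles compiled into the apiserver, so on a user-created role they are inert and misleading; drop both, or add a sentence to the doc saying the role is maintained by hand. `namespace: ""` in the ClusterRoleBinding metadata has no meaning on a cluster-scoped object and can go as well. `verbs: ["*"]` on `nodes/proxy` is what lets the apiserver run exec, attach, port-forward and logs against every kubelet on behalf of any user the apiserver itself authorizes, so the doc should say in one line that the binding to `User: kubernetes` (presumably the CN of the apiserver's `--kubelet-client-certificate`, `kubernetes.pem`) is deliberately this broad and that no other principal should be issued a certificate with that name. The surrounding markdown section continues outside the hunk.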