Fix RBAC for Kubelet and add ClusterRole/Bindings

pull/208/head
Brad Geesaman 2017-09-03 00:36:05 -04:00
parent 12ce8c5a89
commit 0aaf79ec93
2 changed files with 57 additions and 5 deletions


@ -79,7 +79,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\
--etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\ --etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\
--event-ttl=1h \\ --event-ttl=1h \\
--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\ --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
--insecure-bind-address=0.0.0.0 \\ --insecure-bind-address=127.0.0.1 \\
--kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\ --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\
--kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\ --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\
--kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\ --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
@ -118,7 +118,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\ --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\ --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
--leader-elect=true \\ --leader-elect=true \\
--master=http://${INTERNAL_IP}:8080 \\ --master=http://127.0.0.1:8080 \\
--root-ca-file=/var/lib/kubernetes/ca.pem \\ --root-ca-file=/var/lib/kubernetes/ca.pem \\
--service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\ --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
--service-cluster-ip-range=10.32.0.0/16 \\ --service-cluster-ip-range=10.32.0.0/16 \\
@ -144,7 +144,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service] [Service]
ExecStart=/usr/local/bin/kube-scheduler \\ ExecStart=/usr/local/bin/kube-scheduler \\
--leader-elect=true \\ --leader-elect=true \\
--master=http://${INTERNAL_IP}:8080 \\ --master=http://127.0.0.1:8080 \\
--v=2 --v=2
Restart=on-failure Restart=on-failure
RestartSec=5 RestartSec=5
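Review bot: Binding the insecure listener to 127.0.0.1 still leaves the controller-manager and scheduler talking to the apiserver over the unauthenticated, unauthorized port 8080 (`--master=http://127.0.0.1:8080` on both component lines), so any process that can reach loopback on a controller — a local user, or a pod running with hostNetwork on that node — gets unrestricted API access. The stronger fix is to give each component a kubeconfig with its own client certificate over the secure port (`--kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig`, and the equivalent for the scheduler) and then close the plaintext listener with `--insecure-port=0` on the apiserver. Whether `--insecure-port` is already set elsewhere in the unit is outside the hunk, so I cannot tell if that listener is still open after this change.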


@ -185,6 +185,7 @@ Requires=crio.service
[Service] [Service]
ExecStart=/usr/local/bin/kubelet \\ ExecStart=/usr/local/bin/kubelet \\
--anonymous-auth=false \\
--authorization-mode=Webhook \\ --authorization-mode=Webhook \\
--allow-privileged=true \\ --allow-privileged=true \\
--cluster-dns=10.32.0.10 \\ --cluster-dns=10.32.0.10 \\
@ -200,6 +201,7 @@ ExecStart=/usr/local/bin/kubelet \\
--register-node=true \\ --register-node=true \\
--require-kubeconfig \\ --require-kubeconfig \\
--runtime-request-timeout=10m \\ --runtime-request-timeout=10m \\
--client-ca-file=/var/lib/kubernetes/ca.pem \\
--tls-cert-file=/var/lib/kubelet/${HOSTNAME}.pem \\ --tls-cert-file=/var/lib/kubelet/${HOSTNAME}.pem \\
--tls-private-key-file=/var/lib/kubelet/${HOSTNAME}-key.pem \\ --tls-private-key-file=/var/lib/kubelet/${HOSTNAME}-key.pem \\
--v=2 --v=2
@ -259,7 +261,7 @@ sudo systemctl start crio kubelet kube-proxy
> Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`. > Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`.
## Verification ## Implement RBAC for Kubelet Authorization
Login to one of the controller nodes: Login to one of the controller nodes:
@ -267,7 +269,57 @@ Login to one of the controller nodes:
gcloud compute ssh controller-0 gcloud compute ssh controller-0
``` ```
List the registered Kubernetes nodes: Define a ```clusterrole``` with the proper permissions for kubelet API access and a ```clusterrolebinding``` to allow the ```kubernetes``` user to use that ```clusterrole```.
```
cat > kubelet-rbac.yaml << EOF
---
apiVersion: v1
kind: List
metadata: {}
items:
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-apiserver-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
verbs:
- "*"
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: system:kube-apiserver
namespace: ""
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-apiserver-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubernetes
EOF
```
Create the ```clusterrole``` and ```clusterrolebinding``` in the cluster.
```
kubectl create -f kubelet-rbac.yaml
```
## Verification
While still logged into one of the controller nodes, list the registered Kubernetes nodes:
``` ```
kubectl get nodes kubectl get nodes
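Review bot: The kubelet's read-only port is not disabled anywhere in the visible part of the unit; `--anonymous-auth=false` plus `--client-ca-file` now make the secure port require a client certificate, but the read-only port (default 10255 for a flag-configured kubelet of this era) still serves `/pods`, `/spec` and `/metrics` without authentication, so the hardening is incomplete unless `--read-only-port=0` appears in the lines outside the hunk. The ClusterRoleBinding subject `User: kubernetes` only matches if the apiserver's kubelet client certificate (`/var/lib/kubernetes/kubernetes.pem` per the controller unit) carries `CN=kubernetes`; a sentence stating that dependency next to the YAML, e.g. `The subject name must match the CN of the certificate passed to the apiserver's --kubelet-client-certificate`, would spare readers a puzzling `Forbidden` from `kubectl logs`/`exec`. The manifest also pins `rbac.authorization.k8s.io/v1beta1`; if the target cluster is 1.8 or newer, `v1` is available and should be preferred.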