Fix RBAC for Kubelet and add ClusterRole/Bindings
parent
12ce8c5a89
commit
0aaf79ec93
|
@ -79,7 +79,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\
|
||||||
--etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\
|
--etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\
|
||||||
--event-ttl=1h \\
|
--event-ttl=1h \\
|
||||||
--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
|
--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
|
||||||
--insecure-bind-address=0.0.0.0 \\
|
--insecure-bind-address=127.0.0.1 \\
|
||||||
--kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\
|
--kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\
|
||||||
--kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\
|
--kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\
|
||||||
--kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
|
--kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
|
||||||
|
@ -118,7 +118,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
|
||||||
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
|
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
|
||||||
--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
|
--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
|
||||||
--leader-elect=true \\
|
--leader-elect=true \\
|
||||||
--master=http://${INTERNAL_IP}:8080 \\
|
--master=http://127.0.0.1:8080 \\
|
||||||
--root-ca-file=/var/lib/kubernetes/ca.pem \\
|
--root-ca-file=/var/lib/kubernetes/ca.pem \\
|
||||||
--service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
|
--service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
|
||||||
--service-cluster-ip-range=10.32.0.0/16 \\
|
--service-cluster-ip-range=10.32.0.0/16 \\
|
||||||
|
@ -144,7 +144,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=/usr/local/bin/kube-scheduler \\
|
ExecStart=/usr/local/bin/kube-scheduler \\
|
||||||
--leader-elect=true \\
|
--leader-elect=true \\
|
||||||
--master=http://${INTERNAL_IP}:8080 \\
|
--master=http://127.0.0.1:8080 \\
|
||||||
--v=2
|
--v=2
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
RestartSec=5
|
RestartSec=5
|
||||||
|
|
|
@ -185,6 +185,7 @@ Requires=crio.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=/usr/local/bin/kubelet \\
|
ExecStart=/usr/local/bin/kubelet \\
|
||||||
|
--anonymous-auth=false \\
|
||||||
--authorization-mode=Webhook \\
|
--authorization-mode=Webhook \\
|
||||||
--allow-privileged=true \\
|
--allow-privileged=true \\
|
||||||
--cluster-dns=10.32.0.10 \\
|
--cluster-dns=10.32.0.10 \\
|
||||||
|
@ -200,6 +201,7 @@ ExecStart=/usr/local/bin/kubelet \\
|
||||||
--register-node=true \\
|
--register-node=true \\
|
||||||
--require-kubeconfig \\
|
--require-kubeconfig \\
|
||||||
--runtime-request-timeout=10m \\
|
--runtime-request-timeout=10m \\
|
||||||
|
--client-ca-file=/var/lib/kubernetes/ca.pem \\
|
||||||
--tls-cert-file=/var/lib/kubelet/${HOSTNAME}.pem \\
|
--tls-cert-file=/var/lib/kubelet/${HOSTNAME}.pem \\
|
||||||
--tls-private-key-file=/var/lib/kubelet/${HOSTNAME}-key.pem \\
|
--tls-private-key-file=/var/lib/kubelet/${HOSTNAME}-key.pem \\
|
||||||
--v=2
|
--v=2
|
||||||
|
@ -259,7 +261,7 @@ sudo systemctl start crio kubelet kube-proxy
|
||||||
|
|
||||||
> Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`.
|
> Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`.
|
||||||
|
|
||||||
## Verification
|
## Implement RBAC for Kubelet Authorization
|
||||||
|
|
||||||
Login to one of the controller nodes:
|
Login to one of the controller nodes:
|
||||||
|
|
||||||
|
@ -267,7 +269,57 @@ Login to one of the controller nodes:
|
||||||
gcloud compute ssh controller-0
|
gcloud compute ssh controller-0
|
||||||
```
|
```
|
||||||
|
|
||||||
List the registered Kubernetes nodes:
|
Define a ```clusterrole``` with the proper permissions for kubelet API access and a ```clusterrolebinding``` to allow the ```kubernetes``` user to use that ```clusterrole```.
|
||||||
|
```
|
||||||
|
cat > kubelet-rbac.yaml << EOF
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: List
|
||||||
|
metadata: {}
|
||||||
|
items:
|
||||||
|
- apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||||
|
labels:
|
||||||
|
kubernetes.io/bootstrapping: rbac-defaults
|
||||||
|
name: system:kube-apiserver-to-kubelet
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- nodes/proxy
|
||||||
|
- nodes/stats
|
||||||
|
- nodes/log
|
||||||
|
- nodes/spec
|
||||||
|
- nodes/metrics
|
||||||
|
verbs:
|
||||||
|
- "*"
|
||||||
|
- apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: system:kube-apiserver
|
||||||
|
namespace: ""
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:kube-apiserver-to-kubelet
|
||||||
|
subjects:
|
||||||
|
- apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: User
|
||||||
|
name: kubernetes
|
||||||
|
EOF
|
||||||
|
```
|
||||||
|
|
||||||
|
Create the ```clusterrole``` and ```clusterrolebinding``` in the cluster.
|
||||||
|
```
|
||||||
|
kubectl create -f kubelet-rbac.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
## Verification
|
||||||
|
|
||||||
|
While still logged into one of the controller nodes, list the registered Kubernetes nodes:
|
||||||
|
|
||||||
```
|
```
|
||||||
kubectl get nodes
|
kubectl get nodes
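Review bot: Moving `--insecure-bind-address` to 127.0.0.1 in the kube-apiserver unit narrows who can reach port 8080, but that port is still served without authentication or authorization, and the `--master=http://127.0.0.1:8080` lines in the kube-controller-manager and kube-scheduler units keep depending on it, so any process or user with a shell on a controller node still gets unauthenticated cluster-admin access to the API. If the goal is to close that path, the controller-manager and scheduler should talk to the secure port with their own kubeconfigs (a `--kubeconfig=...` flag backed by client certificates from the earlier certificate step, which is not visible in this diff) and the apiserver should disable the insecure listener with `--insecure-port=0`, assuming that flag is available in the Kubernetes release this tutorial targets. Until then the tutorial text should not let readers take the loopback bind for a hardening step; a sentence such as `The insecure port remains unauthenticated; binding it to 127.0.0.1 only limits access to processes running on the controller itself.` next to that flag would make the residual exposure explicit. The new kubelet flags `--anonymous-auth=false` and `--client-ca-file` are consistent with the `system:kube-apiserver-to-kubelet` role added below, but note that granting `"*"` verbs on `nodes/proxy` gives the `kubernetes` user full kubelet API access including exec and port-forward through the apiserver, which is worth stating in the text so nobody reads this role as read-only.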
|
||||||
|
|