Enable RBAC on APIServer

robbiezhang · robbiezhang · commit af24ad6f2d9b · 2017-06-06T18:20:40.000-07:00
diff --git a/parts/defaultpolicy.json b/parts/defaultpolicy.json
@@ -0,0 +1,2 @@
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"client", "namespace": "*", "resource": "*", "apiGroup": "*"}}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-system:default", "namespace": "*", "resource": "*", "apiGroup": "*"}}
diff --git a/parts/kubernetesmaster-kube-apiserver.yaml b/parts/kubernetesmaster-kube-apiserver.yaml
@@ -30,6 +30,8 @@ spec:
         - "--client-ca-file=/etc/kubernetes/certs/ca.crt"
         - "--service-account-key-file=/etc/kubernetes/certs/apiserver.key"
         - "--storage-backend=etcd2"
+        - "--authorization-mode=ABAC,RBAC"
+        - "--authorization-policy-file=/etc/kubernetes/manifests/defaultpolicy.json"
         - "--v=4"
       volumeMounts:
         - name: "etc-kubernetes"
diff --git a/parts/kubernetesmastercustomdata.yml b/parts/kubernetesmastercustomdata.yml
@@ -84,6 +84,13 @@ write_files:
       name: localclustercontext
     current-context: localclustercontext
 
+- path: /etc/kubernetes/manifests/defaultpolicy.json
+  permissions: "0644"
+  encoding: gzip
+  owner: "root"
+  content: !!binary |
+    API_SERVER_POLICY_B64_GZIP_STR
+
 - path: /etc/kubernetes/manifests/kube-apiserver.yaml
   permissions: "0644"
   encoding: gzip
diff --git a/parts/kubernetesmastercustomscript.sh b/parts/kubernetesmastercustomscript.sh
@@ -304,6 +304,10 @@ users:
     set -x
 }
 
+function createSuperUserClusterRoleBinding() {
+    kubectl create clusterrolebinding superuser --clusterrole=cluster-admin --user=client
+}
+
 # master and node
 ensureDocker
 configNetworkPolicy
@@ -318,7 +322,8 @@ if [[ ! -z "${APISERVER_PRIVATE_KEY}" ]]; then
     ensureEtcdDataDir
     ensureEtcd
     ensureApiserver
+
+    createSuperUserClusterRoleBinding
 fi
 
 echo "Install complete successfully"
-
diff --git a/pkg/acsengine/engine.go b/pkg/acsengine/engine.go
@@ -24,6 +24,7 @@ const (
 	kubernetesAgentCustomScript         = "kubernetesagentcustomscript.sh"
 	kubeConfigJSON                      = "kubeconfig.json"
 	kubernetesWindowsAgentCustomDataPS1 = "kuberneteswindowssetup.ps1"
+	kubePolicyJSON						= "defaultpolicy.json"
 )
 
 const (
@@ -95,6 +96,7 @@ var kubernetesAritfacts = map[string]string{
 	"MASTER_PROVISION_B64_GZIP_STR": kubernetesMasterCustomScript,
 	"KUBELET_SERVICE_B64_GZIP_STR":  kubernetesKubeletService,
 	"KUBELET_SERVICE_AGENT_B64_GZIP_STR":  kubernetesAgentKubeletSvc,
+	"API_SERVER_POLICY_B64_GZIP_STR":  kubePolicyJSON,
 }
 
 var kubernetesAddonYamls = map[string]string{
diff --git a/pkg/acsengine/templates.go b/pkg/acsengine/templates.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"client", "namespace": "", "resource": "", "apiGroup": "*"}}`
	`2`	`+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"system:serviceaccount:kube-system:default", "namespace": "", "resource": "", "apiGroup": "*"}}`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ const (`
`24`	`24`	`kubernetesAgentCustomScript = "kubernetesagentcustomscript.sh"`
`25`	`25`	`kubeConfigJSON = "kubeconfig.json"`
`26`	`26`	`kubernetesWindowsAgentCustomDataPS1 = "kuberneteswindowssetup.ps1"`
	`27`	`+ kubePolicyJSON = "defaultpolicy.json"`
`27`	`28`	`)`
`28`	`29`
`29`	`30`	`const (`
`@@ -95,6 +96,7 @@ var kubernetesAritfacts = map[string]string{`
`95`	`96`	`"MASTER_PROVISION_B64_GZIP_STR": kubernetesMasterCustomScript,`
`96`	`97`	`"KUBELET_SERVICE_B64_GZIP_STR": kubernetesKubeletService,`
`97`	`98`	`"KUBELET_SERVICE_AGENT_B64_GZIP_STR": kubernetesAgentKubeletSvc,`
	`99`	`+ "API_SERVER_POLICY_B64_GZIP_STR": kubePolicyJSON,`
`98`	`100`	`}`
`99`	`101`
`100`	`102`	`var kubernetesAddonYamls = map[string]string{`