调整apiserver可选开启基本认证(默认关闭)
gjmzj committed Mar 15, 2019
1 parent 78b947f commit cdddf6e
Showing 3 changed files with 25 additions and 1 deletion.
12 changes: 12 additions & 0 deletions roles/kube-master/tasks/main.yml
Expand Up @@ -59,6 +59,18 @@
template: src=basic-auth.csv.j2 dest={{ ca_dir }}/basic-auth.csv
when: 'BASIC_AUTH_ENABLE == "yes"'

- name: 配置{{ BASIC_AUTH_USER }}用户rbac权限
template: src=admin-user-binding.yaml.j2 dest=/opt/kube/kube-system/admin-user-binding.yaml
when: 'BASIC_AUTH_ENABLE == "yes"'
delegate_to: "{{ groups.deploy[0] }}"
run_once: true

- name: 创建{{ BASIC_AUTH_USER }}用户rbac权限
shell: "{{ bin_dir }}/kubectl apply -f /opt/kube/kube-system/admin-user-binding.yaml"
when: 'BASIC_AUTH_ENABLE == "yes"'
delegate_to: "{{ groups.deploy[0] }}"
run_once: true

# 为兼容v1.8版本,配置不同 kube-apiserver的systemd unit文件
- name: 获取 k8s 版本信息
shell: "{{ bin_dir }}/kube-apiserver --version"
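Review bot: Nothing removes the `admin-user-binding` ClusterRoleBinding once `BASIC_AUTH_ENABLE` is switched back from "yes", because both added tasks run only in the enabled case; a cluster that once had basic auth turned on keeps a cluster-admin grant for the `BASIC_AUTH_USER` name after the feature is turned off. A matching task for the disabled case that deletes the binding would close that gap, as sketched below. The `kubectl apply` task uses no shell features, so `command:` would do in place of `shell:`. Whether another authenticator in this deployment can present the same user name is not visible on this page, so treat the leftover binding as a risk to confirm rather than a proven exposure.

```yaml
# … unchanged: the two added tasks that render and apply admin-user-binding.yaml …

- name: remove admin-user-binding when basic auth is disabled
  command: "{{ bin_dir }}/kubectl delete clusterrolebinding admin-user-binding --ignore-not-found"
  when: 'BASIC_AUTH_ENABLE != "yes"'
  delegate_to: "{{ groups.deploy[0] }}"
  run_once: true
```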
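--- a/roles/kube-master/templates/admin-user-binding.yaml.j2
+++ b/roles/kube-master/templates/admin-user-binding.yaml.j2
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: admin-user-binding
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+kind: User
+name: {{ BASIC_AUTH_USER }}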
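Review bot: `name: {{ BASIC_AUTH_USER }}` is rendered unquoted, so a user name that is empty, all digits, boolean-looking, or contains `: ` or ` #` yields a manifest that binds the wrong subject or fails to parse; `name: "{{ BASIC_AUTH_USER }}"` avoids that. The roleRef is `cluster-admin`, which gives an account authenticated by a static password from basic-auth.csv unrestricted control of the cluster. A header comment such as `# Grants cluster-admin to the basic-auth user; applied only when BASIC_AUTH_ENABLE is "yes"` would make that visible to anyone reading the template, and a narrower ClusterRole is worth considering if full admin is not required.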
2 changes: 1 addition & 1 deletion roles/kube-master/templates/basic-auth.csv.j2
@@ -1,2 +1,2 @@
{{ BASIC_AUTH_PASS }},{{ BASIC_AUTH_USER }},1
{{ BASIC_AUTH_PASS | truncate(8, True) }},{{ readonly }},2
{{ BASIC_AUTH_PASS | truncate(8, True, '') }},readonly,2
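Review bot: The readonly account's password on the `truncate(8, True, '')` line is still derived from `BASIC_AUTH_PASS`, so whoever is given the readonly credential holds the first eight characters of the admin password. Jinja2's `truncate` also has a leeway setting (default 5 in recent releases, to be confirmed for the Jinja2 version Ansible uses here), under which a password only a few characters longer than eight is returned whole, so the two accounts would share one password. An independent secret for the readonly user, for example a new variable `BASIC_AUTH_READONLY_PASS` (a suggested name, not one shown on this page), removes the link between the two credentials.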
