github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Scripts to configure image verification admission controller for gce.

Browse Source
This commit is contained in:
Quintin Lee
2016-08-18 13:42:57 -07:00
parent 9de9405be7
commit 182a4fd0ac
4 changed files with 175 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
cluster/gce/configure-vm.sh
View File

@@ -460,6 +460,11 @@ kube_uid: '$(echo "${KUBE_UID}" | sed -e "s/'/''/g")'
initial_etcd_cluster: '$(echo "${INITIAL_ETCD_CLUSTER:-}" | sed -e "s/'/''/g")' initial_etcd_cluster: '$(echo "${INITIAL_ETCD_CLUSTER:-}" | sed -e "s/'/''/g")'
hostname: $(hostname -s) hostname: $(hostname -s)
EOF EOF
if [ -n "${ADMISSION_CONTROL:-}" ] && [ ${ADMISSION_CONTROL} == *"ImagePolicyWebhook"* ]; then
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
admission-control-config-file: /etc/admission_controller.config
EOF
fi
if [ -n "${KUBELET_PORT:-}" ]; then if [ -n "${KUBELET_PORT:-}" ]; then
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
kubelet_port: '$(echo "$KUBELET_PORT" | sed -e "s/'/''/g")' kubelet_port: '$(echo "$KUBELET_PORT" | sed -e "s/'/''/g")'
@@ -896,6 +901,44 @@ contexts:
EOF EOF
fi fi
if [[ -n "${GCP_IMAGE_VERIFICATION_URL:-}" ]]; then
# This is the config file for the image review webhook.
cat <<EOF >>/etc/salt/minion.d/grains.conf
image_review_config: /etc/gcp_image_review.config
EOF
cat <<EOF >/etc/gcp_image_review.config
clusters:
- name: gcp-image-review-server
cluster:
server: ${GCP_IMAGE_VERIFICATION_URL}
users:
- name: kube-apiserver
user:
auth-provider:
name: gcp
current-context: webhook
contexts:
- context:
cluster: gcp-image-review-server
user: kube-apiserver
name: webhook
EOF
# This is the config for the image review admission controller.
cat <<EOF >>/etc/salt/minion.d/grains.conf
image_review_webhook_config: /etc/admission_controller.config
EOF
cat <<EOF >/etc/admission_controller.config
imagePolicy:
kubeConfigFile: /etc/gcp_image_review.config
allowTTL: 30
denyTTL: 30
retryBackoff: 500
defaultAllow: true
EOF
fi
# If the kubelet on the master is enabled, give it the same CIDR range # If the kubelet on the master is enabled, give it the same CIDR range
# as a generic node. # as a generic node.
if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then

57
cluster/gce/gci/configure-helper.sh
View File

@@ -279,6 +279,36 @@ contexts:
name: webhook name: webhook
EOF EOF
fi fi
if [[ -n "${GCP_IMAGE_VERIFICATION_URL:-}" ]]; then
# This is the config file for the image review webhook.
cat <<EOF >/etc/gcp_image_review.config
clusters:
- name: gcp-image-review-server
cluster:
server: ${GCP_IMAGE_VERIFICATION_URL}
users:
- name: kube-apiserver
user:
auth-provider:
name: gcp
current-context: webhook
contexts:
- context:
cluster: gcp-image-review-server
user: kube-apiserver
name: webhook
EOF
# This is the config for the image review admission controller.
cat <<EOF >/etc/admission_controller.config
imagePolicy:
kubeConfigFile: /etc/gcp_image_review.config
allowTTL: 30
denyTTL: 30
retryBackoff: 500
defaultAllow: true
EOF
fi
} }
function create-kubelet-kubeconfig { function create-kubelet-kubeconfig {
@@ -670,9 +700,24 @@ function start-kube-apiserver {
if [[ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]]; then if [[ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]]; then
params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}" params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
fi fi
local admission_controller_config_mount=""
local admission_controller_config_volume=""
local image_policy_webhook_config_mount=""
local image_policy_webhook_config_volume=""
if [[ -n "${ADMISSION_CONTROL:-}" ]]; then if [[ -n "${ADMISSION_CONTROL:-}" ]]; then
params+=" --admission-control=${ADMISSION_CONTROL}" params+=" --admission-control=${ADMISSION_CONTROL}"
if [[ ${ADMISSION_CONTROL} == *"ImagePolicyWebhook"* ]]; then
params+=" --admission-control-config-file=/etc/admission_controller.config"
# Mount the file to configure admission controllers if ImagePolicyWebhook is set.
admission_controller_config_mount="{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"/etc/admission_controller.config\", \"readOnly\": false},"
admission_controller_config_volume="{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"/etc/admission_controller.config\"}},"
# Mount the file to configure the ImagePolicyWebhook's webhook.
image_policy_webhook_config_mount="{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false},"
image_policy_webhook_config_volume="{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\"}},"
fi fi
fi
if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT:-}" ]]; then if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT:-}" ]]; then
params+=" --min-request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT}" params+=" --min-request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT}"
fi fi
@@ -689,8 +734,8 @@ function start-kube-apiserver {
params+=" --ssh-keyfile=/etc/srv/sshproxy/.sshkeyfile" params+=" --ssh-keyfile=/etc/srv/sshproxy/.sshkeyfile"
fi fi
webhook_authn_config_mount="" local webhook_authn_config_mount=""
webhook_authn_config_volume="" local webhook_authn_config_volume=""
if [[ -n "${GCP_AUTHN_URL:-}" ]]; then if [[ -n "${GCP_AUTHN_URL:-}" ]]; then
params+=" --authentication-token-webhook-config-file=/etc/gcp_authn.config" params+=" --authentication-token-webhook-config-file=/etc/gcp_authn.config"
webhook_authn_config_mount="{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"/etc/gcp_authn.config\", \"readOnly\": false}," webhook_authn_config_mount="{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"/etc/gcp_authn.config\", \"readOnly\": false},"
@@ -698,8 +743,8 @@ function start-kube-apiserver {
fi fi
params+=" --authorization-mode=ABAC" params+=" --authorization-mode=ABAC"
webhook_config_mount="" local webhook_config_mount=""
webhook_config_volume="" local webhook_config_volume=""
if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config" params+=",Webhook --authorization-webhook-config-file=/etc/gcp_authz.config"
webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false}," webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
@@ -734,6 +779,10 @@ function start-kube-apiserver {
sed -i -e "s@{{webhook_authn_config_volume}}@${webhook_authn_config_volume}@g" "${src_file}" sed -i -e "s@{{webhook_authn_config_volume}}@${webhook_authn_config_volume}@g" "${src_file}"
sed -i -e "s@{{webhook_config_mount}}@${webhook_config_mount}@g" "${src_file}" sed -i -e "s@{{webhook_config_mount}}@${webhook_config_mount}@g" "${src_file}"
sed -i -e "s@{{webhook_config_volume}}@${webhook_config_volume}@g" "${src_file}" sed -i -e "s@{{webhook_config_volume}}@${webhook_config_volume}@g" "${src_file}"
sed -i -e "s@{{admission_controller_config_mount}}@${admission_controller_config_mount}@g" "${src_file}"
sed -i -e "s@{{admission_controller_config_volume}}@${admission_controller_config_volume}@g" "${src_file}"
sed -i -e "s@{{image_policy_webhook_config_mount}}@${image_policy_webhook_config_mount}@g" "${src_file}"
sed -i -e "s@{{image_policy_webhook_config_volume}}@${image_policy_webhook_config_volume}@g" "${src_file}"
cp "${src_file}" /etc/kubernetes/manifests cp "${src_file}" /etc/kubernetes/manifests
} }

57
cluster/gce/trusty/configure-helper.sh
View File

@@ -389,6 +389,36 @@ contexts:
name: webhook name: webhook
EOF EOF
fi fi
if [[ -n "${GCP_IMAGE_VERIFICATION_URL:-}" ]]; then
# This is the config file for the image review webhook.
cat <<EOF >/etc/gcp_image_review.config
clusters:
- name: gcp-image-review-server
cluster:
server: ${GCP_IMAGE_VERIFICATION_URL}
users:
- name: kube-apiserver
user:
auth-provider:
name: gcp
current-context: webhook
contexts:
- context:
cluster: gcp-image-review-server
user: kube-apiserver
name: webhook
EOF
# This is the config for the image review admission controller.
cat <<EOF >/etc/admission_controller.config
imagePolicy:
kubeConfigFile: /etc/gcp_image_review.config
allowTTL: 30
denyTTL: 30
retryBackoff: 500
defaultAllow: true
EOF
fi
} }
# Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY # Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY
@@ -537,9 +567,24 @@ start_kube_apiserver() {
if [ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]; then if [ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]; then
params="${params} --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}" params="${params} --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
fi fi
local admission_controller_config_mount=""
local admission_controller_config_volume=""
local image_policy_webhook_config_mount=""
local image_policy_webhook_config_volume=""
if [ -n "${ADMISSION_CONTROL:-}" ]; then if [ -n "${ADMISSION_CONTROL:-}" ]; then
params="${params} --admission-control=${ADMISSION_CONTROL}" params="${params} --admission-control=${ADMISSION_CONTROL}"
if [ ${ADMISSION_CONTROL} == *"ImagePolicyWebhook"* ]; then
params+=" --admission-control-config-file=/etc/admission_controller.config"
# Mount the file to configure admission controllers if ImagePolicyWebhook is set.
admission_controller_config_mount="{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"/etc/admission_controller.config\", \"readOnly\": false},"
admission_controller_config_volume="{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"/etc/admission_controller.config\"}},"
# Mount the file to configure the ImagePolicyWebhook's webhook.
image_policy_webhook_config_mount="{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false},"
image_policy_webhook_config_volume="{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\"}},"
fi fi
fi
if [ -n "${KUBE_APISERVER_REQUEST_TIMEOUT:-}" ]; then if [ -n "${KUBE_APISERVER_REQUEST_TIMEOUT:-}" ]; then
params="${params} --min-request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT}" params="${params} --min-request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT}"
fi fi
@@ -554,8 +599,8 @@ start_kube_apiserver() {
fi fi
readonly kube_apiserver_docker_tag=$(cat /home/kubernetes/kube-docker-files/kube-apiserver.docker_tag) readonly kube_apiserver_docker_tag=$(cat /home/kubernetes/kube-docker-files/kube-apiserver.docker_tag)
webhook_authn_config_mount="" local webhook_authn_config_mount=""
webhook_authn_config_volume="" local webhook_authn_config_volume=""
if [ -n "${GCP_AUTHN_URL:-}" ]; then if [ -n "${GCP_AUTHN_URL:-}" ]; then
params="${params} --authentication-token-webhook-config-file=/etc/gcp_authn.config" params="${params} --authentication-token-webhook-config-file=/etc/gcp_authn.config"
webhook_authn_config_mount="{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"/etc/gcp_authn.config\", \"readOnly\": false}," webhook_authn_config_mount="{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"/etc/gcp_authn.config\", \"readOnly\": false},"
@@ -563,8 +608,8 @@ start_kube_apiserver() {
fi fi
params="${params} --authorization-mode=ABAC" params="${params} --authorization-mode=ABAC"
webhook_config_mount="" local webhook_config_mount=""
webhook_config_volume="" local webhook_config_volume=""
if [ -n "${GCP_AUTHZ_URL:-}" ]; then if [ -n "${GCP_AUTHZ_URL:-}" ]; then
params="${params},Webhook --authorization-webhook-config-file=/etc/gcp_authz.config" params="${params},Webhook --authorization-webhook-config-file=/etc/gcp_authz.config"
webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false}," webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
@@ -599,6 +644,10 @@ start_kube_apiserver() {
sed -i -e "s@{{webhook_authn_config_volume}}@${webhook_authn_config_volume}@g" "${src_file}" sed -i -e "s@{{webhook_authn_config_volume}}@${webhook_authn_config_volume}@g" "${src_file}"
sed -i -e "s@{{webhook_config_mount}}@${webhook_config_mount}@g" "${src_file}" sed -i -e "s@{{webhook_config_mount}}@${webhook_config_mount}@g" "${src_file}"
sed -i -e "s@{{webhook_config_volume}}@${webhook_config_volume}@g" "${src_file}" sed -i -e "s@{{webhook_config_volume}}@${webhook_config_volume}@g" "${src_file}"
sed -i -e "s@{{admission_controller_config_mount}}@${admission_controller_config_mount}@g" "${src_file}"
sed -i -e "s@{{admission_controller_config_volume}}@${admission_controller_config_volume}@g" "${src_file}"
sed -i -e "s@{{image_policy_webhook_config_mount}}@${image_policy_webhook_config_mount}@g" "${src_file}"
sed -i -e "s@{{image_policy_webhook_config_volume}}@${image_policy_webhook_config_volume}@g" "${src_file}"
cp "${src_file}" /etc/kubernetes/manifests cp "${src_file}" /etc/kubernetes/manifests
} }

19
cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
View File

@@ -120,6 +120,19 @@
{% set authz_mode = authz_mode + ",Webhook" -%} {% set authz_mode = authz_mode + ",Webhook" -%}
{% endif -%} {% endif -%}
{% set image_review_config = "" -%}
{% set admission_controller_config_mount = "" -%}
{% set admission_controller_config_volume = "" -%}
{% set image_policy_webhook_config_mount = "" -%}
{% set image_policy_webhook_config_volume = "" -%}
{% if grains.image_review_config is defined -%}
{% set image_review_config = " --admission-control-config-file=" + grains.image_review_config -%}
{% set admission_controller_config_mount = "{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"" + grains.image_review_config + "\", \"readOnly\": false}," -%}
{% set admission_controller_config_volume = "{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"" + grains.image_review_config + "\"}}," -%}
{% set image_policy_webhook_config_mount = "{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false}," -%}
{% set image_policy_webhook_config_volume = "{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\"}}," -%}
{% endif -%}
{% set admission_control = "" -%} {% set admission_control = "" -%}
{% if pillar['admission_control'] is defined -%} {% if pillar['admission_control'] is defined -%}
{% set admission_control = "--admission-control=" + pillar['admission_control'] -%} {% set admission_control = "--admission-control=" + pillar['admission_control'] -%}
@@ -146,7 +159,7 @@
{% endif -%} {% endif -%}
{% set params = address + " " + storage_backend + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + feature_gates + " " + admission_control + " " + target_ram_mb + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout + " " + enable_garbage_collector -%} {% set params = address + " " + storage_backend + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + feature_gates + " " + admission_control + " " + target_ram_mb + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout + " " + enable_garbage_collector -%}
{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authentication_config + webhook_authorization_config -%} {% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authentication_config + webhook_authorization_config + image_review_config -%}
# test_args has to be kept at the end, so they'll overwrite any prior configuration # test_args has to be kept at the end, so they'll overwrite any prior configuration
{% if pillar['apiserver_test_args'] is defined -%} {% if pillar['apiserver_test_args'] is defined -%}
@@ -202,6 +215,8 @@
{{additional_cloud_config_mount}} {{additional_cloud_config_mount}}
{{webhook_config_mount}} {{webhook_config_mount}}
{{webhook_authn_config_mount}} {{webhook_authn_config_mount}}
{{admission_controller_config_mount}}
{{image_policy_webhook_config_mount}}
{ "name": "srvkube", { "name": "srvkube",
"mountPath": "{{srv_kube_path}}", "mountPath": "{{srv_kube_path}}",
"readOnly": true}, "readOnly": true},
@@ -231,6 +246,8 @@
{{additional_cloud_config_volume}} {{additional_cloud_config_volume}}
{{webhook_config_volume}} {{webhook_config_volume}}
{{webhook_authn_config_volume}} {{webhook_authn_config_volume}}
{{admission_controller_config_volume}}
{{image_policy_webhook_config_volume}}
{ "name": "srvkube", { "name": "srvkube",
"hostPath": { "hostPath": {
"path": "{{srv_kube_path}}"} "path": "{{srv_kube_path}}"}