Files

Taahir Ahmed 9702c6e6e9 GCP config: gke-exec-auth-plugin for ValidatingAdmissionWebhook

This commit adds support for using `gke-exec-auth-plugin` (vTPM-based
certificates for mTLS) for webhooks when calling endpoints matching
`*.googleapis.com`, and integrates this support with
ValidatingAdmissionWebhook.

To enable it, request ValidatingAdmissionWebhook with
`ADMISSION_CONTROL=...,ValidatingAdmissionWebhook,...` (default) and
opt in to `gke-exec-auth-plugin` using `WEBHOOK_GKE_EXEC_AUTH=true`
during the configuration process.

If you don't opt-in, ValidatingAdmissionWebhook will be deployed as
before.

Requesting `WEBHOOK_GKE_EXEC_AUTH=true` will fail if you have not
provided other configuration variables:

  * `EXEC_AUTH_PLUGIN_URL`: controls whether `gke-exec-auth-plugin` is
    downloaded during the installation step.  A prerequisite for
    actually using the plugin.

  * `TOKEN_URL`, `TOKEN_BODY`, and `TOKEN_BODY_UNQUOTED`:
    configuration values used when calling the plugin.  `TOKEN_URL`
    and `TOKEN_BODY` have existing usage. `TOKEN_BODY_UNQUOTED` is a
    new variable that is meant to sidestep the problem of inverting
    `strconv.Quote` in Bash.

The existing configuration process for ImagePolicyWebhook has been
reworked to make it play nicely with ValidatingAdmissionWebhook under
`WEBHOOK_GKE_EXEC_AUTH=true`.

  * It originally placed the ImagePolicyWebhook configuration object
    at the top-level of the file specified by
    `--admission-control-config-file`.  I can't see why this worked;
    it must have been hitting some sort of lucky path through the
    various config file loading mechanisms.  Now, it places its
    configuration in a sub-field of that file, which is shared among
    all admission control plugins.

  * It mounted its various config files read-write.  I reviewed the
    code and couldn't see why it was necessary, so I moved the config
    files into the existing read-only mount at `/etc/srv/kubernetes`.

  * It now checks that all the configuration values it requires have
    been provided.

Co-authored-by: Mike Danese <mikedanese@google.com>
Co-authored-by: Taahir Ahmed <taahm@google.com>

2019-07-22 16:01:37 -07:00

mounter

Fix shellcheck failures in stage-upload.sh

2019-04-12 02:42:48 -04:00

apiserver_manifest_test.go

Revert "[Re-Apply][Distroless] Convert the GCE manifests for master containers."

2019-05-15 08:31:19 +02:00

audit_policy_test.go

Audit policy test

2019-07-03 10:39:37 -07:00

BUILD

Audit policy test

2019-07-03 10:39:37 -07:00

configure_helper_test.go

Audit policy test

2019-07-03 10:39:37 -07:00

configure-helper.sh

GCP config: gke-exec-auth-plugin for ValidatingAdmissionWebhook

2019-07-22 16:01:37 -07:00

configure.sh

gce: configure: use 'amd64' in kube core images manifest

2019-07-18 08:31:45 -07:00

flexvolume_node_setup.sh

delete all duplicate empty blanks

2019-02-23 10:28:04 +08:00

health-monitor.sh

Dump Stack when docker fails on healthcheck

2018-05-21 11:39:59 +09:00

helper.sh

Update all script to use /usr/bin/env bash in shebang

2018-04-19 13:20:13 +02:00

master-helper.sh

Fix HA setup logic

2019-07-03 11:17:31 +02:00

master.yaml

Perform GCE log rotation check every 5 minutes

2019-04-09 16:37:38 -07:00

node-helper.sh

fix shellcheck lint errors in cluster and hack scripts

2019-02-24 11:15:35 +08:00

node.yaml

Install and use crictl in gce kube-up.sh

2018-05-03 17:17:55 -07:00

OWNERS

Updated OWNERS files to include link to docs

2019-02-04 22:33:12 +01:00

README.md

Update Container-VM Image product name in docs

2016-09-09 10:08:56 -07:00

shutdown.sh

fix shellcheck failures of cluster/gce/gci/shutdown.sh

2019-04-22 11:46:45 +08:00

README.md

Container-VM Image

Container-VM Image is a container-optimized OS image for the Google Cloud Platform (GCP). It is primarily for running Google services on GCP. Unlike the open preview version of container-vm, the new Container-VM Image is based on the open source ChromiumOS project, allowing us greater control over the build management, security compliance, and customizations for GCP.