Automatic merge from submit-queue

Allow anonymous API server access, decorate authenticated users with system:authenticated group

When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users.

It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials.

This PR:

* Adds an option to allow anonymous requests to the secured API port. If enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow`
* Decorates user.Info returned from configured authenticators with the group `system:authenticated`.

This is related to defining a default set of roles and bindings for RBAC (https://github.com/kubernetes/features/issues/2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs.

```release-note
kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'. Authenticated users are decorated with a 'system:authenticated' group. NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or set '--anonymous-auth=false'.
```

c.f. https://github.com/kubernetes/kubernetes/issues/29177#issuecomment-244191596
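Added example, not part of the PR above or of the federation README that follows: a small POSIX sh check that reads a kube-apiserver command line and reports whether, under the behaviour the release note describes, anonymous requests to the secure port would be authorized wholesale, that is, anonymous auth enabled (or left at its default) together with an AlwaysAllow authorizer. Assumptions, all labelled in the code: `--anonymous-auth` defaults to true as the note states; `--authorization-mode` defaults to AlwaysAllow when omitted, which was the kube-apiserver default at the time of this change; and because the flag takes a comma-separated list of modes and a request is allowed if any listed mode allows it, AlwaysAllow anywhere in that list counts. The command lines fed to the check are constructed.

```sh
#!/bin/sh
# Added example; not code from the Kubernetes PR or the federation README.
# Reports whether a kube-apiserver command line lets anonymous requests
# through an AlwaysAllow authorizer.

# Print the value of --NAME=VALUE or "--NAME VALUE" from a command line.
#   $1: the full command line as one string, $2: flag name without dashes
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -v f="--$2" '
    $0 == f              { if ((getline) > 0) print; exit }
    index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# Succeeds when anonymous auth is on. Assumption: the flag defaults to
# true when absent, as the release note states.
anonymous_enabled() {
  v=$(flag_value "$1" anonymous-auth)
  [ "${v:-true}" != "false" ]
}

# Print the configured authorization mode list. Assumption: AlwaysAllow is
# the default when the flag is omitted (kube-apiserver default at the time).
authz_mode() {
  v=$(flag_value "$1" authorization-mode)
  printf '%s\n' "${v:-AlwaysAllow}"
}

# Print INSECURE when anonymous requests would be authorized wholesale,
# otherwise OK. Assumption: modes form a union, so AlwaysAllow anywhere in
# the comma-separated list authorizes every request.
check_apiserver() {
  mode=$(authz_mode "$1")
  if anonymous_enabled "$1"; then
    case ",$mode," in
      *,AlwaysAllow,*) echo "INSECURE"; return 0 ;;
    esac
  fi
  echo "OK"
}

# Constructed command lines for demonstration.
check_apiserver 'kube-apiserver --etcd-servers=http://127.0.0.1:2379'
check_apiserver 'kube-apiserver --authorization-mode RBAC --anonymous-auth=true'
check_apiserver 'kube-apiserver --anonymous-auth=false'
```

The first constructed line relies on defaults alone and is reported INSECURE; the second keeps anonymous auth on but hands authorization to RBAC, which is the combination the PR intends; the third disables anonymous access outright.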
Cluster Federation

Kubernetes Cluster Federation enables users to federate multiple Kubernetes clusters. Please see the user guide and the admin guide for more details about setting up and using the Cluster Federation.

Building Kubernetes Cluster Federation

Please see the Kubernetes Development Guide for initial setup. Once you have the development environment set up as explained in that guide, you also need to install jq.

Building cluster federation artifacts should be as simple as running:

```sh
make build
```

You can specify the docker registry to tag the image using the KUBE_REGISTRY environment variable. Please make sure that you use the same value in all the subsequent commands.

To push the built docker images to the registry, run:

```sh
make push
```

To initialize the deployment (this pulls the installer images), run:

```sh
make init
```

To deploy the clusters and install the federation components, edit the ${KUBE_ROOT}/_output/federation/config.json file to describe your clusters and run:

```sh
make deploy
```

To turn down the federation components and tear down the clusters, run:

```sh
make destroy
```
Ideas for improvement

- Split the `build` phase (make recipe) into multiple phases:
  - `init`: pull installer images
  - `build-binaries`
  - `build-docker`
  - `build`: build-binaries + build-docker
  - `push`: push the built images
  - `genconfig`
  - `deploy-clusters`
  - `deploy-federation`
  - `deploy`: deploy-clusters + deploy-federation
  - `destroy-federation`
  - `destroy-clusters`
  - `destroy`: destroy-federation + destroy-clusters
  - `redeploy-federation`: just redeploy the federation components.
- Continue with the `destroy` phase even in the face of errors. The bash script sets `set -e` (errexit), which causes the script to exit at the very first error. This should be the default mode for deploying components but not for destroying/cleanup.
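As an added example of the second point (not the federation project's own Makefile or scripts), here is a POSIX sh teardown runner that keeps going when one step fails and reports every failure at the end, beside a deploy-style runner that stops at the first failure the way `set -e` does. The step functions are constructed stand-ins for the real federation and cluster teardown work; the `RAN` variable only records which steps executed so the difference between the two runners is visible.

```sh
#!/bin/sh
# Added example; not part of the federation project's scripts.
# Deploy should abort at the first failure; cleanup should not.

# Constructed stand-in steps. The real ones would call kubectl and cloud
# tooling; these just record that they ran and return a fixed status.
RAN=""
destroy_federation()      { RAN="$RAN destroy_federation"; return 0; }
destroy_cluster_broken()  { RAN="$RAN destroy_cluster_broken"; return 1; }
destroy_cluster_healthy() { RAN="$RAN destroy_cluster_healthy"; return 0; }

# Deploy-style runner: errexit semantics, stop at the first failing step.
# Each step is run inside an "if" so this behaves the same whether or not
# the caller has "set -e" enabled.
run_deploy_steps() {
  for step in "$@"; do
    if ! "$step"; then
      echo "deploy: $step failed, aborting" >&2
      return 1
    fi
    echo "deploy: $step ok"
  done
  return 0
}

# Cleanup-style runner: run every step regardless of earlier failures,
# then return non-zero if anything failed so the caller still sees it.
run_cleanup_steps() {
  failed=""
  for step in "$@"; do
    if "$step"; then
      echo "cleanup: $step ok"
    else
      echo "cleanup: $step failed, continuing" >&2
      failed="$failed $step"
    fi
  done
  if [ -n "$failed" ]; then
    echo "cleanup finished with failures:$failed" >&2
    return 1
  fi
  return 0
}

# Demonstration on the constructed steps: the broken cluster does not stop
# the healthy one from being torn down, but the overall status is still 1.
run_cleanup_steps destroy_federation destroy_cluster_broken destroy_cluster_healthy \
  || echo "cleanup exit status 1; steps that ran:$RAN"
```

Running the same three steps through `run_deploy_steps` stops after `destroy_cluster_broken`, which is the behaviour the README wants for deployment and not for teardown.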