cloud / charms / kubernetes-keystone
Commit 884eeeab, authored Jul 14, 2018 by Giuseppe Attardi
Added policy file.
parent d8e99672
Changes: 5 files
.build.manifest (diff collapsed on the page; contents not shown)
README.md
# Kubernetes-keystone
This charm deploys a service that provides
[
Webhook Token
Authentication
](
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
)
This charm deploys a service that provides
[
Webhook Token
Authentication
](
https://kubernetes.io/docs/reference/access-authn-authz/authentication/
)
to
`Kubernetes`
through
`OpenStack Keystone`
.
# Deployment
This is a subordinate charm to the
[
kubernetes-master
](
)
charm.
This is a subordinate charm to the
[
kubernetes-master charm
](
https://github.com/kubernetes/kubernetes/tree/master/cluster/juju/layers/kubernetes-master
)
.
In order to deploy it, do:
$ juju deploy cs:~csd-garr/kubernetes-keystone
$ juju add-relation kubernetes-master
:juju-info
kubernetes-keystone
:juju-info
$ juju add-relation kubernetes-master kubernetes-keystone
# Resources
The kubernetes-keystone charm takes advantage of the
[
Juju Resources
](
https://docs.jujucharms.com/2.4/en/developer-resources
)
feature to deliver the Kubernetes software.
In deployments on public clouds the Charm Store provides the resource to the
charm automatically with no user intervention. Some environments with strict
firewall rules may not be able to contact the Charm Store. In these network
restricted environments the resource can be uploaded to the model by the Juju
operator.
# Configuration
This charm supports some configuration options to set up a
`Webhook
Token Authentication`
server for
`Keystone`
:
#### keystone-url
URL of the Keystone endpoint.
#### k8s-keystone-auth-url
URL for downloading the Keystone authentication server.
#### authn-server-url
#### kubernetes-project
Name of the OpenStack project allowed to access the cluster.
#### authn-server-url
The URL of the
`Keystone`
endpoint.
#### authz-server-url
URL for the Webhook authorization server.
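Review bot: In the Configuration section of this hunk, `authn-server-url` is described as "The URL of the `Keystone` endpoint", which is word for word the description given for `keystone-url` ("URL of the Keystone endpoint"), so an operator cannot tell the two options apart; state what each one actually points at (the Keystone API versus the address the API server's webhook config should call). The README also says nothing about the authorization policy this commit installs, although it is what decides who can do anything: access is limited to members of the `kubernetes-project` project holding the `k8s-admin` or `k8s-user` role, and the rendered policy lives at `/root/cdk/webhook-policy.json`. Suggest a short "Authorization policy" section covering the roles, the project match and that path, next to the `kubernetes-project` option it depends on.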
...
...
@@ -54,6 +43,6 @@ URL for the Webhook authorization server.
# Contact
The kubernetes-keystone charm is free and open source operations created
by the CSD team at GARR.
The
`
kubernetes-keystone
`
charm is free and open source operations created
by the
`
CSD team
`
at
`
GARR
`
<csd@garr.it>
.
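Review bot: "charm is free and open source operations created by the `CSD team` at `GARR`" is ungrammatical ("operations" has no referent) and the backticks mark the team and organisation names as if they were code identifiers; suggest "The kubernetes-keystone charm is free and open source software, developed by the CSD team at GARR <csd@garr.it>."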
reactive/kubernetes-keystone.py
...
...
@@ -41,7 +41,9 @@ from charmhelpers.fetch import archiveurl
webhook_authn_config_path
=
'/root/cdk/webhook-authn.config'
webhook_authz_config_path
=
'/root/cdk/webhook-authz.config'
k8s_keystone_sync_config_path
=
'/root/cdk/sync-config.yaml'
webhook_sync_config_path
=
'/root/cdk/sync-config.yaml'
webhook_policy_file
=
'/root/cdk/webhook-policy.json'
k8s_keystone_auth_start
=
'/root/cdk/k8s-keystone-auth.sh'
k8s_keystone_auth_path
=
'/root/cdk/k8s-keystone-auth'
k8s_keystone_auth_service
=
'/etc/systemd/system/k8s-keystone-auth.service'
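Review bot: `webhook_policy_file = '/root/cdk/webhook-policy.json'` is added here as another hard-coded path, which is consistent with its neighbours, but unlike the kubeconfig or the systemd unit the policy is something an operator will want to edit, and because it is produced by `render()` inside `setup_authentication()` any local edit is overwritten the next time that handler runs. Either document that the file is charm-managed and must be changed through the charm, or add a config option through which a custom policy can be supplied.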
...
...
@@ -63,12 +65,19 @@ def setup_authentication():
k8s_keystone_auth_path
,
'k8s_keystone_auth_start'
:
k8s_keystone_auth_start
,
'kubernetes_project'
:
hookenv
.
config
(
'kubernetes-project'
),
'keystone_url'
:
hookenv
.
config
(
'keystone-url'
),
'keystone_url'
:
hookenv
.
config
(
'keystone-url'
)}
webhook_policy_file
}
render
(
'webhook-authn.config'
,
webhook_authn_config_path
,
webhook_context
)
render
(
'webhook-authz.config'
,
webhook_authz_config_path
,
webhook_context
)
render
(
'sync-config.yaml'
,
k8s_keystone_sync_config_path
,
webhook_context
)
# the systemd unit
render
(
'sync-config.yaml'
,
webhook_sync_config_path
,
webhook_context
)
render
(
'webhook-policy.json'
,
webhook_policy_json
,
webhook_context
)
# the systemd unit for deploying the k8s_keystone_auth service.
render
(
'k8s-keystone-auth.service'
,
k8s_keystone_auth_service
,
webhook_context
)
# invokes this script
render
(
'k8s-keystone-auth.sh'
,
k8s_keystone_auth_start
,
webhook_context
)
...
...
templates/k8s-keystone-auth.sh
...
...
@@ -3,6 +3,7 @@ set -a
K8S_KEYSTONE_AUTH
={{
k8s_keystone_auth_path
}}
KEYSTONE_URL
={{
keystone_url
}}
KEYSTONE_POLICY
={{
keystone_policy
}}
APISERVER_CERT
=
/root/cdk/server.crt
APISERVER_KEY
=
/root/cdk/server.key
SYNC_CONFIG
=
/root/cdk/sync-config.yaml
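Review bot: `KEYSTONE_POLICY={{ keystone_policy }}` refers to a template variable that does not correspond to the `webhook_policy_file` name exported from the render context in `reactive/kubernetes-keystone.py`, so with this commit the line renders as an empty assignment and the authorizer starts without a policy path; use the same name on both sides. Also, all of these assignments under `set -a` are unquoted, so a Keystone URL or path containing shell metacharacters would be split or interpreted; write them as `KEYSTONE_POLICY="{{ keystone_policy }}"`.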
...
...
@@ -11,5 +12,6 @@ KUBE_CONFIG=/home/ubuntu/config
$K8S_KEYSTONE_AUTH
--tls-cert-file
$APISERVER_CERT
\
--tls-private-key-file
$APISERVER_KEY
\
--keystone-url
$KEYSTONE_URL
\
--keystone-policy-file
$KEYSTONE_POLICY
\
--sync-config-file
$SYNC_CONFIG
\
--kubeconfig
$KUBE_CONFIG
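Review bot: `--keystone-policy-file $KEYSTONE_POLICY` expands unquoted, so when `KEYSTONE_POLICY` is empty (as it is while the template variable and the context key disagree) the flag is passed with no value and the parser consumes `--sync-config-file` as its argument, giving a misleading error; quote every expansion (`"$APISERVER_CERT"`, `"$KEYSTONE_POLICY"`, `"$SYNC_CONFIG"`, `"$KUBE_CONFIG"`). Separately, the webhook is served with `APISERVER_CERT`/`APISERVER_KEY` from `/root/cdk/server.crt` and `server.key`, i.e. the API server's own TLS key pair, and talks back to the cluster with whatever credentials `/home/ubuntu/config` holds; both are reasonable on the master node but are worth stating in the README, since they determine what a compromise of this process exposes.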
templates/webhook-policy.json (new file, mode 100644)
##
The
Kubernetes
cluster
can
only
be
accessed
by
the
users
in
kubernetes
project,
##
users
with
k
8
s-admin
or
k
8
s-user
role
have
both
write
and
read
permissions
##
to
the
pod
resource,
but
users
with
k
8
s-admin
role
can
also
assign
roles
##
to
others.
[
{
"resource"
:
{
"verbs"
:
[
"get"
,
"list"
,
"watch"
,
"create"
,
"update"
,
"delete"
],
"resources"
:
[
"pods"
],
"version"
:
"*"
,
"namespace"
:
"default"
},
"match"
:
[
{
"type"
:
"role"
,
"values"
:
[
"k8s-admin"
,
"k8s-user"
]
},
{
"type"
:
"project"
,
"values"
:
[
"{{ kubernetes_project }}"
]
}
]
},
{
"resource"
:
{
"verbs"
:
[
"bind"
],
"resources"
:
[
"clusterroles"
],
"resourceNames"
:
[
"admin"
,
"edit"
,
"view"
],
"version"
:
"*"
,
"namespace"
:
"default"
},
"match"
:
[
{
"type"
:
"role"
,
"values"
:
[
"k8s-admin"
]
},
{
"type"
:
"project"
,
"values"
:
[
"{{ kubernetes_project }}"
]
}
]
}
]
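Review bot: The four leading `##` lines are not valid JSON, so unless the policy loader strips comments before parsing, `k8s-keystone-auth --keystone-policy-file` will reject this file outright; move that description into the README and keep the template pure JSON. The second rule grants `k8s-admin` only the `bind` verb on the `admin`, `edit` and `view` clusterroles; `bind` is what the API server consults for the privilege-escalation check when a binding is created, not permission to create the binding itself, so a user also needs `create` on `rolebindings` in the namespace, which no rule here grants, before they can "assign roles to others" as the comment claims. Finally, `{{ kubernetes_project }}` is interpolated into a JSON string without escaping, so a project name containing `"` or `\` yields invalid JSON; escape it in the template or validate the config value.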