Commit 884eeeab authored by Giuseppe Attardi's avatar Giuseppe Attardi

Added policy file.

parent d8e99672
# Kubernetes-keystone
This charm deploys a service that provides [Webhook Token
Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
This charm deploys a service that provides
[Webhook Token Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
to `Kubernetes` through `OpenStack Keystone`.
# Deployment
This is a subordinate charm to the [kubernetes-master]() charm.
This is a subordinate charm to the
[kubernetes-master charm](https://github.com/kubernetes/kubernetes/tree/master/cluster/juju/layers/kubernetes-master).
In order to deploy it, do:
$ juju deploy cs:~csd-garr/kubernetes-keystone
$ juju add-relation kubernetes-master:juju-info kubernetes-keystone:juju-info
$ juju add-relation kubernetes-master kubernetes-keystone
# Resources
The kubernetes-keystone charm takes advantage of the [Juju Resources](https://docs.jujucharms.com/2.4/en/developer-resources)
feature to deliver the Kubernetes software.
In deployments on public clouds the Charm Store provides the resource to the
charm automatically with no user intervention. Some environments with strict
firewall rules may not be able to contact the Charm Store. In these network
restricted environments the resource can be uploaded to the model by the Juju
operator.
# Configuration
This charm supports some configuration options to set up a `Webhook
Token Authentication` server for `Keystone`:
#### keystone-url
URL of the Keystone endpoint.
#### k8s-keystone-auth-url
URL for downloading the Keystone authentication server.
#### authn-server-url
#### kubernetes-project
Name of the OpenStack project allowed to access the cluster.
#### authn-server-url
The URL of the `Keystone` endpoint.
#### authz-server-url
URL for the Webhook authorization server.
......@@ -54,6 +43,6 @@ URL for the Webhook authorization server.
# Contact
The kubernetes-keystone charm is free and open source operations created
by the CSD team at GARR.
The `kubernetes-keystone` charm is free and open source operations created
by the `CSD team` at `GARR` <csd@garr.it>.
......@@ -41,7 +41,9 @@ from charmhelpers.fetch import archiveurl
webhook_authn_config_path = '/root/cdk/webhook-authn.config'
webhook_authz_config_path = '/root/cdk/webhook-authz.config'
k8s_keystone_sync_config_path = '/root/cdk/sync-config.yaml'
webhook_sync_config_path = '/root/cdk/sync-config.yaml'
webhook_policy_file = '/root/cdk/webhook-policy.json'
k8s_keystone_auth_start = '/root/cdk/k8s-keystone-auth.sh'
k8s_keystone_auth_path = '/root/cdk/k8s-keystone-auth'
k8s_keystone_auth_service = '/etc/systemd/system/k8s-keystone-auth.service'
......@@ -63,12 +65,19 @@ def setup_authentication():
k8s_keystone_auth_path,
'k8s_keystone_auth_start':
k8s_keystone_auth_start,
'kubernetes_project':
hookenv.config('kubernetes-project'),
'keystone_url':
hookenv.config('keystone-url'),
'keystone_url':
hookenv.config('keystone-url')}
webhook_policy_file
}
render('webhook-authn.config', webhook_authn_config_path, webhook_context)
render('webhook-authz.config', webhook_authz_config_path, webhook_context)
render('sync-config.yaml', k8s_keystone_sync_config_path, webhook_context)
# the systemd unit
render('sync-config.yaml', webhook_sync_config_path, webhook_context)
render('webhook-policy.json', webhook_policy_json, webhook_context)
# the systemd unit for deploying the k8s_keystone_auth service.
render('k8s-keystone-auth.service', k8s_keystone_auth_service, webhook_context)
# invokes this script
render('k8s-keystone-auth.sh', k8s_keystone_auth_start, webhook_context)
......
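Review bot: The new `render('webhook-policy.json', webhook_policy_json, webhook_context)` call references `webhook_policy_json`, which is not defined anywhere in the visible hunks; the path variable added at the top of the module is `webhook_policy_file`, so this line will raise `NameError` the first time `setup_authentication` runs and the policy file will never be written. It should read `render('webhook-policy.json', webhook_policy_file, webhook_context)`. In the context dict just above it, `webhook_policy_file` is appended as a bare element after `hookenv.config('keystone-url'),` — as shown that is a syntax error, and the shell template in this same commit reads `{{ keystone_policy }}`, so the intended entry is presumably `'keystone_policy': webhook_policy_file,` (a key line may have been lost in rendering; please verify). `setup_authentication` begins before this hunk, so its signature and any earlier context entries are not visible here.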
......@@ -3,6 +3,7 @@ set -a
K8S_KEYSTONE_AUTH={{ k8s_keystone_auth_path }}
KEYSTONE_URL={{ keystone_url }}
KEYSTONE_POLICY={{ keystone_policy }}
APISERVER_CERT=/root/cdk/server.crt
APISERVER_KEY=/root/cdk/server.key
SYNC_CONFIG=/root/cdk/sync-config.yaml
......@@ -11,5 +12,6 @@ KUBE_CONFIG=/home/ubuntu/config
$K8S_KEYSTONE_AUTH --tls-cert-file $APISERVER_CERT \
--tls-private-key-file $APISERVER_KEY \
--keystone-url $KEYSTONE_URL \
--keystone-policy-file $KEYSTONE_POLICY \
--sync-config-file $SYNC_CONFIG \
--kubeconfig $KUBE_CONFIG
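Review bot: The added `--keystone-policy-file $KEYSTONE_POLICY \` is unquoted, so if `keystone_policy` renders empty the expansion disappears entirely and the next token, `--sync-config-file`, is consumed as the policy path — the authorizer then starts against a bogus policy source instead of failing. That is plausible here because the charm hunk in this commit appears to add `webhook_policy_file` to the render context rather than a `keystone_policy` key. Since this file decides authorization outcomes, fail fast instead: add `: "${KEYSTONE_POLICY:?keystone_policy not rendered}"` after the assignment and quote the expansion, `--keystone-policy-file "$KEYSTONE_POLICY" \`. The script's `set -a` header and the start of the invocation are outside the hunk.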
## The Kubernetes cluster can only be accessed by the users in kubernetes project,
## users with k8s-admin or k8s-user role have both write and read permissions
## to the pod resource, but users with k8s-admin role can also assign roles
## to others.
[
{
"resource": {
"verbs": ["get", "list", "watch", "create", "update", "delete"],
"resources": ["pods"],
"version": "*",
"namespace": "default"
},
"match": [
{
"type": "role",
"values": ["k8s-admin", "k8s-user"]
},
{
"type": "project",
"values": ["{{ kubernetes_project }}"]
}
]
},
{
"resource": {
"verbs": ["bind"],
"resources": ["clusterroles"],
"resourceNames": ["admin", "edit", "view"],
"version": "*",
"namespace": "default"
},
"match": [
{
"type": "role",
"values": ["k8s-admin"]
},
{
"type": "project",
"values": ["{{ kubernetes_project }}"]
}
]
}
]
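Review bot: The four `##` lines at the top of this template are emitted verbatim into the rendered policy file, and if k8s-keystone-auth loads it as strict JSON the authorizer will fail to parse its policy; unless the loader is known to tolerate comments, move the explanation into the README (or the charm) and keep the file as bare JSON. `{{ kubernetes_project }}` is interpolated into a JSON string with no escaping, so a project name containing `"` or `\` yields an invalid or altered policy — validate the config value in the charm or render it through a JSON-escaping filter. The header also claims k8s-admin "can also assign roles to others", but the second rule only grants `bind` on `admin`/`edit`/`view`; nothing here grants `create` on `rolebindings` in `default`, so unless another authorizer mode supplies that, the rolebinding request is denied before the `bind` check is reached — either reword the comment or add the missing rule.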