scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-01 18:58:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

KEP-2862: Fine-grained Kubelet API Authorization

Browse Source 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
This commit is contained in:
Vinayak Goyal
2024-09-29 04:02:55 +00:00
parent 5006caadc8
commit b1f290d444
10 changed files with 327 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@@ -388,17 +388,6 @@ func ClusterRoles() []rbacv1.ClusterRole {
eventsRule(),
},
},
{
// a role to use for full access to the kubelet API
ObjectMeta: metav1.ObjectMeta{Name: "system:kubelet-api-admin"},
Rules: []rbacv1.PolicyRule{
// Allow read-only access to the Node API objects
rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
// Allow all API calls to the nodes
rbacv1helpers.NewRule("proxy").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/proxy", "nodes/metrics", "nodes/stats", "nodes/log").RuleOrDie(),
},
},
{
// a role to use for bootstrapping a node's client certificates
ObjectMeta: metav1.ObjectMeta{Name: "system:node-bootstrapper"},
@@ -530,6 +519,25 @@ func ClusterRoles() []rbacv1.ClusterRole {
},
})
// Add the cluster role system:kubelet-api-admin
kubeletAPIAdminRules := []rbacv1.PolicyRule{
// Allow read-only access to the Node API objects
rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
// Allow all API calls to the nodes
rbacv1helpers.NewRule("proxy").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/proxy", "nodes/metrics", "nodes/stats", "nodes/log").RuleOrDie(),
}
if utilfeature.DefaultFeatureGate.Enabled(features.KubeletFineGrainedAuthz) {
kubeletAPIAdminRules = append(kubeletAPIAdminRules, rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/pods", "nodes/healthz", "nodes/configz").RuleOrDie())
}
roles = append(roles, rbacv1.ClusterRole{
// a role to use for full access to the kubelet API
ObjectMeta: metav1.ObjectMeta{Name: "system:kubelet-api-admin"},
Rules: kubeletAPIAdminRules,
})
// node-proxier role is used by kube-proxy.
nodeProxierRules := []rbacv1.PolicyRule{
rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),