From 29cc45c88d73abc7f88c812826dc441e0d07d9c1 Mon Sep 17 00:00:00 2001
From: Alexander Babai
Date: Tue, 18 Sep 2018 20:50:27 +0300
Subject: [PATCH 1/3] feat(kops): add aws-iam-authenticator support
---
 rootfs/templates/kops/default.yaml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/rootfs/templates/kops/default.yaml b/rootfs/templates/kops/default.yaml
index 128394515..913c3aa73 100644
--- a/rootfs/templates/kops/default.yaml
+++ b/rootfs/templates/kops/default.yaml
@@ -31,10 +31,26 @@ spec:
 api:
 loadBalancer:
 type: Public
- {{- if bool (getenv "KOPS_AUTHORIZATION_RBAC_ENABLED" "false") }}
+ hooks:
+ {{- if bool (getenv "KOPS_AWS_IAM_AUTHENTICATOR_ENABLED" "false") }}
+ - name: kops-hook-authenticator-config.service
+ before:
+ - kubelet.service
+ roles: [Master]
+ manifest: |
+ [Unit]
+ Description=Download AWS Authenticator configs from S3
+ [Service]
+ Type=oneshot
+ ExecStart=/bin/mkdir -p /srv/kubernetes/aws-iam-authenticator
+ ExecStart=/usr/local/bin/aws s3 cp --recursive {{ getenv "KOPS_STATE_STORE" }}/{{ getenv "CLUSTER_NAME" }}/addons/authenticator /srv/kubernetes/aws-iam-authenticator/
 kubeAPIServer:
+ {{- if bool (getenv "KOPS_AUTHORIZATION_RBAC_ENABLED" "false") }}
 authorizationMode: {{ getenv "KOPS_KUBE_API_SERVER_AUTHORIZATION_MODE" "RBAC,AlwaysAllow" }}
 authorizationRbacSuperUser: {{ getenv "KOPS_KUBE_API_SERVER_AUTHORIZATION_RBAC_SUPER_USER" "admin" }}
+ {{- if bool (getenv "KOPS_AWS_IAM_AUTHENTICATOR_ENABLED" "false") }}
+ authenticationTokenWebhookConfigFile: /srv/kubernetes/aws-iam-authenticator/kubeconfig.yaml
+ {{- end }}
 {{- end }}
 authorization:
 {{- if bool (getenv "KOPS_AUTHORIZATION_RBAC_ENABLED" "false") }}
From 8a3e2597936b612153589484e641b5159c941766 Mon Sep 17 00:00:00 2001
From: Alexander Babai
Date: Wed, 19 Sep 2018 12:15:37 +0300
Subject: [PATCH 2/3] refactor(kops): fix yaml
---
 rootfs/templates/kops/default.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
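Review bot: In patch 1/3 the added `authenticationTokenWebhookConfigFile` line sits inside the `KOPS_AUTHORIZATION_RBAC_ENABLED` block, while the download hook is gated only on `KOPS_AWS_IAM_AUTHENTICATOR_ENABLED`, so enabling the authenticator with RBAC off renders the hook but never points the API server at the webhook kubeconfig. Either move the three added lines (the inner `{{- if bool (getenv "KOPS_AWS_IAM_AUTHENTICATOR_ENABLED" "false") }}` through its `{{- end }}`) below the RBAC `{{- end }}`, or state in a comment above them that the authenticator requires RBAC to be enabled. When both flags are on, the default `RBAC,AlwaysAllow` on the context line still lets the AlwaysAllow authorizer approve every request, so identities accepted by the webhook are not actually restricted by RBAC; a comment such as `# set KOPS_KUBE_API_SERVER_AUTHORIZATION_MODE=RBAC when the authenticator is enabled` next to the new block would make that visible. The `kubeAPIServer` mapping continues past the end of the hunk.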
diff --git a/rootfs/templates/kops/default.yaml b/rootfs/templates/kops/default.yaml
index 913c3aa73..a5e7661e9 100644
--- a/rootfs/templates/kops/default.yaml
+++ b/rootfs/templates/kops/default.yaml
@@ -36,8 +36,9 @@ spec:
 - name: kops-hook-authenticator-config.service
 before:
 - kubelet.service
- roles: [Master]
- manifest: |
+ roles:
+ - Master
+ manifest: |-
 [Unit]
 Description=Download AWS Authenticator configs from S3
 [Service]
From 70012c773ece33d180995e52ff325278e9716495 Mon Sep 17 00:00:00 2001
From: Alexander Babai
Date: Wed, 19 Sep 2018 15:31:11 +0300
Subject: [PATCH 3/3] refactor(kops): fix template
---
 rootfs/templates/kops/default.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rootfs/templates/kops/default.yaml b/rootfs/templates/kops/default.yaml
index a5e7661e9..4bb7233eb 100644
--- a/rootfs/templates/kops/default.yaml
+++ b/rootfs/templates/kops/default.yaml
@@ -44,7 +44,8 @@ spec:
 [Service]
 Type=oneshot
 ExecStart=/bin/mkdir -p /srv/kubernetes/aws-iam-authenticator
- ExecStart=/usr/local/bin/aws s3 cp --recursive {{ getenv "KOPS_STATE_STORE" }}/{{ getenv "CLUSTER_NAME" }}/addons/authenticator /srv/kubernetes/aws-iam-authenticator/
+ ExecStart=/usr/local/bin/aws s3 cp --recursive {{ getenv "KOPS_STATE_STORE" }}/{{ getenv "KOPS_CLUSTER_NAME" }}/addons/authenticator /srv/kubernetes/aws-iam-authenticator/
+ {{- end }}
 kubeAPIServer:
 {{- if bool (getenv "KOPS_AUTHORIZATION_RBAC_ENABLED" "false") }}
 authorizationMode: {{ getenv "KOPS_KUBE_API_SERVER_AUTHORIZATION_MODE" "RBAC,AlwaysAllow" }}
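Review bot: In patch 3/3 the S3 source on the rewritten `ExecStart` line is assembled from `getenv "KOPS_STATE_STORE"` and `getenv "KOPS_CLUSTER_NAME"` with no default and no emptiness check, so an unset variable appears to render a source path that no longer begins with the state-store URI and only fails when the oneshot unit runs on the master at boot. Rendering should fail early instead: extend the hook's `if` so it also requires both variables to be non-empty, or document them as mandatory alongside `KOPS_AWS_IAM_AUTHENTICATOR_ENABLED`. Because `--recursive` copies whatever is under that prefix into the directory that patch 1/3 configures as the API server's token-webhook kubeconfig location, write access to the prefix should be treated as control over cluster authentication, and the `/bin/mkdir -p` context line creates the target with default permissions; a comment in the template stating both would help operators. The hook's manifest starts above this hunk.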