Merged
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,9 @@

### Enhancements

- Implement super-admin user and bind admin to built-in cluster-admins role
(PR[#4418](https://github.com/scality/metalk8s/pull/4418))

- Bump Kubernetes version to
[1.29.8](https://github.com/kubernetes/kubernetes/releases/tag/v1.29.8)
(PR[#4417](https://github.com/scality/metalk8s/pull/4417))
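Review bot: The new entry at the top of this list does not tell operators about the two user-visible effects of the change: a new file, /etc/kubernetes/super-admin.conf, appears on master nodes, and /etc/kubernetes/admin.conf stops being issued with O "system:masters" and instead gets its rights from the kubeadm:cluster-admin ClusterRoleBinding. Anyone who has removed or edited default bindings, or who copies admin.conf elsewhere, needs to know that; please add a sentence naming both files and which one is now the break-glass credential.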
1 change: 1 addition & 0 deletions buildchain/buildchain/salt_tree.py
Expand Up @@ -477,6 +477,7 @@ def task(self) -> types.TaskDict:
Path("salt/metalk8s/kubectl/configured.sls"),
Path("salt/metalk8s/kubectl/init.sls"),
Path("salt/metalk8s/kubectl/installed.sls"),
Path("salt/metalk8s/kubernetes/admin/deployed.sls"),
Path("salt/metalk8s/kubernetes/apiserver/certs/etcd-client.sls"),
Path("salt/metalk8s/kubernetes/apiserver/certs/front-proxy-client.sls"),
Path("salt/metalk8s/kubernetes/apiserver/certs/init.sls"),
2 changes: 2 additions & 0 deletions pillar/metalk8s/roles/master.sls
Expand Up @@ -11,6 +11,8 @@ certificates:
files:
admin:
watched: True
super-admin:
watched: True
controller-manager:
watched: True
kubelet:
6 changes: 6 additions & 0 deletions salt/metalk8s/defaults.yaml
Expand Up @@ -251,6 +251,12 @@ certificates:
days_remaining: 90
days_valid: 365
files:
super-admin:
path: /etc/kubernetes/super-admin.conf
renew:
sls:
- metalk8s.kubernetes.apiserver.kubeconfig
watched: False
admin:
path: /etc/kubernetes/admin.conf
renew:
1 change: 1 addition & 0 deletions salt/metalk8s/deployed/core.sls
Expand Up @@ -2,6 +2,7 @@ include:
- metalk8s.kubernetes.kube-proxy.deployed
- metalk8s.kubernetes.cni.calico.deployed
- metalk8s.kubernetes.coredns.deployed
- metalk8s.kubernetes.admin.deployed
- metalk8s.repo.deployed
- metalk8s.salt.master.deployed
- metalk8s.backup.deployed
15 changes: 15 additions & 0 deletions salt/metalk8s/kubernetes/admin/deployed.sls
@@ -0,0 +1,15 @@
Deploy admin user ClusterRoleBinding:
metalk8s_kubernetes.object_present:
- manifest:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubeadm:cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: Group
name: kubeadm:cluster-admins
apiGroup: rbac.authorization.k8s.io
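Review bot: The ordering between this ClusterRoleBinding and the re-issued admin.conf is not enforced by anything visible in the state: it has no require or onchanges, yet once admin.conf carries O "kubeadm:cluster-admins" that group has no rights until this object exists. Please state (in a comment at the top of the file, which currently has none) which credential applies the manifest and at which point of install and upgrade it runs relative to metalk8s.kubernetes.apiserver.kubeconfig, so that there is no window where admin.conf is regenerated but unbound. A one-line note that the names kubeadm:cluster-admin and kubeadm:cluster-admins deliberately mirror kubeadm's would also save the next reader a search.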
21 changes: 20 additions & 1 deletion salt/metalk8s/kubernetes/apiserver/kubeconfig.sls
Expand Up @@ -13,14 +13,33 @@ include:

{%- set apiserver = 'https://' ~ apiserver_ip ~ ':6443' %}

Create kubeconfig file for super-admin:
metalk8s_kubeconfig.managed:
- name: {{ certificates.kubeconfig.files["super-admin"].path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ kube_api.cert.client_signing_policy }}
- client_cert_info:
CN: "kubernetes-super-admin"
O: "system:masters"
- apiserver: {{ apiserver }}
- cluster: {{ kubernetes.cluster }}
- days_valid: {{
certificates.kubeconfig.files["super-admin"].days_valid |
default(certificates.kubeconfig.days_valid) }}
- days_remaining: {{
certificates.kubeconfig.files["super-admin"].days_remaining |
default(certificates.kubeconfig.days_remaining) }}
- require:
- metalk8s_package_manager: Install m2crypto

Create kubeconfig file for admin:
metalk8s_kubeconfig.managed:
- name: {{ certificates.kubeconfig.files.admin.path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ kube_api.cert.client_signing_policy }}
- client_cert_info:
CN: "kubernetes-admin"
O: "system:masters"
O: "kubeadm:cluster-admins"
- apiserver: {{ apiserver }}
- cluster: {{ kubernetes.cluster }}
- days_valid: {{
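Review bot: In the "Create kubeconfig file for admin" block, changing O from "system:masters" to "kubeadm:cluster-admins" only has an effect once the client certificate embedded in admin.conf is re-issued; please confirm that metalk8s_kubeconfig.managed regenerates the file when client_cert_info changes and not only when days_remaining is reached, otherwise upgraded clusters keep a system:masters admin.conf until the old certificate expires. On the new super-admin block: O "system:masters" is authorized by the API server without consulting RBAC, so this credential cannot be restricted by deleting a binding and stays usable for its full days_valid. A comment above the state saying it is the break-glass kubeconfig, and that admin.conf is the one meant for routine use, would make the intent explicit; it is also worth considering whether the two near-identical blocks should be generated from one Jinja loop so that their options cannot drift apart.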
1 change: 1 addition & 0 deletions salt/tests/unit/formulas/config.yaml
Expand Up @@ -531,6 +531,7 @@ metalk8s:
# Client
- /etc/kubernetes/pki/etcd/salt-master-etcd-client.crt
# Kubeconfig
- /etc/kubernetes/super-admin.conf
- /etc/kubernetes/admin.conf
# Server
- /etc/kubernetes/pki/apiserver.crt
2 changes: 2 additions & 0 deletions salt/tests/unit/formulas/data/base_pillar.yaml
Expand Up @@ -144,6 +144,8 @@ certificates:
watched: true
kubeconfig:
files:
super-admin:
watched: true
admin:
watched: true
controller-manager: