Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add structured authentication configuration #11841

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
+84 −4
Open

add structured authentication configuration #11841

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8296d2a
add structured authentication configuration
Payback159 Dec 30, 2024
ae451fc
Move configuration from kube_oidc to own top-level configuration. Exp…
Payback159 Jan 2, 2025
17418b8
add structured authentication conf
Payback159 Jan 14, 2025
88dbf80
fix yamllint missing space
Payback159 Jan 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 47 additions & 2 deletions roles/kubernetes/control-plane/defaults/main/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,50 @@ kube_api_runtime_config: []
kube_token_auth: false
kube_oidc_auth: false

## Structured authentication config
## Structured AuthenticationConfiguration is a new feature in Kubernetes v1.29+ (GA in v1.32) that configures the API server's authentication modes with a structured configuration file.
## Note: The `--authentication-config` and `--oidc-*` flags are mutually exclusive. The two features cannot be used at the same time.
## Docs: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration
## Examples: https://kubernetes.io/blog/2024/04/25/structured-authentication-moves-to-beta/#how-to-use-structured-authentication-configuration
## KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration
kube_apiserver_use_authentication_config_file: false
kube_apiserver_authentication_jwt_provider: []
# Example
# - issuer:
# url: "https://issuer1.example.com"
# audiences:
# - audience1
# - audience2
# audienceMatchPolicy: MatchAny
# claimMappings:
# username:
# expression: "claims.username"
# groups:
# expression: "claims.groups"
# uid:
# expression: "claims.uid"
# userValidationRules:
# - expression: "!user.username.startsWith('system:')"
# message: "username cannot use reserved system: prefix"
# - issuer:
# url: "https://issuer2.example.com"
# discoveryURL: "https://discovery.example.com/.well-known/openid-configuration"
# audiences:
# - audience3
# - audience4
# audienceMatchPolicy: MatchAny
# claimMappings:
# username:
# expression: "claims.username"
# groups:
# expression: "claims.groups"
# uid:
# expression: "claims.uid"
# userValidationRules:
# - expression: "!user.username.startsWith('kubespray:')"
# message: "username cannot use reserved kubespray: prefix"


## Variables for webhook token auth https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
kube_webhook_token_auth: false
kube_webhook_token_auth_url_skip_tls_verify: false
Expand All @@ -162,9 +206,10 @@ kube_apiserver_admission_plugins_podnodeselector_default_node_selector: ""
# kube_oidc_client_id: kubernetes
## Optional settings for OIDC
# kube_oidc_username_claim: sub
# kube_oidc_username_prefix: 'oidc:'
# kube_oidc_username_prefix: "oidc:"
# kube_oidc_groups_claim: groups
# kube_oidc_groups_prefix: 'oidc:'
# kube_oidc_groups_prefix: "oidc:"
# kube_oidc_uid_claim: "sub"
# Copy oidc CA file to the following path if needed
# kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
# Optionally include a base64-encoded oidc CA cert
Expand Down
14 changes: 14 additions & 0 deletions roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,20 @@
mode: "0640"
when: kube_apiserver_tracing


- name: Kubeadm | Configure Structured Authentication
copy:
content: "{{ authn_config | to_nice_yaml(indent=2, sort_keys=false) }}"
dest: "{{ kube_config_dir }}/apiserver-authentication-config.yaml"
mode: "0640"
vars:
authn_config:
apiVersion: apiserver.config.k8s.io/{{ 'v1alpha1' if kube_version is version('v1.30.0', '<') else 'v1beta1' if
kube_version is version('v1.32.0', '<') else 'v1' }}
kind: AuthenticationConfiguration
jwt: "{{ kube_apiserver_authentication_config_jwt_provider }}"
when: kube_apiserver_use_authentication_config_file

# Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
- name: Set kubeadm_config_api_fqdn define
set_fact:
Expand Down
12 changes: 11 additions & 1 deletion roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,7 @@ apiServer:
{% if kube_apiserver_service_account_lookup %}
service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
{% endif %}
{% if kube_oidc_auth | default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
oidc-issuer-url: "{{ kube_oidc_url }}"
oidc-client-id: "{{ kube_oidc_client_id }}"
{% if kube_oidc_ca_file is defined %}
Expand All @@ -177,6 +177,9 @@ apiServer:
oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
{% endif %}
{% endif %}
{% if kube_apiserver_use_authentication_config_file %}
authentication-config: {{ kube_config_dir }}/apiserver-authentication-config.yaml
{% endif %}
{% if kube_webhook_token_auth | default(false) %}
authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %}
Expand Down Expand Up @@ -270,6 +273,13 @@ apiServer:
readOnly: false
pathType: DirectoryOrCreate
{% endif %}
{% if kube_apiserver_use_authentication_config_file %}
- name: structauth
hostPath: {{ kube_config_dir }}/apiserver-authentication-config.yaml
mountPath: {{ kube_config_dir }}/apiserver-authentication-config.yaml
readOnly: true
pathType: DirectoryOrCreate
{% endif %}
{% if kube_apiserver_tracing %}
- name: tracing
hostPath: {{ kube_config_dir }}/tracing
Expand Down
13 changes: 12 additions & 1 deletion roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,7 +187,7 @@ apiServer:
- name: service-account-lookup
value: "{{ kube_apiserver_service_account_lookup }}"
{% endif %}
{% if kube_oidc_auth | default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
- name: oidc-issuer-url
value: "{{ kube_oidc_url }}"
- name: oidc-client-id
Expand All @@ -213,6 +213,10 @@ apiServer:
value: "{{ kube_oidc_groups_prefix }}"
{% endif %}
{% endif %}
{% if kube_apiserver_use_authentication_config_file %}
- name: authentication-config
value: "{{ kube_config_dir }}/apiserver-authentication-config.yaml"
{% endif %}
{% if kube_webhook_token_auth | default(false) %}
- name: authentication-token-webhook-config-file
value: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
Expand Down Expand Up @@ -327,6 +331,13 @@ apiServer:
readOnly: false
pathType: DirectoryOrCreate
{% endif %}
{% if kube_apiserver_use_authentication_config_file %}
- name: structauth
hostPath: {{ kube_config_dir }}/apiserver-authentication-config.yaml
mountPath: {{ kube_config_dir }}/apiserver-authentication-config.yaml
readOnly: true
pathType: DirectoryOrCreate
{% endif %}
{% if kube_apiserver_tracing %}
- name: tracing
hostPath: {{ kube_config_dir }}/tracing
Expand Down