# Identity for the keystone-auth webhook pod plus the RBAC binding that grants
# it API access. Written to a file and applied so re-runs are idempotent.
mkdir -p /etc/kubernetes/keystone-auth
cat <<EOF > /etc/kubernetes/keystone-auth/serviceaccount.yaml
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: keystone-auth
  namespace: kube-system
---
# NOTE(review): cluster-admin is far broader than the webhook appears to need.
# With the arguments used in this script it presumably only reads its policy
# ConfigMap in kube-system (get/list/watch on configmaps), so a compromised
# webhook pod currently holds full control of the cluster for no benefit.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: keystone-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: keystone-auth
    namespace: kube-system
EOF
kubectl apply -f /etc/kubernetes/keystone-auth/serviceaccount.yaml
# Authorization policy consumed by the webhook (passed to it as
# --policy-configmap-name). The single rule below allows Keystone users that
# hold the "member" role in project "demo" to get/list/watch pods in the
# "default" namespace.
cat <<EOF > /etc/kubernetes/keystone-auth/policy-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: keystone-auth-policy
  namespace: kube-system
data:
  policies: |
    [
      {
        "resource": {
          "verbs": ["get", "list", "watch"],
          "resources": ["pods"],
          "version": "*",
          "namespace": "default"
        },
        "match": [
          {
            "type": "role",
            "values": ["member"]
          },
          {
            "type": "project",
            "values": ["demo"]
          }
        ]
      }
    ]
EOF
kubectl apply -f /etc/kubernetes/keystone-auth/policy-config.yaml
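# TLS material served by the webhook. The script reuses the kube-apiserver
# serving certificate and private key. NOTE(review): handing that key to a
# pod widens the blast radius of a webhook compromise (the apiserver's own
# identity can then be impersonated); a certificate issued specifically for
# the webhook's service address is preferable.
# The Secret is rendered client-side and piped to apply so that a re-run of
# this script updates it instead of failing with AlreadyExists.
kubectl create secret generic keystone-auth-certs \
  --from-file=cert-file=/etc/kubernetes/pki/apiserver.crt \
  --from-file=key-file=/etc/kubernetes/pki/apiserver.key \
  -n kube-system \
  --dry-run=client -o yaml | kubectl apply -f -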
# Webhook workload and the Service that fronts it.
# NOTE(review): the Keystone endpoint is plain http, so every token the webhook
# validates crosses the network unencrypted; an https endpoint is preferable.
keystone_auth_url="http://192.168.206.8/identity/v3"
cat <<EOF > /etc/kubernetes/keystone-auth/keystone-auth.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keystone-auth
  namespace: kube-system
  labels:
    k8s-app: keystone-auth
spec:
  serviceName: keystone-auth
  replicas: 1
  selector:
    matchLabels:
      k8s-app: keystone-auth
  template:
    metadata:
      labels:
        k8s-app: keystone-auth
    spec:
      serviceAccountName: keystone-auth
      tolerations:
        - effect: NoSchedule  # Make sure the pod can be scheduled on master kubelet.
          operator: Exists
        - key: CriticalAddonsOnly  # Mark the pod as a critical add-on for rescheduling.
          operator: Exists
        - effect: NoExecute
          operator: Exists
      nodeSelector:
        node-role.kubernetes.io/master: ""  # Running on a worker seemed to cause problems.
      containers:
        - name: keystone-auth
          # NOTE(review): an unpinned :latest tag combined with imagePullPolicy: Always
          # means each pod restart may run a different, unreviewed build of the
          # component that decides cluster authentication; pin a tag or digest.
          image: k8scloudprovider/k8s-keystone-auth:latest
          imagePullPolicy: Always
          args:
            - ./bin/k8s-keystone-auth
            - --tls-cert-file
            - /etc/kubernetes/pki/cert-file
            - --tls-private-key-file
            - /etc/kubernetes/pki/key-file
            - --policy-configmap-name
            - keystone-auth-policy
            - --keystone-url
            - ${keystone_auth_url}
          volumeMounts:
            - mountPath: /etc/kubernetes/pki
              name: k8s-certs
              readOnly: true
          ports:
            - containerPort: 8443
      volumes:
        - name: k8s-certs
          secret:
            secretName: keystone-auth-certs
---
kind: Service
apiVersion: v1
metadata:
  name: keystone-auth
  namespace: kube-system
spec:
  selector:
    k8s-app: keystone-auth
  ports:
    - protocol: TCP
      port: 8443
      targetPort: 8443
EOF
kubectl apply -f /etc/kubernetes/keystone-auth/keystone-auth.yaml
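# Kubeconfig-style file that points kube-apiserver at the webhook. It is kept
# under the pki directory for convenience, because kube-apiserver already has
# access to that directory.
# The Service's ClusterIP is allocated by the cluster, so read it back instead
# of hard-coding the address that happened to be assigned on one install
# (the script previously used 10.99.112.152).
keystone_auth_service_addr=$(kubectl get svc keystone-auth -n kube-system \
  -o jsonpath='{.spec.clusterIP}')
if [ -z "$keystone_auth_service_addr" ]; then
  echo "could not determine ClusterIP of service keystone-auth in kube-system" >&2
  exit 1
fi
# NOTE(review): insecure-skip-tls-verify means the apiserver never checks who
# answers at this address, yet it delegates authentication and authorization
# decisions to that endpoint. Anything able to answer on the service address
# could forge those decisions. Prefer a webhook certificate whose SAN covers
# the service address and reference the issuing CA here instead of skipping
# verification.
cat <<EOF > /etc/kubernetes/pki/webhookconfig.yaml
---
apiVersion: v1
kind: Config
preferences: {}
clusters:
  - cluster:
      insecure-skip-tls-verify: true
      server: https://${keystone_auth_service_addr}:8443/webhook
    name: webhook
users:
  - name: webhook
contexts:
  - context:
      cluster: webhook
      user: webhook
    name: webhook
current-context: webhook
EOF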
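# Wire the webhook into the kube-apiserver static-pod manifest; the kubelet
# re-creates the apiserver pod when this file changes. Each insert is guarded
# with grep so a re-run of the script does not add the flag twice. The four
# escaped spaces match the indentation of the container command list in a
# kubeadm-generated manifest, which is why the lines are inserted just before
# the "image:" key.
apiserver_manifest=/etc/kubernetes/manifests/kube-apiserver.yaml
grep -q -- '--authentication-token-webhook-config-file=' "$apiserver_manifest" || \
  sed -i '/image:/ i \ \ \ \ - --authentication-token-webhook-config-file=/etc/kubernetes/pki/webhookconfig.yaml' "$apiserver_manifest"
grep -q -- '--authorization-webhook-config-file=' "$apiserver_manifest" || \
  sed -i '/image:/ i \ \ \ \ - --authorization-webhook-config-file=/etc/kubernetes/pki/webhookconfig.yaml' "$apiserver_manifest"
# Replaces the existing authorization-mode line in place (already idempotent).
# Authorizers are consulted in the listed order, so the Webhook is asked
# before RBAC for every request the Node authorizer does not decide.
sed -i "/authorization-mode/c \ \ \ \ - --authorization-mode=Node,Webhook,RBAC" "$apiserver_manifest"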