From 4a6eb7eaa2b96bf34ac35fc536d90726e4bca19b Mon Sep 17 00:00:00 2001
From: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
Date: Tue, 17 Jan 2023 08:56:32 +0100
Subject: [PATCH] enable back kubelet_authorization_mode_webhook by default
 (#9662)

In 6db6c8678c31621934c2253faa331174bf9fa49a, this was disabled because
kubespray granted too many permissions that were not needed. This commit
re-enables this option by default and also removes the extra
permissions that kubespray granted, which were in fact not needed.

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
---
 docs/hardening.md                             |  1 +
 .../cluster_roles/tasks/main.yml              | 38 ++-----------------
 .../templates/node-webhook-cr.yml.j2          | 20 ----------
 .../templates/node-webhook-crb.yml.j2         | 17 ---------
 roles/kubespray-defaults/defaults/main.yaml   |  2 +-
 5 files changed, 6 insertions(+), 72 deletions(-)
 delete mode 100644 roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2
 delete mode 100644 roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2

diff --git a/docs/hardening.md b/docs/hardening.md
index b3359b74b..5aa8fcfb0 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -85,6 +85,7 @@ kube_kubeadm_scheduler_extra_args:
 etcd_deployment_type: kubeadm
 
 ## kubelet
+kubelet_authorization_mode_webhook: true
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index ddbddba4b..f0e07018c 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -37,55 +37,25 @@
     - node_crb_manifest.changed
     - inventory_hostname == groups['kube_control_plane'][0]
 
-- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet
-  template:
-    src: "node-webhook-cr.yml.j2"
-    dest: "{{ kube_config_dir }}/node-webhook-cr.yml"
-    mode: 0640
-  register: node_webhook_cr_manifest
-  when:
-    - rbac_enabled
-    - kubelet_authorization_mode_webhook
-    - inventory_hostname == groups['kube_control_plane'][0]
-  tags: node-webhook
-
-- name: Apply webhook ClusterRole
+- name: Kubernetes Apps | Remove old webhook ClusterRole
   kube:
     name: "system:node-webhook"
     kubectl: "{{ bin_dir }}/kubectl"
     resource: "clusterrole"
-    filename: "{{ kube_config_dir }}/node-webhook-cr.yml"
-    state: latest
+    state: absent
   when:
     - rbac_enabled
-    - kubelet_authorization_mode_webhook
-    - node_webhook_cr_manifest.changed
     - inventory_hostname == groups['kube_control_plane'][0]
   tags: node-webhook
 
-- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole
-  template:
-    src: "node-webhook-crb.yml.j2"
-    dest: "{{ kube_config_dir }}/node-webhook-crb.yml"
-    mode: 0640
-  register: node_webhook_crb_manifest
-  when:
-    - rbac_enabled
-    - kubelet_authorization_mode_webhook
-    - inventory_hostname == groups['kube_control_plane'][0]
-  tags: node-webhook
-
-- name: Grant system:nodes the webhook ClusterRole
+- name: Kubernetes Apps | Remove old webhook ClusterRoleBinding
   kube:
     name: "system:node-webhook"
     kubectl: "{{ bin_dir }}/kubectl"
     resource: "clusterrolebinding"
-    filename: "{{ kube_config_dir }}/node-webhook-crb.yml"
-    state: latest
+    state: absent
   when:
     - rbac_enabled
-    - kubelet_authorization_mode_webhook
-    - node_webhook_crb_manifest.changed
     - inventory_hostname == groups['kube_control_plane'][0]
   tags: node-webhook
 
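Review bot: The two `state: absent` tasks now run on every converge for as long as `rbac_enabled` is true, but nothing in the hunk records why `system:node-webhook` is being torn down, so a future reader could re-add a similar binding without realising what it exposed. I would put a comment above the first task, e.g. `# Cleanup for clusters deployed by earlier kubespray releases: this ClusterRole/Binding gave the whole system:nodes group '*' on nodes/proxy|stats|log|spec|metrics, i.e. any node identity could reach every other kubelet's log/exec/proxy endpoints.` The removed templates in this patch are what that comment refers to, so the claim is grounded in the diff itself. It is also worth confirming that the `kube` module treats a missing resource as a no-op for `state: absent`, otherwise the first run on a fresh cluster would fail the delete; the module is not visible from this hunk.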
diff --git a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2
deleted file mode 100644
index bf9aaf73f..000000000
--- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
-  labels:
-    kubernetes.io/bootstrapping: rbac-defaults
-  name: system:node-webhook
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes/proxy
-      - nodes/stats
-      - nodes/log
-      - nodes/spec
-      - nodes/metrics
-    verbs:
-      - "*"
diff --git a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2
deleted file mode 100644
index 68aed5cb5..000000000
--- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2
+++ /dev/null
@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
-  labels:
-    kubernetes.io/bootstrapping: rbac-defaults
-  name: system:node-webhook
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:node-webhook
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: Group
-  name: system:nodes
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 6d91768bd..b02744dbc 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -480,7 +480,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
 kubelet_authentication_token_webhook: true
 
 # When enabled, access to the kubelet API requires authorization by delegation to the API server
-kubelet_authorization_mode_webhook: false
+kubelet_authorization_mode_webhook: true
 
 # kubelet uses certificates for authenticating to the Kubernetes API
 # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
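Review bot: The comment above `kubelet_authorization_mode_webhook: true` explains the mechanism but not its precondition: Webhook authorization can only delegate a decision for callers the kubelet has authenticated, so the new default leans on `kubelet_authentication_token_webhook` (kept `true` just above) or x509 client certificates for every component that talks to the kubelet API. Since the default flips here, I would extend the comment, e.g. `# Relies on kubelet_authentication_token_webhook (or x509 client certs) so callers have an identity; anything reaching the kubelet API (metrics-server, log/exec via the API server) needs RBAC on the nodes/* subresources.` Whether kubespray's metrics-server manifests and the kubeadm apiserver kubelet-client identity already carry that RBAC is not visible in this patch and should be verified before relying on the new default in existing clusters.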
-- 
GitLab