Merge pull request #92 from gianrubio/rbac-auth-plugin

Add experimental feature to enable rbac authorization plugin

Author: mumoshu

config/config.go

@@ -31,6 +31,11 @@ const (
 
 func NewDefaultCluster() *Cluster {
 	experimental := Experimental{
+		AuditLog{
+			Enabled: false,
+			MaxAge:  30,
+			LogPath: "/dev/stdout",
+		},
 		AwsEnvironment{
 			Enabled: false,
 		},
@@ -48,6 +53,11 @@ func NewDefaultCluster() *Cluster {
 		NodeLabel{
 			Enabled: false,
 		},
+		Plugins{
+			Rbac{
+				Enabled: false,
+			},
+		},
 		WaitSignal{
 			Enabled:      false,
 			MaxBatchSize: 1,
@@ -273,11 +283,13 @@ type Subnet struct {
 }
 
 type Experimental struct {
+	AuditLog              AuditLog              `yaml:"auditLog"`
 	AwsEnvironment        AwsEnvironment        `yaml:"awsEnvironment"`
 	EphemeralImageStorage EphemeralImageStorage `yaml:"ephemeralImageStorage"`
 	LoadBalancer          LoadBalancer          `yaml:"loadBalancer"`
 	NodeDrainer           NodeDrainer           `yaml:"nodeDrainer"`
 	NodeLabel             NodeLabel             `yaml:"nodeLabel"`
+	Plugins               Plugins               `yaml:"plugins"`
 	WaitSignal            WaitSignal            `yaml:"waitSignal"`
 }
 
@@ -286,6 +298,12 @@ type AwsEnvironment struct {
 	Environment map[string]string `yaml:"environment"`
 }
 
+type AuditLog struct {
+	Enabled bool   `yaml:"enabled"`
+	MaxAge  int    `yaml:"maxage"`
+	LogPath string `yaml:"logpath"`
+}
+
 type EphemeralImageStorage struct {
 	Enabled    bool   `yaml:"enabled"`
 	Disk       string `yaml:"disk"`
@@ -306,6 +324,14 @@ type LoadBalancer struct {
 	SecurityGroupIds []string `yaml:"securityGroupIds"`
 }
 
+type Plugins struct {
+	Rbac Rbac `yaml:"rbac"`
+}
+
+type Rbac struct {
+	Enabled bool `yaml:"enabled"`
+}
+
 type WaitSignal struct {
 	Enabled      bool `yaml:"enabled"`
 	MaxBatchSize int  `yaml:"maxBatchSize"`

config/templates/cloud-config-controller

@@ -490,13 +490,21 @@ write_files:
           - --allow-privileged=true
           - --service-cluster-ip-range={{.ServiceCIDR}}
           - --secure-port=443
+          {{if .Experimental.AuditLog.Enabled}}
+          - --audit-log-maxage={{.Experimental.AuditLog.MaxAge}}
+          - --audit-log-path={{.Experimental.AuditLog.LogPath}}
+          {{ end }}
+          {{if .Experimental.Plugins.Rbac.Enabled}}
+          - --authorization-mode=RBAC
+          - --authorization-rbac-super-user=kube-admin
+          {{ end }}
           - --advertise-address=$private_ipv4
           - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
           - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
           - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
           - --client-ca-file=/etc/kubernetes/ssl/ca.pem
           - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
-          - --runtime-config=extensions/v1beta1/networkpolicies=true,batch/v2alpha1
+          - --runtime-config=extensions/v1beta1/networkpolicies=true,batch/v2alpha1{{if .Experimental.Plugins.Rbac.Enabled}},rbac.authorization.k8s.io/v1alpha1=true{{ end }}
           - --cloud-provider=aws
           livenessProbe:
             httpGet:

config/templates/cluster.yaml

@@ -187,6 +187,13 @@ kmsKeyArn: "{{.KMSKeyARN}}"
 #     enabled: true
 #     environment:
 #       CFNSTACK: '{ "Ref" : "AWS::StackId" }'
+#   plugins:
+#     rbac:
+#       enabled: true
+#   auditLog:
+#     enabled: true
+#     maxage: 30
+#     logpath: /dev/stdout
 #   waitSignal:
 #     enabled: true
 #   # This option has not yet been tested with rkt as container runtime