forked from theopenlab/spark
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add job definition about K8S+keystone authentication+authorization sc…
…enario (apache#103) * Add job definition about K8S+keystone authentication+authorization scenario For #theopenlab/openlab/issues/31 For #theopenlab/openlab/issues/30 * Add job definition about K8S+keystone authentication+authorization scenario For #theopenlab/openlab/issues/31 For #theopenlab/openlab/issues/30 * Add job definition for kubernetes/cloud-provider-openstack + LB and Octavia scenario (apache#100) * Add job definition for kubernetes/cloud-provider-openstack + LB and Octavia scenario For apache#97 * fix some nits * Update the way to query network id * Add job definition about K8S+keystone authentication+authorization scenario For #theopenlab/openlab/issues/31 For #theopenlab/openlab/issues/30 * Add job definition about K8S+keystone authentication+authorization scenario For #theopenlab/openlab/issues/31 For #theopenlab/openlab/issues/30 * improve resource cleanup * update * improve resource cleanup
- Loading branch information
Showing
6 changed files
with
212 additions
and
2 deletions.
There are no files selected for viewing
4 changes: 4 additions & 0 deletions
4
.../cloud-provider-openstack-acceptance-test-keystone-authentication-authorization/post.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| - hosts: all | ||
| become: yes | ||
| roles: | ||
| - collect-k8s-logs |
194 changes: 194 additions & 0 deletions
194
...s/cloud-provider-openstack-acceptance-test-keystone-authentication-authorization/run.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,194 @@ | ||
| - name: Set up Kubernetes local cluster | ||
| hosts: all | ||
| roles: | ||
| - install-k8s-jobs-dependences | ||
| become: yes | ||
| tasks: | ||
| - name: Set up Kubernetes local cluster | ||
| shell: | ||
| cmd: | | ||
| set -e | ||
| apt-get install python-pip -y | ||
| pip install -U python-openstackclient | ||
| export OS_DOMAIN_NAME=$(echo '{{ vexxhost_credentials.user_domain_name }}') | ||
| export OS_AUTH_TYPE=$(echo '{{ vexxhost_credentials.auth_type }}') | ||
| export OS_IDENTITY_API_VERSION=$(echo '{{ vexxhost_credentials.identity_api_version }}') | ||
| export OS_VOLUME_API_VERSION=$(echo '{{ vexxhost_credentials.volume_api_version }}') | ||
| export OS_INTERFACE=$(echo '{{ vexxhost_credentials.interface }}') | ||
| export OS_AUTH_URL=$(echo '{{ vexxhost_credentials.auth_url }}') | ||
| export OS_PROJECT_ID=$(echo '{{ vexxhost_credentials.project_id }}') | ||
| export OS_PROJECT_NAME=$(echo '{{ vexxhost_credentials.project_name }}') | ||
| export OS_USER_DOMAIN_NAME=$(echo '{{ vexxhost_credentials.user_domain_name }}') | ||
| export OS_PROJECT_DOMAIN_ID=$(echo '{{ vexxhost_credentials.project_domain_id }}') | ||
| export OS_USERNAME=$(echo '{{ vexxhost_credentials.username }}') | ||
| export OS_PASSWORD=$(echo '{{ vexxhost_credentials.password }}') | ||
| export OS_REGION_NAME=$(echo '{{ vexxhost_credentials.region_name }}') | ||
| if [[ ! -d "/etc/kubernetes/" ]]; then | ||
| sudo mkdir -p /etc/kubernetes/ | ||
| fi | ||
| chown zuul /etc/kubernetes/ | ||
| cat << EOF >> /etc/kubernetes/cloud-config | ||
| [Global] | ||
| domain-name = ${OS_PROJECT_DOMAIN_NAME-$OS_PROJECT_DOMAIN_ID} | ||
| tenant-id = $OS_PROJECT_ID | ||
| auth-url = $OS_AUTH_URL | ||
| password = $OS_PASSWORD | ||
| username = $OS_USERNAME | ||
| region = $OS_REGION_NAME | ||
| [BlockStorage] | ||
| bs-version = v2 | ||
| EOF | ||
| cat << EOF >> /etc/kubernetes/webhook.kubeconfig | ||
| apiVersion: v1 | ||
| clusters: | ||
| - cluster: | ||
| insecure-skip-tls-verify: true | ||
| server: https://localhost:8443/webhook | ||
| name: webhook | ||
| contexts: | ||
| - context: | ||
| cluster: webhook | ||
| user: webhook | ||
| name: webhook | ||
| current-context: webhook | ||
| kind: Config | ||
| preferences: {} | ||
| users: | ||
| - name: webhook | ||
| EOF | ||
| set -x | ||
| make depend | ||
| make build | ||
| mkdir -p "{{ ansible_user_dir }}/.kube" | ||
| export API_HOST_IP="172.17.0.1" | ||
| export KUBELET_HOST="0.0.0.0" | ||
| echo "Stopping firewall and allow all traffic..." | ||
| iptables -F | ||
| iptables -X | ||
| iptables -t nat -F | ||
| iptables -t nat -X | ||
| iptables -t mangle -F | ||
| iptables -t mangle -X | ||
| iptables -P INPUT ACCEPT | ||
| iptables -P FORWARD ACCEPT | ||
| iptables -P OUTPUT ACCEPT | ||
| export ALLOW_SECURITY_CONTEXT=true | ||
| export ENABLE_CRI=false | ||
| export ENABLE_HOSTPATH_PROVISIONER=true | ||
| export ENABLE_SINGLE_CA_SIGNER=true | ||
| # export KUBE_ENABLE_CLUSTER_DASHBOARD=true | ||
| export KUBE_ENABLE_CLUSTER_DNS=false | ||
| export LOG_LEVEL=10 | ||
| # we want to use the openstack cloud provider | ||
| export CLOUD_PROVIDER=openstack | ||
| # we want to run a separate cloud-controller-manager for openstack | ||
| export EXTERNAL_CLOUD_PROVIDER=true | ||
| # DO NOT change the location of the cloud-config file. It is important for the old cinder provider to work | ||
| export CLOUD_CONFIG=/etc/kubernetes/cloud-config | ||
| # specify the OCCM binary | ||
| export EXTERNAL_CLOUD_PROVIDER_BINARY="{{ ansible_user_dir }}/{{ zuul.project.src_dir }}/openstack-cloud-controller-manager" | ||
| # Cleanup some directories just in case | ||
| sudo rm -rf /var/lib/kubelet/* | ||
| # location of where the kubernetes processes log their output | ||
| mkdir -p /opt/stack/logs/ | ||
| export LOG_DIR=/opt/stack/logs | ||
| # We need this for one of the conformance tests | ||
| export ALLOW_PRIVILEGED=true | ||
| # Just kick off all the processes and drop down to the command line | ||
| export ENABLE_DAEMON=true | ||
| # We need the hostname to match the name of the vm started by openstack | ||
| export HOSTNAME_OVERRIDE=$(curl http://169.254.169.254/openstack/latest/meta_data.json | python -c "import sys, json; print json.load(sys.stdin)['name']") | ||
| cp ./examples/webhook/policy.json /etc/kubernetes/ | ||
| pushd ${GOPATH}/src/k8s.io/kubernetes | ||
| export AUTHORIZATION_MODE="Webhook,Node" | ||
| # TODO: Following is workaround for supporting keystone webhook in local-up-cluster.sh tool, it should be landed in the official kubernetes repo | ||
| sed 's/curl --max-time 1/curl --max-time 5/g' -i ./hack/lib/util.sh | ||
| sed '583,587 d' -i ./hack/local-up-cluster.sh | ||
| sed '555 a \ --authentication-token-webhook-config-file=/etc/kubernetes/webhook.kubeconfig \\' -i ./hack/local-up-cluster.sh | ||
| sed '555 a \ --authorization-webhook-config-file=/etc/kubernetes/webhook.kubeconfig \\' -i ./hack/local-up-cluster.sh | ||
| # -E preserves the current env vars, but we need to special case PATH | ||
| sudo -E PATH=$PATH SHELLOPTS=$SHELLOPTS ./hack/local-up-cluster.sh -O | ||
| nohup "{{ ansible_user_dir }}/{{ zuul.project.src_dir }}/k8s-keystone-auth" \ | ||
| --tls-cert-file /var/run/kubernetes/serving-kube-apiserver.crt \ | ||
| --tls-private-key-file /var/run/kubernetes/serving-kube-apiserver.key \ | ||
| --keystone-policy-file /etc/kubernetes/policy.json \ | ||
| --log-dir=${LOG_DIR} \ | ||
| --v=10 \ | ||
| --keystone-url ${OS_AUTH_URL} >"${LOG_DIR}/keystone-auth.log" 2>&1 & | ||
| # sudo of local-up-cluster mucks with permissions | ||
| sudo chmod -R 777 "{{ ansible_user_dir }}/.kube" | ||
| sudo chmod 777 /var/run/kubernetes/client-admin.key | ||
| # set up the config we need for kubectl to work | ||
| cluster/kubectl.sh config set-cluster local --server=https://localhost:6443 --certificate-authority=/var/run/kubernetes/server-ca.crt | ||
| cluster/kubectl.sh config set-credentials myself --client-key=/var/run/kubernetes/client-admin.key --client-certificate=/var/run/kubernetes/client-admin.crt | ||
| cluster/kubectl.sh config set-context local --cluster=local --user=myself | ||
| cluster/kubectl.sh config use-context local | ||
| # Hack for RBAC for all for the new cloud-controller process, we need to do better than this | ||
| cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:default kube-system-cluster-admin-1 --clusterrole cluster-admin | ||
| cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:pvl-controller kube-system-cluster-admin-2 --clusterrole cluster-admin | ||
| cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:cloud-node-controller kube-system-cluster-admin-3 --clusterrole cluster-admin | ||
| cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:cloud-controller-manager kube-system-cluster-admin-4 --clusterrole cluster-admin | ||
| cluster/kubectl.sh create clusterrolebinding --user system:serviceaccount:kube-system:shared-informers kube-system-cluster-admin-5 --clusterrole cluster-admin | ||
| cluster/kubectl.sh create clusterrolebinding --user system:kube-controller-manager kube-system-cluster-admin-6 --clusterrole cluster-admin | ||
| { | ||
| TOKEN=$(openstack token issue -f value -c id) | ||
| authenticated_info=`cat << EOF | curl -kvs -XPOST -d @- https://localhost:8443/webhook | python -c "import sys, json; print json.load(sys.stdin)" | ||
| { | ||
| "apiVersion": "authentication.k8s.io/v1beta1", | ||
| "kind": "TokenReview", | ||
| "metadata": { | ||
| "creationTimestamp": null | ||
| }, | ||
| "spec": { | ||
| "token": "$TOKEN" | ||
| } | ||
| } | ||
| EOF` | ||
| base_body=`cat << EOF | python -c "import sys, json; print json.load(sys.stdin)" | ||
| { | ||
| "apiVersion": "authorization.k8s.io/v1beta1", | ||
| "kind": "SubjectAccessReview", | ||
| "spec": { | ||
| "resourceAttributes": { | ||
| "namespace": "default", | ||
| "verb": "get", | ||
| "group": "", | ||
| "resource": "pods" | ||
| } | ||
| } | ||
| } | ||
| EOF` | ||
| authorization_body=$(python -c "import json; s1=${authenticated_info}; s2=${base_body}; \ | ||
| s2['spec']['user']=s1['status']['user']['username']; \ | ||
| s2['spec']['group']=s1['status']['user']['groups']; \ | ||
| s2['spec']['extra']=s1['status']['user']['extra'];print json.dumps(s2)") | ||
| allowed=$(echo $authorization_body | curl -kvs -XPOST -d @- https://localhost:8443/webhook | python -mjson.tool) | ||
| } 1> /dev/null 2>&1 | ||
| echo ${allowed} | ||
| [[ "${allowed}" =~ '"allowed": true' ]] && echo "Testing k8s-keystone-auth sucessfully!" | ||
| cluster/kubectl.sh config set-credentials openstackuser --auth-provider=openstack | ||
| cluster/kubectl.sh config set-context --cluster=local --user=openstackuser openstackuser@local | ||
| cluster/kubectl.sh config use-context openstackuser@local | ||
| if ! cluster/kubectl.sh get pods; then | ||
| echo "Testing kubernetes+keystone authentication and authorizatio failed!" | ||
| exit 1 | ||
| fi | ||
| popd | ||
| executable: /bin/bash | ||
| chdir: '{{ zuul.project.src_dir }}' | ||
| environment: '{{ golang_env }}' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters