prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.
Currently, all users get a personal-$username namespace in which they
have adminitrative rights. Otherwise, they get no access.
In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.
We also update relevant documentation.
Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
diff --git a/cluster/clustercfg/clustercfg.py b/cluster/clustercfg/clustercfg.py
index 24fa745..b6d790b 100644
--- a/cluster/clustercfg/clustercfg.py
+++ b/cluster/clustercfg/clustercfg.py
@@ -57,7 +57,7 @@
def configure_k8s(username, ca, cert, key):
subprocess.check_call([
'kubectl', 'config',
- 'set-cluster', cluster,
+ 'set-cluster', 'admin.' + cluster,
'--certificate-authority=' + ca,
'--embed-certs=true',
'--server=https://' + cluster + ':4001',
@@ -71,13 +71,13 @@
])
subprocess.check_call([
'kubectl', 'config',
- 'set-context', cluster,
- '--cluster=' + cluster,
+ 'set-context', 'admin.' + cluster,
+ '--cluster=' + 'admin.' + cluster,
'--user=' + username,
])
subprocess.check_call([
'kubectl', 'config',
- 'use-context', cluster,
+ 'use-context', 'admin.' + cluster,
])
@@ -86,6 +86,18 @@
sys.stderr.write("Usage: admincreds q3k\n")
return 1
username = args[0]
+ print("")
+ print("WARNING WARNING WARNING WARNING WARNING WARNING")
+ print("===============================================")
+ print("")
+ print("You are requesting ADMIN credentials.")
+ print("")
+ print("You likely shouldn't be doing this, and")
+ print("instead should be using `prodaccess`.")
+ print("")
+ print("===============================================")
+ print("WARNING WARNING WARNING WARNING WARNING WARNING")
+ print("")
## Make kube certificates.
certs_root = os.path.join(local_root, 'cluster/certs')
@@ -169,6 +181,10 @@
## Make kube certificates.
ca_kube = ca.CA(ss, certs_root, 'kube', 'kubernetes main CA')
+ # Make prodvider intermediate CA.
+ c = ca_kube.make_cert('ca-kube-prodvider', o='Warsaw Hackerspace', ou='kubernetes prodvider intermediate', hosts=['kubernetes prodvider intermediate CA'], profile='intermediate')
+ c.ensure()
+
# Make kubelet certificate (per node).
c = ca_kube.make_cert('kube-kubelet-'+fqdn, o='system:nodes', ou='Kubelet', hosts=['system:node:'+fqdn, fqdn])
c.upload_pki(r, pki_config('kube.kubelet'))