6d5b84a458
The default value of the kubernetes keystone authorization webhook is grossly outdated (v0.2). This patch set brings the default up to the latest of this patch set (v1.19). Change-Id: Idbf8d027ad6d5f4fb8bdedaf3047c06c66eef27d Signed-off-by: Tin Lam <tin@irrational.io>
558 lines
12 KiB
YAML
558 lines
12 KiB
YAML
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
---
|
|
labels:
|
|
api:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
test:
|
|
node_selector_key: openstack-control-plane
|
|
node_selector_value: enabled
|
|
|
|
images:
|
|
tags:
|
|
kubernetes_keystone_webhook: docker.io/k8scloudprovider/k8s-keystone-auth:v1.19.0
|
|
scripted_test: docker.io/openstackhelm/heat:newton-ubuntu_xenial
|
|
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
|
|
image_repo_sync: docker.io/docker:17.07.0
|
|
pull_policy: IfNotPresent
|
|
local_registry:
|
|
active: false
|
|
exclude:
|
|
- dep_check
|
|
- image_repo_sync
|
|
|
|
network:
|
|
api:
|
|
ingress:
|
|
public: true
|
|
classes:
|
|
namespace: "nginx"
|
|
cluster: "nginx-cluster"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
|
nginx.ingress.kubernetes.io/secure-backends: "true"
|
|
external_policy_local: false
|
|
node_port:
|
|
enabled: false
|
|
port: 30601
|
|
|
|
pod:
|
|
security_context:
|
|
kubernetes_keystone_webhook:
|
|
pod:
|
|
runAsUser: 65534
|
|
container:
|
|
kubernetes_keystone_webhook:
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
mandatory_access_control:
|
|
type: apparmor
|
|
kubernetes-keystone-webhook:
|
|
kubernetes-keystone-webhook: runtime/default
|
|
affinity:
|
|
anti:
|
|
type:
|
|
default: preferredDuringSchedulingIgnoredDuringExecution
|
|
topologyKey:
|
|
default: kubernetes.io/hostname
|
|
weight:
|
|
default: 10
|
|
replicas:
|
|
api: 1
|
|
resources:
|
|
enabled: false
|
|
api:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "256Mi"
|
|
cpu: "200m"
|
|
jobs:
|
|
tests:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "256Mi"
|
|
cpu: "200m"
|
|
mounts:
|
|
kubernetes_keystone_webhook_api:
|
|
init_container: null
|
|
kubernetes_keystone_webhook_api: null
|
|
kubernetes_keystone_webhook_tests:
|
|
init_container: null
|
|
kubernetes_keystone_webhook_tests: null
|
|
|
|
release_group: null
|
|
|
|
conf:
|
|
policy:
|
|
- resource:
|
|
verbs:
|
|
- "*"
|
|
resources:
|
|
- "*"
|
|
namespace: "*"
|
|
version: "*"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin
|
|
- resource:
|
|
verbs:
|
|
- "*"
|
|
resources:
|
|
- "*"
|
|
namespace: "kube-system"
|
|
version: "*"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- kube-system-admin
|
|
- resource:
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
resources:
|
|
- "*"
|
|
namespace: "kube-system"
|
|
version: "*"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- kube-system-viewer
|
|
- resource:
|
|
verbs:
|
|
- "*"
|
|
resources:
|
|
- "*"
|
|
namespace: "openstack"
|
|
version: "*"
|
|
match:
|
|
- type: project
|
|
values:
|
|
- openstack-system
|
|
- resource:
|
|
verbs:
|
|
- "*"
|
|
resources:
|
|
- "*"
|
|
namespace: "*"
|
|
version: "*"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster
|
|
- nonresource:
|
|
verbs:
|
|
- "*"
|
|
path: "*"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster
|
|
- resource:
|
|
resources:
|
|
- pods
|
|
- pods/attach
|
|
- pods/exec
|
|
- pods/portforward
|
|
- pods/proxy
|
|
- configmaps
|
|
- endpoints
|
|
- persistentvolumeclaims
|
|
- replicationcontrollers
|
|
- replicationcontrollers/scale
|
|
- secrets
|
|
- serviceaccounts
|
|
- services
|
|
- services/proxy
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
namespace: "*"
|
|
version: ""
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_editor
|
|
- resource:
|
|
resources:
|
|
- bindings
|
|
- events
|
|
- limitranges
|
|
- namespaces/status
|
|
- pods/log
|
|
- pods/status
|
|
- replicationcontrollers/status
|
|
- resourcequotas
|
|
- resourcequotas/status
|
|
- namespaces
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
namespace: "*"
|
|
version: ""
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_editor
|
|
- resource:
|
|
resources:
|
|
- serviceaccounts
|
|
verbs:
|
|
- impersonate
|
|
namespace: "*"
|
|
version: ""
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_editor
|
|
- resource:
|
|
resources:
|
|
- daemonsets
|
|
- deployments
|
|
- deployments/rollback
|
|
- deployments/scale
|
|
- replicasets
|
|
- replicasets/scale
|
|
- statefulsets
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
namespace: "*"
|
|
version: "apps"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_editor
|
|
- resource:
|
|
resources:
|
|
- horizontalpodautoscalers
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
namespace: "*"
|
|
version: "autoscaling"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_editor
|
|
- resource:
|
|
resources:
|
|
- cronjobs
|
|
- jobs
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
namespace: "*"
|
|
version: "batch"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_editor
|
|
- resource:
|
|
resources:
|
|
- daemonsets
|
|
- deployments
|
|
- deployments/rollback
|
|
- deployments/scale
|
|
- ingresses
|
|
- networkpolicies
|
|
- replicasets
|
|
- replicasets/scale
|
|
- replicationcontrollers/scale
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
namespace: "*"
|
|
version: "extensions"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_editor
|
|
- resource:
|
|
resources:
|
|
- poddisruptionbudgets
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
namespace: "*"
|
|
version: "policy"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_editor
|
|
- resource:
|
|
resources:
|
|
- networkpolicies
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
namespace: "*"
|
|
version: "networking.k8s.io"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_editor
|
|
- resource:
|
|
resources:
|
|
- configmaps
|
|
- endpoints
|
|
- persistentvolumeclaims
|
|
- pods
|
|
- replicationcontrollers
|
|
- replicationcontrollers/scale
|
|
- serviceaccounts
|
|
- services
|
|
- bindings
|
|
- events
|
|
- limitranges
|
|
- namespaces/status
|
|
- pods/log
|
|
- pods/status
|
|
- replicationcontrollers/status
|
|
- resourcequotas
|
|
- resourcequotas/status
|
|
- namespaces
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
namespace: "*"
|
|
version: ""
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_viewer
|
|
- resource:
|
|
resources:
|
|
- daemonsets
|
|
- deployments
|
|
- deployments/scale
|
|
- replicasets
|
|
- replicasets/scale
|
|
- statefulsets
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
namespace: "*"
|
|
version: "apps"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_viewer
|
|
- resource:
|
|
resources:
|
|
- horizontalpodautoscalers
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
namespace: "*"
|
|
version: "autoscaling"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_viewer
|
|
- resource:
|
|
resources:
|
|
- cronjobs
|
|
- jobs
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
namespace: "*"
|
|
version: "batch"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_viewer
|
|
- resource:
|
|
resources:
|
|
- daemonsets
|
|
- deployments
|
|
- deployments/scale
|
|
- ingresses
|
|
- networkpolicies
|
|
- replicasets
|
|
- replicasets/scale
|
|
- replicationcontrollers/scale
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
namespace: "*"
|
|
version: "extensions"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_viewer
|
|
- resource:
|
|
resources:
|
|
- poddisruptionbudgets
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
namespace: "*"
|
|
version: "policy"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_viewer
|
|
- resource:
|
|
resources:
|
|
- networkpolicies
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
namespace: "*"
|
|
version: "networking.k8s.io"
|
|
match:
|
|
- type: role
|
|
values:
|
|
- admin_k8cluster_viewer
|
|
|
|
secrets:
|
|
identity:
|
|
admin: kubernetes-keystone-webhook-admin
|
|
certificates:
|
|
api: kubernetes-keystone-webhook-certs
|
|
|
|
endpoints:
|
|
cluster_domain_suffix: cluster.local
|
|
kubernetes:
|
|
auth:
|
|
api:
|
|
tls:
|
|
crt: null
|
|
key: null
|
|
identity:
|
|
name: keystone
|
|
namespace: null
|
|
auth:
|
|
admin:
|
|
region_name: RegionOne
|
|
username: admin
|
|
password: password
|
|
project_name: admin
|
|
user_domain_name: default
|
|
project_domain_name: default
|
|
hosts:
|
|
default: keystone
|
|
internal: keystone-api
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /v3
|
|
scheme:
|
|
default: http
|
|
port:
|
|
api:
|
|
default: 80
|
|
internal: 5000
|
|
kubernetes_keystone_webhook:
|
|
namespace: null
|
|
name: k8sksauth
|
|
hosts:
|
|
default: k8sksauth-api
|
|
public: k8sksauth
|
|
host_fqdn_override:
|
|
default: null
|
|
path:
|
|
default: /webhook
|
|
scheme:
|
|
default: https
|
|
port:
|
|
api:
|
|
default: 8443
|
|
public: 443
|
|
|
|
|
|
dependencies:
|
|
dynamic:
|
|
common:
|
|
local_image_registry:
|
|
jobs:
|
|
- k8sksauth-image-repo-sync
|
|
services:
|
|
- endpoint: node
|
|
service: local_image_registry
|
|
static:
|
|
api:
|
|
jobs: null
|
|
services: null
|
|
|
|
manifests:
|
|
api_secret: true
|
|
configmap_etc: true
|
|
configmap_bin: true
|
|
deployment: true
|
|
ingress_webhook: true
|
|
pod_test: true
|
|
secret_certificates: true
|
|
secret_keystone: true
|
|
service_ingress_api: true
|
|
service: true
|
|
...
|