Skip to content

Unprivileged user kerberos #1571

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wbclark wants to merge 11 commits into from
Closed

Unprivileged user kerberos #1571

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
672aeb7
Use fully qualified collection names in playbooks/
wbclark Aug 24, 2022
4da2826
Use fully qualified collection names in roles/
wbclark Aug 29, 2022
ebb1898
Replace include with include_tasks
wbclark Aug 29, 2022
86da61a
Dont compare Booleans to literal True/False
wbclark Aug 29, 2022
588605e
Name all role tasks and capitalize names
wbclark Aug 29, 2022
c5fb671
Capitalize task names in playbooks/
wbclark Aug 29, 2022
7d9b182
Improve Jinja2 spacing
wbclark Aug 29, 2022
2bc1f49
Optionally add additional groups to unprivileged_user
wbclark Aug 31, 2022
27e491c
Use authorized_key module and optionally import shh pubkey from GitHub
wbclark Aug 31, 2022
625308a
Use community.general.sudoers for unprivileged_user sudoers control
wbclark Aug 31, 2022
8bc3978
Add options to configure unprivileged_user for Kerberos auth
wbclark Aug 31, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions playbooks/collect_debug.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,19 +11,19 @@
- role: sos_report
tasks:
- name: "Find bats files"
find:
ansible.builtin.find:
paths: "{{ bats_output_dir }}"
patterns: "*.tap"
register: bats_results

- name: "Copy bats results"
fetch:
ansible.builtin.fetch:
src: "{{ item.path }}"
dest: "{{ remote_dir }}"
with_items: "{{ bats_results.files }}"

- name: "Find smoker files"
find:
ansible.builtin.find:
paths: "{{ smoker_output_dir }}"
patterns:
- "junit.xml"
Expand All @@ -34,20 +34,20 @@
register: smoker_results

- name: "Copy smoker results"
fetch:
ansible.builtin.fetch:
src: "{{ item.path }}"
dest: "{{ remote_dir }}"
with_items: "{{ smoker_results.files }}"

- name: "Find backup files"
find:
ansible.builtin.find:
paths: "{{ backup_output_dir }}"
recurse: True
hidden: True
register: backup_results

- name: "Copy backup results"
fetch:
ansible.builtin.fetch:
src: "{{ item.path }}"
dest: "{{ remote_dir }}"
with_items: "{{ backup_results.files }}"
146 changes: 73 additions & 73 deletions playbooks/kubevirt.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,53 +13,53 @@
- selinux
- epel_repositories
tasks:
- name: disable swap
command: swapoff -a
- name: Disable swap
ansible.builtin.command: swapoff -a

- name: deconfigure swap
mount:
- name: Deconfigure swap
ansible.posix.mount:
src: /swapfile
fstype: swap
path: none
state: absent

- name: modprobe br_netfilter
modprobe:
- name: Modprobe br_netfilter
community.general.modprobe:
name: br_netfilter

- name: configure bridge iptables
sysctl:
- name: Configure bridge iptables
ansible.posix.sysctl:
name: "{{ item }}"
value: 1
sysctl_file: /etc/sysctl.d/k8s.conf
with_items:
- net.bridge.bridge-nf-call-ip6tables
- net.bridge.bridge-nf-call-iptables

- name: install needed network manager libs
yum:
- name: Install needed network manager libs
ansible.builtin.yum:
name:
- NetworkManager-glib
- NetworkManager

- name: Configure bridge
nmcli:
community.general.nmcli:
state: present
type: bridge
conn_name: foreman

- name: install docker
yum:
- name: Install docker
ansible.builtin.yum:
name: docker

- name: enable docker
service:
- name: Enable docker
ansible.builtin.service:
name: docker
enabled: true
state: started

- name: k8s repo
yum_repository:
- name: Enable kubernetes repo
ansible.builtin.yum_repository:
name: kubernetes
description: Kubernetes
baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
Expand All @@ -69,102 +69,102 @@
gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude: kube*

- name: install kubelet kubeadm kubectl
yum:
- name: Install kubelet kubeadm kubectl
ansible.builtin.yum:
name:
- kubelet-{{ kubernetes_version }}
- kubeadm-{{ kubernetes_version }}
- kubectl-{{ kubernetes_version }}
disable_excludes: kubernetes

- name: create /etc/systemd/system/kubelet.service.d/
file:
- name: Create /etc/systemd/system/kubelet.service.d/
ansible.builtin.file:
path: /etc/systemd/system/kubelet.service.d/
state: directory

- name: enable kubelet accounting
copy:
- name: Enable kubelet accounting
ansible.builtin.copy:
dest: /etc/systemd/system/kubelet.service.d/11-cgroups.conf
content: |
[Service]
CPUAccounting=true
MemoryAccounting=true

- name: reload systemd
systemd:
- name: Reload systemd
ansible.builtin.systemd:
daemon_reload: yes

- name: enable kubelet
service:
- name: Enable kubelet
ansible.builtin.service:
name: kubelet
enabled: true
state: started

- name: init cluster
command: kubeadm init --pod-network-cidr={{ pod_network }} --apiserver-advertise-address={{ ansible_eth0['ipv4']['address'] }}
- name: Init cluster
ansible.builtin.command: kubeadm init --pod-network-cidr={{ pod_network }} --apiserver-advertise-address={{ ansible_eth0['ipv4']['address'] }}
args:
creates: /etc/kubernetes/admin.conf

- name: untaint master
command: kubectl taint nodes --all node-role.kubernetes.io/master-
- name: Untaint master
ansible.builtin.command: kubectl taint nodes --all node-role.kubernetes.io/master-
register: untaint_master
failed_when: false
changed_when: untaint_master.rc == 0
environment:
KUBECONFIG: /etc/kubernetes/admin.conf

- name: deploy flannel
command: kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/{{ flannel_version }}/Documentation/kube-flannel.yml
- name: Deploy flannel
ansible.builtin.command: kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/{{ flannel_version }}/Documentation/kube-flannel.yml
args:
creates: /etc/cni/net.d/10-flannel.conflist
environment:
KUBECONFIG: /etc/kubernetes/admin.conf

- name: deploy network namespace
command: kubectl apply -f https://github.com/kubevirt/cluster-network-addons-operator/releases/download/{{ network_operator }}/namespace.yaml
- name: Deploy network namespace
ansible.builtin.command: kubectl apply -f https://github.com/kubevirt/cluster-network-addons-operator/releases/download/{{ network_operator }}/namespace.yaml
args:
creates: /etc/cni/net.d/multus.d/multus.kubeconfig
environment:
KUBECONFIG: /etc/kubernetes/admin.conf

- name: deploy network crd
command: kubectl apply -f https://github.com/kubevirt/cluster-network-addons-operator/releases/download/{{ network_operator }}/network-addons-config.crd.yaml
- name: Deploy network crd
ansible.builtin.command: kubectl apply -f https://github.com/kubevirt/cluster-network-addons-operator/releases/download/{{ network_operator }}/network-addons-config.crd.yaml
args:
creates: /etc/cni/net.d/multus.d/multus.kubeconfig
environment:
KUBECONFIG: /etc/kubernetes/admin.conf

- name: deploy network operator
command: kubectl apply -f https://github.com/kubevirt/cluster-network-addons-operator/releases/download/{{ network_operator }}/operator.yaml
- name: Deploy network operator
ansible.builtin.command: kubectl apply -f https://github.com/kubevirt/cluster-network-addons-operator/releases/download/{{ network_operator }}/operator.yaml
args:
creates: /etc/cni/net.d/multus.d/multus.kubeconfig
environment:
KUBECONFIG: /etc/kubernetes/admin.conf

- name: deploy kubevirt operator
command: kubectl apply -f https://github.com/kubevirt/kubevirt/releases/download/{{ kubevirt_version }}/kubevirt-operator.yaml
- name: Deploy kubevirt operator
ansible.builtin.command: kubectl apply -f https://github.com/kubevirt/kubevirt/releases/download/{{ kubevirt_version }}/kubevirt-operator.yaml
args:
creates: /var/lib/kubelet/device-plugins/kubevirt-tun.sock
environment:
KUBECONFIG: /etc/kubernetes/admin.conf

- name: deploy kubevirt cr
command: kubectl apply -f https://github.com/kubevirt/kubevirt/releases/download/{{ kubevirt_version }}/kubevirt-cr.yaml
- name: Deploy kubevirt cr
ansible.builtin.command: kubectl apply -f https://github.com/kubevirt/kubevirt/releases/download/{{ kubevirt_version }}/kubevirt-cr.yaml
args:
creates: /var/lib/kubelet/device-plugins/kubevirt-tun.sock
environment:
KUBECONFIG: /etc/kubernetes/admin.conf

- name: check for NetworkAddonsConfig
command: kubectl get networkaddonsconfigs cluster
- name: Check for NetworkAddonsConfig
ansible.builtin.command: kubectl get networkaddonsconfigs cluster
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
failed_when: false
changed_when: false
register: netaddonsconfig

- name: prepare NetworkAddonsConfig file
copy:
- name: Prepare NetworkAddonsConfig file
ansible.builtin.copy:
dest: /tmp/netaddonsconfig
content: |
apiVersion: networkaddonsoperator.network.kubevirt.io/v1alpha1
Expand All @@ -178,33 +178,33 @@
linuxBridge: {}
when: netaddonsconfig.rc != 0

- name: create NetworkAddonsConfig
command: kubectl create -f /tmp/netaddonsconfig
- name: Create NetworkAddonsConfig
ansible.builtin.command: kubectl create -f /tmp/netaddonsconfig
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
when: netaddonsconfig.rc != 0

- name: install virtctl
get_url:
- name: Install virtctl
ansible.builtin.get_url:
url: https://github.com/kubevirt/kubevirt/releases/download/{{ kubevirt_version }}/virtctl-{{ kubevirt_version }}-linux-amd64
dest: /usr/bin/virtctl
mode: u=rwx,g=rx,o=rx

- name: wait for the network to be ready
command: kubectl wait networkaddonsconfig cluster --for condition=Ready --timeout=300s
- name: Wait for the network to be ready
ansible.builtin.command: kubectl wait networkaddonsconfig cluster --for condition=Ready --timeout=300s
environment:
KUBECONFIG: /etc/kubernetes/admin.conf

- name: check for bridge-foreman NetworkAttachmentDefinition
command: kubectl get net-attach-def bridge-foreman
- name: Check for bridge-foreman NetworkAttachmentDefinition
ansible.builtin.command: kubectl get net-attach-def bridge-foreman
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
failed_when: false
changed_when: false
register: bridge_foreman_net_attach

- name: prepare bridge-foreman NetworkAttachmentDefinition file
copy:
- name: Prepare bridge-foreman NetworkAttachmentDefinition file
ansible.builtin.copy:
dest: /tmp/bridge-foreman-net-attach-def
content: |
apiVersion: "k8s.cni.cncf.io/v1"
Expand All @@ -220,22 +220,22 @@
}'
when: bridge_foreman_net_attach.rc != 0

- name: create bridge-foreman NetworkAttachmentDefinition
command: kubectl create -f /tmp/bridge-foreman-net-attach-def
- name: Create bridge-foreman NetworkAttachmentDefinition
ansible.builtin.command: kubectl create -f /tmp/bridge-foreman-net-attach-def
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
when: bridge_foreman_net_attach.rc != 0

- name: check for foreman-account ServiceAccount
command: kubectl get sa foreman-account
- name: Check for foreman-account ServiceAccount
ansible.builtin.command: kubectl get sa foreman-account
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
failed_when: false
changed_when: false
register: foreman_service_sa

- name: prepare foreman-account ServiceAccount file
copy:
- name: Prepare foreman-account ServiceAccount file
ansible.builtin.copy:
dest: /tmp/foreman-account-sa
content: |
apiVersion: v1
Expand All @@ -258,34 +258,34 @@
namespace: default
when: foreman_service_sa.rc != 0

- name: create foreman-account ServiceAccount
command: kubectl create -f /tmp/foreman-account-sa
- name: Create foreman-account ServiceAccount
ansible.builtin.command: kubectl create -f /tmp/foreman-account-sa
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
when: foreman_service_sa.rc != 0

- name: create /home/vagrant/.kube
file:
- name: Create /home/vagrant/.kube
ansible.builtin.file:
path: /home/vagrant/.kube
state: directory
owner: vagrant
group: vagrant

- name: deploy kube config
copy:
- name: Deploy kube config
ansible.builtin.copy:
src: /etc/kubernetes/admin.conf
dest: /home/vagrant/.kube/config
remote_src: yes
owner: vagrant
group: vagrant

- name: get foreman-account secret
shell: "set -o pipefail && kubectl get secrets $(kubectl get sa foreman-account -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -d | xargs"
- name: Get foreman-account secret
ansible.builtin.shell: "set -o pipefail && kubectl get secrets $(kubectl get sa foreman-account -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -d | xargs"
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
changed_when: false
register: foreman_account_secret

- name: show foreman-account secret
debug:
- name: Show foreman-account secret
ansible.builtin.debug:
msg: "{{ foreman_account_secret.stdout }}"
Loading