add structured authentication configuration

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -42,7 +42,6 @@ credentials_dir: "{{ inventory_dir }}/credentials"
 # kube_oidc_auth: false
 # kube_token_auth: false
 
-
 ## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/
 ## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...)
 
@@ -118,7 +117,8 @@ kube_network_node_prefix_ipv6: 120
 
 # The port the API Server will be listening on.
 kube_apiserver_ip: "{{ kube_service_addresses | ansible.utils.ipaddr('net') | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') }}"
-kube_apiserver_port: 6443  # (https)
+# https port
+kube_apiserver_port: 6443
 
 # Kube-proxy proxyMode configuration.
 # Can be ipvs, iptables

roles/kubernetes/control-plane/defaults/main/kube-apiserver-auth.yml

@@ -0,0 +1,37 @@
+---
+kube_apiserver_structured_auth_jwt_issuers: []
+# Example JWT issuer configuration:
+# kube_apiserver_structured_auth_jwt_issuers:
+#   - issuer:
+#       url: "https://issuer1.example.com"
+#       audiences:
+#         - audience1
+#         - audience2
+#       audienceMatchPolicy: MatchAny
+#     claimMappings:
+#       username:
+#         expression: "claims.username"
+#       groups:
+#         expression: "claims.groups"
+#       uid:
+#         expression: "claims.uid"
+#     userValidationRules:
+#       - expression: "!user.username.startsWith('system:')"
+#         message: "username cannot use reserved system: prefix"
+#   - issuer:
+#       url: "https://issuer2.example.com"
+#       discoveryURL: "https://discovery.example.com/.well-known/openid-configuration"
+#       audiences:
+#         - audience3
+#         - audience4
+#       audienceMatchPolicy: MatchAny
+#     claimMappings:
+#       username:
+#         expression: "claims.username"
+#       groups:
+#         expression: "claims.groups"
+#       uid:
+#         expression: "claims.uid"
+#     userValidationRules:
+#       - expression: "!user.username.startsWith('kubespray:')"
+#         message: "username cannot use reserved kubespray: prefix"

roles/kubernetes/control-plane/defaults/main/main.yml

@@ -162,9 +162,10 @@ kube_apiserver_admission_plugins_podnodeselector_default_node_selector: ""
 # kube_oidc_client_id: kubernetes
 ## Optional settings for OIDC
 # kube_oidc_username_claim: sub
-# kube_oidc_username_prefix: 'oidc:'
+# kube_oidc_username_prefix: "oidc:"
 # kube_oidc_groups_claim: groups
-# kube_oidc_groups_prefix: 'oidc:'
+# kube_oidc_groups_prefix: "oidc:"
+# kube_oidc_uid_claim: "sub"
 # Copy oidc CA file to the following path if needed
 # kube_oidc_ca_file: {{ kube_cert_dir }}/ca.pem
 # Optionally include a base64-encoded oidc CA cert

roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

@@ -82,6 +82,39 @@
     mode: "0640"
   when: kube_apiserver_tracing
 
+- name: Kubeadm | Configure Structured Authentication
+  vars:
+    all_kube_apiserver_feature_gates: "{{ kube_apiserver_feature_gates + kube_feature_gates }}"
+  when:
+    - not kube_oidc_auth
+    - ("StructuredAuthenticationConfiguration=true" in all_kube_apiserver_feature_gates and kube_version | regex_replace("^v", "") is version("1.30.0", "<", version_type="semver"))
+      or
+      ("StructuredAuthenticationConfiguration=false" not in all_kube_apiserver_feature_gates and kube_version | regex_replace("^v", "") is version("1.30.0", ">=", version_type="semver"))
+  block:
+    - name: Kubeadm | Create apiserver authentication config directory
+      file:
+        path: "{{ kube_config_dir }}/authentication"
+        state: directory
+        mode: "0640"
+
+    - name: Merge additional userValidationRules
+      set_fact:
+        kube_apiserver_structured_auth_jwt_issuers: >-
+          {{
+            kube_apiserver_structured_auth_jwt_issuers | map('combine', {
+              'userValidationRules': item.userValidationRules + additional_user_validation_rules
+            }) | list
+          }}
+      loop: "{{ kube_apiserver_structured_auth_jwt_issuers }}"
+      loop_control:
+        loop_var: item
+
+    - name: Kubeadm | Write apiserver authentication config yaml
+      template:
+        src: apiserver-authentication-config.yaml.j2
+        dest: "{{ kube_config_dir }}/authentication/apiserver-authentication-config.yaml"
+        mode: "0640"
+
 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
 - name: Set kubeadm_config_api_fqdn define
   set_fact:

roles/kubernetes/control-plane/templates/apiserver-authentication-config.yaml.j2

@@ -0,0 +1,48 @@
+---
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+{% if kube_apiserver_structured_auth_jwt_issuers | length > 0 %}
+jwt:
+{% for issuer in kube_apiserver_structured_auth_jwt_issuers %}
+- issuer:
+    url: "{{ issuer.issuer.url }}"
+{% if issuer.issuer.discoveryURL is defined %}
+    discoveryURL: "{{ issuer.issuer.discoveryURL }}"
+{% endif %}
+    audiences:
+{% for audience in issuer.issuer.audiences %}
+    - {{ audience }}
+{% endfor %}
+    audienceMatchPolicy: {{ issuer.issuer.audienceMatchPolicy }}
+{% if issuer.claimValidationRules is defined %}
+  claimValidationRules:
+{% for validationRule in issuer.claimValidationRules %}
+    expression: "{{ validationRule.expression }}"
+    message: "{{ validationRule.message }}"
+{% endfor %}
+{% endif %}
+  claimMappings:
+    username:
+      expression: "{{ issuer.claimMappings.username.expression }}"
+    groups:
+      expression: "{{ issuer.claimMappings.groups.expression }}"
+    uid:
+      expression: "{{ issuer.claimMappings.uid.expression }}"
+{% if issuer.claimMappings.extra is defined %}
+    extra:
+{% for extra in issuer.claimMappings.extra %}
+    - key: "{{ extra.key }}"
+      expression: "{{ extra.expression }}"
+{% endfor %}
+{% endif %}
+{% if issuer.userValidationRules | length > 0 %}
+  userValidationRules:
+{% for rule in issuer.userValidationRules %}
+  - expression: "{{ rule.expression }}"
+    message: "{{ rule.message }}"
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% else %}
+jwt:
+{% endif %}

roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2

@@ -154,7 +154,7 @@ apiServer:
 {% if kube_apiserver_service_account_lookup %}
     service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
 {% endif %}
-{% if kube_oidc_auth | default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
+{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
     oidc-issuer-url: "{{ kube_oidc_url }}"
     oidc-client-id: "{{ kube_oidc_client_id }}"
 {%   if kube_oidc_ca_file is defined %}
@@ -173,6 +173,9 @@ apiServer:
     oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
 {%   endif %}
 {% endif %}
+{% if not kube_oidc_auth %}
+    authentication-config: {{ kube_config_dir }}/authentication/apiserver-authentication-config.yaml
+{% endif %}
 {% if kube_webhook_token_auth | default(false) %}
     authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
 {% endif %}
@@ -261,6 +264,13 @@ apiServer:
     readOnly: false
     pathType: DirectoryOrCreate
 {% endif %}
+{% if not kube_oidc_auth %}
+  - name: structauth
+    hostPath: {{ kube_config_dir }}/authentication
+    mountPath: {{ kube_config_dir }}/authentication
+    readOnly: true
+    pathType: DirectoryOrCreate
+{% endif %}
 {% if kube_apiserver_tracing %}
   - name: tracing
     hostPath: {{ kube_config_dir }}/tracing

roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2

@@ -182,7 +182,7 @@ apiServer:
   - name: service-account-lookup
     value: "{{ kube_apiserver_service_account_lookup }}"
 {% endif %}
-{% if kube_oidc_auth | default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
+{% if kube_oidc_auth and kube_oidc_url is defined and kube_oidc_client_id is defined %}
   - name: oidc-issuer-url
     value: "{{ kube_oidc_url }}"
   - name: oidc-client-id
@@ -208,6 +208,10 @@ apiServer:
     value: "{{ kube_oidc_groups_prefix }}"
 {%   endif %}
 {% endif %}
+{% if not kube_oidc_auth %}
+  - name: authentication-config
+    value: "{{ kube_config_dir }}/authentication/apiserver-authentication-config.yaml"
+{% endif %}
 {% if kube_webhook_token_auth | default(false) %}
   - name: authentication-token-webhook-config-file
     value: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
@@ -317,6 +321,13 @@ apiServer:
     readOnly: false
     pathType: DirectoryOrCreate
 {% endif %}
+{% if not kube_oidc_auth %}
+  - name: structauth
+    hostPath: {{ kube_config_dir }}/authentication
+    mountPath: {{ kube_config_dir }}/authentication
+    readOnly: true
+    pathType: DirectoryOrCreate
+{% endif %}
 {% if kube_apiserver_tracing %}
   - name: tracing
     hostPath: {{ kube_config_dir }}/tracing

roles/kubernetes/control-plane/vars/main.yaml

@@ -7,3 +7,8 @@ kube_apiserver_admission_plugins_needs_configuration:
 - PodSecurity
 - PodNodeSelector
 - ResourceQuota
+additional_user_validation_rules:
+- expression: "!user.username.startsWith('system:')"
+  message: "username cannot used reserved system: prefix"
+- expression: "user.groups.all(group, !group.startsWith('system:'))"
+  message: "groups cannot used reserved system: prefix"