forked from Azure/AgentBaker
-
Notifications
You must be signed in to change notification settings - Fork 0
/
enable-anonymous-auth-for-non-rbac.yaml
64 lines (63 loc) · 2.02 KB
/
enable-anonymous-auth-for-non-rbac.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: enableanonymousauth
namespace: kube-system
labels:
app: enableanonymousauth
spec:
selector:
matchLabels:
name: enableanonymousauth
template:
metadata:
labels:
name: enableanonymousauth
spec:
hostPID: true
hostNetwork: true
nodeSelector:
beta.kubernetes.io/os: linux
containers:
- name: nsenter
image: alpine
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
command:
- nsenter
- --target
- "1"
- --mount
- --uts
- --ipc
- --net
- --pid
- --
- sh
- -c
- |
#! /bin/sh
set -u
while true; do
if [ ! -e /etc/default/kubeletconfig.json ]; then
echo "/etc/default/kubeletconfig.json not found. Skipping..."
sleep infinity
fi
x509=`cat /etc/default/kubeletconfig.json | jq '.authentication.x509'`
if [ "$x509" != "{}" ]; then
echo "x509 not empty, skipping..."
sleep infinity
fi
anonymousauth=`cat /etc/default/kubeletconfig.json | jq '.authentication.anonymous.enabled'`
if [ "$anonymousauth" = true ]; then
echo "anonymous-auth is already enabled. Skipping..."
sleep infinity
fi
cp /etc/default/kubeletconfig.json /etc/default/kubeletconfig.json.bak
tmp=$(mktemp)
jq '.authentication.anonymous.enabled = true' /etc/default/kubeletconfig.json > "$tmp" && mv "$tmp" /etc/default/kubeletconfig.json
chmod +r /etc/default/kubeletconfig.json
cat /etc/default/kubeletconfig.json | jq '.authentication.anonymous'
systemctl restart kubelet
done