Adding RBAC support in kubernetes config (V2) (#694)

* Adding RBAC support in kubernetes config * Enable metric test in k8s * Pass namespace to yaml templates, update API call * Use RbacAuthorizationV1beta1Api * Fix python k8s api * Pass in svc account to deployment * Use latest minikube * Revert "Use latest minikube" This reverts commit 50dbf75. * use default service account for prom * clean up * Deleting cluster role instead of namespaced role * removed service_account_name from start_prom
ucbrise · May 31, 2019 · 2599acd · 2599acd
1 parent 001f9d5
commit 2599acd
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 4 deletions.
diff --git a/bin/run_travis.sh b/bin/run_travis.sh
@@ -71,7 +71,5 @@ retry_test() {
 retry_test python kubernetes_integration_test.py; sleep 30
 retry_test python kubernetes_multi_frontend.py; sleep 30
 retry_test python kubernetes_namespace.py; sleep 30
-retry_test python multi_tenancy_test.py --kubernetes
-
-# TODO: disabled for now, will re-enable after RBAC PR
-# time python clipper_metric_kube.py
+retry_test python multi_tenancy_test.py --kubernetes; sleep 30
+retry_test python clipper_metric_kube.py
diff --git a/clipper_admin/clipper_admin/kubernetes/kubernetes_container_manager.py b/clipper_admin/clipper_admin/kubernetes/kubernetes_container_manager.py
@@ -63,6 +63,10 @@
         'deployment': 'prom_deployment.yaml',
         'config': 'prom_configmap.yaml'
     },
+    'rbac': {
+        'clusterrole': 'rbac_cluster_role.yaml',
+        'clusterrolebinding': 'rbac_cluster_role_binding.yaml',
+    },
     'model': {
         'deployment': 'model-container-template.yaml'
     }
@@ -163,6 +167,8 @@ def __init__(self,
         configuration.assert_hostname = False
         self._k8s_v1 = client.CoreV1Api()
         self._k8s_beta = client.ExtensionsV1beta1Api()
+        self._k8s_rbac = client.RbacAuthorizationV1beta1Api()
+
 
         # Create the template engine
         # Config: Any variable missing -> Error
@@ -249,6 +255,7 @@ def start_clipper(self,
                       qf_http_timeout_request,
                       qf_http_timeout_content,
                       num_frontend_replicas=1):
+        self._config_rbac()
         self._start_redis()
         self._start_mgmt(mgmt_frontend_image)
         self.num_frontend_replicas = num_frontend_replicas
@@ -383,6 +390,21 @@ def _start_prometheus(self):
             self._k8s_v1.create_namespaced_service(
                 body=service_data, namespace=self.k8s_namespace)
 
+    def _config_rbac(self):
+        with _pass_conflicts():
+            clusterrole_data = self._generate_config(
+                CONFIG_FILES['rbac']['clusterrole'],
+                cluster_name=self.cluster_name, namespace=self.k8s_namespace)
+            self._k8s_rbac.create_cluster_role(
+                body=clusterrole_data)
+
+        with _pass_conflicts():
+            clusterrolebinding_data = self._generate_config(
+                CONFIG_FILES['rbac']['clusterrolebinding'],
+                cluster_name=self.cluster_name, namespace=self.k8s_namespace)
+            self._k8s_rbac.create_cluster_role_binding(
+                body=clusterrolebinding_data)
+
     def _generate_config(self, file_path, **kwargs):
         template = self.template_engine.get_template(file_path)
         rendered = template.render(**kwargs)
@@ -659,6 +681,12 @@ def stop_all(self, graceful=True):
 
             self._k8s_v1.delete_collection_namespaced_config_map(
                 namespace=self.k8s_namespace, label_selector=cluster_selector)
+
+            self._k8s_rbac.delete_collection_cluster_role(
+                label_selector=cluster_selector)
+
+            self._k8s_rbac.delete_collection_cluster_role_binding(
+                label_selector=cluster_selector)
         except ApiException as e:
             logging.warning(
                 "Exception deleting kubernetes resources: {}".format(e))

diff --git a/clipper_admin/clipper_admin/kubernetes/rbac_cluster_role.yaml b/clipper_admin/clipper_admin/kubernetes/rbac_cluster_role.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    ai.clipper.container.label: {{ cluster_name }}
+    ai.clipper.name: prom-cluster-role
+  name: {{cluster_name}}-prometheus
+rules:
+- apiGroups: [""]
+  resources:
+  - nodes
+  - nodes/proxy
+  - services
+  - endpoints
+  - pods
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs: ["get", "list", "watch"]
+- nonResourceURLs: ["/metrics"]
+  verbs: ["get"]
diff --git a/clipper_admin/clipper_admin/kubernetes/rbac_cluster_role_binding.yaml b/clipper_admin/clipper_admin/kubernetes/rbac_cluster_role_binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    ai.clipper.container.label: {{ cluster_name }}
+    ai.clipper.name: prom-cluster-role-binding
+  name: {{cluster_name}}-prometheus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{cluster_name}}-prometheus
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: {{ namespace }}