From 91d5229b9c0e083cae60a8dc3e546145a82c7f93 Mon Sep 17 00:00:00 2001
From: Spyros Trigazis
Date: Wed, 25 Apr 2018 12:22:43 +0000
Subject: [PATCH] k8s_fedora: Add admin user

Add an admin service account and give it the cluster role. It can be used for access apps with token authentication like the kubernetes-dashboard. Remove the cluster role from the dashboard service account.

Change-Id: I7980c0e72b0d71921e42af7338d02b8a1e563c34
Closes-Bug: #1766284
---
 .../kube-apiserver-to-kubelet-role.sh | 28 +++++++++++++++++++
 .../fragments/kube-dashboard-service.sh | 17 -----------
 ...8s-fedora-admin-user-e760f9b0edf49391.yaml | 8 ++++++
 3 files changed, 36 insertions(+), 17 deletions(-)
 create mode 100644 releasenotes/notes/bug-1766284-k8s-fedora-admin-user-e760f9b0edf49391.yaml

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
index 39b8a1b6da..b77b85f000 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
@@ -45,3 +45,31 @@ subjects:
     kind: User
     name: kubernetes
 EOF
+
+# Create an admin user and give it the cluster role.
+ADMIN_RBAC=/srv/magnum/kubernetes/kubernetes-admin-rbac.yaml
+
+[ -f ${ADMIN_RBAC} ] || {
+    echo "Writing File: $ADMIN_RBAC"
+    mkdir -p $(dirname ${ADMIN_RBAC})
+    cat << EOF > ${ADMIN_RBAC}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: admin
+  namespace: kube-system
+EOF
+}
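Review bot: Nothing in this hunk applies the manifest it writes: the new side ends at the closing `}` after the heredoc into ${ADMIN_RBAC}, and no `kubectl apply` for that file appears, so unless another fragment picks the file up the admin ServiceAccount and its ClusterRoleBinding are never created in the cluster; if that is not done elsewhere, add `kubectl apply -f ${ADMIN_RBAC}` after the closing brace. Because the binding grants cluster-admin to a ServiceAccount, and a ServiceAccount's token is stored as a secret in its namespace, I would record that in the file next to the manifest, e.g. `# The token secret of this ServiceAccount is a cluster-admin credential; anyone able to read secrets in kube-system can use it.` Minor style point: `[ -f ${ADMIN_RBAC} ]`, `mkdir -p $(dirname ${ADMIN_RBAC})` and the redirection use unquoted expansions; quoting them (`[ -f "${ADMIN_RBAC}" ]`, `mkdir -p "$(dirname "${ADMIN_RBAC}")"`) is harmless for this fixed path and keeps ShellCheck clean. The earlier part of the script, including whatever applies the preceding manifest, is outside the hunk, so whether the same mechanism covers this file cannot be confirmed from here.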
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/kube-dashboard-service.sh b/magnum/drivers/common/templates/kubernetes/fragments/kube-dashboard-service.sh
index 67bcd77499..03149d7058 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/kube-dashboard-service.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/kube-dashboard-service.sh
@@ -196,23 +196,6 @@ spec:
     targetPort: 8443
   selector:
     k8s-app: kubernetes-dashboard
----
-# Grant admin privileges to the dashboard serviceacount
-
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: kubernetes-dashboard
-  labels:
-    k8s-app: kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: kubernetes-dashboard
-  namespace: kube-system
 EOF
 }
diff --git a/releasenotes/notes/bug-1766284-k8s-fedora-admin-user-e760f9b0edf49391.yaml b/releasenotes/notes/bug-1766284-k8s-fedora-admin-user-e760f9b0edf49391.yaml
new file mode 100644
index 0000000000..9049df0035
--- /dev/null
+++ b/releasenotes/notes/bug-1766284-k8s-fedora-admin-user-e760f9b0edf49391.yaml
@@ -0,0 +1,8 @@
+---
+security:
+  - |
+    k8s_fedora Remove cluster role from the kubernetes-dashboard account. When
+    accessing the dashboard and skip authentication, users login with the
+    kunernetes-dashboard service account, if that service account has the
+    cluster role, users have admin access without authentication. Create an
+    admin service account for this use case and others.