Support Kerberos in helm charts as option (#24)

* Support kerberos as option

* Use a secret for keytabs

* Address review comments

* Address review comments

Author: kimoonkim

charts/README.md

@@ -11,3 +11,6 @@ the following order.
      `hdfs-namenode-k8s/README.md` for how to launch.
   2. `hdfs-datanode-k8s`: Launches the hdfs datanode daemons. See
      `hdfs-datanode-k8s/README.md` for how to launch.
+
+Kerberos is supported. See the `kerberosEnabled` option in the namenode and
+datanode charts.

charts/hdfs-datanode-k8s/README.md

@@ -9,13 +9,26 @@ HDFS `datanodes` running inside a kubernetes cluster. See the other chart for
   $ kubectl label node YOUR-MASTER-NAME hdfs-datanode-exclude=yes
   ```
 
-  2. Launch this helm chart, `hdfs-datanode-k8s`.
+  2. (Skip this if you do not plan to enable Kerberos)
+     Conduct the Kerberos setups described in the namenode
+     [README.md](../hdfs-namenode-k8s/README.md), if you have not done that
+     already.
+
+  3. Launch this helm chart, `hdfs-datanode-k8s`.
 
   ```
   $ helm install -n my-hdfs-datanode hdfs-datanode-k8s
   ```
 
-  3. Confirm the daemons are launched.
+  If enabling Kerberos, specify necessary options. For instance,
+
+  ```
+  $ helm install -n my-hdfs-datanode  \
+      --set kerberosEnabled=true,kerberosRealm=MYCOMPANY.COM hdfs-datanode-k8s
+  ```
+  The two variables above are required. For other variables, see values.yaml.
+
+  4. Confirm the daemons are launched.
 
   ```
   $ kubectl get pods | grep hdfs-datanode-
@@ -24,7 +37,10 @@ HDFS `datanodes` running inside a kubernetes cluster. See the other chart for
   ```
 
 `Datanode` daemons run on every cluster node. They also mount k8s `hostPath`
-local disk volumes.
+local disk volumes.  You may want to restrict access of `hostPath`
+using `pod security policy`.
+See [reference](https://github.com/kubernetes/examples/blob/master/staging/podsecuritypolicy/rbac/README.md))
+
 
 `Datanodes` are using `hostNetwork` to register to `namenode` using
 physical IPs.
@@ -34,4 +50,4 @@ Note they run under the `default` namespace.
 ###Credits
 
 This chart is using public Hadoop docker images hosted by
-  [uhopper](https://hub.docker.com/u/uhopper/).
+[uhopper](https://hub.docker.com/u/uhopper/).

charts/hdfs-datanode-k8s/templates/datanode-daemonset.yaml

@@ -32,6 +32,46 @@ spec:
         - name: datanode
           image: uhopper/hadoop-datanode:2.7.2
           env:
+            # The following env vars are listed according to low-to-high precedence order.
+            # i.e. Whoever comes last will override the earlier value of the same variable.
+            {{- if .Values.kerberosEnabled }}
+            - name: CORE_CONF_hadoop_security_authentication
+              value: kerberos
+            - name: CORE_CONF_hadoop_security_authorization
+              value: "true"
+            - name: CORE_CONF_hadoop_rpc_protection
+              value: privacy
+            - name: HDFS_CONF_dfs_block_access_token_enable
+              value: "true"
+            - name: HDFS_CONF_dfs_encrypt_data_transfer
+              value: "true"
+            - name: HDFS_CONF_dfs_datanode_kerberos_principal
+              value: hdfs/_HOST@{{ required "A valid kerberosRealm entry required!" .Values.kerberosRealm }}
+            - name:  HDFS_CONF_dfs_datanode_kerberos_https_principal
+              value: http/_HOST@{{ required "A valid kerberosRealm entry required!" .Values.kerberosRealm }}
+            - name: HDFS_CONF_dfs_web_authentication_kerberos_principal
+              value: http/_HOST@{{ required "A valid kerberosRealm entry required!" .Values.kerberosRealm }}
+            - name: HDFS_CONF_dfs_datanode_keytab_file
+              value: /etc/security/hdfs.keytab
+            {{- if .Values.jsvcEnabled }}
+            - name: HDFS_CONF_dfs_datanode_address
+              value: 0.0.0.0:1004
+            - name: HDFS_CONF_dfs_datanode_http_address
+              value: 0.0.0.0:1006
+            - name: HADOOP_SECURE_DN_USER
+              value: root
+            - name: JSVC_OUTFILE
+              value: /dev/stdout
+            - name: JSVC_ERRFILE
+              value: /dev/stderr
+            - name: JSVC_HOME
+              value: /jsvc-home
+            {{- end }}
+            {{- end }}
+            {{- range $key, $value := .Values.customHadoopConfig }}
+            - name: {{ $key | quote }}
+              value: {{ $value | quote }}
+            {{- end }}
             - name: CORE_CONF_fs_defaultFS
               value: hdfs://hdfs-namenode-0.hdfs-namenode.default.svc.cluster.local:8020
             # The below uses two loops to make sure the last item does not have comma. It uses index 0
@@ -48,26 +88,63 @@ spec:
                   /hadoop/dfs/data/{{ $index }}
                 {{- end }}
               {{- end }}
-            # We now add custom hadoop configuration provided
-            {{- range $key, $value := .Values.customHadoopConfig }}
-            {{- if and (ne $key "HDFS_CONF_dfs_datanode_data_dir") (ne $key "CORE_CONF_fs_defaultFS") }}
-            - name: {{ $key | quote }}
-              value: {{ $value | quote }}
-            {{- end }}
-            {{- end }}
           livenessProbe:
             initialDelaySeconds: 30
             httpGet:
               host: 127.0.0.1
               path: /
+              {{- if and .Values.kerberosEnabled .Values.jsvcEnabled }}
+              port: 1006
+              {{- else }}
               port: 50075
+              {{- end }}
           securityContext:
             privileged: true
           volumeMounts:
             {{- range $index, $path := .Values.dataNodeHostPath }}
             - name: hdfs-data-{{ $index }}
               mountPath: /hadoop/dfs/data/{{ $index }}
             {{- end }}
+            {{- if .Values.kerberosEnabled }}
+            - name: kerberos-config
+              mountPath: /etc/krb5.conf
+              subPath: {{ .Values.kerberosConfigFileName }}
+              readOnly: true
+            - name: kerberos-keytab-copy
+              mountPath: /etc/security/
+              readOnly: true
+            {{- if .Values.jsvcEnabled }}
+            - name: jsvc-home
+              mountPath: /jsvc-home
+            {{- end }}
+            {{- end }}
+      {{- if and .Values.kerberosEnabled .Values.jsvcEnabled }}
+      initContainers:
+        - name: copy-kerberos-keytab
+          image: busybox:1.27.1
+          command: ['sh', '-c']
+          args:
+            - cp /kerberos-keytabs/$MY_NODE_NAME.keytab /kerberos-keytab-copy/hdfs.keytab
+          env:
+            - name: MY_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: kerberos-keytabs
+              mountPath: /kerberos-keytabs
+            - name: kerberos-keytab-copy
+              mountPath: /kerberos-keytab-copy
+        - name: copy-jsvc
+          # Pull by digest because the image doesn't have tags to pin.
+          image: mschlimb/jsvc@sha256:bf20eb9a319e9a2f87473d8da7418d21503a97528b932800b6b8417cd31e30ef
+          command: ['sh', '-c']
+          args:
+            - cp /usr/bin/jsvc /jsvc-home/jsvc
+          volumeMounts:
+            - name: jsvc-home
+              mountPath: /jsvc-home
+      {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -82,3 +159,17 @@ spec:
           hostPath:
             path: {{ $path }}
         {{- end }}
+        {{- if .Values.kerberosEnabled }}
+        - name: kerberos-config
+          configMap:
+            name: {{ .Values.kerberosConfigMap }}
+        - name: kerberos-keytabs
+          secret:
+            secretName: {{ .Values.kerberosKeytabsSecret }}
+        - name: kerberos-keytab-copy
+          emptyDir: {}
+        {{- if .Values.jsvcEnabled }}
+        - name: jsvc-home
+          emptyDir: {}
+        {{- end }}
+        {{- end }}

charts/hdfs-datanode-k8s/values.yaml

@@ -31,3 +31,31 @@ dataNodeHostPath:
 customHadoopConfig: {}
   # Set variables through a hash where env variable is the key, e.g.
   # HDFS_CONF_dfs_datanode_use_datanode_hostname: "false"
+
+# Whether or not Kerberos support is enabled.
+kerberosEnabled: false
+
+# Required to be non-empty if Kerberos is enabled. Specify your Kerberos realm name.
+# This should match the realm name in your Kerberos config file.
+kerberosRealm: ""
+
+# Effective only if Kerberos is enabled. Name of the k8s config map containing
+# the kerberos config file.
+kerberosConfigMap: kerberos-config
+
+# Effective only if Kerberos is enabled. Name of the kerberos config file inside
+# the config map.
+kerberosConfigFileName: krb5.conf
+
+# Effective only if Kerberos is enabled. Name of the k8s secret containing
+# the kerberos keytab files of per-host hdfs principals. The secret should
+# have multiple data items. Each data item name should be formatted as:
+#    `HOST-NAME.keytab`
+# where HOST-NAME should match the cluster node
+# host name that each per-host HDFS principal is associated with.
+kerberosKeytabsSecret: hdfs-kerberos-keytabs
+
+# Effective only if Kerberos is enabled. Enable protection of datanodes using
+# the jsvc utility. See the reference doc at
+# https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-common/SecureMode.html#Secure_DataNode
+jsvcEnabled: true

charts/hdfs-namenode-k8s/README.md

@@ -12,13 +12,68 @@ HDFS `namenode` running inside a kubernetes cluster. See the other chart for
   $ kubectl label nodes YOUR-HOST hdfs-namenode-selector=hdfs-namenode-0
   ```
 
-  2. Launch this helm chart, `hdfs-namenode-k8s`.
+  2. (Skip this if you do not plan to enable Kerberos)
+     Prepare Kerberos setup, following the steps below.
+
+     - Create a config map containing your Kerberos config file. This will be
+       mounted onto the namenode and datanode pods.
+
+     ```
+      $ kubectl create configmap kerberos-config --from-file=/etc/krb5.conf
+     ```
+
+     - Generate per-host principal accounts and password keytab files for the namenode
+       and datanode daemons. This is typically done in your Kerberos KDC host. For example,
+       suppose the namenode will run on the k8s cluster node kube-n1.mycompany.com,
+       and your datanodes will run on kube-n1.mycompany.com and kube-n2.mycompany.com.
+       And your Kerberos realm is MYCOMPANY.COM, then
+
+     ```
+      $ kadmin.local -q "addprinc -randkey hdfs/[email protected]"
+      $ kadmin.local -q "addprinc -randkey http/[email protected]"
+      $ mkdir hdfs-keytabs
+      $ kadmin.local -q "ktadd -norandkey  \
+                -k hdfs-keytabs/kube-n1.mycompany.com.keytab  \
+                hdfs/[email protected]  \
+                http/[email protected]"
+
+      $ kadmin.local -q "addprinc -randkey hdfs/[email protected]"
+      $ kadmin.local -q "addprinc -randkey http/[email protected]"
+      $ kadmin.local -q "ktadd -norandkey  \
+                -k hdfs-keytabs/kube-n2.mycompany.com.keytab  \
+                hdfs/[email protected]  \
+                http/[email protected]"
+      $ kadmin.local -q "ktadd -norandkey  \
+                -k hdfs-keytabs/kube-n2.mycompany.com.keytab  \
+                hdfs/[email protected]  \
+                http/[email protected]"
+     ```
+
+     - Create a k8s secret containing all the keytab files. This will be mounted
+       onto the namenode and datanode pods. (You may want to restrict access to
+       this secret using k8s
+       [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/),
+       to minimize exposure of the keytab files.
+     ```
+      $ kubectl create secret generic hdfs-kerberos-keytabs  \
+            --from-file=kube-n1.mycompany.com.keytab  \
+            --from-file=kube-n2.mycompany.com.keytab
+     ```
+
+  3. Launch this namenode helm chart, `hdfs-namenode-k8s`.
 
   ```
   $ helm install -n my-hdfs-namenode hdfs-namenode-k8s
   ```
 
-  3. Confirm the daemon is launched.
+  If enabling Kerberos, specify necessary options. For instance,
+  ```
+  $ helm install -n my-hdfs-namenode  \
+      --set kerberosEnabled=true,kerberosRealm=MYCOMPANY.COM hdfs-namenode-k8s
+  ```
+  The two variables above are required. For other variables, see values.yaml.
+
+  4. Confirm the daemon is launched.
 
   ```
   $ kubectl get pods | grep hdfs-namenode
@@ -28,10 +83,12 @@ HDFS `namenode` running inside a kubernetes cluster. See the other chart for
 There will be only one `namenode` instance. i.e. High Availability (HA) is not
 supported at the moment. The `namenode` instance is supposed to be pinned to
 a cluster host using a node label, as shown in the usage above. `Namenode`
-mount a local disk directory using k8s `hostPath` volume.
+mount a local disk directory using k8s `hostPath` volume. You may want to
+restrict access of `hostPath` using `pod security policy`.
+See [reference](https://github.com/kubernetes/examples/blob/master/staging/podsecuritypolicy/rbac/README.md)
 
 `namenode` is using `hostNetwork` so it can see physical IPs of datanodes
-without an overlay network such as weave-net mask them.
+without an overlay network such as weave-net masking them.
 
 ###Credits
 

charts/hdfs-namenode-k8s/templates/namenode-statefulset.yaml

@@ -51,21 +51,67 @@ spec:
         - name: hdfs-namenode
           image: uhopper/hadoop-namenode:2.7.2
           env:
-            - name: CLUSTER_NAME
-              value: hdfs-k8s
-            # We now add custom hadoop configuration provided
+            # The following env vars are listed according to low-to-high precedence order.
+            # i.e. Whoever comes last will override the earlier value of the same variable.
+            {{- if .Values.kerberosEnabled }}
+            - name: CORE_CONF_hadoop_security_authentication
+              value: kerberos
+            - name: CORE_CONF_hadoop_security_authorization
+              value: "true"
+            - name: CORE_CONF_hadoop_rpc_protection
+              value: privacy
+            - name:   HDFS_CONF_dfs_block_access_token_enable
+              value: "true"
+            - name:   HDFS_CONF_dfs_encrypt_data_transfer
+              value: "true"
+            - name: HDFS_CONF_dfs_namenode_kerberos_principal
+              value: hdfs/_HOST@{{ required "A valid kerberosRealm entry required!" .Values.kerberosRealm }}
+            - name:  HDFS_CONF_dfs_namenode_kerberos_https_principal
+              value: http/_HOST@{{ required "A valid kerberosRealm entry required!" .Values.kerberosRealm }}
+            - name: HDFS_CONF_dfs_web_authentication_kerberos_principal
+              value: http/_HOST@{{ required "A valid kerberosRealm entry required!" .Values.kerberosRealm }}
+            - name: HDFS_CONF_dfs_namenode_keytab_file
+              value: /etc/security/hdfs.keytab
+            {{- end }}
             {{- range $key, $value := .Values.customHadoopConfig }}
-            {{- if ne $key "CLUSTER_NAME" }}
             - name: {{ $key | quote }}
               value: {{ $value | quote }}
             {{- end }}
-            {{- end }}
+            - name: CLUSTER_NAME
+              value: hdfs-k8s
           ports:
           - containerPort: 8020
             name: fs
           volumeMounts:
             - name: hdfs-name
               mountPath: /hadoop/dfs/name
+            {{- if .Values.kerberosEnabled }}
+            - name: kerberos-config
+              mountPath: /etc/krb5.conf
+              subPath: {{ .Values.kerberosConfigFileName }}
+              readOnly: true
+            - name: kerberos-keytab-copy
+              mountPath: /etc/security/
+              readOnly: true
+            {{- end }}
+      {{- if .Values.kerberosEnabled }}
+      initContainers:
+        - name: copy-kerberos-keytab
+          image: busybox:1.27.1
+          command: ['sh', '-c']
+          args:
+            - cp /kerberos-keytabs/$MY_NODE_NAME.keytab /kerberos-keytab-copy/hdfs.keytab
+          env:
+            - name: MY_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: kerberos-keytabs
+              mountPath: /kerberos-keytabs
+            - name: kerberos-keytab-copy
+              mountPath: /kerberos-keytab-copy
+      {{- end }}
       # Pin the pod to a node. You can label your node like below:
       #   $ kubectl label nodes YOUR-NODE hdfs-namenode-selector=hdfs-namenode-0
       nodeSelector:
@@ -75,3 +121,13 @@ spec:
         - name: hdfs-name
           hostPath:
             path: {{ .Values.nameNodeHostPath }}
+        {{- if .Values.kerberosEnabled }}
+        - name: kerberos-config
+          configMap:
+            name: {{ .Values.kerberosConfigMap }}
+        - name: kerberos-keytabs
+          secret:
+            secretName: {{ .Values.kerberosKeytabsSecret }}
+        - name: kerberos-keytab-copy
+          emptyDir: {}
+        {{- end }}