k3s/cmd/kubeadm/app/constants/constants.go

/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package constants

import (
	"path/filepath"
	"time"

	"k8s.io/client-go/pkg/api/v1"
	"k8s.io/kubernetes/pkg/util/version"
)

const (
	// KubernetesDir is the directory kubernetes owns for storing various configuration files
	KubernetesDir = "/etc/kubernetes"

	ManifestsSubDirName = "manifests"

	CACertAndKeyBaseName = "ca"
	CACertName           = "ca.crt"
	CAKeyName            = "ca.key"

	APIServerCertAndKeyBaseName = "apiserver"
	APIServerCertName           = "apiserver.crt"
	APIServerKeyName            = "apiserver.key"

	APIServerKubeletClientCertAndKeyBaseName = "apiserver-kubelet-client"
	APIServerKubeletClientCertName           = "apiserver-kubelet-client.crt"
	APIServerKubeletClientKeyName            = "apiserver-kubelet-client.key"

	ServiceAccountKeyBaseName    = "sa"
	ServiceAccountPublicKeyName  = "sa.pub"
	ServiceAccountPrivateKeyName = "sa.key"

	FrontProxyCACertAndKeyBaseName = "front-proxy-ca"
	FrontProxyCACertName           = "front-proxy-ca.crt"
	FrontProxyCAKeyName            = "front-proxy-ca.key"

	FrontProxyClientCertAndKeyBaseName = "front-proxy-client"
	FrontProxyClientCertName           = "front-proxy-client.crt"
	FrontProxyClientKeyName            = "front-proxy-client.key"

	AdminKubeConfigFileName             = "admin.conf"
	KubeletKubeConfigFileName           = "kubelet.conf"
	ControllerManagerKubeConfigFileName = "controller-manager.conf"
	SchedulerKubeConfigFileName         = "scheduler.conf"

	// Some well-known users and groups in the core Kubernetes authorization system

	ControllerManagerUser = "system:kube-controller-manager"
	SchedulerUser         = "system:kube-scheduler"
	MastersGroup          = "system:masters"
	NodesGroup            = "system:nodes"

	// Constants for what we name our ServiceAccounts with limited access to the cluster in case of RBAC
	KubeDNSServiceAccountName   = "kube-dns"
	KubeProxyServiceAccountName = "kube-proxy"

	// APICallRetryInterval defines how long kubeadm should wait before retrying a failed API operation
	APICallRetryInterval = 500 * time.Millisecond
	// DiscoveryRetryInterval specifies how long kubeadm should wait before retrying to connect to the master when doing discovery
	DiscoveryRetryInterval = 5 * time.Second

	// Minimum amount of nodes the Service subnet should allow.
	// We need at least ten, because the DNS service is always at the tenth cluster clusterIP
	MinimumAddressesInServiceSubnet = 10

	// DefaultTokenDuration specifies the default amount of time that a bootstrap token will be valid
	// Default behaviour is "never expire" == 0
	DefaultTokenDuration = 0

	// LabelNodeRoleMaster specifies that a node is a master
	// It's copied over to kubeadm until it's merged in core: https://github.com/kubernetes/kubernetes/pull/39112
	LabelNodeRoleMaster = "node-role.kubernetes.io/master"

	// MinExternalEtcdVersion indicates minimum external etcd version which kubeadm supports
	MinExternalEtcdVersion = "3.0.14"

	// DefaultAdmissionControl specifies the default admission control options that will be used
	DefaultAdmissionControl = "Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds"
)

var (

	// MasterToleration is the toleration to apply on the PodSpec for being able to run that Pod on the master
	MasterToleration = v1.Toleration{
		Key:    LabelNodeRoleMaster,
		Effect: v1.TaintEffectNoSchedule,
	}

	AuthorizationPolicyPath        = filepath.Join(KubernetesDir, "abac_policy.json")
	AuthorizationWebhookConfigPath = filepath.Join(KubernetesDir, "webhook_authz.conf")

	// DefaultTokenUsages specifies the default functions a token will get
	DefaultTokenUsages = []string{"signing", "authentication"}

	// MinimumControlPlaneVersion specifies the minimum control plane version kubeadm can deploy
	MinimumControlPlaneVersion = version.MustParseSemantic("v1.6.0")

	// MinimumCSRSARApproverVersion specifies the minimum kubernetes version that can be used for enabling the new-in-v1.7 CSR approver based on a SubjectAccessReview
	MinimumCSRSARApproverVersion = version.MustParseSemantic("v1.7.0-beta.0")

	// MinimumAPIAggregationVersion specifies the minimum kubernetes version that can be used enabling the API aggregation in the apiserver and the front proxy flags
	MinimumAPIAggregationVersion = version.MustParseSemantic("v1.7.0-alpha.1")
)
Generate two certs and two private keys; only the necessary ones; make the certs and kubeconfig phases work with valid files already on-disk and some cleanup 2017-01-20 22:33:06 +00:00			`/*`
			`Copyright 2016 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package constants`

kubeadm: Always enable RBAC, validate authz mode and improve the code slightly 2017-02-23 13:30:24 +00:00			`import (`
path.Join to filepath.Join 2017-05-29 17:15:04 +00:00			`"path/filepath"`
kubeadm: Always enable RBAC, validate authz mode and improve the code slightly 2017-02-23 13:30:24 +00:00			`"time"`
kubeadm: Use a new label for marking and tainting the master node 2017-02-23 17:43:09 +00:00
			`"k8s.io/client-go/pkg/api/v1"`
kubeadm: Make kubeadm use the right CSR approver for the right version 2017-06-06 04:47:18 +00:00			`"k8s.io/kubernetes/pkg/util/version"`
kubeadm: Always enable RBAC, validate authz mode and improve the code slightly 2017-02-23 13:30:24 +00:00			`)`
Move the apiCallRetryInterval constants to a common place and a little bit cleanup 2017-02-01 22:05:14 +00:00
Generate two certs and two private keys; only the necessary ones; make the certs and kubeconfig phases work with valid files already on-disk and some cleanup 2017-01-20 22:33:06 +00:00			`const (`
kubeadm: Always enable RBAC, validate authz mode and improve the code slightly 2017-02-23 13:30:24 +00:00			`// KubernetesDir is the directory kubernetes owns for storing various configuration files`
			`KubernetesDir = "/etc/kubernetes"`
add check to authorization config 2017-02-10 06:14:40 +00:00
1. Fix create volume of CertificatesDir. 2. Replace "manifests" to kubeadmconstants.ManifestsDirName 2017-05-31 03:04:17 +00:00			`ManifestsSubDirName = "manifests"`

Generate two certs and two private keys; only the necessary ones; make the certs and kubeconfig phases work with valid files already on-disk and some cleanup 2017-01-20 22:33:06 +00:00			`CACertAndKeyBaseName = "ca"`
			`CACertName = "ca.crt"`
			`CAKeyName = "ca.key"`

			`APIServerCertAndKeyBaseName = "apiserver"`
			`APIServerCertName = "apiserver.crt"`
			`APIServerKeyName = "apiserver.key"`
Fix up the misunderstanding about the apiserver kubelet client cert 2017-01-23 19:45:48 +00:00
			`APIServerKubeletClientCertAndKeyBaseName = "apiserver-kubelet-client"`
			`APIServerKubeletClientCertName = "apiserver-kubelet-client.crt"`
			`APIServerKubeletClientKeyName = "apiserver-kubelet-client.key"`
Default to control plane v1.6.0-alpha.1 for clusters deployed with kubeadm and using RBAC. Also use constants for authz modes 2017-01-31 07:24:15 +00:00
Use a dedicated key for service account token signing 2017-02-11 17:10:06 +00:00			`ServiceAccountKeyBaseName = "sa"`
			`ServiceAccountPublicKeyName = "sa.pub"`
			`ServiceAccountPrivateKeyName = "sa.key"`

add front proxy to kubeadm created kube-apiservers 2017-02-15 15:47:58 +00:00			`FrontProxyCACertAndKeyBaseName = "front-proxy-ca"`
			`FrontProxyCACertName = "front-proxy-ca.crt"`
			`FrontProxyCAKeyName = "front-proxy-ca.key"`

			`FrontProxyClientCertAndKeyBaseName = "front-proxy-client"`
			`FrontProxyClientCertName = "front-proxy-client.crt"`
			`FrontProxyClientKeyName = "front-proxy-client.key"`

kubeadm: Generate kubeconfig files for controller-manager and scheduler and use them; secures the control plane communication 2017-02-23 19:28:03 +00:00			`AdminKubeConfigFileName = "admin.conf"`
			`KubeletKubeConfigFileName = "kubelet.conf"`
			`ControllerManagerKubeConfigFileName = "controller-manager.conf"`
			`SchedulerKubeConfigFileName = "scheduler.conf"`

			`// Some well-known users and groups in the core Kubernetes authorization system`

			`ControllerManagerUser = "system:kube-controller-manager"`
			`SchedulerUser = "system:kube-scheduler"`
			`MastersGroup = "system:masters"`
			`NodesGroup = "system:nodes"`

Move some code from apiclient.go to the dedicated apiconfig phase package. Add constants and somewhat refactor the RBAC code as well 2017-02-01 17:06:51 +00:00			`// Constants for what we name our ServiceAccounts with limited access to the cluster in case of RBAC`
			`KubeDNSServiceAccountName = "kube-dns"`
			`KubeProxyServiceAccountName = "kube-proxy"`
Move the apiCallRetryInterval constants to a common place and a little bit cleanup 2017-02-01 22:05:14 +00:00
			`// APICallRetryInterval defines how long kubeadm should wait before retrying a failed API operation`
			`APICallRetryInterval = 500 * time.Millisecond`
Hook up kubeadm against the BootstrapSigner/BootstrapTokenAuthenticator 2017-03-04 09:17:52 +00:00			`// DiscoveryRetryInterval specifies how long kubeadm should wait before retrying to connect to the master when doing discovery`
			`DiscoveryRetryInterval = 5 * time.Second`
Validate the minimum subnet cidr so there are always 10 available addresses 2017-02-06 17:34:06 +00:00
			`// Minimum amount of nodes the Service subnet should allow.`
			`// We need at least ten, because the DNS service is always at the tenth cluster clusterIP`
			`MinimumAddressesInServiceSubnet = 10`
kubeadm: Aggregate the token functionality in sane packages. - Factor out token constants to kubeadmconstants. - Move cmd/kubeadm/app/util/{,token/}tokens.go - Use the token-id, token-secret, etc constants provided by the bootstrapapi package - Move cmd/kubeadm/app/master/tokens.go to cmd/kubeadm/app/phases/token/csv.go This refactor basically makes it possible to hook up kubeadm to the BootstrapSigner controller later on 2017-02-16 20:22:30 +00:00
			`// DefaultTokenDuration specifies the default amount of time that a bootstrap token will be valid`
kubeadm: Implement the kubeadm token command fully and move it out of the experimental subsection 2017-02-27 10:56:03 +00:00			`// Default behaviour is "never expire" == 0`
			`DefaultTokenDuration = 0`
kubeadm: Aggregate the token functionality in sane packages. - Factor out token constants to kubeadmconstants. - Move cmd/kubeadm/app/util/{,token/}tokens.go - Use the token-id, token-secret, etc constants provided by the bootstrapapi package - Move cmd/kubeadm/app/master/tokens.go to cmd/kubeadm/app/phases/token/csv.go This refactor basically makes it possible to hook up kubeadm to the BootstrapSigner controller later on 2017-02-16 20:22:30 +00:00
kubeadm: Use a new label for marking and tainting the master node 2017-02-23 17:43:09 +00:00			`// LabelNodeRoleMaster specifies that a node is a master`
			`// It's copied over to kubeadm until it's merged in core: https://github.com/kubernetes/kubernetes/pull/39112`
			`LabelNodeRoleMaster = "node-role.kubernetes.io/master"`

preflight check external etcd version Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn> 2017-02-23 09:33:16 +00:00			`// MinExternalEtcdVersion indicates minimum external etcd version which kubeadm supports`
			`MinExternalEtcdVersion = "3.0.14"`
Make the CLI arguments for the control plane overridable 2017-02-27 00:41:34 +00:00
			`// DefaultAdmissionControl specifies the default admission control options that will be used`
Add Initializers to all admission control paths by default 2017-05-26 04:10:00 +00:00			`DefaultAdmissionControl = "Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds"`
Generate two certs and two private keys; only the necessary ones; make the certs and kubeconfig phases work with valid files already on-disk and some cleanup 2017-01-20 22:33:06 +00:00			`)`
kubeadm: Always enable RBAC, validate authz mode and improve the code slightly 2017-02-23 13:30:24 +00:00
			`var (`
kubeadm: Use a new label for marking and tainting the master node 2017-02-23 17:43:09 +00:00
			`// MasterToleration is the toleration to apply on the PodSpec for being able to run that Pod on the master`
			`MasterToleration = v1.Toleration{`
			`Key: LabelNodeRoleMaster,`
			`Effect: v1.TaintEffectNoSchedule,`
			`}`

path.Join to filepath.Join 2017-05-29 17:15:04 +00:00			`AuthorizationPolicyPath = filepath.Join(KubernetesDir, "abac_policy.json")`
			`AuthorizationWebhookConfigPath = filepath.Join(KubernetesDir, "webhook_authz.conf")`
kubeadm: Implement the kubeadm token command fully and move it out of the experimental subsection 2017-02-27 10:56:03 +00:00
			`// DefaultTokenUsages specifies the default functions a token will get`
			`DefaultTokenUsages = []string{"signing", "authentication"}`
kubeadm: Make kubeadm use the right CSR approver for the right version 2017-06-06 04:47:18 +00:00
			`// MinimumControlPlaneVersion specifies the minimum control plane version kubeadm can deploy`
			`MinimumControlPlaneVersion = version.MustParseSemantic("v1.6.0")`

			`// MinimumCSRSARApproverVersion specifies the minimum kubernetes version that can be used for enabling the new-in-v1.7 CSR approver based on a SubjectAccessReview`
			`MinimumCSRSARApproverVersion = version.MustParseSemantic("v1.7.0-beta.0")`

			`// MinimumAPIAggregationVersion specifies the minimum kubernetes version that can be used enabling the API aggregation in the apiserver and the front proxy flags`
			`MinimumAPIAggregationVersion = version.MustParseSemantic("v1.7.0-alpha.1")`
kubeadm: Always enable RBAC, validate authz mode and improve the code slightly 2017-02-23 13:30:24 +00:00			`)`