From ff4c372eaaa8ee1705bf5f0fcb380bd1675ef651 Mon Sep 17 00:00:00 2001
From: Jake Sanders
Date: Mon, 6 May 2019 19:21:21 -0700
Subject: [PATCH 1/2] ensure that kubectl works when the master insecure port is disabled
---
 cluster/gce/gci/configure-helper.sh | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index b573460310..6ff75644f0 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -579,6 +579,9 @@ function create-master-auth {
 if [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
 append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
 fi
+ if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then
+ append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BOOTSTRAP_TOKEN}," "system:cluster-bootstrap,uid:system:cluster-bootstrap,system:masters"
+ fi
 if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then
 append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
 fi
@@ -2825,6 +2828,14 @@ function wait-till-apiserver-ready() { done } +function ensure-bootstrap-kubectl-auth { # Creating an authenticated kubeconfig is only necessary if the insecure port is disabled. if [[ -n "${KUBE_BOOTSTRAP_TOKEN}" ]]; then create-kubeconfig "cluster-bootstrap" ${KUBE_BOOTSTRAP_TOKEN} export KUBECONFIG=/etc/srv/kubernetes/cluster-bootstrap/kubeconfig fi } + ########### Main Function ########### function main() { echo "Start to configure instance for kubernetes"
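Review bot: The new `known_tokens_csv` entry puts `KUBE_BOOTSTRAP_TOKEN` in the `system:masters` group, i.e. a second static cluster-admin bearer token next to the admin entry above it, and nothing in the hunk records why that privilege level is needed or for how long the token stays usable. If `known_tokens_csv` is the apiserver's static token file (not visible here), the entry presumably remains valid for the life of the apiserver rather than only during master setup, so a comment above the added `if` should name the consumer and the lifetime, e.g. `# Static token backing the cluster-bootstrap kubeconfig used by ensure-bootstrap-kubectl-auth; it stays in this file after setup finishes.` If a narrower group than system:masters is enough for the kubectl calls made during setup, prefer it. create-master-auth starts and ends outside this hunk.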
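Review bot: `ensure-bootstrap-kubectl-auth` tests `"${KUBE_BOOTSTRAP_TOKEN}"` without the `:-` default that the other token checks in this file use (compare `${KUBE_BEARER_TOKEN:-}` in create-master-auth), so if the script runs under `set -u` the function aborts on an unbound variable in exactly the case it is meant to skip — insecure port enabled, no token generated. The token is then passed unquoted to create-kubeconfig; change the two lines to `if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then` and `create-kubeconfig "cluster-bootstrap" "${KUBE_BOOTSTRAP_TOKEN}"`. The hard-coded `/etc/srv/kubernetes/cluster-bootstrap/kubeconfig` is assumed to match what create-kubeconfig writes for the name "cluster-bootstrap", which cannot be confirmed from this hunk, so a comment such as `# path must match the layout create-kubeconfig uses for "cluster-bootstrap"` would make the coupling explicit. Exporting KUBECONFIG also switches every later kubectl call in the script to this identity, which deserves a sentence in the function's header comment.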
@@ -2872,10 +2883,12 @@ function main() { fi fi - # generate the controller manager, scheduler and cluster autoscaler tokens here since they are only used on the master. KUBE_CONTROLLER_MANAGER_TOKEN="$(secure_random 32)" KUBE_SCHEDULER_TOKEN="$(secure_random 32)" KUBE_CLUSTER_AUTOSCALER_TOKEN="$(secure_random 32)" + if [[ "${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true" ]]; then + KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)" + fi if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then GCE_GLBC_TOKEN="$(secure_random 32)" fi
@@ -2892,6 +2905,7 @@ function main() {
 create-node-pki
 create-master-pki
 create-master-auth
+ ensure-bootstrap-kubectl-auth
 create-master-kubelet-auth
 create-master-etcd-auth
 create-master-etcd-apiserver-auth
From e4d521e82531bfad7e9706a22f34bc93faa1c47a Mon Sep 17 00:00:00 2001
From: Jake Sanders
Date: Mon, 6 May 2019 19:23:50 -0700
Subject: [PATCH 2/2] disable the apiserver insecure port by default in configure-helper
---
 cluster/gce/gci/configure-helper.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 6ff75644f0..a2c9e2bc51 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1540,7 +1540,7 @@ function start-kube-apiserver {
 params+=" --etcd-keyfile=${ETCD_APISERVER_CLIENT_KEY_PATH}"
 fi
 params+=" --secure-port=443"
- if [[ "${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true" ]]; then
+ if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
 # Default is :8080
 params+=" --insecure-port=0"
 fi
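Review bot: The gate `"${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true"` is now spelled in two places — here, deciding whether a bootstrap token exists, and in start-kube-apiserver (first hunk of the second patch), deciding whether `--insecure-port=0` is passed — and the second patch already has to edit both defaults in lockstep. If the two defaults ever diverge, the insecure port is off while no kubeconfig is created and kubectl in the rest of setup fails, which is the failure this patch exists to prevent; evaluating the setting once into a variable both sites read, or at least a comment `# Must agree with the ENABLE_APISERVER_INSECURE_PORT check in start-kube-apiserver`, would close that gap. The hunk also drops the comment explaining that these tokens are generated here because they are only used on the master; a restored version that covers the new token would keep that context. main() starts and ends outside this hunk.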
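Review bot: The added `ensure-bootstrap-kubectl-auth` call exports KUBECONFIG for everything that follows in main(), but its ordering constraints are not documented: it has to run after create-master-auth, which registers the token the kubeconfig presents, and whether create-kubeconfig also depends on the PKI steps above it is not visible here. A short comment on the added line, `# after create-master-auth (registers the token); sets KUBECONFIG for all later kubectl calls`, would record that. main() starts and ends outside this hunk.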
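Review bot: With the default flipped to `false`, the context comment `# Default is :8080` under the changed line now reads as this script's default while the script now passes `--insecure-port=0` unless told otherwise; rewording it to `# kube-apiserver's own default is :8080; disabled here unless ENABLE_APISERVER_INSECURE_PORT=true is set explicitly` avoids that confusion. The same default flip is made in main() in the following hunk, which duplicates this condition; the two must stay in sync because the bootstrap kubeconfig is only created when this check is true. Any value other than the exact string `true` (e.g. `TRUE` or `1`) now disables the port, which matches the main() check but is worth stating in the comment. start-kube-apiserver starts and ends outside this hunk.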
@@ -2886,7 +2886,7 @@ function main() {
 KUBE_CONTROLLER_MANAGER_TOKEN="$(secure_random 32)"
 KUBE_SCHEDULER_TOKEN="$(secure_random 32)"
 KUBE_CLUSTER_AUTOSCALER_TOKEN="$(secure_random 32)"
- if [[ "${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true" ]]; then
+ if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
 KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
 fi
 if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then