From 10545d72b3bcd67c1ad3e9723fac87ec2b473b36 Mon Sep 17 00:00:00 2001
From: Alain Roy
Date: Wed, 27 Apr 2016 13:30:21 -0700
Subject: [PATCH] Fixes to allow Kubernetes dashboard (UI) to work
The UI didn't work with vSphere kube-up implementation. This fixes that by making the following changes:
* Configure the apiserver with admission controls, especially ServiceAccount. This will provide the token to the dashboard pod that it needs to talk to the apiserver. This will also improve other pods that require service accounts.
* Add routes to the master so it can communicate with the pods, so hitting the https://MASTER/ui URL will allow it to contact the pods.
* Add an extra subject for the cluster IP to the apiserver, so when the dashboard communicates with the apiserver, the certificate matches the IP address it's using.
---
 cluster/vsphere/config-default.sh | 6 ++++++
 .../templates/create-dynamic-salt-files.sh | 3 ++-
 cluster/vsphere/templates/salt-master.sh | 1 +
 cluster/vsphere/util.sh | 18 +++++++++++++++++-
 4 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/cluster/vsphere/config-default.sh b/cluster/vsphere/config-default.sh
index d841d0febf..260730c917 100755
--- a/cluster/vsphere/config-default.sh
+++ b/cluster/vsphere/config-default.sh
@@ -57,5 +57,11 @@ DNS_REPLICAS=1
 # Optional: Install Kubernetes UI
 ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}"
 
+# We need to configure subject alternate names (SANs) for the master's certificate
+# we generate. While users will connect via the external IP, pods (like the UI)
+# will connect via the cluster IP, from the SERVICE_CLUSTER_IP_RANGE.
+# In addition to the extra SANS here, we'll also add one for for the service IP.
+MASTER_EXTRA_SANS="DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.${DNS_DOMAIN}"
+
 # Optional: if set to true, kube-up will configure the cluster to run e2e tests.
 E2E_STORAGE_TEST_ENVIRONMENT=${KUBE_E2E_STORAGE_TEST_ENVIRONMENT:-false}
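Review bot: `MASTER_EXTRA_SANS` is the one setting in this hunk without a `KUBE_*` environment override, while `ENABLE_CLUSTER_UI` and `E2E_STORAGE_TEST_ENVIRONMENT` on the surrounding lines both take one, so an operator who reaches the master through an additional hostname has to edit the file to get that name into the certificate; `MASTER_EXTRA_SANS="${KUBE_MASTER_EXTRA_SANS:-DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.${DNS_DOMAIN}}"` keeps the default and the file's convention. The new comment has a doubled word in `one for for the service IP`, and the usual term is "subject alternative names". The value depends on `DNS_DOMAIN` already being assigned earlier in the file, which is outside this hunk.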
diff --git a/cluster/vsphere/templates/create-dynamic-salt-files.sh b/cluster/vsphere/templates/create-dynamic-salt-files.sh
index 1dcaa071ff..e85aaacf7d 100755
--- a/cluster/vsphere/templates/create-dynamic-salt-files.sh
+++ b/cluster/vsphere/templates/create-dynamic-salt-files.sh
@@ -112,7 +112,7 @@ node_instance_prefix: $NODE_INSTANCE_PREFIX
 service_cluster_ip_range: $SERVICE_CLUSTER_IP_RANGE
 enable_cluster_monitoring: "${ENABLE_CLUSTER_MONITORING:-none}"
 enable_cluster_logging: "${ENABLE_CLUSTER_LOGGING:false}"
-enable_cluster_ui: "${ENABLE_CLUSTER_UI:false}"
+enable_cluster_ui: "${ENABLE_CLUSTER_UI:true}"
 enable_node_logging: "${ENABLE_NODE_LOGGING:false}"
 logging_destination: $LOGGING_DESTINATION
 elasticsearch_replicas: $ELASTICSEARCH_LOGGING_REPLICAS
@@ -123,6 +123,7 @@ dns_domain: $DNS_DOMAIN
 e2e_storage_test_environment: "${E2E_STORAGE_TEST_ENVIRONMENT:-false}"
 cluster_cidr: "$NODE_IP_RANGES"
 allocate_node_cidrs: "${ALLOCATE_NODE_CIDRS:-true}"
+admission_control: NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
 EOF
 
 mkdir -p /srv/salt-overlay/salt/nginx
diff --git a/cluster/vsphere/templates/salt-master.sh b/cluster/vsphere/templates/salt-master.sh
index 81ab17bcb5..f009cd0c8c 100755
--- a/cluster/vsphere/templates/salt-master.sh
+++ b/cluster/vsphere/templates/salt-master.sh
@@ -27,6 +27,7 @@ grains:
 - kubernetes-master
 cbr-cidr: $MASTER_IP_RANGE
 cloud: vsphere
+ master_extra_sans: $MASTER_EXTRA_SANS
 EOF
 
 # Auto accept all keys from minions that try to join
diff --git a/cluster/vsphere/util.sh b/cluster/vsphere/util.sh
index 6dab6c2901..925684045c 100755
--- a/cluster/vsphere/util.sh
+++ b/cluster/vsphere/util.sh
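Review bot: The rewritten line `enable_cluster_ui: "${ENABLE_CLUSTER_UI:true}"` does not set a default: `${parameter:word}` is bash substring expansion, and `true` evaluates arithmetically to 0 (an unset name), so the expansion yields the whole value when `ENABLE_CLUSTER_UI` is set and an empty string when it is not. Changing `false` to `true` therefore changes nothing; the default syntax is `enable_cluster_ui: "${ENABLE_CLUSTER_UI:-true}"`. The `enable_cluster_logging` and `enable_node_logging` lines in the same hunk carry the same mistake but are not touched by this commit. In practice the pillar will usually receive a value because the util.sh hunk now writes `ENABLE_CLUSTER_UI` into the generated script, which is why the bug is easy to miss.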
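Review bot: In the second hunk the admission plugin list is written into the pillar as a fixed literal, while every other value in this heredoc comes from a shell variable, so the set of admission controllers cannot be changed without editing the template; a line such as `admission_control: "${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota}"` (variable name illustrative) keeps this default and lets config-default.sh override it like the other settings. Turning on ServiceAccount admission also means pod creation is refused until a token exists for the namespace's default service account, which depends on the controller-manager having a signing key configured — that is not visible in this patch and is worth confirming on a vSphere master.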
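Review bot: In the salt-master.sh hunk the new grain `master_extra_sans: $MASTER_EXTRA_SANS` is emitted as an unquoted YAML scalar; the value kube-up builds is a comma list of `IP:`/`DNS:` entries, which YAML reads as a plain string only because no colon is followed by a space, and an empty `MASTER_EXTRA_SANS` turns the grain into a YAML null rather than an empty string. `master_extra_sans: "$MASTER_EXTRA_SANS"` gives a string in both cases; the neighbouring grains use the unquoted style, so this is a judgement call, and the code that consumes the grain is not part of this patch.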
@@ -326,10 +326,12 @@ function setup-pod-routes {
 done
 
- # make the pods visible to each other.
+ # Make the pods visible to each other and to the master.
+ # The master needs have routes to the pods for the UI to work.
 local j
 for (( i=0; i<${#NODE_NAMES[@]}; i++)); do
 printf "setting up routes for ${NODE_NAMES[$i]}"
+ kube-ssh "${KUBE_MASTER_IP}" "sudo route add -net ${KUBE_NODE_BRIDGE_NETWORK[${i}]} gw ${KUBE_NODE_IP_ADDRESSES[${i}]}"
 for (( j=0; j<${#NODE_NAMES[@]}; j++)); do
 if [[ $i != $j ]]; then
 kube-ssh ${KUBE_NODE_IP_ADDRESSES[$i]} "sudo route add -net ${KUBE_NODE_BRIDGE_NETWORK[$j]} gw ${KUBE_NODE_IP_ADDRESSES[$j]}"
@@ -355,6 +357,18 @@ function kube-up {
 local htpasswd
 htpasswd=$(cat "${KUBE_TEMP}/htpasswd")
 
+ # This calculation of the service IP should work, but if you choose an
+ # alternate subnet, there's a small chance you'd need to modify the
+ # service_ip, below. We'll choose an IP like 10.244.240.1 by taking
+ # the first three octets of the SERVICE_CLUSTER_IP_RANGE and tacking
+ # on a .1
+ local octets
+ local service_ip
+ octets=($(echo "${SERVICE_CLUSTER_IP_RANGE}" | sed -e 's|/.*||' -e 's/\./ /g'))
+ ((octets[3]+=1))
+ service_ip=$(echo "${octets[*]}" | sed 's/ /./g')
+ MASTER_EXTRA_SANS="IP:${service_ip},DNS:${MASTER_NAME},${MASTER_EXTRA_SANS}"
+
 echo "Starting master VM (this can take a minute)..."
 
 (
@@ -371,6 +385,7 @@ function kube-up {
 echo "readonly ENABLE_NODE_LOGGING='${ENABLE_NODE_LOGGING:-false}'"
 echo "readonly LOGGING_DESTINATION='${LOGGING_DESTINATION:-}'"
 echo "readonly ENABLE_CLUSTER_DNS='${ENABLE_CLUSTER_DNS:-false}'"
+ echo "readonly ENABLE_CLUSTER_UI='${ENABLE_CLUSTER_UI:-false}'"
 echo "readonly DNS_SERVER_IP='${DNS_SERVER_IP:-}'"
 echo "readonly DNS_DOMAIN='${DNS_DOMAIN:-}'"
 echo "readonly KUBE_USER='${KUBE_USER:-}'"
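Review bot: The new comment `# The master needs have routes to the pods for the UI to work.` is missing a word; `# The master needs to have routes to the pods for the UI to work.` Like the existing per-node line below it, the added `kube-ssh` to the master ignores its exit status, and `route add` fails when the route is already present, so what happens on a second kube-up run depends on whether kube-ssh propagates that status and whether the script runs with `set -e` — neither is visible here, and a short note on the line saying that an existing route is expected to be harmless would settle it. The loop and setup-pod-routes continue past the end of the hunk.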
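Review bot: In the second hunk the service IP is derived by word-splitting an `echo | sed` substitution into `octets` and then running `((octets[3]+=1))` with no check on the shape of `SERVICE_CLUSTER_IP_RANGE`; a malformed value (or an IPv6 range) gives an empty or non-numeric fourth element, which bash silently evaluates as an expression, so `MASTER_EXTRA_SANS` would get a wrong `IP:` entry and in-cluster clients such as the dashboard would fail certificate verification against the real service IP with nothing in the kube-up output to explain it. The comment also says the code tacks on `.1` when it actually increments whichever fourth octet was supplied, so `10.244.240.5/20` yields `.6`. Validating the range with a regex, splitting with `read -a` and joining with `printf -v` gives the same address for well-formed input without the two pipelines and fails loudly otherwise; kube-up continues beyond the hunk.
```shell
  local service_ip
  # The kubernetes service takes the first host address of the range; build it
  # from the dotted quad directly and refuse anything that is not an IPv4 CIDR.
  if [[ ! "${SERVICE_CLUSTER_IP_RANGE}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]]; then
    echo "SERVICE_CLUSTER_IP_RANGE must be an IPv4 CIDR, got '${SERVICE_CLUSTER_IP_RANGE}'" >&2
    return 1
  fi
  local -a octets
  IFS=. read -r -a octets <<<"${SERVICE_CLUSTER_IP_RANGE%%/*}"
  octets[3]=$((octets[3] + 1))
  printf -v service_ip '%s.%s.%s.%s' "${octets[@]}"
  MASTER_EXTRA_SANS="IP:${service_ip},DNS:${MASTER_NAME},${MASTER_EXTRA_SANS}"
  # … unchanged: echo "Starting master VM …" and the subshell that follows …
```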
@@ -379,6 +394,7 @@ function kube-up {
 echo "readonly SALT_TAR='${SALT_TAR##*/}'"
 echo "readonly MASTER_HTPASSWD='${htpasswd}'"
 echo "readonly E2E_STORAGE_TEST_ENVIRONMENT='${E2E_STORAGE_TEST_ENVIRONMENT:-}'"
+ echo "readonly MASTER_EXTRA_SANS='${MASTER_EXTRA_SANS:-}'"
 grep -v "^#" "${KUBE_ROOT}/cluster/vsphere/templates/create-dynamic-salt-files.sh"
 grep -v "^#" "${KUBE_ROOT}/cluster/vsphere/templates/install-release.sh"
 grep -v "^#" "${KUBE_ROOT}/cluster/vsphere/templates/salt-master.sh"