From 96850dc6005a88bb9a49415d013953cec3497942 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?=
Date: Tue, 13 Dec 2016 17:51:15 +0200
Subject: [PATCH] Set --anonymous-auth to false on v1.5 clusters to preserve the locked-down v1.4 behaviour

---
 cmd/kubeadm/app/master/manifests.go | 14 ++++++++++++--
 cmd/kubeadm/app/master/manifests_test.go | 1 +
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/cmd/kubeadm/app/master/manifests.go b/cmd/kubeadm/app/master/manifests.go
index 59de9406a1..1d9df68cc9 100644
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@@ -53,7 +53,10 @@ const (
 
 var (
 // Minimum version of kube-apiserver that supports --kubelet-preferred-address-types
- preferredAddressMinimumVersion = semver.MustParse("1.5.0-beta.2")
+ preferredAddressAPIServerMinVersion = semver.MustParse("1.5.0")
+
+ // Minimum version of kube-apiserver that has to have --anonymous-auth=false set
+ anonAuthDisableAPIServerMinVersion = semver.MustParse("1.5.0")
 )
 
 // WriteStaticPodManifests builds manifest objects based on user provided configuration and then dumps it to disk
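Review bot: `anonAuthDisableAPIServerMinVersion` is `1.5.0` and is checked with `GTE`, and under semver a pre-release such as `1.5.0-beta.2` orders below `1.5.0`, so a cluster built from a v1.5 beta or rc version gets neither `--anonymous-auth=false` nor the preferred-address flag. If pre-release 1.5 builds are meant to be covered, the bound must itself be a pre-release (as the removed `1.5.0-beta.2` was); if they are deliberately excluded, the comment should say so, e.g. `// Pre-releases of 1.5.0 (e.g. 1.5.0-beta.2) compare lower than this bound and will NOT get the flag.` Raising the preferred-address bound from `1.5.0-beta.2` to `1.5.0` is a behaviour change for beta clusters that neither the commit message nor the comment on the variable explains. The `var (` block is complete in the hunk, but the `const (` block named in the hunk header ends before it.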
@@ -303,9 +306,16 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration) []string {
 // work on bare-metal where hostnames aren't usually resolvable
 // Omit the "v" in the beginning, otherwise semver will fail
 k8sVersion, err := semver.Parse(cfg.KubernetesVersion[1:])
- if err == nil && k8sVersion.GTE(preferredAddressMinimumVersion) {
+
+ // If the k8s version is greater than this version, it supports telling it which way it should contact kubelets
+ if err == nil && k8sVersion.GTE(preferredAddressAPIServerMinVersion) {
 command = append(command, "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname")
 }
+
+ // This is a critical "bugfix". Any version above this is vulnarable unless a RBAC/ABAC-authorizer is provided (which kubeadm doesn't for the time being)
+ if err == nil && k8sVersion.GTE(anonAuthDisableAPIServerMinVersion) {
+ command = append(command, "--anonymous-auth=false")
+ }
 }
 
 // Check if the user decided to use an external etcd cluster
diff --git a/cmd/kubeadm/app/master/manifests_test.go b/cmd/kubeadm/app/master/manifests_test.go
index 6494b9f99f..d6d9e18f18 100644
--- a/cmd/kubeadm/app/master/manifests_test.go
+++ b/cmd/kubeadm/app/master/manifests_test.go
@@ -447,6 +447,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 "--allow-privileged",
 "--advertise-address=foo",
 "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
+ "--anonymous-auth=false",
 "--etcd-servers=http://127.0.0.1:2379",
 },
 },
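Review bot: The new `--anonymous-auth=false` flag is gated on `err == nil`, so when `semver.Parse(cfg.KubernetesVersion[1:])` fails (a version given without the leading `v`, or any non-semver string) the error is silently dropped and the manifest is written with anonymous auth left at the apiserver's own default — a fail-open on exactly the check the added comment calls critical. At minimum the parse failure should be surfaced instead of swallowed, e.g. `if err != nil { fmt.Printf("[apiserver] WARNING: cannot parse KubernetesVersion %q: %v; version-dependent flags (incl. --anonymous-auth=false) will not be set\n", cfg.KubernetesVersion, err) }` using whatever logging the file already has, and it is worth deciding whether an unparseable version should default to setting the flag rather than omitting it (only safe if every apiserver kubeadm still supports accepts `--anonymous-auth` — confirm). In the added comment, `vulnarable` should be `vulnerable` and `a RBAC/ABAC-authorizer` should be `an RBAC/ABAC authorizer`. `getAPIServerCommand` starts and ends outside the hunk, as does the block that the lone context `}` closes, so whether `cfg.KubernetesVersion` is guarded against being empty before the `[1:]` slice is not visible here.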
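Review bot: The updated expectation pins only the positive case for whatever `KubernetesVersion` this table entry uses, which is set outside the hunk; there is no entry asserting that `--anonymous-auth=false` is absent for a pre-1.5 version such as `v1.4.7`, and none for a pre-release such as `v1.5.0-beta.2`, which `GTE(1.5.0)` rejects and so also gets no flag. Adding those two table entries would lock in the version boundary this commit relies on, and a missing negative case means a future bound change could start passing an unsupported flag to older apiservers without any test noticing. `TestGetAPIServerCommand` and the table entry this hunk sits in begin and end outside the hunk.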