Merge pull request #8718 from vishh/kube2sky

Avoid making connections to the apiserver insecure by default in kube2sky
2015-06-02 14:11:58 -07:00 · 2015-06-02 14:11:58 -07:00 · aa2f0be626
parent 808932c079 404558f29c
commit aa2f0be626
4 changed files with 38 additions and 24 deletions
--- a/cluster/addons/dns/kube2sky/Changelog
+++ b/cluster/addons/dns/kube2sky/Changelog
@ -5,3 +5,8 @@

 ## Version 1.7 (May 25 2015 Vishnu Kannan <vishnuk@google.com>)
 - Adding support for headless services. All pods backing a headless service is addressible via DNS RR.
+
+
+## Version 1.8 (May 18 2015 Vishnu Kannan <vishnuk@google.com>)
+- Avoid making connections to the master insecure by default
+- Let users override the master URL in kubeconfig via a flag
--- a/cluster/addons/dns/kube2sky/Makefile
+++ b/cluster/addons/dns/kube2sky/Makefile
@ -4,7 +4,7 @@

 .PHONY: all kube2sky container push clean test

-TAG = 1.7
+TAG = 1.8
 PREFIX = gcr.io/google_containers

 all: container
--- a/cluster/addons/dns/kube2sky/kube2sky.go
+++ b/cluster/addons/dns/kube2sky/kube2sky.go
@ -34,7 +34,6 @@ import (
 	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"
 	kcache "github.com/GoogleCloudPlatform/kubernetes/pkg/client/cache"
 	kclientcmd "github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd"
-	kclientcmdapi "github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd/api"
 	kframework "github.com/GoogleCloudPlatform/kubernetes/pkg/controller/framework"
 	kSelector "github.com/GoogleCloudPlatform/kubernetes/pkg/fields"
 	tools "github.com/GoogleCloudPlatform/kubernetes/pkg/tools"
@ -50,7 +49,7 @@ var (
 	argEtcdMutationTimeout = flag.Duration("etcd_mutation_timeout", 10*time.Second, "crash after retrying etcd mutation for a specified duration")
 	argEtcdServer          = flag.String("etcd-server", "http://127.0.0.1:4001", "URL to etcd server")
 	argKubecfgFile         = flag.String("kubecfg_file", "", "Location of kubecfg file for access to kubernetes service")
-	argKubeMasterUrl       = flag.String("kube_master_url", "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}", "Url to reach kubernetes master. Env variables in this flag will be expanded.")
+	argKubeMasterURL       = flag.String("kube_master_url", "", "URL to reach kubernetes master. Env variables in this flag will be expanded.")
 )

 const (
@ -335,37 +334,46 @@ func newEtcdClient(etcdServer string) (*etcd.Client, error) {
 	return client, nil
 }

-func getKubeMasterUrl() (string, error) {
-	if *argKubeMasterUrl == "" {
-		return "", fmt.Errorf("no --kube_master_url specified")
-	}
-	parsedUrl, err := url.Parse(os.ExpandEnv(*argKubeMasterUrl))
+func getKubeMasterURL() (string, error) {
+	parsedURL, err := url.Parse(os.ExpandEnv(*argKubeMasterURL))
 	if err != nil {
-		return "", fmt.Errorf("failed to parse --kube_master_url %s - %v", *argKubeMasterUrl, err)
+		return "", fmt.Errorf("failed to parse --kube_master_url %s - %v", *argKubeMasterURL, err)
 	}
-	if parsedUrl.Scheme == "" || parsedUrl.Host == "" || parsedUrl.Host == ":" {
-		return "", fmt.Errorf("invalid --kube_master_url specified %s", *argKubeMasterUrl)
+	if parsedURL.Scheme == "" || parsedURL.Host == "" || parsedURL.Host == ":" {
+		return "", fmt.Errorf("invalid --kube_master_url specified %s", *argKubeMasterURL)
 	}
-	return parsedUrl.String(), nil
+	return parsedURL.String(), nil
 }

 // TODO: evaluate using pkg/client/clientcmd
 func newKubeClient() (*kclient.Client, error) {
-	var config *kclient.Config
-	masterUrl, err := getKubeMasterUrl()
-	if err != nil {
-		return nil, err
+	var (
+		config    *kclient.Config
+		err       error
+		masterURL string
+	)
+	if *argKubeMasterURL != "" {
+		masterURL, err = getKubeMasterURL()
+		if err != nil {
+			return nil, err
+		}
 	}
 	if *argKubecfgFile == "" {
+		if masterURL == "" {
+			return nil, fmt.Errorf("--kube_master_url must be set when --kubecfg_file is not set")
+		}
 		config = &kclient.Config{
-			Host:    masterUrl,
+			Host:    masterURL,
 			Version: "v1beta3",
 		}
 	} else {
-		var err error
+		overrides := &kclientcmd.ConfigOverrides{}
+		if masterURL != "" {
+			overrides.ClusterInfo.Server = masterURL
+		}
 		if config, err = kclientcmd.NewNonInteractiveDeferredLoadingClientConfig(
 			&kclientcmd.ClientConfigLoadingRules{ExplicitPath: *argKubecfgFile},
-			&kclientcmd.ConfigOverrides{ClusterInfo: kclientcmdapi.Cluster{Server: masterUrl, InsecureSkipTLSVerify: true}}).ClientConfig(); err != nil {
+			overrides).ClientConfig(); err != nil {
 			return nil, err
 		}
 	}
--- a/cluster/addons/dns/skydns-rc.yaml.in
+++ b/cluster/addons/dns/skydns-rc.yaml.in
@ -1,21 +1,21 @@
 apiVersion: v1beta3
 kind: ReplicationController
 metadata:
-  name: kube-dns-v1
+  name: kube-dns-v2
  namespace: default
  labels:
-    k8s-app: kube-dns-v1
+    k8s-app: kube-dns-v2
    kubernetes.io/cluster-service: "true"
 spec:
  replicas: {{ pillar['dns_replicas'] }}
  selector:
    k8s-app: kube-dns
-    version: v1
+    version: v2
  template:
    metadata:
      labels:
        k8s-app: kube-dns
-        version: v1
+        version: v2
        kubernetes.io/cluster-service: "true"
    spec:
      containers:
@ -30,11 +30,12 @@ spec:
        - -initial-cluster-token
        - skydns-etcd
      - name: kube2sky
-        image: gcr.io/google_containers/kube2sky:1.7
+        image: gcr.io/google_containers/kube2sky:1.8
        args:
        # command = "/kube2sky"
        - -domain={{ pillar['dns_domain'] }}
        - -kubecfg_file=/etc/dns_token/kubeconfig
+        - -kube_master_url=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
        volumeMounts:
        - mountPath: /etc/dns_token
          name: dns-token