From 0ae4defc9d43b09ad967d90fd86b10a23154fd1d Mon Sep 17 00:00:00 2001
From: Vishnu Kannan
Date: Fri, 22 May 2015 16:07:58 -0700
Subject: [PATCH 1/2] Avoid making connections to the apiserver insecure by default in kube2sky.

---
 cluster/addons/dns/kube2sky/kube2sky.go | 32 +++++++++++++++----------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/cluster/addons/dns/kube2sky/kube2sky.go b/cluster/addons/dns/kube2sky/kube2sky.go
index f574174dd0..e220722973 100644
--- a/cluster/addons/dns/kube2sky/kube2sky.go
+++ b/cluster/addons/dns/kube2sky/kube2sky.go
@@ -34,7 +34,6 @@ import (
 	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"
 	kcache "github.com/GoogleCloudPlatform/kubernetes/pkg/client/cache"
 	kclientcmd "github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd"
-	kclientcmdapi "github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd/api"
 	kframework "github.com/GoogleCloudPlatform/kubernetes/pkg/controller/framework"
 	kSelector "github.com/GoogleCloudPlatform/kubernetes/pkg/fields"
 	tools "github.com/GoogleCloudPlatform/kubernetes/pkg/tools"
@@ -50,7 +49,7 @@ var (
 	argEtcdMutationTimeout = flag.Duration("etcd_mutation_timeout", 10*time.Second, "crash after retrying etcd mutation for a specified duration")
 	argEtcdServer = flag.String("etcd-server", "http://127.0.0.1:4001", "URL to etcd server")
 	argKubecfgFile = flag.String("kubecfg_file", "", "Location of kubecfg file for access to kubernetes service")
-	argKubeMasterUrl = flag.String("kube_master_url", "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}", "Url to reach kubernetes master. Env variables in this flag will be expanded.")
+	argKubeMasterUrl = flag.String("kube_master_url", "", "Url to reach kubernetes master. Env variables in this flag will be expanded.")
 )
 
 const (
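Review bot: The usage string on the rewritten `argKubeMasterUrl` line still describes the flag as if it were always consulted, while its default has changed from the in-cluster service URL to empty; the text should say what an empty value means now that newKubeClient treats the flag as required without --kubecfg_file and as a server override with it. Suggest `"Url to reach kubernetes master. Env variables in this flag will be expanded. Required when --kubecfg_file is not set; otherwise overrides the server named in the kubecfg file."`. Deployments that relied on the old default will only discover the change through the new startup error in newKubeClient, so the flag text is the right place to spell it out alongside the Changelog.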
@@ -336,9 +335,6 @@ func newEtcdClient(etcdServer string) (*etcd.Client, error) {
 }
 
 func getKubeMasterUrl() (string, error) {
-	if *argKubeMasterUrl == "" {
-		return "", fmt.Errorf("no --kube_master_url specified")
-	}
 	parsedUrl, err := url.Parse(os.ExpandEnv(*argKubeMasterUrl))
 	if err != nil {
 		return "", fmt.Errorf("failed to parse --kube_master_url %s - %v", *argKubeMasterUrl, err)
@@ -351,21 +347,33 @@ func getKubeMasterUrl() (string, error) {
 
 // TODO: evaluate using pkg/client/clientcmd
 func newKubeClient() (*kclient.Client, error) {
-	var config *kclient.Config
-	masterUrl, err := getKubeMasterUrl()
-	if err != nil {
-		return nil, err
+	var (
+		config *kclient.Config
+		err error
+		masterURL string
+	)
+	if *argKubeMasterUrl != "" {
+		masterURL, err = getKubeMasterUrl()
+		if err != nil {
+			return nil, err
+		}
 	}
 	if *argKubecfgFile == "" {
+		if masterURL == "" {
+			return nil, fmt.Errorf("--kube_master_url must be set when --kubecfg_file is not set")
+		}
 		config = &kclient.Config{
-			Host: masterUrl,
+			Host: masterURL,
 			Version: "v1beta3",
 		}
 	} else {
-		var err error
+		overrides := &kclientcmd.ConfigOverrides{}
+		if masterURL != "" {
+			overrides.ClusterInfo.Server = masterURL
+		}
 		if config, err = kclientcmd.NewNonInteractiveDeferredLoadingClientConfig(
 			&kclientcmd.ClientConfigLoadingRules{ExplicitPath: *argKubecfgFile},
-			&kclientcmd.ConfigOverrides{ClusterInfo: kclientcmdapi.Cluster{Server: masterUrl, InsecureSkipTLSVerify: true}}).ClientConfig(); err != nil {
+			overrides).ClientConfig(); err != nil {
 			return nil, err
 		}
 	}
From 404558f29c75584ae6fba15e69e64b9f893fb89e Mon Sep 17 00:00:00 2001
From: Vishnu Kannan
Date: Thu, 28 May 2015 11:07:09 -0700
Subject: [PATCH 2/2] New release of kube2sky v1.8

---
 cluster/addons/dns/kube2sky/Changelog | 5 +++++
 cluster/addons/dns/kube2sky/Makefile | 2 +-
 cluster/addons/dns/kube2sky/kube2sky.go | 18 +++++++++---------
 cluster/addons/dns/skydns-rc.yaml.in | 11 ++++++-----
 4 files changed, 21 insertions(+), 15 deletions(-)
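Review bot: With the empty-string check removed from getKubeMasterUrl, the function's contract now depends on the caller having checked the flag first; an empty value should fall through url.Parse and be rejected by the Scheme/Host check further down as "invalid --kube_master_url specified", which is a confusing message for a missing value. A doc comment would pin that down: `// getKubeMasterUrl parses and validates --kube_master_url after env expansion. Callers must ensure the flag is non-empty; an empty value is rejected as invalid rather than as missing.`. The remainder of getKubeMasterUrl lies outside this hunk.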
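Review bot: The `// TODO: evaluate using pkg/client/clientcmd` context line directly above newKubeClient is now misleading, because the else branch rewritten here already builds its config through kclientcmd, and nothing documents the new split between the two paths. Suggest replacing the TODO with a doc comment: `// newKubeClient builds the client from --kubecfg_file when it is set, with --kube_master_url (if given) overriding only the server address and TLS settings coming from that file; without --kubecfg_file, --kube_master_url is required and used directly.`. When the server is overridden this way the connection is presumably still verified against the certificate-authority from the kubecfg file, so the overriding host has to be one the apiserver's serving certificate is valid for; a sentence to that effect in the comment or the flag usage would save operators from diagnosing a TLS failure at startup as a config error. The end of newKubeClient lies outside the hunk.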
diff --git a/cluster/addons/dns/kube2sky/Changelog b/cluster/addons/dns/kube2sky/Changelog
index 4075602aaa..b9e755d397 100644
--- a/cluster/addons/dns/kube2sky/Changelog
+++ b/cluster/addons/dns/kube2sky/Changelog
@@ -5,3 +5,8 @@
 
 ## Version 1.7 (May 25 2015 Vishnu Kannan )
 - Adding support for headless services. All pods backing a headless service is addressible via DNS RR.
+
+
+## Version 1.8 (May 18 2015 Vishnu Kannan )
+- Avoid making connections to the master insecure by default
+- Let users override the master URL in kubeconfig via a flag
diff --git a/cluster/addons/dns/kube2sky/Makefile b/cluster/addons/dns/kube2sky/Makefile
index 2f565bc0bb..deadd8feab 100644
--- a/cluster/addons/dns/kube2sky/Makefile
+++ b/cluster/addons/dns/kube2sky/Makefile
@@ -4,7 +4,7 @@
 
 .PHONY: all kube2sky container push clean test
 
-TAG = 1.7
+TAG = 1.8
 PREFIX = gcr.io/google_containers
 
 all: container
diff --git a/cluster/addons/dns/kube2sky/kube2sky.go b/cluster/addons/dns/kube2sky/kube2sky.go
index e220722973..75e205c711 100644
--- a/cluster/addons/dns/kube2sky/kube2sky.go
+++ b/cluster/addons/dns/kube2sky/kube2sky.go
@@ -49,7 +49,7 @@ var (
 	argEtcdMutationTimeout = flag.Duration("etcd_mutation_timeout", 10*time.Second, "crash after retrying etcd mutation for a specified duration")
 	argEtcdServer = flag.String("etcd-server", "http://127.0.0.1:4001", "URL to etcd server")
 	argKubecfgFile = flag.String("kubecfg_file", "", "Location of kubecfg file for access to kubernetes service")
-	argKubeMasterUrl = flag.String("kube_master_url", "", "Url to reach kubernetes master. Env variables in this flag will be expanded.")
+	argKubeMasterURL = flag.String("kube_master_url", "", "URL to reach kubernetes master. Env variables in this flag will be expanded.")
 )
 
 const (
@@ -334,15 +334,15 @@ func newEtcdClient(etcdServer string) (*etcd.Client, error) {
 	return client, nil
 }
 
-func getKubeMasterUrl() (string, error) {
-	parsedUrl, err := url.Parse(os.ExpandEnv(*argKubeMasterUrl))
+func getKubeMasterURL() (string, error) {
+	parsedURL, err := url.Parse(os.ExpandEnv(*argKubeMasterURL))
 	if err != nil {
-		return "", fmt.Errorf("failed to parse --kube_master_url %s - %v", *argKubeMasterUrl, err)
+		return "", fmt.Errorf("failed to parse --kube_master_url %s - %v", *argKubeMasterURL, err)
 	}
-	if parsedUrl.Scheme == "" || parsedUrl.Host == "" || parsedUrl.Host == ":" {
-		return "", fmt.Errorf("invalid --kube_master_url specified %s", *argKubeMasterUrl)
+	if parsedURL.Scheme == "" || parsedURL.Host == "" || parsedURL.Host == ":" {
+		return "", fmt.Errorf("invalid --kube_master_url specified %s", *argKubeMasterURL)
 	}
-	return parsedUrl.String(), nil
+	return parsedURL.String(), nil
 }
 
 // TODO: evaluate using pkg/client/clientcmd
@@ -352,8 +352,8 @@ func newKubeClient() (*kclient.Client, error) {
 		err error
 		masterURL string
 	)
-	if *argKubeMasterUrl != "" {
-		masterURL, err = getKubeMasterUrl()
+	if *argKubeMasterURL != "" {
+		masterURL, err = getKubeMasterURL()
 		if err != nil {
 			return nil, err
 		}
diff --git a/cluster/addons/dns/skydns-rc.yaml.in b/cluster/addons/dns/skydns-rc.yaml.in
index 32d08db49f..e821fd7b17 100644
--- a/cluster/addons/dns/skydns-rc.yaml.in
+++ b/cluster/addons/dns/skydns-rc.yaml.in
@@ -1,21 +1,21 @@
 apiVersion: v1beta3
 kind: ReplicationController
 metadata:
-  name: kube-dns-v1
+  name: kube-dns-v2
   namespace: default
   labels:
-    k8s-app: kube-dns-v1
+    k8s-app: kube-dns-v2
     kubernetes.io/cluster-service: "true"
 spec:
   replicas: {{ pillar['dns_replicas'] }}
   selector:
     k8s-app: kube-dns
-    version: v1
+    version: v2
   template:
     metadata:
       labels:
         k8s-app: kube-dns
-        version: v1
+        version: v2
         kubernetes.io/cluster-service: "true"
     spec:
       containers:
@@ -30,11 +30,12 @@ spec:
         - -initial-cluster-token
         - skydns-etcd
       - name: kube2sky
-        image: gcr.io/google_containers/kube2sky:1.7
+        image: gcr.io/google_containers/kube2sky:1.8
         args:
         # command = "/kube2sky"
         - -domain={{ pillar['dns_domain'] }}
         - -kubecfg_file=/etc/dns_token/kubeconfig
+        - -kube_master_url=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}
         volumeMounts:
         - mountPath: /etc/dns_token
           name: dns-token
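Review bot: The added `-kube_master_url=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}` arg relies on kube2sky expanding `${...}` itself (os.ExpandEnv in getKubeMasterUrl), and the manifest does not say so; a reader may assume the kubelet substitutes the value before the container starts. Suggest a comment above the line: `# ${VAR} is expanded by kube2sky itself at startup, not by the kubelet.`. Combined with `-kubecfg_file`, this flag overrides only the server entry in /etc/dns_token/kubeconfig, so the certificate-authority in that file still has to be valid for the address the variables expand to; it is worth confirming the two agree before rolling the v2 controller out.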