enable tls bootstrap in GCE/GKE

2017-05-22 19:34:37 -07:00 · 2017-05-22 19:34:37 -07:00 · ae91ecb62e
parent 14a1cdd208
commit ae91ecb62e
5 changed files with 81 additions and 9 deletions
--- a/cluster/addons/rbac/kubelet-certificate-management.yaml
+++ b/cluster/addons/rbac/kubelet-certificate-management.yaml
@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: gce:beta:kubelet-certificate-bootstrap
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gce:beta:kubelet-certificate-bootstrap
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: kubelet
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: gce:beta:kubelet-certificate-rotation
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gce:beta:kubelet-certificate-rotation
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:nodes
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: gce:beta:kubelet-certificate-bootstrap
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - "certificates.k8s.io"
+  resources:
+  - certificatesigningrequests/nodeclient
+  verbs:
+  - "create"
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: gce:beta:kubelet-certificate-rotation
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - "certificates.k8s.io"
+  resources:
+  - certificatesigningrequests/selfnodeclient
+  verbs:
+  - "create"
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -615,7 +615,7 @@ function convert-bytes-gce-kube() {
 #    connect to the apiserver.

 function create-salt-kubelet-auth() {
-  local -r kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig"
+  local -r kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/bootstrap-kubeconfig"
  if [ ! -e "${kubelet_kubeconfig_file}" ]; then
    mkdir -p /srv/salt-overlay/salt/kubelet
    (umask 077;
@ -630,7 +630,7 @@ users:
 clusters:
 - name: local
  cluster:
-    server: https://kubernetes-master
+    server: https://${KUBERNETES_MASTER_NAME}
    certificate-authority: ${CA_CERT_BUNDLE_PATH}
 contexts:
 - context:
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -427,7 +427,7 @@ EOF

 function create-kubelet-kubeconfig {
  echo "Creating kubelet kubeconfig file"
-  cat <<EOF >/var/lib/kubelet/kubeconfig
+  cat <<EOF >/var/lib/kubelet/bootstrap-kubeconfig
 apiVersion: v1
 kind: Config
 users:
@ -439,6 +439,7 @@ clusters:
 - name: local
  cluster:
    certificate-authority: ${CA_CERT_BUNDLE_PATH}
+    server: https://${KUBERNETES_MASTER_NAME}
 contexts:
 - context:
    cluster: local
@ -689,7 +690,11 @@ function start-kubelet {
    flags+=" --enable-debugging-handlers=false"
    flags+=" --hairpin-mode=none"
    if [[ "${REGISTER_MASTER_KUBELET:-false}" == "true" ]]; then
-      flags+=" --api-servers=https://${KUBELET_APISERVER}"
+      #TODO(mikedanese): allow static pods to start before creating a client
+      #flags+=" --experimental-bootstrap-kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig"
+      #flags+=" --kubeconfig=/var/lib/kubelet/kubeconfig"
+      flags+=" --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig"
+      flags+=" --require-kubeconfig"
      flags+=" --register-schedulable=false"
    else
      # Standalone mode (not widely used?)
@ -698,7 +703,9 @@ function start-kubelet {
  else # For nodes
    flags+="${NODE_KUBELET_TEST_ARGS:-}"
    flags+=" --enable-debugging-handlers=true"
-    flags+=" --api-servers=https://${KUBERNETES_MASTER_NAME}"
+    flags+=" --experimental-bootstrap-kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig"
+    flags+=" --require-kubeconfig"
+    flags+=" --kubeconfig=/var/lib/kubelet/kubeconfig"
    if [[ "${HAIRPIN_MODE:-}" == "promiscuous-bridge" ]] || \
       [[ "${HAIRPIN_MODE:-}" == "hairpin-veth" ]] || \
       [[ "${HAIRPIN_MODE:-}" == "none" ]]; then
--- a/cluster/saltbase/salt/kubelet/default
+++ b/cluster/saltbase/salt/kubelet/default
@ -38,6 +38,10 @@
  {% endif -%}
 {% endif -%}

+{% if grains.cloud == 'gce' -%}
+  {% set api_servers = "--experimental-bootstrap-kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig --require-kubeconfig --kubeconfig=/var/lib/kubelet/kubeconfig" -%}
+{% endif -%}
+
 {% set cloud_provider = "" -%}
 {% if grains.cloud is defined and grains.cloud not in ['vagrant', 'photon-controller', 'azure-legacy'] -%}
  {% set cloud_provider = "--cloud-provider=" + grains.cloud -%}
--- a/cluster/saltbase/salt/kubelet/init.sls
+++ b/cluster/saltbase/salt/kubelet/init.sls
@ -23,9 +23,9 @@
 # won't be able to parse it as JSON and it will not be able to publish events
 # to the apiserver. You'll see a single error line in the kubelet start up file
 # about this.
-/var/lib/kubelet/kubeconfig:
+/var/lib/kubelet/bootstrap-kubeconfig:
  file.managed:
-    - source: salt://kubelet/kubeconfig
+    - source: salt://kubelet/bootstrap-kubeconfig
    - user: root
    - group: root
    - mode: 400
@ -60,7 +60,7 @@ fix-service-kubelet:
      - file: /usr/local/bin/kubelet
      - file: {{ pillar.get('systemd_system_path') }}/kubelet.service
      - file: {{ environment_file }}
-      - file: /var/lib/kubelet/kubeconfig
+      - file: /var/lib/kubelet/bootstrap-kubeconfig
 {% if grains.cloud != 'gce' %}
      - file: /var/lib/kubelet/ca.crt
 {% endif %}
@ -90,7 +90,7 @@ kubelet:
      - file: /usr/lib/systemd/system/kubelet.service
 {% endif %}
      - file: {{ environment_file }}
-      - file: /var/lib/kubelet/kubeconfig
+      - file: /var/lib/kubelet/bootstrap-kubeconfig
 {% if grains.cloud != 'gce' %}
      - file: /var/lib/kubelet/ca.crt
 {% endif %}