github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

enable tls bootstrap in GCE/GKE

pull/6/head
Mike Danese 2017-05-22 19:34:37 -07:00
parent 14a1cdd208
commit ae91ecb62e
5 changed files with 81 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
cluster/addons/rbac/kubelet-certificate-management.yaml Normal file
View File

@ -0,0 +1,61 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: gce:beta:kubelet-certificate-bootstrap
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gce:beta:kubelet-certificate-bootstrap
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubelet
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: gce:beta:kubelet-certificate-rotation
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gce:beta:kubelet-certificate-rotation
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: gce:beta:kubelet-certificate-bootstrap
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
- "certificates.k8s.io"
resources:
- certificatesigningrequests/nodeclient
verbs:
- "create"
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: gce:beta:kubelet-certificate-rotation
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
- "certificates.k8s.io"
resources:
- certificatesigningrequests/selfnodeclient
verbs:
- "create"

4
cluster/gce/configure-vm.sh
View File

@ -615,7 +615,7 @@ function convert-bytes-gce-kube() {
# connect to the apiserver. # connect to the apiserver.
function create-salt-kubelet-auth() { function create-salt-kubelet-auth() {
local -r kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/kubeconfig" local -r kubelet_kubeconfig_file="/srv/salt-overlay/salt/kubelet/bootstrap-kubeconfig"
if [ ! -e "${kubelet_kubeconfig_file}" ]; then if [ ! -e "${kubelet_kubeconfig_file}" ]; then
mkdir -p /srv/salt-overlay/salt/kubelet mkdir -p /srv/salt-overlay/salt/kubelet
(umask 077; (umask 077;
@ -630,7 +630,7 @@ users:
clusters: clusters:
- name: local - name: local
cluster: cluster:
server: https://kubernetes-master server: https://${KUBERNETES_MASTER_NAME}
certificate-authority: ${CA_CERT_BUNDLE_PATH} certificate-authority: ${CA_CERT_BUNDLE_PATH}
contexts: contexts:
- context: - context:

13
cluster/gce/gci/configure-helper.sh
View File

@ -427,7 +427,7 @@ EOF
function create-kubelet-kubeconfig { function create-kubelet-kubeconfig {
echo "Creating kubelet kubeconfig file" echo "Creating kubelet kubeconfig file"
cat <<EOF >/var/lib/kubelet/kubeconfig cat <<EOF >/var/lib/kubelet/bootstrap-kubeconfig
apiVersion: v1 apiVersion: v1
kind: Config kind: Config
users: users:
@ -439,6 +439,7 @@ clusters:
- name: local - name: local
cluster: cluster:
certificate-authority: ${CA_CERT_BUNDLE_PATH} certificate-authority: ${CA_CERT_BUNDLE_PATH}
server: https://${KUBERNETES_MASTER_NAME}
contexts: contexts:
- context: - context:
cluster: local cluster: local
@ -689,7 +690,11 @@ function start-kubelet {
flags+=" --enable-debugging-handlers=false" flags+=" --enable-debugging-handlers=false"
flags+=" --hairpin-mode=none" flags+=" --hairpin-mode=none"
if [[ "${REGISTER_MASTER_KUBELET:-false}" == "true" ]]; then if [[ "${REGISTER_MASTER_KUBELET:-false}" == "true" ]]; then
flags+=" --api-servers=https://${KUBELET_APISERVER}" #TODO(mikedanese): allow static pods to start before creating a client
#flags+=" --experimental-bootstrap-kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig"
#flags+=" --kubeconfig=/var/lib/kubelet/kubeconfig"
flags+=" --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig"
flags+=" --require-kubeconfig"
flags+=" --register-schedulable=false" flags+=" --register-schedulable=false"
else else
# Standalone mode (not widely used?) # Standalone mode (not widely used?)
@ -698,7 +703,9 @@ function start-kubelet {
else # For nodes else # For nodes
flags+="${NODE_KUBELET_TEST_ARGS:-}" flags+="${NODE_KUBELET_TEST_ARGS:-}"
flags+=" --enable-debugging-handlers=true" flags+=" --enable-debugging-handlers=true"
flags+=" --api-servers=https://${KUBERNETES_MASTER_NAME}" flags+=" --experimental-bootstrap-kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig"
flags+=" --require-kubeconfig"
flags+=" --kubeconfig=/var/lib/kubelet/kubeconfig"
if [[ "${HAIRPIN_MODE:-}" == "promiscuous-bridge" ]] || \ if [[ "${HAIRPIN_MODE:-}" == "promiscuous-bridge" ]] || \
[[ "${HAIRPIN_MODE:-}" == "hairpin-veth" ]] || \ [[ "${HAIRPIN_MODE:-}" == "hairpin-veth" ]] || \
[[ "${HAIRPIN_MODE:-}" == "none" ]]; then [[ "${HAIRPIN_MODE:-}" == "none" ]]; then

4
cluster/saltbase/salt/kubelet/default
View File

@ -38,6 +38,10 @@
{% endif -%} {% endif -%}
{% endif -%} {% endif -%}
{% if grains.cloud == 'gce' -%}
{% set api_servers = "--experimental-bootstrap-kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig --require-kubeconfig --kubeconfig=/var/lib/kubelet/kubeconfig" -%}
{% endif -%}
{% set cloud_provider = "" -%} {% set cloud_provider = "" -%}
{% if grains.cloud is defined and grains.cloud not in ['vagrant', 'photon-controller', 'azure-legacy'] -%} {% if grains.cloud is defined and grains.cloud not in ['vagrant', 'photon-controller', 'azure-legacy'] -%}
{% set cloud_provider = "--cloud-provider=" + grains.cloud -%} {% set cloud_provider = "--cloud-provider=" + grains.cloud -%}

8
cluster/saltbase/salt/kubelet/init.sls
View File

@ -23,9 +23,9 @@
# won't be able to parse it as JSON and it will not be able to publish events # won't be able to parse it as JSON and it will not be able to publish events
# to the apiserver. You'll see a single error line in the kubelet start up file # to the apiserver. You'll see a single error line in the kubelet start up file
# about this. # about this.
/var/lib/kubelet/kubeconfig: /var/lib/kubelet/bootstrap-kubeconfig:
file.managed: file.managed:
- source: salt://kubelet/kubeconfig - source: salt://kubelet/bootstrap-kubeconfig
- user: root - user: root
- group: root - group: root
- mode: 400 - mode: 400
@ -60,7 +60,7 @@ fix-service-kubelet:
- file: /usr/local/bin/kubelet - file: /usr/local/bin/kubelet
- file: {{ pillar.get('systemd_system_path') }}/kubelet.service - file: {{ pillar.get('systemd_system_path') }}/kubelet.service
- file: {{ environment_file }} - file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig - file: /var/lib/kubelet/bootstrap-kubeconfig
{% if grains.cloud != 'gce' %} {% if grains.cloud != 'gce' %}
- file: /var/lib/kubelet/ca.crt - file: /var/lib/kubelet/ca.crt
{% endif %} {% endif %}
@ -90,7 +90,7 @@ kubelet:
- file: /usr/lib/systemd/system/kubelet.service - file: /usr/lib/systemd/system/kubelet.service
{% endif %} {% endif %}
- file: {{ environment_file }} - file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig - file: /var/lib/kubelet/bootstrap-kubeconfig
{% if grains.cloud != 'gce' %} {% if grains.cloud != 'gce' %}
- file: /var/lib/kubelet/ca.crt - file: /var/lib/kubelet/ca.crt
{% endif %} {% endif %}