Revert "Merge pull request #41132 from kubernetes/revert-40893-kubelet-auth"

This reverts commit fd56078298, reversing changes made to d953402cdf.
2017-02-09 10:37:30 -08:00 · 2017-02-09 10:37:30 -08:00 · c8ce55fef4
parent 2e005f5ace
commit c8ce55fef4
9 changed files with 61 additions and 50 deletions
--- a/cluster/addons/rbac/apiserver-node-proxy-binding.yaml
+++ b/cluster/addons/rbac/apiserver-node-proxy-binding.yaml
@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: apiserver-node-proxy
+  labels:
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-proxy
+subjects:
+- apiVersion: rbac/v1beta1
+  kind: User
+  name: kube-apiserver
--- a/cluster/addons/rbac/node-proxy-role.yaml
+++ b/cluster/addons/rbac/node-proxy-role.yaml
@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: node-proxy
+  labels:
+    kubernetes.io/cluster-service: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes/proxy
+  verbs:
+  - create
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - nodes/log
+  - nodes/stats
+  - nodes/metrics
+  - nodes/spec
+  verbs:
+  - get
--- a/cluster/common.sh
+++ b/cluster/common.sh
@ -585,7 +585,6 @@ function build-kube-master-certs {
  cat >$file <<EOF
 KUBEAPISERVER_CERT: $(yaml-quote ${KUBEAPISERVER_CERT_BASE64:-})
 KUBEAPISERVER_KEY: $(yaml-quote ${KUBEAPISERVER_KEY_BASE64:-})
-KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
 CA_KEY: $(yaml-quote ${CA_KEY_BASE64:-})
 EOF
 }
@ -802,7 +801,6 @@ EOF
 KUBERNETES_MASTER: $(yaml-quote "false")
 ZONE: $(yaml-quote ${ZONE})
 EXTRA_DOCKER_OPTS: $(yaml-quote ${EXTRA_DOCKER_OPTS:-})
-KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
 EOF
    if [ -n "${KUBEPROXY_TEST_ARGS:-}" ]; then
      cat >>$file <<EOF
@ -970,9 +968,8 @@ function create-certs {
  KUBELET_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubelet.key" | base64 | tr -d '\r\n')
  KUBECFG_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubecfg.crt" | base64 | tr -d '\r\n')
  KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n')
-  KUBELET_AUTH_CA_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/ca.crt" | base64 | tr -d '\r\n')
-  KUBEAPISERVER_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/issued/kube-apiserver.crt" | base64 | tr -d '\r\n')
-  KUBEAPISERVER_KEY_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/private/kube-apiserver.key" | base64 | tr -d '\r\n')
+  KUBEAPISERVER_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kube-apiserver.crt" | base64 | tr -d '\r\n')
+  KUBEAPISERVER_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kube-apiserver.key" | base64 | tr -d '\r\n')
 }

 # Runs the easy RSA commands to generate certificate files.
@ -999,6 +996,7 @@ function generate-certs {
    # this puts the cert into pki/ca.crt and the key into pki/private/ca.key
    ./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass
    ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
+    ./easyrsa build-client-full kube-apiserver nopass

    download-cfssl

@ -1014,12 +1012,7 @@ function generate-certs {
    ./easyrsa --dn-mode=org \
      --req-cn=kubecfg --req-org=system:masters \
      --req-c= --req-st= --req-city= --req-email= --req-ou= \
-      build-client-full kubecfg nopass
-
-    cd ../kubelet
-    ./easyrsa init-pki
-    ./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass
-    ./easyrsa build-client-full kube-apiserver nopass) &>${cert_create_debug_output} || {
+      build-client-full kubecfg nopass) &>${cert_create_debug_output} || {
    # If there was an error in the subshell, just die.
    # TODO(roberthbailey): add better error handling here
    cat "${cert_create_debug_output}" >&2
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -630,11 +630,6 @@ EOF
    if [ -n "${SCHEDULING_ALGORITHM_PROVIDER:-}" ]; then
      cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
 scheduling_algorithm_provider: '$(echo "${SCHEDULING_ALGORITHM_PROVIDER}" | sed -e "s/'/''/g")'
-EOF
-    fi
-    if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then
-      cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
-kubelet_auth_ca_cert: /var/lib/kubelet/kubelet_auth_ca.crt
 EOF
    fi
 }
@ -755,11 +750,9 @@ current-context: service-account-context
 EOF
 )
  fi
-  local -r kubelet_auth_ca_file="/srv/salt-overlay/salt/kubelet/kubelet_auth_ca.crt"
-  if [ ! -e "${kubelet_auth_ca_file}" ] && [[ ! -z "${KUBELET_AUTH_CA_CERT:-}" ]]; then
-    (umask 077;
-      echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "${kubelet_auth_ca_file}")
-  fi
+  local -r client_ca_file="/srv/salt-overlay/salt/kubelet/ca.crt"
+  (umask 077;
+    echo "${KUBELET_CA_CERT}" | base64 --decode > "${client_ca_file}")
 }

 # This should happen both on cluster initialization and node upgrades.
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -369,12 +369,7 @@ contexts:
  name: service-account-context
 current-context: service-account-context
 EOF
-}
-
-function create-kubelet-auth-ca {
-  if [[ -n "${KUBELET_AUTH_CA_CERT:-}" ]]; then
-    echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "/var/lib/kubelet/kubelet_auth_ca.crt"
-  fi
+  echo "${KUBELET_CA_CERT}" | base64 -d > /var/lib/kubelet/ca.crt
 }

 # Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY
@ -388,7 +383,6 @@ function create-master-kubelet-auth {
    REGISTER_MASTER_KUBELET="true"
    create-kubelet-kubeconfig
  fi
-
 }

 function create-kubeproxy-kubeconfig {
@ -582,9 +576,7 @@ function start-kubelet {
       [[ "${HAIRPIN_MODE:-}" == "none" ]]; then
      flags+=" --hairpin-mode=${HAIRPIN_MODE}"
    fi
-    if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then
-      flags+=" --anonymous-auth=false --client-ca-file=/var/lib/kubelet/kubelet_auth_ca.crt"
-    fi
+    flags+=" --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt"
  fi
  # Network plugin
  if [[ -n "${NETWORK_PROVIDER:-}" ]]; then
@ -837,8 +829,10 @@ function start-kube-apiserver {
  params+=" --secure-port=443"
  params+=" --tls-cert-file=/etc/srv/kubernetes/server.cert"
  params+=" --tls-private-key-file=/etc/srv/kubernetes/server.key"
-  params+=" --kubelet-client-certificate=/etc/srv/kubernetes/kubeapiserver.cert"
-  params+=" --kubelet-client-key=/etc/srv/kubernetes/kubeapiserver.key"
+  if [[ -e /etc/srv/kubernetes/kubeapiserver.cert ]] && [[ -e /etc/srv/kubernetes/kubeapiserver.key ]]; then
+    params+=" --kubelet-client-certificate=/etc/srv/kubernetes/kubeapiserver.cert"
+    params+=" --kubelet-client-key=/etc/srv/kubernetes/kubeapiserver.key"
+  fi
  params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv"
  if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
    params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv"
@ -1107,9 +1101,13 @@ function start-kube-addons {
  local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
  local -r dst_dir="/etc/kubernetes/addons"

+  # TODO(mikedanese): only enable these in e2e
  # prep the additional bindings that are particular to e2e users and groups
  setup-addon-manifests "addons" "e2e-rbac-bindings"

+  # prep addition kube-up specific rbac objects
+  setup-addon-manifests "addons" "rbac"
+
  # Set up manifests of other addons.
  if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \
     [[ "${ENABLE_CLUSTER_MONITORING:-}" == "google" ]] || \
@ -1353,7 +1351,6 @@ if [[ "${KUBERNETES_MASTER:-}" == "true" ]]; then
  create-master-etcd-auth
 else
  create-kubelet-kubeconfig
-  create-kubelet-auth-ca
  create-kubeproxy-kubeconfig
 fi

--- a/cluster/gce/upgrade.sh
+++ b/cluster/gce/upgrade.sh
@ -233,9 +233,6 @@ function prepare-node-upgrade() {
  KUBELET_CERT_BASE64=$(get-env-val "${node_env}" "KUBELET_CERT")
  KUBELET_KEY_BASE64=$(get-env-val "${node_env}" "KUBELET_KEY")

-  local master_env=$(get-master-env)
-  KUBELET_AUTH_CA_CERT_BASE64=$(get-env-val "${master_env}" "KUBELET_AUTH_CA_CERT")
-
  # TODO(zmerlynn): How do we ensure kube-env is written in a ${version}-
  #                 compatible way?
  write-node-env
--- a/cluster/saltbase/salt/kubelet/default
+++ b/cluster/saltbase/salt/kubelet/default
@ -188,10 +188,7 @@
  {% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %}
 {% endif -%}

-{% set kubelet_auth_ca_cert = "" %}
-{% if pillar['kubelet_auth_ca_cert'] is defined -%}
-  {% set kubelet_auth_ca_cert="--anonymous-auth=false --client-ca-file=" + pillar['kubelet_auth_ca_cert'] %}
-{% endif -%}
+{% set kubelet_auth = "--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt" %}

 # test_args has to be kept at the end, so they'll overwrite any prior configuration
-DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}}  {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth_ca_cert}} {{feature_gates}} {{test_args}}"
+DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}}  {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth}} {{feature_gates}} {{test_args}}"
--- a/cluster/saltbase/salt/kubelet/init.sls
+++ b/cluster/saltbase/salt/kubelet/init.sls
@ -31,15 +31,13 @@
    - mode: 400
    - makedirs: true

-{% if pillar['kubelet_auth_ca_cert'] is defined %}
-/var/lib/kubelet/kubelet_auth_ca.crt:
+/var/lib/kubelet/ca.crt:
  file.managed:
-    - source: salt://kubelet/kubelet_auth_ca.crt
+    - source: salt://kubelet/ca.crt
    - user: root
    - group: root
    - mode: 400
    - makedirs: true
-{% endif %}

 {% if pillar.get('is_systemd') %}

@ -61,7 +59,7 @@ fix-service-kubelet:
      - file: {{ pillar.get('systemd_system_path') }}/kubelet.service
      - file: {{ environment_file }}
      - file: /var/lib/kubelet/kubeconfig
-      - file: /var/lib/kubelet/kubelet_auth_ca.crt
+      - file: /var/lib/kubelet/ca.crt

 {% else %}

@ -89,9 +87,7 @@ kubelet:
 {% endif %}
      - file: {{ environment_file }}
      - file: /var/lib/kubelet/kubeconfig
-{% if pillar['kubelet_auth_ca_cert'] is defined  %}
-      - file: /var/lib/kubelet/kubelet_auth_ca.crt
-{% endif %}
+      - file: /var/lib/kubelet/ca.crt
 {% if pillar.get('is_systemd') %}
    - provider:
      - service: systemd
--- a/hack/verify-flags/exceptions.txt
+++ b/hack/verify-flags/exceptions.txt
@ -14,6 +14,7 @@ cluster/gce/configure-vm.sh:  cloud_config: ${CLOUD_CONFIG}
 cluster/gce/configure-vm.sh:  env-to-grains "feature_gates"
 cluster/gce/configure-vm.sh:  env-to-grains "runtime_config"
 cluster/gce/configure-vm.sh:  kubelet_api_servers: '${KUBELET_APISERVER}'
+cluster/gce/configure-vm.sh:  local -r client_ca_file="/srv/salt-overlay/salt/kubelet/ca.crt"
 cluster/gce/container-linux/configure-helper.sh:    authorization_mode+=",ABAC"
 cluster/gce/container-linux/configure-helper.sh:    authorization_mode+=",Webhook"
 cluster/gce/container-linux/configure-helper.sh:    grep -o "{{ *pillar\.get('storage_backend', '\(.*\)') *}}" | \