github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Revert "Merge pull request #41132 from kubernetes/revert-40893-kubelet-auth" 

This reverts commit fd56078298, reversing
changes made to d953402cdf.
pull/6/head
Mike Danese 2017-02-09 10:37:30 -08:00
parent 2e005f5ace
commit c8ce55fef4
9 changed files with 61 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
cluster/addons/rbac/apiserver-node-proxy-binding.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: apiserver-node-proxy
labels:
kubernetes.io/cluster-service: "true"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: node-proxy
subjects:
- apiVersion: rbac/v1beta1
kind: User
name: kube-apiserver

23
cluster/addons/rbac/node-proxy-role.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: node-proxy
labels:
kubernetes.io/cluster-service: "true"
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
verbs:
- create
- get
- apiGroups:
- ""
resources:
- nodes/log
- nodes/stats
- nodes/metrics
- nodes/spec
verbs:
- get

15
cluster/common.sh
View File

@ -585,7 +585,6 @@ function build-kube-master-certs {
cat >$file <<EOF cat >$file <<EOF
KUBEAPISERVER_CERT: $(yaml-quote ${KUBEAPISERVER_CERT_BASE64:-}) KUBEAPISERVER_CERT: $(yaml-quote ${KUBEAPISERVER_CERT_BASE64:-})
KUBEAPISERVER_KEY: $(yaml-quote ${KUBEAPISERVER_KEY_BASE64:-}) KUBEAPISERVER_KEY: $(yaml-quote ${KUBEAPISERVER_KEY_BASE64:-})
KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
CA_KEY: $(yaml-quote ${CA_KEY_BASE64:-}) CA_KEY: $(yaml-quote ${CA_KEY_BASE64:-})
EOF EOF
} }
@ -802,7 +801,6 @@ EOF
KUBERNETES_MASTER: $(yaml-quote "false") KUBERNETES_MASTER: $(yaml-quote "false")
ZONE: $(yaml-quote ${ZONE}) ZONE: $(yaml-quote ${ZONE})
EXTRA_DOCKER_OPTS: $(yaml-quote ${EXTRA_DOCKER_OPTS:-}) EXTRA_DOCKER_OPTS: $(yaml-quote ${EXTRA_DOCKER_OPTS:-})
KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
EOF EOF
if [ -n "${KUBEPROXY_TEST_ARGS:-}" ]; then if [ -n "${KUBEPROXY_TEST_ARGS:-}" ]; then
cat >>$file <<EOF cat >>$file <<EOF
@ -970,9 +968,8 @@ function create-certs {
KUBELET_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubelet.key" | base64 | tr -d '\r\n') KUBELET_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubelet.key" | base64 | tr -d '\r\n')
KUBECFG_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubecfg.crt" | base64 | tr -d '\r\n') KUBECFG_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubecfg.crt" | base64 | tr -d '\r\n')
KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n') KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n')
KUBELET_AUTH_CA_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/ca.crt" | base64 | tr -d '\r\n') KUBEAPISERVER_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kube-apiserver.crt" | base64 | tr -d '\r\n')
KUBEAPISERVER_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/issued/kube-apiserver.crt" | base64 | tr -d '\r\n') KUBEAPISERVER_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kube-apiserver.key" | base64 | tr -d '\r\n')
KUBEAPISERVER_KEY_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/private/kube-apiserver.key" | base64 | tr -d '\r\n')
} }
# Runs the easy RSA commands to generate certificate files. # Runs the easy RSA commands to generate certificate files.
@ -999,6 +996,7 @@ function generate-certs {
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key # this puts the cert into pki/ca.crt and the key into pki/private/ca.key
./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass ./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass
./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
./easyrsa build-client-full kube-apiserver nopass
download-cfssl download-cfssl
@ -1014,12 +1012,7 @@ function generate-certs {
./easyrsa --dn-mode=org \ ./easyrsa --dn-mode=org \
--req-cn=kubecfg --req-org=system:masters \ --req-cn=kubecfg --req-org=system:masters \
--req-c= --req-st= --req-city= --req-email= --req-ou= \ --req-c= --req-st= --req-city= --req-email= --req-ou= \
build-client-full kubecfg nopass build-client-full kubecfg nopass) &>${cert_create_debug_output} || {
cd ../kubelet
./easyrsa init-pki
./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass
./easyrsa build-client-full kube-apiserver nopass) &>${cert_create_debug_output} || {
# If there was an error in the subshell, just die. # If there was an error in the subshell, just die.
# TODO(roberthbailey): add better error handling here # TODO(roberthbailey): add better error handling here
cat "${cert_create_debug_output}" >&2 cat "${cert_create_debug_output}" >&2

11
cluster/gce/configure-vm.sh
View File

@ -630,11 +630,6 @@ EOF
if [ -n "${SCHEDULING_ALGORITHM_PROVIDER:-}" ]; then if [ -n "${SCHEDULING_ALGORITHM_PROVIDER:-}" ]; then
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
scheduling_algorithm_provider: '$(echo "${SCHEDULING_ALGORITHM_PROVIDER}" | sed -e "s/'/''/g")' scheduling_algorithm_provider: '$(echo "${SCHEDULING_ALGORITHM_PROVIDER}" | sed -e "s/'/''/g")'
EOF
fi
if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
kubelet_auth_ca_cert: /var/lib/kubelet/kubelet_auth_ca.crt
EOF EOF
fi fi
} }
@ -755,11 +750,9 @@ current-context: service-account-context
EOF EOF
) )
fi fi
local -r kubelet_auth_ca_file="/srv/salt-overlay/salt/kubelet/kubelet_auth_ca.crt" local -r client_ca_file="/srv/salt-overlay/salt/kubelet/ca.crt"
if [ ! -e "${kubelet_auth_ca_file}" ] && [[ ! -z "${KUBELET_AUTH_CA_CERT:-}" ]]; then
(umask 077; (umask 077;
echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "${kubelet_auth_ca_file}") echo "${KUBELET_CA_CERT}" | base64 --decode > "${client_ca_file}")
fi
} }
# This should happen both on cluster initialization and node upgrades. # This should happen both on cluster initialization and node upgrades.

19
cluster/gce/gci/configure-helper.sh
View File

@ -369,12 +369,7 @@ contexts:
name: service-account-context name: service-account-context
current-context: service-account-context current-context: service-account-context
EOF EOF
} echo "${KUBELET_CA_CERT}" | base64 -d > /var/lib/kubelet/ca.crt
function create-kubelet-auth-ca {
if [[ -n "${KUBELET_AUTH_CA_CERT:-}" ]]; then
echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "/var/lib/kubelet/kubelet_auth_ca.crt"
fi
} }
# Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY # Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY
@ -388,7 +383,6 @@ function create-master-kubelet-auth {
REGISTER_MASTER_KUBELET="true" REGISTER_MASTER_KUBELET="true"
create-kubelet-kubeconfig create-kubelet-kubeconfig
fi fi
} }
function create-kubeproxy-kubeconfig { function create-kubeproxy-kubeconfig {
@ -582,9 +576,7 @@ function start-kubelet {
[[ "${HAIRPIN_MODE:-}" == "none" ]]; then [[ "${HAIRPIN_MODE:-}" == "none" ]]; then
flags+=" --hairpin-mode=${HAIRPIN_MODE}" flags+=" --hairpin-mode=${HAIRPIN_MODE}"
fi fi
if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then flags+=" --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt"
flags+=" --anonymous-auth=false --client-ca-file=/var/lib/kubelet/kubelet_auth_ca.crt"
fi
fi fi
# Network plugin # Network plugin
if [[ -n "${NETWORK_PROVIDER:-}" ]]; then if [[ -n "${NETWORK_PROVIDER:-}" ]]; then
@ -837,8 +829,10 @@ function start-kube-apiserver {
params+=" --secure-port=443" params+=" --secure-port=443"
params+=" --tls-cert-file=/etc/srv/kubernetes/server.cert" params+=" --tls-cert-file=/etc/srv/kubernetes/server.cert"
params+=" --tls-private-key-file=/etc/srv/kubernetes/server.key" params+=" --tls-private-key-file=/etc/srv/kubernetes/server.key"
if [[ -e /etc/srv/kubernetes/kubeapiserver.cert ]] && [[ -e /etc/srv/kubernetes/kubeapiserver.key ]]; then
params+=" --kubelet-client-certificate=/etc/srv/kubernetes/kubeapiserver.cert" params+=" --kubelet-client-certificate=/etc/srv/kubernetes/kubeapiserver.cert"
params+=" --kubelet-client-key=/etc/srv/kubernetes/kubeapiserver.key" params+=" --kubelet-client-key=/etc/srv/kubernetes/kubeapiserver.key"
fi
params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv" params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv"
if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv" params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv"
@ -1107,9 +1101,13 @@ function start-kube-addons {
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty" local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
local -r dst_dir="/etc/kubernetes/addons" local -r dst_dir="/etc/kubernetes/addons"
# TODO(mikedanese): only enable these in e2e
# prep the additional bindings that are particular to e2e users and groups # prep the additional bindings that are particular to e2e users and groups
setup-addon-manifests "addons" "e2e-rbac-bindings" setup-addon-manifests "addons" "e2e-rbac-bindings"
# prep addition kube-up specific rbac objects
setup-addon-manifests "addons" "rbac"
# Set up manifests of other addons. # Set up manifests of other addons.
if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \ if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "google" ]] || \ [[ "${ENABLE_CLUSTER_MONITORING:-}" == "google" ]] || \
@ -1353,7 +1351,6 @@ if [[ "${KUBERNETES_MASTER:-}" == "true" ]]; then
create-master-etcd-auth create-master-etcd-auth
else else
create-kubelet-kubeconfig create-kubelet-kubeconfig
create-kubelet-auth-ca
create-kubeproxy-kubeconfig create-kubeproxy-kubeconfig
fi fi

3
cluster/gce/upgrade.sh
View File

@ -233,9 +233,6 @@ function prepare-node-upgrade() {
KUBELET_CERT_BASE64=$(get-env-val "${node_env}" "KUBELET_CERT") KUBELET_CERT_BASE64=$(get-env-val "${node_env}" "KUBELET_CERT")
KUBELET_KEY_BASE64=$(get-env-val "${node_env}" "KUBELET_KEY") KUBELET_KEY_BASE64=$(get-env-val "${node_env}" "KUBELET_KEY")
local master_env=$(get-master-env)
KUBELET_AUTH_CA_CERT_BASE64=$(get-env-val "${master_env}" "KUBELET_AUTH_CA_CERT")
# TODO(zmerlynn): How do we ensure kube-env is written in a ${version}- # TODO(zmerlynn): How do we ensure kube-env is written in a ${version}-
# compatible way? # compatible way?
write-node-env write-node-env

7
cluster/saltbase/salt/kubelet/default
View File

@ -188,10 +188,7 @@
{% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %} {% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %}
{% endif -%} {% endif -%}
{% set kubelet_auth_ca_cert = "" %} {% set kubelet_auth = "--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt" %}
{% if pillar['kubelet_auth_ca_cert'] is defined -%}
{% set kubelet_auth_ca_cert="--anonymous-auth=false --client-ca-file=" + pillar['kubelet_auth_ca_cert'] %}
{% endif -%}
# test_args has to be kept at the end, so they'll overwrite any prior configuration # test_args has to be kept at the end, so they'll overwrite any prior configuration
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth_ca_cert}} {{feature_gates}} {{test_args}}" DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth}} {{feature_gates}} {{test_args}}"

12
cluster/saltbase/salt/kubelet/init.sls
View File

@ -31,15 +31,13 @@
- mode: 400 - mode: 400
- makedirs: true - makedirs: true
{% if pillar['kubelet_auth_ca_cert'] is defined %} /var/lib/kubelet/ca.crt:
/var/lib/kubelet/kubelet_auth_ca.crt:
file.managed: file.managed:
- source: salt://kubelet/kubelet_auth_ca.crt - source: salt://kubelet/ca.crt
- user: root - user: root
- group: root - group: root
- mode: 400 - mode: 400
- makedirs: true - makedirs: true
{% endif %}
{% if pillar.get('is_systemd') %} {% if pillar.get('is_systemd') %}
@ -61,7 +59,7 @@ fix-service-kubelet:
- file: {{ pillar.get('systemd_system_path') }}/kubelet.service - file: {{ pillar.get('systemd_system_path') }}/kubelet.service
- file: {{ environment_file }} - file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig - file: /var/lib/kubelet/kubeconfig
- file: /var/lib/kubelet/kubelet_auth_ca.crt - file: /var/lib/kubelet/ca.crt
{% else %} {% else %}
@ -89,9 +87,7 @@ kubelet:
{% endif %} {% endif %}
- file: {{ environment_file }} - file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig - file: /var/lib/kubelet/kubeconfig
{% if pillar['kubelet_auth_ca_cert'] is defined %} - file: /var/lib/kubelet/ca.crt
- file: /var/lib/kubelet/kubelet_auth_ca.crt
{% endif %}
{% if pillar.get('is_systemd') %} {% if pillar.get('is_systemd') %}
- provider: - provider:
- service: systemd - service: systemd

1
hack/verify-flags/exceptions.txt
View File

@ -14,6 +14,7 @@ cluster/gce/configure-vm.sh: cloud_config: ${CLOUD_CONFIG}
cluster/gce/configure-vm.sh: env-to-grains "feature_gates" cluster/gce/configure-vm.sh: env-to-grains "feature_gates"
cluster/gce/configure-vm.sh: env-to-grains "runtime_config" cluster/gce/configure-vm.sh: env-to-grains "runtime_config"
cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}' cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}'
cluster/gce/configure-vm.sh: local -r client_ca_file="/srv/salt-overlay/salt/kubelet/ca.crt"
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC" cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC"
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook" cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook"
cluster/gce/container-linux/configure-helper.sh: grep -o "{{ *pillar\.get('storage_backend', '\(.*\)') *}}" | \ cluster/gce/container-linux/configure-helper.sh: grep -o "{{ *pillar\.get('storage_backend', '\(.*\)') *}}" | \