Merge pull request #1418 from brendandburns/auth

Complete the mitm prevention on GCE.
Joe Beda 2014-09-24 09:30:23 -07:00
commit fd60599ad4
3 changed files with 25 additions and 9 deletions


@ -254,9 +254,25 @@ function kube-up {
echo echo
echo " https://${user}:${passwd}@${KUBE_MASTER_IP}" echo " https://${user}:${passwd}@${KUBE_MASTER_IP}"
echo echo
echo "Security note: The server above uses a self signed certificate. This is"
echo " subject to \"Man in the middle\" type attacks."
kube_cert=".kubecfg.crt"
kube_key=".kubecfg.key"
ca_cert=".kubernetes.ca.crt"
(umask 077 && gcutil pull "${MASTER_NAME}" /usr/share/nginx/kubecfg.crt "${HOME}/${kube_cert}" && chmod 0600 "${HOME}/${kube_cert}")
(umask 077 && gcutil pull "${MASTER_NAME}" /usr/share/nginx/kubecfg.key "${HOME}/${kube_key}" && chmod 0600 "${HOME}/${kube_key}")
(umask 077 && gcutil pull "${MASTER_NAME}" /usr/share/nginx/ca.crt "${HOME}/${ca_cert}" && chmod 0600 "${HOME}/${ca_cert}")
(umask 077 && \
cat << EOF > ~/.kubernetes_auth
{
"User": "$user",
"Password": "$passwd",
"CAFile": "$HOME/$ca_crt",
"CertFile": "$HOME/$kube_crt",
"KeyFile": "$HOME/$kube_key",
}
EOF && \
chmod 0600 ~/.kubernetes_auth)
} }
# Delete a kubernetes cluster # Delete a kubernetes cluster
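Review bot: The here-doc that writes ~/.kubernetes_auth references `$ca_crt` and `$kube_crt`, but the variables assigned a few lines above are `ca_cert` and `kube_cert`, so CAFile and CertFile will be written as a bare `$HOME/` and the client cannot verify the server with the CA that was just pulled, which undoes the MITM protection this change is meant to complete. The fix is to use the assigned names, `"CAFile": "$HOME/$ca_cert",` and `"CertFile": "$HOME/$kube_cert",`, and to drop the trailing comma after the KeyFile entry, which makes the file invalid JSON for strict parsers. The three `gcutil pull` subshells also discard their exit status, so a failed pull leaves the auth file pointing at files that do not exist; each should end in `|| exit 1` or be followed by an explicit `[[ -f "${HOME}/${ca_cert}" ]]` check. The enclosing `kube-up` function starts outside this hunk.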


@ -38,8 +38,8 @@ server {
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
location / { location / {
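Review bot: The new `ssl_protocols` line still enables SSLv3 alongside the added TLS versions, and since the cipher list is a preference order rather than a protocol restriction, a client that offers only SSLv3 will still negotiate it; consider `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` so the tightened cipher suite is not paired with a protocol that predates the AEAD suites it prefers. The `server` block this hunk belongs to starts outside the hunk.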


@ -39,9 +39,9 @@ cd easy-rsa-master/easyrsa3
./easyrsa --batch build-ca nopass > /dev/null 2>&1 ./easyrsa --batch build-ca nopass > /dev/null 2>&1
./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1 ./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1 ./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1
cp pki/issued/kubernetes-master.crt /usr/share/nginx/server.cert > /dev/null 2>&1 cp -p pki/issued/kubernetes-master.crt /usr/share/nginx/server.cert > /dev/null 2>&1
cp pki/private/kubernetes-master.key /usr/share/nginx/server.key > /dev/null 2>&1 cp -p pki/private/kubernetes-master.key /usr/share/nginx/server.key > /dev/null 2>&1
cp pki/ca.crt /usr/share/nginx/ca.crt cp -p pki/ca.crt /usr/share/nginx/ca.crt
cp pki/issued/kubecfg.crt /usr/share/nginx/kubecfg.crt cp -p pki/issued/kubecfg.crt /usr/share/nginx/kubecfg.crt
cp pki/private/kubecfg.key /usr/share/nginx/kubecfg.key cp -p pki/private/kubecfg.key /usr/share/nginx/kubecfg.key
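Review bot: Adding `-p` makes the mode of the copied server and client keys depend on whatever easyrsa created them with (presumably restrictive, but not established here), and the copies on the server.key line still redirect all output to /dev/null, so a failed or overly permissive copy of a private key goes unnoticed. I would follow the key copies with an explicit `chmod 0600 /usr/share/nginx/server.key /usr/share/nginx/kubecfg.key` and drop the `> /dev/null 2>&1` on the key copies so a failure surfaces, rather than relying on preserved permissions. The script continues outside this hunk.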