Automatic merge from submit-queue
kubeadm: Move some code from apiclient.go to the dedicated apiconfig phase
**What this PR does / why we need it**:
Add constants and somewhat refactor the RBAC code as well + some cleanup.
I'm planning to rewrite the code in `setupmaster.go` later, but this PR has only the move of the code for easier reviewing.
**Special notes for your reviewer**:
This is broken out from: https://github.com/kubernetes/kubernetes/pull/40556
**Release note**:
```release-note
NONE
```
@mikedanese @pires @dmmcquay @dgoodwin
Automatic merge from submit-queue (batch tested with PRs 40707, 40698)
kubeadm: Default to control plane v1.6.0-alpha.1 and using RBAC
Also use constants for authz modes
**What this PR does / why we need it**:
Defaults to v1.6.0-alpha.1 (will be cut later today) because the certificates API group has been upgraded to beta, so `kubeadm join` at HEAD doesn't work on a `v1.5` cluster anyway.
By defaulting to v1.6.0-alpha.1, we can focus totally on v1.6 for kubeadm at HEAD, we don't support other versions in the upcoming v1.6 kubeadm release because of the alpha -> beta upgrades.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@mikedanese @pires
Automatic merge from submit-queue (batch tested with PRs 40392, 39242, 40579, 40628, 40713)
fixed bug #36988 -- kubeadm join crashes when using multiple API endpoints
**What this PR does / why we need it**:
Simple bug fix for #36988 (kubeadm crashes when trying to join nodes to a master with multiple API endpoints) -- stopChan was getting closed multiple times, once per endpoint. Moved the close into the once.Do(...)
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
fixes#36988
**Special notes for your reviewer**:
this is my first kubernetes commit, just getting familiar with the process, so any/all feedback is appreciated
**Release note**:
Automatic merge from submit-queue (batch tested with PRs 38443, 40145, 40701, 40682)
Move kubeadm etcd SELinux options from container to pod.
**What this PR does / why we need it**:
Works around a bug that surfaces in Docker 1.12+ related to the pause
container's namespace and selinux labels being transferred to the etcd
container when it runs.
At present it appears that applying selinux options to a container may
be broken, or perhaps shouldn't be supported at all. Moving these to the
pod causes all containers (including pause) to run with the correct
labels.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Related to and partial fix for https://github.com/kubernetes/kubeadm/issues/107
This is one of several selinux related fixes in flight for upcoming releases, and newer versions of Docker. To successfully run kubeadm with selinux enforcing right now would like require a recent container-selinux build as uncovered in https://github.com/kubernetes/kubeadm/issues/107, a bugfix for the format labels in #40179, and finally this fix.
**Release note**:
```release-note
Fixed an SELinux issue in kubeadm on Docker 1.12+ by moving etcd SELinux options from container to pod.
```
Works around a bug that surfaces in Docker 1.12+ related to the pause
container's namespace and selinux labels being transferred to the etcd
container when it runs.
At present it appears that applying selinux options to a container may
be broken, or perhaps shouldn't be supported at all. Moving these to the
pod causes all containers (including pause) to run with the correct
labels.
Automatic merge from submit-queue (batch tested with PRs 40132, 39302, 40194, 40619, 40601)
fix error message in TestGetAddonImage
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
**What this PR does / why we need it**:
1. fix incorrect error message in TestGetAddonImage
2. rename some variables to make them more reasonable
Automatic merge from submit-queue (batch tested with PRs 40132, 39302, 40194, 40619, 40601)
fix nil check and typos
**What this PR does / why we need it**:
1. nil error should be checked before defer statement.
2. fix some typos.
Signed-off-by: bruceauyeung ouyang.qinhua@zte.com.cn
Automatic merge from submit-queue
add test tokens for TestValidateToken
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
**What this PR does / why we need it**:
1. add invalid tokens which token ID and token secret contain special characters such as `*`
2. add valid tokens which token ID and token secret contain mixed lowercase characters and numeric numbers
Automatic merge from submit-queue
fix incorrect parameter passing
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn>
**What this PR does / why we need it**:
1. fix incorrect parameter passing when creating error
2. fix ineffectual assignment to err variable.
Automatic merge from submit-queue (batch tested with PRs 39538, 40188, 40357, 38214, 40195)
genericapiserver: cut off more dependencies – episode 2
Compare commit subjects.
approved based on #40363
Automatic merge from submit-queue
Wait for the self-hosted control plane during kubeadm init.
**What this PR does / why we need it**:
Currently we are completing kubeadm init while the scheduler and
controller manager are likely still not yet up. In some cases if they
will fail, they won't ever come up.
Instead wait until each pod enters running state before exiting kubeadm.
**Release note**:
```release-note
NONE
```
Currently we are completing kubeadm init while the scheduler and
controller manager are likely still not yet up. In some cases if they
will fail, they won't ever come up.
Instead wait until each pod enters running state before exiting kubeadm.
Automatic merge from submit-queue (batch tested with PRs 40303, 40316)
kubeadm: Fix up the apiserver kubelet client cert
**What this PR does / why we need it**:
I didn't notice that the apiserver serving cert was _only_ a server cert, not both a server and client cert in https://github.com/kubernetes/kubernetes/pull/40292.
This PR fixes that misconception and generates a dedicated client cert for apiserver -> kubelet communication and harmonizes the `ca.crt` path to `/etc/kubernetes/pki/ca.crt` on both master and node.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
```console
$ systemctl cat kubelet
# /lib/systemd/system/kubelet.service
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=http://kubernetes.io/docs/
[Service]
ExecStart=/usr/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10
[Install]
WantedBy=multi-user.target
# /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--kubeconfig=/etc/kubernetes/kubelet.conf **--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt** --require-kubeconfig=true"
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_EXTRA_ARGS
$ curl -k https://localhost:10250/containerLogs/kube-system/weave-net-arm64-4t2xv/weave
Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy)
$ curl --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key -k https://localhost:10250/containerLogs/kube-system/weave-net-arm64-4t2xv/weave
[Works!!]
```
**Release note**:
```release-note
NONE
```
@liggitt @deads2k
Automatic merge from submit-queue
make client-go tools/auth and tools/clientcmd authoritative
These moved easily. Pure mechanical. I'll have a couple snip pulls for some of the more complicated packages. `pkg/util/homedir` was a transitive that moved with. It was only used in `kubectl` and you'd need it to be consistent with `clientcmd` loading order.
@sttts
Automatic merge from submit-queue (batch tested with PRs 38445, 40292)
kubeadm: Secure apiserver -> kubelet communication and set storage backend to etcd3
**What this PR does / why we need it**:
Switch storage backend to etcd3
Writes ca.crt down to disk so we can set `--client-ca-file=/etc/kubernetes/ca.crt` for the kubelet.
Adds --kubelet-client-{certificate,key} to the apiserver args and make it allowed to access the kubelets
In some cases the `path` dependency is switched to `filepath`
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*:
fixes https://github.com/kubernetes/kubeadm/issues/118
fixes https://github.com/kubernetes/kubeadm/issues/129
**Special notes for your reviewer**:
This PR is should make it possible to secure the apiserver -> kubelet communication.
**Release note**:
```release-note
NONE
```
@pires @mikedanese @andrewrynhard @liggitt @deads2k
Automatic merge from submit-queue (batch tested with PRs 40187, 40231, 40152)
Update client/server cert generation utilities
Limit generated cert usage to client or server use.
Automatic merge from submit-queue (batch tested with PRs 37228, 40146, 40075, 38789, 40189)
Cleanup temp dirs
So funny story my /tmp ran out of space running the unit tests so I am cleaning up all the temp dirs we create.
Automatic merge from submit-queue (batch tested with PRs 37228, 40146, 40075, 38789, 40189)
kubeadm: add optional self-hosted deployment
**What this PR does / why we need it**: add an optional self-hosted deployment type to `kubeadm`, for master components only, namely `apiserver`, `controller-manager` and `scheduler`.
**Which issue this PR fixes**: closes#38407
**Special notes for your reviewer**: /cc @aaronlevy @luxas @dgoodwin
**Release note**:
```release-note
kubeadm: add optional self-hosted deployment for apiserver, controller-manager and scheduler.
```
Kubernetes Submit Queue