Commit Graph

39 Commits (fa710e7e9bbcaab74a71b0a2234186ed6a7d39c1)

Author SHA1 Message Date
Jeff Grafton ef56a8d6bb Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
Kubernetes Submit Queue 4b41a54eda
Merge pull request #53895 from kad/kubeadm-proxy-transports
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kubeadm: Utilize transport defaults from API machinery for http calls inside kubeadm

**What this PR does / why we need it**:
Default Go HTTP transport does not allow to use CIDR notations in
NO_PROXY variables, thus for certain HTTP calls that is done inside
kubeadm user needs to put explicitly multiple IP addresses. For most of
calls done via API machinery it is get solved by setting different Proxy
resolver. This patch allows to use CIDR notations in NO_PROXY variables
for currently all other HTTP calls that is made inside kubeadm.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes/kubeadm#324

**Special notes for your reviewer**:
Based on discussion in #52788, replacing this patch replacing all calls inside kubeadm that are done via DefaultTransport to explicitly defined and initialized with API machinery defaults Transport and http client.

**Release note**:
```release-note
- kubeadm now supports CIDR notations in NO_PROXY environment variable
```
2018-01-19 16:48:06 -08:00
Kubernetes Submit Queue 77ac663df4
Merge pull request #57941 from stewart-yu/improveErrorMessages
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

improve error message for expired tokens

**What this PR does / why we need it**:
When you join a node with a expired tokens, you can get fuzz error messages: `[discovery] Failed to connect to API Server "<cluster-ip>:6443": there is no JWS signed token in the cluster-info ConfigMap. This token id "c33826" is invalid for this cluster, can't connect`, we should improve it.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes [https://github.com/kubernetes/kubeadm/issues/630](https://github.com/kubernetes/kubeadm/issues/630)

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-01-19 14:34:12 -08:00
Gavin f653d02b05 create auto-gen files 2018-01-17 16:23:03 +08:00
Gavin bb5e156aba Add generic Bootstrap Token constants and helpers to client-go 2018-01-17 16:22:37 +08:00
stewart-yu 528435f8dc improve error message for expired tokens 2018-01-17 09:54:06 +08:00
Jeff Grafton efee0704c6 Autogenerate BUILD files 2017-12-23 13:12:11 -08:00
Kai Chen 67cf959a1d Improve error messages and comments in KubeAdm. 2017-12-14 11:11:58 -08:00
Alexander Kanevskiy 4bd692a3bf kubeadm: Utilize transport defaults from API machinery for http calls
Default Go HTTP transport does not allow to use CIDR notations in
NO_PROXY variables, thus for certain HTTP calls that is done inside
kubeadm user needs to put explicitly multiple IP addresses. For most of
calls done via API machinery it is get solved by setting different Proxy
resolver. This patch allows to use CIDR notations in NO_PROXY variables
for currently all other HTTP calls that is made inside kubeadm.
2017-11-10 14:05:58 +02:00
Kubernetes Submit Queue 1d8f1e268f Merge pull request #47699 from supereagle/fix-typos
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix typos: remove duplicated word in comments

**What this PR does / why we need it**: Remove the duplicated word `the` in comments

**Which issue this PR fixes** : fixes #

**Special notes for your reviewer**:

```release-note
NONE
```
2017-10-17 02:35:52 -07:00
Jeff Grafton aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Serguei Bezverkhi 42bd500134 kubeadm golint clean up
Closes #375
2017-09-23 08:07:55 -04:00
supereagle 87c29a08e1 fix typos: remove duplicated word in comments 2017-09-16 14:38:10 +08:00
Jeff Grafton a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton 33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Matt Moyer 1be639d6b0 kubeadm: implement TLS discovery root CA pinning.
This change adds the `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join` and corresponding fields on the kubeadm NodeConfiguration struct. These flags configure enhanced TLS validation for token-based discovery.

The enhanced TLS validation works by pinning the public key hashes of the cluster CA. This is done by connecting to the `cluster-info` endpoint initially using an unvalidated/unsafe TLS connection. After the cluster info has been loaded, parsed, and validated with the existing symmetric signature/MAC scheme, the root CA is validated against the pinned public key set. A second request is made using validated/safe TLS using the newly-known CA and the result is validated to make sure the same `cluster-info` was returned from both requests.

This validation prevents a class of attacks where a leaked bootstrap token (such as from a compromised worker node) allows an attacker to impersonate the API server.

This change also update `kubeadm init` to print the correct `--discovery-token-ca-cert-hash` flag in the example `kubeadm join` command it prints at the end of initialization.
2017-08-10 11:39:25 -05:00
xufei 8ea31945be Fix comment of isHTTPSURL 2017-08-03 15:42:33 +08:00
Matt Moyer 1d9bc00b81 Begin polling for bootstrap cluster info immediately.
The previous behavior was to sleep for `constants.DiscoveryRetryInterval` (5 seconds) before the first request.
2017-07-10 15:40:33 -07:00
Chao Xu 60604f8818 run hack/update-all 2017-06-22 11:31:03 -07:00
Chao Xu f2d3220a11 run root-rewrite-import-client-go-api-types 2017-06-22 11:30:59 -07:00
Mike Danese a05c3c0efd autogenerated 2017-04-14 10:40:57 -07:00
Lucas Käldström 61a284d720
Hook up kubeadm against the BootstrapSigner/BootstrapTokenAuthenticator 2017-03-04 11:17:52 +02:00
Derek McQuay 1d37c6be49
kubeadm: join ux changes 2017-02-28 11:06:08 -08:00
Derek McQuay 389e065ebc
kubeadm: update token to use '.' in discovery pkg 2017-02-21 13:44:52 -08:00
Lucas Käldström 0f1124aff3
kubeadm: Aggregate the token functionality in sane packages.
- Factor out token constants to kubeadmconstants.
 - Move cmd/kubeadm/app/util/{,token/}tokens.go
 - Use the token-id, token-secret, etc constants provided by the bootstrapapi package
 - Move cmd/kubeadm/app/master/tokens.go to cmd/kubeadm/app/phases/token/csv.go

This refactor basically makes it possible to hook up kubeadm to the BootstrapSigner controller later on
2017-02-16 22:22:30 +02:00
Derek McQuay 9758a8f499
kubeadm: added unit tests for discovery pkg
raised test coverage from ~25% to ~71%
2017-02-13 19:53:24 -08:00
Derek McQuay 69dd248747 kubeadm: changed error passing to be more clear
updated flag error in discovery/https, discovery/token, and
discovery/file
2017-02-02 09:18:42 -08:00
deads2k 335ef747d6 mechanical 2017-01-23 10:03:55 -05:00
deads2k cdb2934bbc remove kubernetes copy of clientcmd types 2017-01-19 07:39:19 -05:00
Paulo Pires a34eacc2af
kubeadm: token must be validated before creation, deletion or usage.
Refs kubernetes/kubeadm#104
2017-01-16 19:25:07 +00:00
Paulo Pires 8a195b9a1b
kubeadm: refactored token discovery. 2017-01-11 01:09:34 +00:00
Kubernetes Submit Queue 41d7acc0f5 Merge pull request #39464 from apprenda/kubeadm_93-more_discovery
Automatic merge from submit-queue

Implemented file and HTTPS based discovery for kubeadm

**What this PR does / why we need it**:
This PR implements both file and HTTPS based discovery for `kubeadm`.

**Which issue this PR fixes**:
fixes https://github.com/kubernetes/kubeadm/issues/93
fixes https://github.com/kubernetes/kubeadm/issues/94

**Special notes for your reviewer**:
I'd like to add some tests but 'm sure `kubeconfig` loading is already covered by other tests in `clientcmd` package.

/cc @luxas @pipejakob
2017-01-06 05:42:02 -08:00
Paulo Pires c272bc56b1
kubeadm: flag token discovery pieces to be refactored. 2017-01-06 12:09:50 +00:00
Paulo Pires a519335303
kubeadm: added HTTPS discovery.
Fixes kubernetes/kubeadm#94
2017-01-06 12:08:34 +00:00
Paulo Pires 18370ba0c1
kubeadm: added file discovery.
Fixes kubernetes/kubeadm#93
2017-01-06 12:07:25 +00:00
Jeff Grafton 20d221f75c Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
Paulo Pires a6cdfdef4b
kubeadm: make sure URL is valid for token discovery. 2017-01-05 08:05:48 +00:00
Mike Danese 161c391f44 autogenerated 2016-12-29 13:04:10 -08:00
Mike Danese 690c7e578b kubeadm: refactor discovery behind an interface 2016-12-15 13:54:49 -08:00