Unverified Commit 16c31670 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #62352 from mikedanese/fixalpha3

Automatic merge from submit-queue (batch tested with PRs 62448, 59317, 59947, 62418, 62352). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kubelet: add configuration to optionally enable server tls bootstrap right now if the RotateKubeletServerCertificate feature is enabled, kubelet will bootstrap server tls. this is undesirable if the deployment is not or cannot run an approver to handle these certificate signing requests. Fixes https://github.com/kubernetes/kubernetes/issues/62077 ```release-note NONE ```
parents 9261a1ca 54f5f675
...@@ -187,6 +187,7 @@ var ( ...@@ -187,6 +187,7 @@ var (
"KubeReserved[*]", "KubeReserved[*]",
"KubeletCgroups", "KubeletCgroups",
"MakeIPTablesUtilChains", "MakeIPTablesUtilChains",
"ServerTLSBootstrap",
"StaticPodURL", "StaticPodURL",
"StaticPodURLHeader[*][*]", "StaticPodURLHeader[*][*]",
"MaxOpenFiles", "MaxOpenFiles",
......
...@@ -81,6 +81,12 @@ type KubeletConfiguration struct { ...@@ -81,6 +81,12 @@ type KubeletConfiguration struct {
// TLSMinVersion is the minimum TLS version supported. // TLSMinVersion is the minimum TLS version supported.
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
TLSMinVersion string TLSMinVersion string
// serverTLSBootstrap enables server certificate bootstrap. Instead of self
// signing a serving certificate, the Kubelet will request a certificate from
// the certificates.k8s.io API. This requires an approver to approve the
// certificate signing requests. The RotateKubeletServerCertificate feature
// must be enabled.
ServerTLSBootstrap bool
// authentication specifies how requests to the Kubelet's server are authenticated // authentication specifies how requests to the Kubelet's server are authenticated
Authentication KubeletAuthentication Authentication KubeletAuthentication
// authorization specifies how requests to the Kubelet's server are authorized // authorization specifies how requests to the Kubelet's server are authorized
......
...@@ -107,6 +107,13 @@ type KubeletConfiguration struct { ...@@ -107,6 +107,13 @@ type KubeletConfiguration struct {
// Default: "" // Default: ""
// +optional // +optional
TLSMinVersion string `json:"tlsMinVersion,omitempty"` TLSMinVersion string `json:"tlsMinVersion,omitempty"`
// serverTLSBootstrap enables server certificate bootstrap. Instead of self
// signing a serving certificate, the Kubelet will request a certificate from
// the certificates.k8s.io API. This requires an approver to approve the
// certificate signing requests. The RotateKubeletServerCertificate feature
// must be enabled.
// Default: false
ServerTLSBootstrap bool `json:"serverTLSBootstrap,omitempty"`
// authentication specifies how requests to the Kubelet's server are authenticated // authentication specifies how requests to the Kubelet's server are authenticated
// Defaults: // Defaults:
// anonymous: // anonymous:
......
...@@ -154,6 +154,7 @@ func autoConvert_v1beta1_KubeletConfiguration_To_kubeletconfig_KubeletConfigurat ...@@ -154,6 +154,7 @@ func autoConvert_v1beta1_KubeletConfiguration_To_kubeletconfig_KubeletConfigurat
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites)) out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
out.TLSMinVersion = in.TLSMinVersion out.TLSMinVersion = in.TLSMinVersion
out.ServerTLSBootstrap = in.ServerTLSBootstrap
if err := Convert_v1beta1_KubeletAuthentication_To_kubeletconfig_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil { if err := Convert_v1beta1_KubeletAuthentication_To_kubeletconfig_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
return err return err
} }
...@@ -275,6 +276,7 @@ func autoConvert_kubeletconfig_KubeletConfiguration_To_v1beta1_KubeletConfigurat ...@@ -275,6 +276,7 @@ func autoConvert_kubeletconfig_KubeletConfiguration_To_v1beta1_KubeletConfigurat
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites)) out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
out.TLSMinVersion = in.TLSMinVersion out.TLSMinVersion = in.TLSMinVersion
out.ServerTLSBootstrap = in.ServerTLSBootstrap
if err := Convert_kubeletconfig_KubeletAuthentication_To_v1beta1_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil { if err := Convert_kubeletconfig_KubeletAuthentication_To_v1beta1_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
return err return err
} }
......
...@@ -11,10 +11,12 @@ go_library( ...@@ -11,10 +11,12 @@ go_library(
srcs = ["validation.go"], srcs = ["validation.go"],
importpath = "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation", importpath = "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation",
deps = [ deps = [
"//pkg/features:go_default_library",
"//pkg/kubelet/apis/kubeletconfig:go_default_library", "//pkg/kubelet/apis/kubeletconfig:go_default_library",
"//pkg/kubelet/types:go_default_library", "//pkg/kubelet/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
], ],
) )
......
...@@ -21,6 +21,8 @@ import ( ...@@ -21,6 +21,8 @@ import (
utilerrors "k8s.io/apimachinery/pkg/util/errors" utilerrors "k8s.io/apimachinery/pkg/util/errors"
utilvalidation "k8s.io/apimachinery/pkg/util/validation" utilvalidation "k8s.io/apimachinery/pkg/util/validation"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig" "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types" kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
) )
...@@ -86,6 +88,9 @@ func ValidateKubeletConfiguration(kc *kubeletconfig.KubeletConfiguration) error ...@@ -86,6 +88,9 @@ func ValidateKubeletConfiguration(kc *kubeletconfig.KubeletConfiguration) error
if kc.RegistryPullQPS < 0 { if kc.RegistryPullQPS < 0 {
allErrors = append(allErrors, fmt.Errorf("invalid configuration: RegistryPullQPS (--registry-qps) %v must not be a negative number", kc.RegistryPullQPS)) allErrors = append(allErrors, fmt.Errorf("invalid configuration: RegistryPullQPS (--registry-qps) %v must not be a negative number", kc.RegistryPullQPS))
} }
if kc.ServerTLSBootstrap && !utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
allErrors = append(allErrors, fmt.Errorf("invalid configuration: ServerTLSBootstrap %v requires feature gate RotateKubeletServerCertificate", kc.ServerTLSBootstrap))
}
for _, val := range kc.EnforceNodeAllocatable { for _, val := range kc.EnforceNodeAllocatable {
switch val { switch val {
case kubetypes.NodeAllocatableEnforcementKey: case kubetypes.NodeAllocatableEnforcementKey:
......
...@@ -715,7 +715,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration, ...@@ -715,7 +715,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
klet.statusManager = status.NewManager(klet.kubeClient, klet.podManager, klet) klet.statusManager = status.NewManager(klet.kubeClient, klet.podManager, klet)
if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) && kubeDeps.TLSOptions != nil { if kubeCfg.ServerTLSBootstrap && kubeDeps.TLSOptions != nil && utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
var ( var (
ips []net.IP ips []net.IP
names []string names []string
...@@ -1241,8 +1241,8 @@ func (kl *Kubelet) initializeModules() error { ...@@ -1241,8 +1241,8 @@ func (kl *Kubelet) initializeModules() error {
// Start the image manager. // Start the image manager.
kl.imageManager.Start() kl.imageManager.Start()
// Start the certificate manager. // Start the certificate manager if it was enabled.
if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) { if kl.serverCertificateManager != nil {
kl.serverCertificateManager.Start() kl.serverCertificateManager.Start()
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment