Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
a590e5f2
Commit
a590e5f2
authored
Apr 22, 2015
by
Zach Loafman
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #7178 from GoogleCloudPlatform/revert-7113-kube-proxy-token
Revert "Added kube-proxy token."
parents
f12a5946
86468cd2
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
14 additions
and
32 deletions
+14
-32
create-dynamic-salt-files.sh
cluster/aws/templates/create-dynamic-salt-files.sh
+2
-7
configure-vm.sh
cluster/gce/configure-vm.sh
+6
-13
util.sh
cluster/gce/util.sh
+5
-8
provision-master.sh
cluster/vagrant/provision-master.sh
+1
-4
No files found.
cluster/aws/templates/create-dynamic-salt-files.sh
View file @
a590e5f2
...
@@ -40,19 +40,14 @@ mkdir -p /srv/salt-overlay/salt/nginx
...
@@ -40,19 +40,14 @@ mkdir -p /srv/salt-overlay/salt/nginx
echo
$MASTER_HTPASSWD
>
/srv/salt-overlay/salt/nginx/htpasswd
echo
$MASTER_HTPASSWD
>
/srv/salt-overlay/salt/nginx/htpasswd
# Generate and distribute a shared secret (bearer token) to
# Generate and distribute a shared secret (bearer token) to
# apiserver and
nodes so that kubelet/kube-proxy
can authenticate to
# apiserver and
kubelet so that kubelet
can authenticate to
# apiserver to send events.
# apiserver to send events.
# This works on CoreOS, so it should work on a lot of distros.
# This works on CoreOS, so it should work on a lot of distros.
kubelet_token
=
$(
cat
/dev/urandom |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2> /dev/null
)
kubelet_token
=
$(
cat
/dev/urandom |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2> /dev/null
)
# Same thing for kube-proxy.
kube_proxy_token
=
$(
cat
/dev/urandom |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2> /dev/null
)
# Make a list of tokens and usernames to be pushed to the apiserver
mkdir
-p
/srv/salt-overlay/salt/kube-apiserver
mkdir
-p
/srv/salt-overlay/salt/kube-apiserver
known_tokens_file
=
"/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
known_tokens_file
=
"/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
(
umask
u
=
rw,go
=
;
echo
""
>
$known_tokens_file
)
(
umask
u
=
rw,go
=
;
echo
"
$kubelet_token
,kubelet,kubelet"
>
$known_tokens_file
)
echo
"
$kubelet_token
,kubelet,kubelet"
>>
$known_tokens_file
;
echo
"
$kube_proxy_token
,kube_proxy,kube_proxy"
>>
$known_tokens_file
mkdir
-p
/srv/salt-overlay/salt/kubelet
mkdir
-p
/srv/salt-overlay/salt/kubelet
kubelet_auth_file
=
"/srv/salt-overlay/salt/kubelet/kubernetes_auth"
kubelet_auth_file
=
"/srv/salt-overlay/salt/kubelet/kubernetes_auth"
...
...
cluster/gce/configure-vm.sh
View file @
a590e5f2
...
@@ -73,23 +73,17 @@ for k,v in yaml.load(sys.stdin).iteritems():
...
@@ -73,23 +73,17 @@ for k,v in yaml.load(sys.stdin).iteritems():
fi
fi
}
}
function
ensure-kube-token
s
()
{
function
ensure-kube-token
()
{
# We bake the KUBELET_TOKEN in separately to avoid auth information
# We bake the KUBELET_TOKEN in separately to avoid auth information
# having to be re-communicated on kube-push. (Otherwise the client
# having to be re-communicated on kube-push. (Otherwise the client
# has to keep the bearer token around to handle generating a valid
# has to keep the bearer token around to handle generating a valid
# kube-env.)
# kube-env.)
if
[[
-z
"
${
KUBELET_TOKEN
:-}
"
]]
&&
[[
!
-e
"
${
KNOWN_TOKENS_FILE
}
"
]]
;
then
if
[[
-z
"
${
KUBELET_TOKEN
:-}
"
]]
&&
[[
!
-e
"
${
KNOWN_TOKENS_FILE
}
"
]]
;
then
until
KUBELET_TOKEN
=
$(
curl-metadata kube
let
-token
)
;
do
until
KUBELET_TOKEN
=
$(
curl-metadata kube-token
)
;
do
echo
'Waiting for metadata KUBELET_TOKEN...'
echo
'Waiting for metadata KUBELET_TOKEN...'
sleep
3
sleep
3
done
done
fi
fi
if
[[
-z
"
${
KUBE_PROXY_TOKEN
:-}
"
]]
&&
[[
!
-e
"
${
KNOWN_TOKENS_FILE
}
"
]]
;
then
until
KUBE_PROXY_TOKEN
=
$(
curl-metadata kube-proxy-token
)
;
do
echo
'Waiting for metadata KUBE_PROXY_TOKEN...'
sleep
3
done
fi
}
}
function
remove-docker-artifacts
()
{
function
remove-docker-artifacts
()
{
...
@@ -258,7 +252,7 @@ EOF
...
@@ -258,7 +252,7 @@ EOF
# This should only happen on cluster initialization. Uses
# This should only happen on cluster initialization. Uses
# MASTER_HTPASSWORD to generate the nginx/htpasswd file, and the
# MASTER_HTPASSWORD to generate the nginx/htpasswd file, and the
# KUBELET_TOKEN
and KUBE_PROXY_TOKEN
, to generate known_tokens.csv
# KUBELET_TOKEN
, plus /dev/urandom
, to generate known_tokens.csv
# (KNOWN_TOKENS_FILE). After the first boot and on upgrade, these
# (KNOWN_TOKENS_FILE). After the first boot and on upgrade, these
# files exist on the master-pd and should never be touched again
# files exist on the master-pd and should never be touched again
# (except perhaps an additional service account, see NB below.)
# (except perhaps an additional service account, see NB below.)
...
@@ -272,9 +266,8 @@ function create-salt-auth() {
...
@@ -272,9 +266,8 @@ function create-salt-auth() {
if
[
!
-e
"
${
KNOWN_TOKENS_FILE
}
"
]
;
then
if
[
!
-e
"
${
KNOWN_TOKENS_FILE
}
"
]
;
then
mkdir
-p
/srv/salt-overlay/salt/kube-apiserver
mkdir
-p
/srv/salt-overlay/salt/kube-apiserver
(
umask
077
;
echo
""
>
"
${
KNOWN_TOKENS_FILE
}
"
)
(
umask
077
;
echo
"
${
KUBELET_TOKEN
}
,kubelet,kubelet"
>>
"
${
KNOWN_TOKENS_FILE
}
"
echo
"
${
KUBELET_TOKEN
}
,kubelet,kubelet"
>
"
${
KNOWN_TOKENS_FILE
}
"
)
echo
"
${
KUBE_PROXY_TOKEN
}
,kube_proxy,kube_proxy"
>>
"
${
KNOWN_TOKENS_FILE
}
"
mkdir
-p
/srv/salt-overlay/salt/kubelet
mkdir
-p
/srv/salt-overlay/salt/kubelet
kubelet_auth_file
=
"/srv/salt-overlay/salt/kubelet/kubernetes_auth"
kubelet_auth_file
=
"/srv/salt-overlay/salt/kubelet/kubernetes_auth"
...
@@ -429,7 +422,7 @@ if [[ -z "${is_push}" ]]; then
...
@@ -429,7 +422,7 @@ if [[ -z "${is_push}" ]]; then
ensure-install-dir
ensure-install-dir
set-kube-env
set-kube-env
[[
"
${
KUBERNETES_MASTER
}
"
==
"true"
]]
&&
mount-master-pd
[[
"
${
KUBERNETES_MASTER
}
"
==
"true"
]]
&&
mount-master-pd
ensure-kube-token
s
ensure-kube-token
create-salt-pillar
create-salt-pillar
create-salt-auth
create-salt-auth
download-release
download-release
...
...
cluster/gce/util.sh
View file @
a590e5f2
...
@@ -594,12 +594,11 @@ function kube-up {
...
@@ -594,12 +594,11 @@ function kube-up {
--zone
"
${
ZONE
}
"
\
--zone
"
${
ZONE
}
"
\
--size
"10GB"
--size
"10GB"
# Generate a bearer token for
kubelets in this cluster. We push this
# Generate a bearer token for
this cluster. We push this separately
#
separately
from the other cluster variables so that the client (this
# from the other cluster variables so that the client (this
# computer) can forget it later. This should disappear with
# computer) can forget it later. This should disappear with
# https://github.com/GoogleCloudPlatform/kubernetes/issues/3168
# https://github.com/GoogleCloudPlatform/kubernetes/issues/3168
KUBELET_TOKEN
=
$(
dd
if
=
/dev/urandom
bs
=
128
count
=
1 2>/dev/null |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2>/dev/null
)
KUBELET_TOKEN
=
$(
dd
if
=
/dev/urandom
bs
=
128
count
=
1 2>/dev/null |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2>/dev/null
)
KUBE_PROXY_TOKEN
=
$(
dd
if
=
/dev/urandom
bs
=
128
count
=
1 2>/dev/null |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2>/dev/null
)
# Reserve the master's IP so that it can later be transferred to another VM
# Reserve the master's IP so that it can later be transferred to another VM
# without disrupting the kubelets. IPs are associated with regions, not zones,
# without disrupting the kubelets. IPs are associated with regions, not zones,
...
@@ -626,8 +625,7 @@ function kube-up {
...
@@ -626,8 +625,7 @@ function kube-up {
# Wait for last batch of jobs
# Wait for last batch of jobs
wait-for-jobs
wait-for-jobs
add-instance-metadata
"
${
MASTER_NAME
}
"
"kubelet-token=
${
KUBELET_TOKEN
}
"
add-instance-metadata
"
${
MASTER_NAME
}
"
"kube-token=
${
KUBELET_TOKEN
}
"
add-instance-metadata
"
${
MASTER_NAME
}
"
"kube-proxy-token=
${
KUBE_PROXY_TOKEN
}
"
echo
"Creating minions."
echo
"Creating minions."
...
@@ -642,8 +640,7 @@ function kube-up {
...
@@ -642,8 +640,7 @@ function kube-up {
create-node-template
"
${
NODE_INSTANCE_PREFIX
}
-template"
"
${
scope_flags
[*]
}
"
\
create-node-template
"
${
NODE_INSTANCE_PREFIX
}
-template"
"
${
scope_flags
[*]
}
"
\
"startup-script=
${
KUBE_ROOT
}
/cluster/gce/configure-vm.sh"
\
"startup-script=
${
KUBE_ROOT
}
/cluster/gce/configure-vm.sh"
\
"kube-env=
${
KUBE_TEMP
}
/node-kube-env.yaml"
\
"kube-env=
${
KUBE_TEMP
}
/node-kube-env.yaml"
\
"kubelet-token=
${
KUBELET_TOKEN
}
"
\
"kube-token=
${
KUBELET_TOKEN
}
"
"kube-proxy-token=
${
KUBE_PROXY_TOKEN
}
"
gcloud preview managed-instance-groups
--zone
"
${
ZONE
}
"
\
gcloud preview managed-instance-groups
--zone
"
${
ZONE
}
"
\
create
"
${
NODE_INSTANCE_PREFIX
}
-group"
\
create
"
${
NODE_INSTANCE_PREFIX
}
-group"
\
...
@@ -881,7 +878,7 @@ function kube-push {
...
@@ -881,7 +878,7 @@ function kube-push {
# TODO(zmerlynn): Re-create instance-template with the new
# TODO(zmerlynn): Re-create instance-template with the new
# node-kube-env. This isn't important until the node-ip-range issue
# node-kube-env. This isn't important until the node-ip-range issue
# is solved (because that's blocking automatic dynamic nodes from
# is solved (because that's blocking automatic dynamic nodes from
# working). The node-kube-env has to be composed with the kube
*
-token
# working). The node-kube-env has to be composed with the kube-token
# metadata. Ideally we would have
# metadata. Ideally we would have
# https://github.com/GoogleCloudPlatform/kubernetes/issues/3168
# https://github.com/GoogleCloudPlatform/kubernetes/issues/3168
# implemented before then, though, so avoiding this mess until then.
# implemented before then, though, so avoiding this mess until then.
...
...
cluster/vagrant/provision-master.sh
View file @
a590e5f2
...
@@ -137,13 +137,10 @@ EOF
...
@@ -137,13 +137,10 @@ EOF
known_tokens_file
=
"/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
known_tokens_file
=
"/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
if
[[
!
-f
"
${
known_tokens_file
}
"
]]
;
then
if
[[
!
-f
"
${
known_tokens_file
}
"
]]
;
then
kubelet_token
=
$(
cat
/dev/urandom |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2> /dev/null
)
kubelet_token
=
$(
cat
/dev/urandom |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2> /dev/null
)
kube_proxy_token
=
$(
cat
/dev/urandom |
base64
|
tr
-d
"=+/"
|
dd
bs
=
32
count
=
1 2> /dev/null
)
mkdir
-p
/srv/salt-overlay/salt/kube-apiserver
mkdir
-p
/srv/salt-overlay/salt/kube-apiserver
known_tokens_file
=
"/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
known_tokens_file
=
"/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
(
umask
u
=
rw,go
=
;
echo
""
>
$known_tokens_file
)
(
umask
u
=
rw,go
=
;
echo
"
$kubelet_token
,kubelet,kubelet"
>
$known_tokens_file
)
echo
"
$kubelet_token
,kubelet,kubelet"
>>
$known_tokens_file
echo
"
$kube_proxy_token
,kube-proxy,kube-proxy"
>>
$known_tokens_file
mkdir
-p
/srv/salt-overlay/salt/kubelet
mkdir
-p
/srv/salt-overlay/salt/kubelet
kubelet_auth_file
=
"/srv/salt-overlay/salt/kubelet/kubernetes_auth"
kubelet_auth_file
=
"/srv/salt-overlay/salt/kubelet/kubernetes_auth"
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment