Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
c8ce55fe
Commit
c8ce55fe
authored
Feb 09, 2017
by
Mike Danese
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Revert "Merge pull request #41132 from kubernetes/revert-40893-kubelet-auth"
This reverts commit
fd560782
, reversing changes made to
d953402c
.
parent
2e005f5a
Hide whitespace changes
Inline
Side-by-side
Showing
9 changed files
with
61 additions
and
50 deletions
+61
-50
apiserver-node-proxy-binding.yaml
cluster/addons/rbac/apiserver-node-proxy-binding.yaml
+14
-0
node-proxy-role.yaml
cluster/addons/rbac/node-proxy-role.yaml
+23
-0
common.sh
cluster/common.sh
+4
-11
configure-vm.sh
cluster/gce/configure-vm.sh
+3
-10
configure-helper.sh
cluster/gce/gci/configure-helper.sh
+10
-13
upgrade.sh
cluster/gce/upgrade.sh
+0
-3
default
cluster/saltbase/salt/kubelet/default
+2
-5
init.sls
cluster/saltbase/salt/kubelet/init.sls
+4
-8
exceptions.txt
hack/verify-flags/exceptions.txt
+1
-0
No files found.
cluster/addons/rbac/apiserver-node-proxy-binding.yaml
0 → 100644
View file @
c8ce55fe
apiVersion
:
rbac.authorization.k8s.io/v1beta1
kind
:
ClusterRoleBinding
metadata
:
name
:
apiserver-node-proxy
labels
:
kubernetes.io/cluster-service
:
"
true"
roleRef
:
apiGroup
:
rbac.authorization.k8s.io
kind
:
ClusterRole
name
:
node-proxy
subjects
:
-
apiVersion
:
rbac/v1beta1
kind
:
User
name
:
kube-apiserver
cluster/addons/rbac/node-proxy-role.yaml
0 → 100644
View file @
c8ce55fe
apiVersion
:
rbac.authorization.k8s.io/v1beta1
kind
:
ClusterRole
metadata
:
name
:
node-proxy
labels
:
kubernetes.io/cluster-service
:
"
true"
rules
:
-
apiGroups
:
-
"
"
resources
:
-
nodes/proxy
verbs
:
-
create
-
get
-
apiGroups
:
-
"
"
resources
:
-
nodes/log
-
nodes/stats
-
nodes/metrics
-
nodes/spec
verbs
:
-
get
cluster/common.sh
View file @
c8ce55fe
...
...
@@ -585,7 +585,6 @@ function build-kube-master-certs {
cat
>
$file
<<
EOF
KUBEAPISERVER_CERT:
$(
yaml-quote
${
KUBEAPISERVER_CERT_BASE64
:-})
KUBEAPISERVER_KEY:
$(
yaml-quote
${
KUBEAPISERVER_KEY_BASE64
:-})
KUBELET_AUTH_CA_CERT:
$(
yaml-quote
${
KUBELET_AUTH_CA_CERT_BASE64
:-})
CA_KEY:
$(
yaml-quote
${
CA_KEY_BASE64
:-})
EOF
}
...
...
@@ -802,7 +801,6 @@ EOF
KUBERNETES_MASTER:
$(
yaml-quote
"false"
)
ZONE:
$(
yaml-quote
${
ZONE
})
EXTRA_DOCKER_OPTS:
$(
yaml-quote
${
EXTRA_DOCKER_OPTS
:-})
KUBELET_AUTH_CA_CERT:
$(
yaml-quote
${
KUBELET_AUTH_CA_CERT_BASE64
:-})
EOF
if
[
-n
"
${
KUBEPROXY_TEST_ARGS
:-}
"
]
;
then
cat
>>
$file
<<
EOF
...
...
@@ -970,9 +968,8 @@ function create-certs {
KUBELET_KEY_BASE64
=
$(
cat
"
${
CERT_DIR
}
/pki/private/kubelet.key"
|
base64
|
tr
-d
'\r\n'
)
KUBECFG_CERT_BASE64
=
$(
cat
"
${
CERT_DIR
}
/pki/issued/kubecfg.crt"
|
base64
|
tr
-d
'\r\n'
)
KUBECFG_KEY_BASE64
=
$(
cat
"
${
CERT_DIR
}
/pki/private/kubecfg.key"
|
base64
|
tr
-d
'\r\n'
)
KUBELET_AUTH_CA_CERT_BASE64
=
$(
cat
"
${
KUBE_TEMP
}
/easy-rsa-master/kubelet/pki/ca.crt"
|
base64
|
tr
-d
'\r\n'
)
KUBEAPISERVER_CERT_BASE64
=
$(
cat
"
${
KUBE_TEMP
}
/easy-rsa-master/kubelet/pki/issued/kube-apiserver.crt"
|
base64
|
tr
-d
'\r\n'
)
KUBEAPISERVER_KEY_BASE64
=
$(
cat
"
${
KUBE_TEMP
}
/easy-rsa-master/kubelet/pki/private/kube-apiserver.key"
|
base64
|
tr
-d
'\r\n'
)
KUBEAPISERVER_CERT_BASE64
=
$(
cat
"
${
CERT_DIR
}
/pki/issued/kube-apiserver.crt"
|
base64
|
tr
-d
'\r\n'
)
KUBEAPISERVER_KEY_BASE64
=
$(
cat
"
${
CERT_DIR
}
/pki/private/kube-apiserver.key"
|
base64
|
tr
-d
'\r\n'
)
}
# Runs the easy RSA commands to generate certificate files.
...
...
@@ -999,6 +996,7 @@ function generate-certs {
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key
./easyrsa
--batch
"--req-cn=
${
PRIMARY_CN
}
@
$(
date
+%s
)
"
build-ca nopass
./easyrsa
--subject-alt-name
=
"
${
SANS
}
"
build-server-full
"
${
MASTER_NAME
}
"
nopass
./easyrsa build-client-full kube-apiserver nopass
download-cfssl
...
...
@@ -1014,12 +1012,7 @@ function generate-certs {
./easyrsa
--dn-mode
=
org
\
--req-cn
=
kubecfg
--req-org
=
system:masters
\
--req-c
=
--req-st
=
--req-city
=
--req-email
=
--req-ou
=
\
build-client-full kubecfg nopass
cd
../kubelet
./easyrsa init-pki
./easyrsa
--batch
"--req-cn=kubelet@
$(
date
+%s
)
"
build-ca nopass
./easyrsa build-client-full kube-apiserver nopass
)
&>
${
cert_create_debug_output
}
||
{
build-client-full kubecfg nopass
)
&>
${
cert_create_debug_output
}
||
{
# If there was an error in the subshell, just die.
# TODO(roberthbailey): add better error handling here
cat
"
${
cert_create_debug_output
}
"
>
&2
...
...
cluster/gce/configure-vm.sh
View file @
c8ce55fe
...
...
@@ -632,11 +632,6 @@ EOF
scheduling_algorithm_provider: '
$(
echo
"
${
SCHEDULING_ALGORITHM_PROVIDER
}
"
|
sed
-e
"s/'/''/g"
)
'
EOF
fi
if
[
-n
"
${
KUBELET_AUTH_CA_CERT
:-}
"
]
;
then
cat
<<
EOF
>>/srv/salt-overlay/pillar/cluster-params.sls
kubelet_auth_ca_cert: /var/lib/kubelet/kubelet_auth_ca.crt
EOF
fi
}
# The job of this function is simple, but the basic regular expression syntax makes
...
...
@@ -755,11 +750,9 @@ current-context: service-account-context
EOF
)
fi
local
-r
kubelet_auth_ca_file
=
"/srv/salt-overlay/salt/kubelet/kubelet_auth_ca.crt"
if
[
!
-e
"
${
kubelet_auth_ca_file
}
"
]
&&
[[
!
-z
"
${
KUBELET_AUTH_CA_CERT
:-}
"
]]
;
then
(
umask
077
;
echo
"
${
KUBELET_AUTH_CA_CERT
}
"
|
base64
--decode
>
"
${
kubelet_auth_ca_file
}
"
)
fi
local
-r
client_ca_file
=
"/srv/salt-overlay/salt/kubelet/ca.crt"
(
umask
077
;
echo
"
${
KUBELET_CA_CERT
}
"
|
base64
--decode
>
"
${
client_ca_file
}
"
)
}
# This should happen both on cluster initialization and node upgrades.
...
...
cluster/gce/gci/configure-helper.sh
View file @
c8ce55fe
...
...
@@ -369,12 +369,7 @@ contexts:
name: service-account-context
current-context: service-account-context
EOF
}
function
create-kubelet-auth-ca
{
if
[[
-n
"
${
KUBELET_AUTH_CA_CERT
:-}
"
]]
;
then
echo
"
${
KUBELET_AUTH_CA_CERT
}
"
|
base64
--decode
>
"/var/lib/kubelet/kubelet_auth_ca.crt"
fi
echo
"
${
KUBELET_CA_CERT
}
"
|
base64
-d
>
/var/lib/kubelet/ca.crt
}
# Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY
...
...
@@ -388,7 +383,6 @@ function create-master-kubelet-auth {
REGISTER_MASTER_KUBELET
=
"true"
create-kubelet-kubeconfig
fi
}
function
create-kubeproxy-kubeconfig
{
...
...
@@ -582,9 +576,7 @@ function start-kubelet {
[[
"
${
HAIRPIN_MODE
:-}
"
==
"none"
]]
;
then
flags+
=
" --hairpin-mode=
${
HAIRPIN_MODE
}
"
fi
if
[
-n
"
${
KUBELET_AUTH_CA_CERT
:-}
"
]
;
then
flags+
=
" --anonymous-auth=false --client-ca-file=/var/lib/kubelet/kubelet_auth_ca.crt"
fi
flags+
=
" --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt"
fi
# Network plugin
if
[[
-n
"
${
NETWORK_PROVIDER
:-}
"
]]
;
then
...
...
@@ -837,8 +829,10 @@ function start-kube-apiserver {
params+
=
" --secure-port=443"
params+
=
" --tls-cert-file=/etc/srv/kubernetes/server.cert"
params+
=
" --tls-private-key-file=/etc/srv/kubernetes/server.key"
params+
=
" --kubelet-client-certificate=/etc/srv/kubernetes/kubeapiserver.cert"
params+
=
" --kubelet-client-key=/etc/srv/kubernetes/kubeapiserver.key"
if
[[
-e
/etc/srv/kubernetes/kubeapiserver.cert
]]
&&
[[
-e
/etc/srv/kubernetes/kubeapiserver.key
]]
;
then
params+
=
" --kubelet-client-certificate=/etc/srv/kubernetes/kubeapiserver.cert"
params+
=
" --kubelet-client-key=/etc/srv/kubernetes/kubeapiserver.key"
fi
params+
=
" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv"
if
[[
-n
"
${
KUBE_PASSWORD
:-}
"
&&
-n
"
${
KUBE_USER
:-}
"
]]
;
then
params+
=
" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv"
...
...
@@ -1107,9 +1101,13 @@ function start-kube-addons {
local
-r
src_dir
=
"
${
KUBE_HOME
}
/kube-manifests/kubernetes/gci-trusty"
local
-r
dst_dir
=
"/etc/kubernetes/addons"
# TODO(mikedanese): only enable these in e2e
# prep the additional bindings that are particular to e2e users and groups
setup-addon-manifests
"addons"
"e2e-rbac-bindings"
# prep addition kube-up specific rbac objects
setup-addon-manifests
"addons"
"rbac"
# Set up manifests of other addons.
if
[[
"
${
ENABLE_CLUSTER_MONITORING
:-}
"
==
"influxdb"
]]
||
\
[[
"
${
ENABLE_CLUSTER_MONITORING
:-}
"
==
"google"
]]
||
\
...
...
@@ -1353,7 +1351,6 @@ if [[ "${KUBERNETES_MASTER:-}" == "true" ]]; then
create-master-etcd-auth
else
create-kubelet-kubeconfig
create-kubelet-auth-ca
create-kubeproxy-kubeconfig
fi
...
...
cluster/gce/upgrade.sh
View file @
c8ce55fe
...
...
@@ -233,9 +233,6 @@ function prepare-node-upgrade() {
KUBELET_CERT_BASE64
=
$(
get-env-val
"
${
node_env
}
"
"KUBELET_CERT"
)
KUBELET_KEY_BASE64
=
$(
get-env-val
"
${
node_env
}
"
"KUBELET_KEY"
)
local
master_env
=
$(
get-master-env
)
KUBELET_AUTH_CA_CERT_BASE64
=
$(
get-env-val
"
${
master_env
}
"
"KUBELET_AUTH_CA_CERT"
)
# TODO(zmerlynn): How do we ensure kube-env is written in a ${version}-
# compatible way?
write-node-env
...
...
cluster/saltbase/salt/kubelet/default
View file @
c8ce55fe
...
...
@@ -188,10 +188,7 @@
{% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %}
{% endif -%}
{% set kubelet_auth_ca_cert = "" %}
{% if pillar['kubelet_auth_ca_cert'] is defined -%}
{% set kubelet_auth_ca_cert="--anonymous-auth=false --client-ca-file=" + pillar['kubelet_auth_ca_cert'] %}
{% endif -%}
{% set kubelet_auth = "--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt" %}
# test_args has to be kept at the end, so they'll overwrite any prior configuration
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth
_ca_cert
}} {{feature_gates}} {{test_args}}"
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth}} {{feature_gates}} {{test_args}}"
cluster/saltbase/salt/kubelet/init.sls
View file @
c8ce55fe
...
...
@@ -31,15 +31,13 @@
- mode: 400
- makedirs: true
{% if pillar['kubelet_auth_ca_cert'] is defined %}
/var/lib/kubelet/kubelet_auth_ca.crt:
/var/lib/kubelet/ca.crt:
file.managed:
- source: salt://kubelet/
kubelet_auth_
ca.crt
- source: salt://kubelet/ca.crt
- user: root
- group: root
- mode: 400
- makedirs: true
{% endif %}
{% if pillar.get('is_systemd') %}
...
...
@@ -61,7 +59,7 @@ fix-service-kubelet:
- file: {{ pillar.get('systemd_system_path') }}/kubelet.service
- file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig
- file: /var/lib/kubelet/
kubelet_auth_
ca.crt
- file: /var/lib/kubelet/ca.crt
{% else %}
...
...
@@ -89,9 +87,7 @@ kubelet:
{% endif %}
- file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig
{% if pillar['kubelet_auth_ca_cert'] is defined %}
- file: /var/lib/kubelet/kubelet_auth_ca.crt
{% endif %}
- file: /var/lib/kubelet/ca.crt
{% if pillar.get('is_systemd') %}
- provider:
- service: systemd
...
...
hack/verify-flags/exceptions.txt
View file @
c8ce55fe
...
...
@@ -14,6 +14,7 @@ cluster/gce/configure-vm.sh: cloud_config: ${CLOUD_CONFIG}
cluster/gce/configure-vm.sh: env-to-grains "feature_gates"
cluster/gce/configure-vm.sh: env-to-grains "runtime_config"
cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}'
cluster/gce/configure-vm.sh: local -r client_ca_file="/srv/salt-overlay/salt/kubelet/ca.crt"
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC"
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook"
cluster/gce/container-linux/configure-helper.sh: grep -o "{{ *pillar\.get('storage_backend', '\(.*\)') *}}" | \
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment