1. 11 Aug, 2017 22 commits
  2. 10 Aug, 2017 18 commits
    • Kubernetes Submit Queue's avatar
      Merge pull request #50468 from monopole/changeNameDuh · f557e0f7
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue
      
      Fix my incorrect username
      
      My mistake - used goog username rather than github.
      
      Again, this is for kubectl extraction, currently blocked by need for many approvers in, e.g. #48580 #48581 #47011, etc.
      f557e0f7
    • Kubernetes Submit Queue's avatar
      Merge pull request #49520 from mattmoyer/bootstrap-pinning · b42a7b30
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue
      
      kubeadm: enhanced TLS validation for token-based discovery in `kubeadm join`
      
      **What this PR does / why we need it**:
      This PR implements enhanced TLS validation for `kubeadm join` when using token-based TLS discovery. Without this enhancement, `kubeadm join` has some less-than-ideal security properties. Specifically, in the case where a bootstrap token is compromised, the attacker can impersonate the API server to newly bootstrapping clients ([more discussion in the design proposal](https://docs.google.com/document/d/1SP4P7LJWSA8vUXj27UvKdVEdhpo5Fp0QHNo4TXvLQbw/edit?ts=5971498a)).
      
      The gist of this enhancement is to support public key pinning in the style of [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4). When bootstrapping, `kubeadm` can now be configured with a whitelist of root CA public keys. It can then validate that the cluster it connects to is operated by the owner of one of those public keys.
      
      These public key hashes are short enough that the entire `kubeadm join` command can still be copy-pasted relatively easily (not as easily as before, but ~160 characters). Using a public key hash rather than a hash over the entire certificate allows certificates to be reissued with updated expirations without invalidating existing key pins.
      
      This change adds two new command line flags (and associated config parameters):
       - **`--discovery-token-ca-cert-hash sha256:<hash>`:**
         Validates that the cluster root CA has a public key fingerprint that matches one of the specified values. If this flag is not passed when token-based discovery is being used, a warning is printed. This warning will become an error in 1.9.
       - **`--discovery-token-unsafe-skip-ca-verification`:**
          Disables the warning message when no keys are pinned. In 1.9, this flag will be required _unless_ `--discovery-token-unsafe-skip-ca-verification` is used.
      
      This is fully backwards compatible and client side (kubeadm) only. It will be a breaking change when the flag becomes required in v1.9.
      
      This validation is done after and in addition to the existing bootstrap token signing/MAC mechanism.
      
      #### Example from `kubeadm init`:
      ```
      $ kubeadm init
      [...]
      
      You can now join any number of machines by running the following on each node
      as root:
      
        kubeadm join --token a66ae0.1f8a5ed9a210e187 192.168.42.10:6443 --discovery-token-ca-cert-hash sha256:547c102383c0f26387b961b4e9b8f842dc07c074c8316f238dbcf5563fc3ac35
      ```
      
      #### Example from `kubeadm join`:
      ```
      $ kubeadm join --token a66ae0.1f8a5ed9a210e187 192.168.42.10:6443 --discovery-token-ca-cert-hash sha256:547c102383c0f26387b961b4e9b8f842dc07c074c8316f238dbcf5563fc3ac35
      [kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
      [preflight] Running pre-flight checks
      [discovery] Trying to connect to API Server "192.168.42.10:6443"
      [discovery] Created cluster-info discovery client, requesting info from "https://192.168.42.10:6443"
      [discovery] Requesting info from "https://192.168.42.10:6443" again to validate TLS against the pinned public key
      [discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "192.168.42.10:6443"
      [discovery] Successfully established connection with API Server "192.168.42.10:6443"
      
      Node join complete:
      * Certificate signing request sent to master and response
        received.
      * Kubelet informed of new secure connection details.
      
      Run 'kubectl get nodes' on the master to see this machine join.
      ```
      
      **Which issue this PR fixes**:
      ref https://github.com/kubernetes/features/issues/130
      fixes: https://github.com/kubernetes/kubeadm/issues/365
      
      **Special notes for your reviewer**:
      This was proposed and discussed briefly by SIG-cluster-lifecycle and SIG-auth. The design proposal is [in Google Docs](https://docs.google.com/document/d/1SP4P7LJWSA8vUXj27UvKdVEdhpo5Fp0QHNo4TXvLQbw/edit?ts=5971498a).
      
      There is a documentation change needed to explain the security properties of `kubeadm join` with and without `--discovery-token-ca-cert-hash`. This page should be linked by to by the warning message when you don't pass either of the new flags (I have it pointing [here](https://kubernetes.io/docs/admin/kubeadm/#kubeadm-join) for now, which I think will be the right place). I will follow up with this documentation shortly.
      
      **Release note**:
      ```release-note
      kubeadm: added enhanced TLS validation for token-based discovery in `kubeadm join` using a new `--discovery-token-ca-cert-hash` flag.
      ```
      
      /cc @luxas @jbeda @ericchiang
      b42a7b30
    • Jeffrey Regan's avatar
      Fix my incorrect username in #46649 · bc3794b6
      Jeffrey Regan authored
      My mistake - used goog username rather than github.
      bc3794b6
    • ymqytw's avatar
      move logs to kubectl/util · d7659dff
      ymqytw authored
      d7659dff
    • Bobby (Babak) Salamat's avatar
      autogenerated files · 68926a22
      Bobby (Babak) Salamat authored
      68926a22
    • Bobby (Babak) Salamat's avatar
      Add a heap data store to client-go · 6cad5bbf
      Bobby (Babak) Salamat authored
      6cad5bbf
    • Matt Moyer's avatar
      kubeadm: generated deepcopy for `k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm`… · 358806e1
      Matt Moyer authored
      kubeadm: generated deepcopy for `k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm` and `k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1`.
      358806e1
    • Matt Moyer's avatar
      kubeadm: implement TLS discovery root CA pinning. · 1be639d6
      Matt Moyer authored
      This change adds the `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join` and corresponding fields on the kubeadm NodeConfiguration struct. These flags configure enhanced TLS validation for token-based discovery.
      
      The enhanced TLS validation works by pinning the public key hashes of the cluster CA. This is done by connecting to the `cluster-info` endpoint initially using an unvalidated/unsafe TLS connection. After the cluster info has been loaded, parsed, and validated with the existing symmetric signature/MAC scheme, the root CA is validated against the pinned public key set. A second request is made using validated/safe TLS using the newly-known CA and the result is validated to make sure the same `cluster-info` was returned from both requests.
      
      This validation prevents a class of attacks where a leaked bootstrap token (such as from a compromised worker node) allows an attacker to impersonate the API server.
      
      This change also update `kubeadm init` to print the correct `--discovery-token-ca-cert-hash` flag in the example `kubeadm join` command it prints at the end of initialization.
      1be639d6
    • Matt Moyer's avatar
      kubeadm: add pubkeypin package (public key pinning hash implementation). · 2dd359ba
      Matt Moyer authored
      This change adds a `k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin` package which implements x509 public key pinning in the style of RFC7469. This is the public key hash format used by the new `kubeadm join --discovery-token-ca-cert-hash` flag.
      
      Hashes are namespaced with a short type, with "sha256" being the only currently-supported format. Type "sha256" is a hex-encoded SHA-256 hash over the Subject Public Key Info (SPKI) object in DER-encoded ASN.1.
      2dd359ba
    • Yu-Ju Hong's avatar
      GCE: filter addresses by IP when listing · 58ea4e41
      Yu-Ju Hong authored
      Also move the function to gce_addresses.go so that metrics can be
      recorded for the call.
      58ea4e41
    • fangyuhao's avatar
      remove the duplicate address of glusterfs · cade629d
      fangyuhao authored
      cade629d
    • Kubernetes Submit Queue's avatar
      Merge pull request #50450 from aleksandra-malinowska/scalability-tests-clean · b86dd9af
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue
      
      Add Cluster Autoscaler scalability test suite
      
      This suite is intended for manually testing Cluster Autoscaler on large clusters. It isn't supposed to be run automatically (at least for now).
      
      It can be run on Kubemark (with #50440) with the following setup:
      - start Kubemark with NUM_NODES=1 (as we require there to be exactly 1 replica per hollow-node replication controller in this setup)
      - set kubemark-master machine type manually to appropriate type for the Kubemark cluster size. Maximum Kubemark cluster size reached in test run is defined by maxNodes constant, so for maxNodes=1000, please upgrade to n1-standard-32. Adjust if modifying maxNodes.
      - start Cluster Autoscaler pod in the external cluster using image built from version with Kubemark cloud provider (release pending)
      - for grabbing metrics from ClusterAutoscaler (with #50382), add "--include-cluster-autoscaler=true" parameter in addition to regular flags for gathering components' metrics/resource usage during e2e tests
      
      cc @bskiba
      b86dd9af
    • Kubernetes Submit Queue's avatar
      Merge pull request #49215 from rrati/aws-require-cluster-id · e9ab4897
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue
      
      Make ClusterID required for AWS.
      
      **What this PR does / why we need it**:
      Makes ClusterID required for AWS and provides a flag to run in un-tagged mode
      
      fixes #48954 
      
      
      **Release note**:
      ```release-note
      A cluster using the AWS cloud provider will need to label existing nodes and resources with a ClusterID or the kube-controller-manager will not start.  To run without a ClusterID pass --allow-untagged-cloud=true to the kube-controller-manager on startup.
      ```
      e9ab4897
    • mtanino's avatar
      Autogenerated files · 422ce036
      mtanino authored
      422ce036
    • Kubernetes Submit Queue's avatar
      Merge pull request #50440 from bskiba/kubemark_e2e_open · eb700d86
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue (batch tested with PRs 45186, 50440)
      
      Add functionality needed by Cluster Autoscaler to Kubemark Provider.
      
      Make adding nodes asynchronous. Add method for getting target
      size of node group. Add method for getting node group for node.
      Factor out some common code.
      
      **Release note**:
      ```
      NONE
      ```
      eb700d86
    • Kubernetes Submit Queue's avatar
      Merge pull request #45186 from cedriclam/bugfix/FederatedTestsRetryPortAllocation · 548469fe
      Kubernetes Submit Queue authored
      Automatic merge from submit-queue (batch tested with PRs 45186, 50440)
      
      Retry fed-svc creation on diff NodePort during e2e tests
      
      **What this PR does / why we need it**:
      Currently in federated end2end tests, the creation of services are
      done with a randomize NodePort selection take is causing e2e test
      flakes if the creation of a federated service failed if the port is
      not available.
      Now the util.CreateService(...) function is retrying to create the
      service on different nodePort in case of error. The method retry until
      success or all possible NodePorts have been tested and also failed.
      
      **Which issue this PR fixes** 
      fixes #44018
      548469fe
    • mtanino's avatar
      FC plugin: Support WWID for volume identifier · 03e28476
      mtanino authored
      This PR adds World Wide Identifier (WWID) parameter to
      FCVolumeSource as an unique volume identifier.
      
      fixes #48639
      03e28476
    • Jordan Liggitt's avatar
      Typedef visitor to document parameters · 2a28df44
      Jordan Liggitt authored
      2a28df44