fixes kubeadm 1221 to remove AuditPolicyConfiguration
Added conversion test and failure.
parent
7712766daf
commit
064f74b2e8
@ -30,7 +30,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
|
|||||||
return []interface{}{
|
return []interface{}{
|
||||||
fuzzInitConfiguration,
|
fuzzInitConfiguration,
|
||||||
fuzzClusterConfiguration,
|
fuzzClusterConfiguration,
|
||||||
fuzzAuditPolicyConfiguration,
|
|
||||||
fuzzComponentConfigs,
|
fuzzComponentConfigs,
|
||||||
fuzzNodeRegistration,
|
fuzzNodeRegistration,
|
||||||
fuzzDNS,
|
fuzzDNS,
|
||||||
@ -55,10 +54,6 @@ func fuzzInitConfiguration(obj *kubeadm.InitConfiguration, c fuzz.Continue) {
|
|||||||
Duration: constants.DefaultControlPlaneTimeout,
|
Duration: constants.DefaultControlPlaneTimeout,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
AuditPolicyConfiguration: kubeadm.AuditPolicyConfiguration{
|
|
||||||
LogDir: constants.StaticPodAuditPolicyLogDir,
|
|
||||||
LogMaxAge: &v1beta1.DefaultAuditPolicyLogMaxAge,
|
|
||||||
},
|
|
||||||
DNS: kubeadm.DNS{
|
DNS: kubeadm.DNS{
|
||||||
Type: kubeadm.CoreDNS,
|
Type: kubeadm.CoreDNS,
|
||||||
},
|
},
|
||||||
@ -118,14 +113,6 @@ func fuzzDNS(obj *kubeadm.DNS, c fuzz.Continue) {
|
|||||||
obj.Type = kubeadm.CoreDNS
|
obj.Type = kubeadm.CoreDNS
|
||||||
}
|
}
|
||||||
|
|
||||||
func fuzzAuditPolicyConfiguration(obj *kubeadm.AuditPolicyConfiguration, c fuzz.Continue) {
|
|
||||||
c.FuzzNoCustom(obj)
|
|
||||||
|
|
||||||
// Pinning values for fields that get defaults if fuzz value is empty string or nil (thus making the round trip test fail)
|
|
||||||
obj.LogDir = "foo"
|
|
||||||
obj.LogMaxAge = new(int32)
|
|
||||||
}
|
|
||||||
|
|
||||||
func fuzzComponentConfigs(obj *kubeadm.ComponentConfigs, c fuzz.Continue) {
|
func fuzzComponentConfigs(obj *kubeadm.ComponentConfigs, c fuzz.Continue) {
|
||||||
// This is intentionally empty because component config does not exists in the public api
|
// This is intentionally empty because component config does not exists in the public api
|
||||||
// (empty mean all ComponentConfigs fields nil, and this is necessary for getting roundtrip passing)
|
// (empty mean all ComponentConfigs fields nil, and this is necessary for getting roundtrip passing)
|
||||||
|
@ -115,9 +115,6 @@ type ClusterConfiguration struct {
|
|||||||
// UseHyperKubeImage controls if hyperkube should be used for Kubernetes components instead of their respective separate images
|
// UseHyperKubeImage controls if hyperkube should be used for Kubernetes components instead of their respective separate images
|
||||||
UseHyperKubeImage bool
|
UseHyperKubeImage bool
|
||||||
|
|
||||||
// AuditPolicyConfiguration defines the options for the api server audit system.
|
|
||||||
AuditPolicyConfiguration AuditPolicyConfiguration
|
|
||||||
|
|
||||||
// FeatureGates enabled by the user.
|
// FeatureGates enabled by the user.
|
||||||
FeatureGates map[string]bool
|
FeatureGates map[string]bool
|
||||||
|
|
||||||
@ -418,17 +415,6 @@ type HostPathMount struct {
|
|||||||
PathType v1.HostPathType
|
PathType v1.HostPathType
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuditPolicyConfiguration holds the options for configuring the api server audit policy.
|
|
||||||
type AuditPolicyConfiguration struct {
|
|
||||||
// Path is the local path to an audit policy.
|
|
||||||
Path string
|
|
||||||
// LogDir is the local path to the directory where logs should be stored.
|
|
||||||
LogDir string
|
|
||||||
// LogMaxAge is the number of days logs will be stored for. 0 indicates forever.
|
|
||||||
LogMaxAge *int32
|
|
||||||
//TODO(chuckha) add other options for audit policy.
|
|
||||||
}
|
|
||||||
|
|
||||||
// CommonConfiguration defines the list of common configuration elements and the getter
|
// CommonConfiguration defines the list of common configuration elements and the getter
|
||||||
// methods that must exist for both the InitConfiguration and JoinConfiguration objects.
|
// methods that must exist for both the InitConfiguration and JoinConfiguration objects.
|
||||||
// This is used internally to deduplicate the kubeadm preflight checks.
|
// This is used internally to deduplicate the kubeadm preflight checks.
|
||||||
|
@ -129,6 +129,10 @@ func Convert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration(in *C
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(in.AuditPolicyConfiguration.Path) > 0 {
|
||||||
|
return errors.New("AuditPolicyConfiguration has been removed from ClusterConfiguration. Please cleanup ClusterConfiguration.AuditPolicyConfiguration fields")
|
||||||
|
}
|
||||||
|
|
||||||
out.APIServer.ExtraArgs = in.APIServerExtraArgs
|
out.APIServer.ExtraArgs = in.APIServerExtraArgs
|
||||||
out.APIServer.CertSANs = in.APIServerCertSANs
|
out.APIServer.CertSANs = in.APIServerCertSANs
|
||||||
out.APIServer.TimeoutForControlPlane = &metav1.Duration{
|
out.APIServer.TimeoutForControlPlane = &metav1.Duration{
|
||||||
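Review bot: The new guard in Convert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration rejects a v1alpha3 config only when `AuditPolicyConfiguration.Path` is non-empty, so a config that sets just `LogDir` or `LogMaxAge` converts without error and those audit settings are dropped with no signal to the operator. If those two fields are skipped because v1alpha3 defaulting always populates them (not visible in this hunk), record that above the check, e.g. `// Only Path is checked: LogDir and LogMaxAge are filled in by defaulting and cannot indicate user intent.` The error text tells the user what to delete but not how to keep API server auditing; consider pointing at the kube-apiserver audit flags supplied through `APIServerExtraArgs`, and lower-casing the message per Go error-string convention. The function body starts before and continues after this hunk.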
|
@ -56,6 +56,35 @@ func TestJoinConfigurationConversion(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestInitConfigurationConversion(t *testing.T) {
|
||||||
|
testcases := map[string]struct {
|
||||||
|
old *InitConfiguration
|
||||||
|
expectedErr bool
|
||||||
|
}{
|
||||||
|
"conversion succeeds": {
|
||||||
|
old: &InitConfiguration{},
|
||||||
|
expectedErr: false,
|
||||||
|
},
|
||||||
|
"feature gates fails to be converted": {
|
||||||
|
old: &InitConfiguration{
|
||||||
|
ClusterConfiguration: ClusterConfiguration{
|
||||||
|
AuditPolicyConfiguration: AuditPolicyConfiguration{
|
||||||
|
Path: "test",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expectedErr: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for _, tc := range testcases {
|
||||||
|
internal := &kubeadm.InitConfiguration{}
|
||||||
|
err := Convert_v1alpha3_InitConfiguration_To_kubeadm_InitConfiguration(tc.old, internal, nil)
|
||||||
|
if (err != nil) != tc.expectedErr {
|
||||||
|
t.Errorf("no error was expected but '%s' was found", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestConvertToUseHyperKubeImage(t *testing.T) {
|
func TestConvertToUseHyperKubeImage(t *testing.T) {
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
desc string
|
desc string
|
||||||
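Review bot: In TestInitConfigurationConversion the failure message `no error was expected but '%s' was found` is wrong when `expectedErr` is true and the conversion returns nil, and the loop discards the map key so a failure does not say which case broke. Range with the name and report both sides, e.g. `for name, tc := range testcases {` and `t.Errorf("%s: expected error: %t, got: %v", name, tc.expectedErr, err)`. The second case is named `feature gates fails to be converted` but actually sets `AuditPolicyConfiguration.Path`; a name such as `AuditPolicyConfiguration.Path set: conversion fails` would match what it exercises. A further case with only `LogDir` or `LogMaxAge` set would pin down what the converter is meant to do with those fields.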
|
@ -47,16 +47,6 @@ func RegisterConversions(s *runtime.Scheme) error {
|
|||||||
}); err != nil {
|
}); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := s.AddGeneratedConversionFunc((*AuditPolicyConfiguration)(nil), (*kubeadm.AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
|
||||||
return Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(a.(*AuditPolicyConfiguration), b.(*kubeadm.AuditPolicyConfiguration), scope)
|
|
||||||
}); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if err := s.AddGeneratedConversionFunc((*kubeadm.AuditPolicyConfiguration)(nil), (*AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
|
||||||
return Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(a.(*kubeadm.AuditPolicyConfiguration), b.(*AuditPolicyConfiguration), scope)
|
|
||||||
}); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if err := s.AddGeneratedConversionFunc((*BootstrapToken)(nil), (*kubeadm.BootstrapToken)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
if err := s.AddGeneratedConversionFunc((*BootstrapToken)(nil), (*kubeadm.BootstrapToken)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||||
return Convert_v1alpha3_BootstrapToken_To_kubeadm_BootstrapToken(a.(*BootstrapToken), b.(*kubeadm.BootstrapToken), scope)
|
return Convert_v1alpha3_BootstrapToken_To_kubeadm_BootstrapToken(a.(*BootstrapToken), b.(*kubeadm.BootstrapToken), scope)
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
@ -252,30 +242,6 @@ func Convert_kubeadm_APIEndpoint_To_v1alpha3_APIEndpoint(in *kubeadm.APIEndpoint
|
|||||||
return autoConvert_kubeadm_APIEndpoint_To_v1alpha3_APIEndpoint(in, out, s)
|
return autoConvert_kubeadm_APIEndpoint_To_v1alpha3_APIEndpoint(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error {
|
|
||||||
out.Path = in.Path
|
|
||||||
out.LogDir = in.LogDir
|
|
||||||
out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge))
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration is an autogenerated conversion function.
|
|
||||||
func Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error {
|
|
||||||
return autoConvert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in, out, s)
|
|
||||||
}
|
|
||||||
|
|
||||||
func autoConvert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error {
|
|
||||||
out.Path = in.Path
|
|
||||||
out.LogDir = in.LogDir
|
|
||||||
out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge))
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration is an autogenerated conversion function.
|
|
||||||
func Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error {
|
|
||||||
return autoConvert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(in, out, s)
|
|
||||||
}
|
|
||||||
|
|
||||||
func autoConvert_v1alpha3_BootstrapToken_To_kubeadm_BootstrapToken(in *BootstrapToken, out *kubeadm.BootstrapToken, s conversion.Scope) error {
|
func autoConvert_v1alpha3_BootstrapToken_To_kubeadm_BootstrapToken(in *BootstrapToken, out *kubeadm.BootstrapToken, s conversion.Scope) error {
|
||||||
out.Token = (*kubeadm.BootstrapTokenString)(unsafe.Pointer(in.Token))
|
out.Token = (*kubeadm.BootstrapTokenString)(unsafe.Pointer(in.Token))
|
||||||
out.Description = in.Description
|
out.Description = in.Description
|
||||||
@ -347,9 +313,7 @@ func autoConvert_v1alpha3_ClusterConfiguration_To_kubeadm_ClusterConfiguration(i
|
|||||||
out.CertificatesDir = in.CertificatesDir
|
out.CertificatesDir = in.CertificatesDir
|
||||||
out.ImageRepository = in.ImageRepository
|
out.ImageRepository = in.ImageRepository
|
||||||
// WARNING: in.UnifiedControlPlaneImage requires manual conversion: does not exist in peer-type
|
// WARNING: in.UnifiedControlPlaneImage requires manual conversion: does not exist in peer-type
|
||||||
if err := Convert_v1alpha3_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil {
|
// WARNING: in.AuditPolicyConfiguration requires manual conversion: does not exist in peer-type
|
||||||
return err
|
|
||||||
}
|
|
||||||
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
|
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
|
||||||
out.ClusterName = in.ClusterName
|
out.ClusterName = in.ClusterName
|
||||||
return nil
|
return nil
|
||||||
@ -373,9 +337,6 @@ func autoConvert_kubeadm_ClusterConfiguration_To_v1alpha3_ClusterConfiguration(i
|
|||||||
out.ImageRepository = in.ImageRepository
|
out.ImageRepository = in.ImageRepository
|
||||||
// INFO: in.CIImageRepository opted out of conversion generation
|
// INFO: in.CIImageRepository opted out of conversion generation
|
||||||
// WARNING: in.UseHyperKubeImage requires manual conversion: does not exist in peer-type
|
// WARNING: in.UseHyperKubeImage requires manual conversion: does not exist in peer-type
|
||||||
if err := Convert_kubeadm_AuditPolicyConfiguration_To_v1alpha3_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
|
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
|
||||||
out.ClusterName = in.ClusterName
|
out.ClusterName = in.ClusterName
|
||||||
return nil
|
return nil
|
||||||
|
@ -101,7 +101,6 @@ func SetDefaults_ClusterConfiguration(obj *ClusterConfiguration) {
|
|||||||
|
|
||||||
SetDefaults_DNS(obj)
|
SetDefaults_DNS(obj)
|
||||||
SetDefaults_Etcd(obj)
|
SetDefaults_Etcd(obj)
|
||||||
SetDefaults_AuditPolicyConfiguration(obj)
|
|
||||||
SetDefaults_APIServer(&obj.APIServer)
|
SetDefaults_APIServer(&obj.APIServer)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -184,16 +183,6 @@ func SetDefaults_FileDiscovery(obj *FileDiscovery) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// SetDefaults_AuditPolicyConfiguration sets default values for the AuditPolicyConfiguration
|
|
||||||
func SetDefaults_AuditPolicyConfiguration(obj *ClusterConfiguration) {
|
|
||||||
if obj.AuditPolicyConfiguration.LogDir == "" {
|
|
||||||
obj.AuditPolicyConfiguration.LogDir = constants.StaticPodAuditPolicyLogDir
|
|
||||||
}
|
|
||||||
if obj.AuditPolicyConfiguration.LogMaxAge == nil {
|
|
||||||
obj.AuditPolicyConfiguration.LogMaxAge = &DefaultAuditPolicyLogMaxAge
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// SetDefaults_BootstrapTokens sets the defaults for the .BootstrapTokens field
|
// SetDefaults_BootstrapTokens sets the defaults for the .BootstrapTokens field
|
||||||
// If the slice is empty, it's defaulted with one token. Otherwise it just loops
|
// If the slice is empty, it's defaulted with one token. Otherwise it just loops
|
||||||
// through the slice and sets the defaults for the omitempty fields that are TTL,
|
// through the slice and sets the defaults for the omitempty fields that are TTL,
|
||||||
|
@ -106,9 +106,6 @@ type ClusterConfiguration struct {
|
|||||||
// UseHyperKubeImage controls if hyperkube should be used for Kubernetes components instead of their respective separate images
|
// UseHyperKubeImage controls if hyperkube should be used for Kubernetes components instead of their respective separate images
|
||||||
UseHyperKubeImage bool `json:"useHyperKubeImage,omitempty"`
|
UseHyperKubeImage bool `json:"useHyperKubeImage,omitempty"`
|
||||||
|
|
||||||
// AuditPolicyConfiguration defines the options for the api server audit system
|
|
||||||
AuditPolicyConfiguration AuditPolicyConfiguration `json:"auditPolicy"`
|
|
||||||
|
|
||||||
// FeatureGates enabled by the user.
|
// FeatureGates enabled by the user.
|
||||||
FeatureGates map[string]bool `json:"featureGates,omitempty"`
|
FeatureGates map[string]bool `json:"featureGates,omitempty"`
|
||||||
|
|
||||||
@ -384,14 +381,3 @@ type HostPathMount struct {
|
|||||||
// PathType is the type of the HostPath.
|
// PathType is the type of the HostPath.
|
||||||
PathType v1.HostPathType `json:"pathType,omitempty"`
|
PathType v1.HostPathType `json:"pathType,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuditPolicyConfiguration holds the options for configuring the api server audit policy.
|
|
||||||
type AuditPolicyConfiguration struct {
|
|
||||||
// Path is the local path to an audit policy.
|
|
||||||
Path string `json:"path"`
|
|
||||||
// LogDir is the local path to the directory where logs should be stored.
|
|
||||||
LogDir string `json:"logDir"`
|
|
||||||
// LogMaxAge is the number of days logs will be stored for. 0 indicates forever.
|
|
||||||
LogMaxAge *int32 `json:"logMaxAge,omitempty"`
|
|
||||||
//TODO(chuckha) add other options for audit policy.
|
|
||||||
}
|
|
||||||
|
@ -57,16 +57,6 @@ func RegisterConversions(s *runtime.Scheme) error {
|
|||||||
}); err != nil {
|
}); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := s.AddGeneratedConversionFunc((*AuditPolicyConfiguration)(nil), (*kubeadm.AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
|
||||||
return Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(a.(*AuditPolicyConfiguration), b.(*kubeadm.AuditPolicyConfiguration), scope)
|
|
||||||
}); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if err := s.AddGeneratedConversionFunc((*kubeadm.AuditPolicyConfiguration)(nil), (*AuditPolicyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
|
||||||
return Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(a.(*kubeadm.AuditPolicyConfiguration), b.(*AuditPolicyConfiguration), scope)
|
|
||||||
}); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if err := s.AddGeneratedConversionFunc((*BootstrapToken)(nil), (*kubeadm.BootstrapToken)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
if err := s.AddGeneratedConversionFunc((*BootstrapToken)(nil), (*kubeadm.BootstrapToken)(nil), func(a, b interface{}, scope conversion.Scope) error {
|
||||||
return Convert_v1beta1_BootstrapToken_To_kubeadm_BootstrapToken(a.(*BootstrapToken), b.(*kubeadm.BootstrapToken), scope)
|
return Convert_v1beta1_BootstrapToken_To_kubeadm_BootstrapToken(a.(*BootstrapToken), b.(*kubeadm.BootstrapToken), scope)
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
@ -310,30 +300,6 @@ func Convert_kubeadm_APIServer_To_v1beta1_APIServer(in *kubeadm.APIServer, out *
|
|||||||
return autoConvert_kubeadm_APIServer_To_v1beta1_APIServer(in, out, s)
|
return autoConvert_kubeadm_APIServer_To_v1beta1_APIServer(in, out, s)
|
||||||
}
|
}
|
||||||
|
|
||||||
func autoConvert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error {
|
|
||||||
out.Path = in.Path
|
|
||||||
out.LogDir = in.LogDir
|
|
||||||
out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge))
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration is an autogenerated conversion function.
|
|
||||||
func Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in *AuditPolicyConfiguration, out *kubeadm.AuditPolicyConfiguration, s conversion.Scope) error {
|
|
||||||
return autoConvert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(in, out, s)
|
|
||||||
}
|
|
||||||
|
|
||||||
func autoConvert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error {
|
|
||||||
out.Path = in.Path
|
|
||||||
out.LogDir = in.LogDir
|
|
||||||
out.LogMaxAge = (*int32)(unsafe.Pointer(in.LogMaxAge))
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration is an autogenerated conversion function.
|
|
||||||
func Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(in *kubeadm.AuditPolicyConfiguration, out *AuditPolicyConfiguration, s conversion.Scope) error {
|
|
||||||
return autoConvert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(in, out, s)
|
|
||||||
}
|
|
||||||
|
|
||||||
func autoConvert_v1beta1_BootstrapToken_To_kubeadm_BootstrapToken(in *BootstrapToken, out *kubeadm.BootstrapToken, s conversion.Scope) error {
|
func autoConvert_v1beta1_BootstrapToken_To_kubeadm_BootstrapToken(in *BootstrapToken, out *kubeadm.BootstrapToken, s conversion.Scope) error {
|
||||||
out.Token = (*kubeadm.BootstrapTokenString)(unsafe.Pointer(in.Token))
|
out.Token = (*kubeadm.BootstrapTokenString)(unsafe.Pointer(in.Token))
|
||||||
out.Description = in.Description
|
out.Description = in.Description
|
||||||
@ -436,9 +402,6 @@ func autoConvert_v1beta1_ClusterConfiguration_To_kubeadm_ClusterConfiguration(in
|
|||||||
out.CertificatesDir = in.CertificatesDir
|
out.CertificatesDir = in.CertificatesDir
|
||||||
out.ImageRepository = in.ImageRepository
|
out.ImageRepository = in.ImageRepository
|
||||||
out.UseHyperKubeImage = in.UseHyperKubeImage
|
out.UseHyperKubeImage = in.UseHyperKubeImage
|
||||||
if err := Convert_v1beta1_AuditPolicyConfiguration_To_kubeadm_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
|
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
|
||||||
out.ClusterName = in.ClusterName
|
out.ClusterName = in.ClusterName
|
||||||
return nil
|
return nil
|
||||||
@ -475,9 +438,6 @@ func autoConvert_kubeadm_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in
|
|||||||
out.ImageRepository = in.ImageRepository
|
out.ImageRepository = in.ImageRepository
|
||||||
// INFO: in.CIImageRepository opted out of conversion generation
|
// INFO: in.CIImageRepository opted out of conversion generation
|
||||||
out.UseHyperKubeImage = in.UseHyperKubeImage
|
out.UseHyperKubeImage = in.UseHyperKubeImage
|
||||||
if err := Convert_kubeadm_AuditPolicyConfiguration_To_v1beta1_AuditPolicyConfiguration(&in.AuditPolicyConfiguration, &out.AuditPolicyConfiguration, s); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
|
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
|
||||||
out.ClusterName = in.ClusterName
|
out.ClusterName = in.ClusterName
|
||||||
return nil
|
return nil
|
||||||
|
@ -69,27 +69,6 @@ func (in *APIServer) DeepCopy() *APIServer {
|
|||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *AuditPolicyConfiguration) DeepCopyInto(out *AuditPolicyConfiguration) {
|
|
||||||
*out = *in
|
|
||||||
if in.LogMaxAge != nil {
|
|
||||||
in, out := &in.LogMaxAge, &out.LogMaxAge
|
|
||||||
*out = new(int32)
|
|
||||||
**out = **in
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditPolicyConfiguration.
|
|
||||||
func (in *AuditPolicyConfiguration) DeepCopy() *AuditPolicyConfiguration {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(AuditPolicyConfiguration)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *BootstrapToken) DeepCopyInto(out *BootstrapToken) {
|
func (in *BootstrapToken) DeepCopyInto(out *BootstrapToken) {
|
||||||
*out = *in
|
*out = *in
|
||||||
@ -177,7 +156,6 @@ func (in *ClusterConfiguration) DeepCopyInto(out *ClusterConfiguration) {
|
|||||||
in.ControllerManager.DeepCopyInto(&out.ControllerManager)
|
in.ControllerManager.DeepCopyInto(&out.ControllerManager)
|
||||||
in.Scheduler.DeepCopyInto(&out.Scheduler)
|
in.Scheduler.DeepCopyInto(&out.Scheduler)
|
||||||
out.DNS = in.DNS
|
out.DNS = in.DNS
|
||||||
in.AuditPolicyConfiguration.DeepCopyInto(&out.AuditPolicyConfiguration)
|
|
||||||
if in.FeatureGates != nil {
|
if in.FeatureGates != nil {
|
||||||
in, out := &in.FeatureGates, &out.FeatureGates
|
in, out := &in.FeatureGates, &out.FeatureGates
|
||||||
*out = make(map[string]bool, len(*in))
|
*out = make(map[string]bool, len(*in))
|
||||||
|
@ -71,27 +71,6 @@ func (in *APIServer) DeepCopy() *APIServer {
|
|||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
|
||||||
func (in *AuditPolicyConfiguration) DeepCopyInto(out *AuditPolicyConfiguration) {
|
|
||||||
*out = *in
|
|
||||||
if in.LogMaxAge != nil {
|
|
||||||
in, out := &in.LogMaxAge, &out.LogMaxAge
|
|
||||||
*out = new(int32)
|
|
||||||
**out = **in
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditPolicyConfiguration.
|
|
||||||
func (in *AuditPolicyConfiguration) DeepCopy() *AuditPolicyConfiguration {
|
|
||||||
if in == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
out := new(AuditPolicyConfiguration)
|
|
||||||
in.DeepCopyInto(out)
|
|
||||||
return out
|
|
||||||
}
|
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *BootstrapToken) DeepCopyInto(out *BootstrapToken) {
|
func (in *BootstrapToken) DeepCopyInto(out *BootstrapToken) {
|
||||||
*out = *in
|
*out = *in
|
||||||
@ -180,7 +159,6 @@ func (in *ClusterConfiguration) DeepCopyInto(out *ClusterConfiguration) {
|
|||||||
in.ControllerManager.DeepCopyInto(&out.ControllerManager)
|
in.ControllerManager.DeepCopyInto(&out.ControllerManager)
|
||||||
in.Scheduler.DeepCopyInto(&out.Scheduler)
|
in.Scheduler.DeepCopyInto(&out.Scheduler)
|
||||||
out.DNS = in.DNS
|
out.DNS = in.DNS
|
||||||
in.AuditPolicyConfiguration.DeepCopyInto(&out.AuditPolicyConfiguration)
|
|
||||||
if in.FeatureGates != nil {
|
if in.FeatureGates != nil {
|
||||||
in, out := &in.FeatureGates, &out.FeatureGates
|
in, out := &in.FeatureGates, &out.FeatureGates
|
||||||
*out = make(map[string]bool, len(*in))
|
*out = make(map[string]bool, len(*in))
|
||||||
|
@ -43,7 +43,6 @@ go_library(
|
|||||||
"//cmd/kubeadm/app/preflight:go_default_library",
|
"//cmd/kubeadm/app/preflight:go_default_library",
|
||||||
"//cmd/kubeadm/app/util:go_default_library",
|
"//cmd/kubeadm/app/util:go_default_library",
|
||||||
"//cmd/kubeadm/app/util/apiclient:go_default_library",
|
"//cmd/kubeadm/app/util/apiclient:go_default_library",
|
||||||
"//cmd/kubeadm/app/util/audit:go_default_library",
|
|
||||||
"//cmd/kubeadm/app/util/config:go_default_library",
|
"//cmd/kubeadm/app/util/config:go_default_library",
|
||||||
"//cmd/kubeadm/app/util/dryrun:go_default_library",
|
"//cmd/kubeadm/app/util/dryrun:go_default_library",
|
||||||
"//cmd/kubeadm/app/util/kubeconfig:go_default_library",
|
"//cmd/kubeadm/app/util/kubeconfig:go_default_library",
|
||||||
|
@ -19,16 +19,11 @@ package phases
|
|||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
|
||||||
"path/filepath"
|
|
||||||
|
|
||||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/cmd/options"
|
"k8s.io/kubernetes/cmd/kubeadm/app/cmd/options"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/workflow"
|
"k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases/workflow"
|
||||||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/features"
|
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane"
|
"k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane"
|
||||||
auditutil "k8s.io/kubernetes/cmd/kubeadm/app/util/audit"
|
|
||||||
"k8s.io/kubernetes/pkg/util/normalizer"
|
"k8s.io/kubernetes/pkg/util/normalizer"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -145,22 +140,6 @@ func runControlPlaneSubPhase(component string) func(c workflow.RunData) error {
|
|||||||
}
|
}
|
||||||
cfg := data.Cfg()
|
cfg := data.Cfg()
|
||||||
|
|
||||||
// special case to handle audit policy for the API server
|
|
||||||
if component == kubeadmconstants.KubeAPIServer && features.Enabled(cfg.FeatureGates, features.Auditing) {
|
|
||||||
// Setup the AuditPolicy (either it was passed in and exists or it wasn't passed in and generate a default policy)
|
|
||||||
if cfg.AuditPolicyConfiguration.Path != "" {
|
|
||||||
// TODO(chuckha) ensure passed in audit policy is valid so users don't have to find the error in the api server log.
|
|
||||||
if _, err := os.Stat(cfg.AuditPolicyConfiguration.Path); err != nil {
|
|
||||||
return fmt.Errorf("error getting file info for audit policy file %q [%v]", cfg.AuditPolicyConfiguration.Path, err)
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
cfg.AuditPolicyConfiguration.Path = filepath.Join(data.KubeConfigDir(), kubeadmconstants.AuditPolicyDir, kubeadmconstants.AuditPolicyFile)
|
|
||||||
if err := auditutil.CreateDefaultAuditLogPolicy(cfg.AuditPolicyConfiguration.Path); err != nil {
|
|
||||||
return fmt.Errorf("error creating default audit policy %q [%v]", cfg.AuditPolicyConfiguration.Path, err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
fmt.Printf("[control-plane] Creating static Pod manifest for %q\n", component)
|
fmt.Printf("[control-plane] Creating static Pod manifest for %q\n", component)
|
||||||
if err := controlplane.CreateStaticPodFiles(data.ManifestDir(), cfg, component); err != nil {
|
if err := controlplane.CreateStaticPodFiles(data.ManifestDir(), cfg, component); err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -48,9 +48,6 @@ func TestPrintConfiguration(t *testing.T) {
|
|||||||
expectedBytes: []byte(`[upgrade/config] Configuration used:
|
expectedBytes: []byte(`[upgrade/config] Configuration used:
|
||||||
apiServer: {}
|
apiServer: {}
|
||||||
apiVersion: kubeadm.k8s.io/v1beta1
|
apiVersion: kubeadm.k8s.io/v1beta1
|
||||||
auditPolicy:
|
|
||||||
logDir: ""
|
|
||||||
path: ""
|
|
||||||
certificatesDir: ""
|
certificatesDir: ""
|
||||||
controlPlaneEndpoint: ""
|
controlPlaneEndpoint: ""
|
||||||
controllerManager: {}
|
controllerManager: {}
|
||||||
@ -87,9 +84,6 @@ func TestPrintConfiguration(t *testing.T) {
|
|||||||
expectedBytes: []byte(`[upgrade/config] Configuration used:
|
expectedBytes: []byte(`[upgrade/config] Configuration used:
|
||||||
apiServer: {}
|
apiServer: {}
|
||||||
apiVersion: kubeadm.k8s.io/v1beta1
|
apiVersion: kubeadm.k8s.io/v1beta1
|
||||||
auditPolicy:
|
|
||||||
logDir: ""
|
|
||||||
path: ""
|
|
||||||
certificatesDir: ""
|
certificatesDir: ""
|
||||||
controlPlaneEndpoint: ""
|
controlPlaneEndpoint: ""
|
||||||
controllerManager: {}
|
controllerManager: {}
|
||||||
|
@ -34,9 +34,6 @@ const (
|
|||||||
|
|
||||||
// DynamicKubeletConfig is beta in v1.11
|
// DynamicKubeletConfig is beta in v1.11
|
||||||
DynamicKubeletConfig = "DynamicKubeletConfig"
|
DynamicKubeletConfig = "DynamicKubeletConfig"
|
||||||
|
|
||||||
// Auditing is beta in 1.8
|
|
||||||
Auditing = "Auditing"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var coreDNSMessage = "featureGates:CoreDNS has been removed in v1.13\n" +
|
var coreDNSMessage = "featureGates:CoreDNS has been removed in v1.13\n" +
|
||||||
@ -46,7 +43,6 @@ var coreDNSMessage = "featureGates:CoreDNS has been removed in v1.13\n" +
|
|||||||
var InitFeatureGates = FeatureList{
|
var InitFeatureGates = FeatureList{
|
||||||
CoreDNS: {FeatureSpec: utilfeature.FeatureSpec{Default: true, PreRelease: utilfeature.Deprecated}, HiddenInHelpText: true, DeprecationMessage: coreDNSMessage},
|
CoreDNS: {FeatureSpec: utilfeature.FeatureSpec{Default: true, PreRelease: utilfeature.Deprecated}, HiddenInHelpText: true, DeprecationMessage: coreDNSMessage},
|
||||||
DynamicKubeletConfig: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Beta}},
|
DynamicKubeletConfig: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Beta}},
|
||||||
Auditing: {FeatureSpec: utilfeature.FeatureSpec{Default: false, PreRelease: utilfeature.Alpha}},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Feature represents a feature being gated
|
// Feature represents a feature being gated
|
||||||
|
@ -23,7 +23,6 @@ go_test(
|
|||||||
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/util/version:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/util/version:go_default_library",
|
||||||
"//vendor/k8s.io/utils/pointer:go_default_library",
|
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -36,7 +35,6 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane",
|
importpath = "k8s.io/kubernetes/cmd/kubeadm/app/phases/controlplane",
|
||||||
deps = [
|
deps = [
|
||||||
"//cmd/kubeadm/app/apis/kubeadm:go_default_library",
|
"//cmd/kubeadm/app/apis/kubeadm:go_default_library",
|
||||||
"//cmd/kubeadm/app/apis/kubeadm/v1beta1:go_default_library",
|
|
||||||
"//cmd/kubeadm/app/constants:go_default_library",
|
"//cmd/kubeadm/app/constants:go_default_library",
|
||||||
"//cmd/kubeadm/app/features:go_default_library",
|
"//cmd/kubeadm/app/features:go_default_library",
|
||||||
"//cmd/kubeadm/app/images:go_default_library",
|
"//cmd/kubeadm/app/images:go_default_library",
|
||||||
|
@ -29,7 +29,6 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/version"
|
"k8s.io/apimachinery/pkg/util/version"
|
||||||
"k8s.io/klog"
|
"k8s.io/klog"
|
||||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||||
kubeadmapiv1beta1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1"
|
|
||||||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/features"
|
"k8s.io/kubernetes/cmd/kubeadm/app/features"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/images"
|
"k8s.io/kubernetes/cmd/kubeadm/app/images"
|
||||||
@ -179,15 +178,6 @@ func getAPIServerCommand(cfg *kubeadmapi.InitConfiguration) []string {
|
|||||||
defaultArguments["feature-gates"] = "DynamicKubeletConfig=true"
|
defaultArguments["feature-gates"] = "DynamicKubeletConfig=true"
|
||||||
}
|
}
|
||||||
|
|
||||||
if features.Enabled(cfg.FeatureGates, features.Auditing) {
|
|
||||||
defaultArguments["audit-policy-file"] = kubeadmconstants.GetStaticPodAuditPolicyFile()
|
|
||||||
defaultArguments["audit-log-path"] = filepath.Join(kubeadmconstants.StaticPodAuditPolicyLogDir, kubeadmconstants.AuditPolicyLogFile)
|
|
||||||
if cfg.AuditPolicyConfiguration.LogMaxAge == nil {
|
|
||||||
defaultArguments["audit-log-maxage"] = fmt.Sprintf("%d", kubeadmapiv1beta1.DefaultAuditPolicyLogMaxAge)
|
|
||||||
} else {
|
|
||||||
defaultArguments["audit-log-maxage"] = fmt.Sprintf("%d", *cfg.AuditPolicyConfiguration.LogMaxAge)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if cfg.APIServer.ExtraArgs == nil {
|
if cfg.APIServer.ExtraArgs == nil {
|
||||||
cfg.APIServer.ExtraArgs = map[string]string{}
|
cfg.APIServer.ExtraArgs = map[string]string{}
|
||||||
}
|
}
|
||||||
|
@ -34,7 +34,6 @@ import (
|
|||||||
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
||||||
|
|
||||||
testutil "k8s.io/kubernetes/cmd/kubeadm/test"
|
testutil "k8s.io/kubernetes/cmd/kubeadm/test"
|
||||||
utilpointer "k8s.io/utils/pointer"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -189,11 +188,6 @@ func TestGetAPIServerCommand(t *testing.T) {
|
|||||||
ClusterConfiguration: kubeadmapi.ClusterConfiguration{
|
ClusterConfiguration: kubeadmapi.ClusterConfiguration{
|
||||||
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
|
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
|
||||||
CertificatesDir: testCertsDir,
|
CertificatesDir: testCertsDir,
|
||||||
AuditPolicyConfiguration: kubeadmapi.AuditPolicyConfiguration{
|
|
||||||
Path: "/foo/bar",
|
|
||||||
LogDir: "/foo/baz",
|
|
||||||
LogMaxAge: utilpointer.Int32Ptr(10),
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
expected: []string{
|
expected: []string{
|
||||||
@ -353,52 +347,6 @@ func TestGetAPIServerCommand(t *testing.T) {
|
|||||||
"--etcd-servers=http://127.0.0.1:2379,http://127.0.0.1:2380",
|
"--etcd-servers=http://127.0.0.1:2379,http://127.0.0.1:2380",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
|
||||||
name: "auditing is enabled with a custom log max age of 0",
|
|
||||||
cfg: &kubeadmapi.InitConfiguration{
|
|
||||||
LocalAPIEndpoint: kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"},
|
|
||||||
ClusterConfiguration: kubeadmapi.ClusterConfiguration{
|
|
||||||
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
|
|
||||||
FeatureGates: map[string]bool{features.Auditing: true},
|
|
||||||
CertificatesDir: testCertsDir,
|
|
||||||
AuditPolicyConfiguration: kubeadmapi.AuditPolicyConfiguration{
|
|
||||||
LogMaxAge: utilpointer.Int32Ptr(0),
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
expected: []string{
|
|
||||||
"kube-apiserver",
|
|
||||||
"--insecure-port=0",
|
|
||||||
"--enable-admission-plugins=NodeRestriction",
|
|
||||||
"--service-cluster-ip-range=bar",
|
|
||||||
"--service-account-key-file=" + testCertsDir + "/sa.pub",
|
|
||||||
"--client-ca-file=" + testCertsDir + "/ca.crt",
|
|
||||||
"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
|
|
||||||
"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
|
|
||||||
"--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt",
|
|
||||||
"--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key",
|
|
||||||
fmt.Sprintf("--secure-port=%d", 123),
|
|
||||||
"--allow-privileged=true",
|
|
||||||
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
|
|
||||||
"--enable-bootstrap-token-auth=true",
|
|
||||||
"--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt",
|
|
||||||
"--proxy-client-key-file=/var/lib/certs/front-proxy-client.key",
|
|
||||||
"--requestheader-username-headers=X-Remote-User",
|
|
||||||
"--requestheader-group-headers=X-Remote-Group",
|
|
||||||
"--requestheader-extra-headers-prefix=X-Remote-Extra-",
|
|
||||||
"--requestheader-client-ca-file=" + testCertsDir + "/front-proxy-ca.crt",
|
|
||||||
"--requestheader-allowed-names=front-proxy-client",
|
|
||||||
"--authorization-mode=Node,RBAC",
|
|
||||||
"--advertise-address=2001:db8::1",
|
|
||||||
fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
|
|
||||||
"--etcd-cafile=" + testCertsDir + "/etcd/ca.crt",
|
|
||||||
"--etcd-certfile=" + testCertsDir + "/apiserver-etcd-client.crt",
|
|
||||||
"--etcd-keyfile=" + testCertsDir + "/apiserver-etcd-client.key",
|
|
||||||
"--audit-policy-file=/etc/kubernetes/audit/audit.yaml",
|
|
||||||
"--audit-log-path=/var/log/kubernetes/audit/audit.log",
|
|
||||||
"--audit-log-maxage=0",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
name: "ensure the DynamicKubelet flag gets passed through",
|
name: "ensure the DynamicKubelet flag gets passed through",
|
||||||
cfg: &kubeadmapi.InitConfiguration{
|
cfg: &kubeadmapi.InitConfiguration{
|
||||||
@ -447,7 +395,7 @@ func TestGetAPIServerCommand(t *testing.T) {
|
|||||||
ClusterConfiguration: kubeadmapi.ClusterConfiguration{
|
ClusterConfiguration: kubeadmapi.ClusterConfiguration{
|
||||||
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
|
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
|
||||||
CertificatesDir: testCertsDir,
|
CertificatesDir: testCertsDir,
|
||||||
FeatureGates: map[string]bool{features.DynamicKubeletConfig: true, features.Auditing: true},
|
FeatureGates: map[string]bool{features.DynamicKubeletConfig: true},
|
||||||
APIServer: kubeadmapi.APIServer{
|
APIServer: kubeadmapi.APIServer{
|
||||||
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
|
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
|
||||||
ExtraArgs: map[string]string{
|
ExtraArgs: map[string]string{
|
||||||
@ -491,7 +439,6 @@ func TestGetAPIServerCommand(t *testing.T) {
|
|||||||
"--feature-gates=DynamicKubeletConfig=true",
|
"--feature-gates=DynamicKubeletConfig=true",
|
||||||
"--audit-policy-file=/etc/config/audit.yaml",
|
"--audit-policy-file=/etc/config/audit.yaml",
|
||||||
"--audit-log-path=/var/log/kubernetes",
|
"--audit-log-path=/var/log/kubernetes",
|
||||||
"--audit-log-maxage=2",
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
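Review bot: The case touched by the `@ -447,7 +395,7` and `@ -491,7 +439,6` hunks is now the only audit coverage left in TestGetAPIServerCommand, and nothing in it says where its audit flags come from. Its expected list still holds `--audit-policy-file=/etc/config/audit.yaml` and `--audit-log-path=/var/log/kubernetes`, which presumably come from `ExtraArgs` (the map's contents are outside the hunk), while `--audit-log-maxage` is no longer defaulted. Because the same commit removes the audit host-path mounts from getHostPathVolumesForTheControlPlane, I would add a comment on the case such as `// audit flags are passed through from APIServer.ExtraArgs only; the policy file and log directory must be mounted with ExtraVolumes, and no audit-log-maxage default is applied`. It would also help to add a case, here or in the features tests, for a configuration that still sets the removed `Auditing` gate, so that audit logging is not dropped without an error on upgrade.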
||||||
|
@ -26,7 +26,6 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/features"
|
|
||||||
staticpodutil "k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod"
|
staticpodutil "k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -46,7 +45,6 @@ var caCertsExtraVolumePaths = []string{"/etc/pki", "/usr/share/ca-certificates",
|
|||||||
func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.InitConfiguration) controlPlaneHostPathMounts {
|
func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.InitConfiguration) controlPlaneHostPathMounts {
|
||||||
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
|
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
|
||||||
hostPathFileOrCreate := v1.HostPathFileOrCreate
|
hostPathFileOrCreate := v1.HostPathFileOrCreate
|
||||||
hostPathFile := v1.HostPathFile
|
|
||||||
mounts := newControlPlaneHostPathMounts()
|
mounts := newControlPlaneHostPathMounts()
|
||||||
|
|
||||||
// HostPath volumes for the API Server
|
// HostPath volumes for the API Server
|
||||||
@ -55,12 +53,7 @@ func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.InitConfiguration) con
|
|||||||
mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeCertificatesVolumeName, cfg.CertificatesDir, cfg.CertificatesDir, true, &hostPathDirectoryOrCreate)
|
mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeCertificatesVolumeName, cfg.CertificatesDir, cfg.CertificatesDir, true, &hostPathDirectoryOrCreate)
|
||||||
// Read-only mount for the ca certs (/etc/ssl/certs) directory
|
// Read-only mount for the ca certs (/etc/ssl/certs) directory
|
||||||
mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, caCertsVolumeName, caCertsVolumePath, caCertsVolumePath, true, &hostPathDirectoryOrCreate)
|
mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, caCertsVolumeName, caCertsVolumePath, caCertsVolumePath, true, &hostPathDirectoryOrCreate)
|
||||||
if features.Enabled(cfg.FeatureGates, features.Auditing) {
|
|
||||||
// Read-only mount for the audit policy file.
|
|
||||||
mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeAuditPolicyVolumeName, cfg.AuditPolicyConfiguration.Path, kubeadmconstants.GetStaticPodAuditPolicyFile(), true, &hostPathFile)
|
|
||||||
// Write mount for the audit logs.
|
|
||||||
mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeAuditPolicyLogVolumeName, cfg.AuditPolicyConfiguration.LogDir, kubeadmconstants.StaticPodAuditPolicyLogDir, false, &hostPathDirectoryOrCreate)
|
|
||||||
}
|
|
||||||
// If external etcd is specified, mount the directories needed for accessing the CA/serving certs and the private key
|
// If external etcd is specified, mount the directories needed for accessing the CA/serving certs and the private key
|
||||||
if cfg.Etcd.External != nil {
|
if cfg.Etcd.External != nil {
|
||||||
etcdVols, etcdVolMounts := getEtcdCertVolumes(cfg.Etcd.External, cfg.CertificatesDir)
|
etcdVols, etcdVolMounts := getEtcdCertVolumes(cfg.Etcd.External, cfg.CertificatesDir)
|
||||||
|
@ -26,7 +26,6 @@ import (
|
|||||||
"k8s.io/api/core/v1"
|
"k8s.io/api/core/v1"
|
||||||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
|
||||||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||||
"k8s.io/kubernetes/cmd/kubeadm/app/features"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestGetEtcdCertVolumes(t *testing.T) {
|
func TestGetEtcdCertVolumes(t *testing.T) {
|
||||||
@ -259,7 +258,6 @@ func TestGetEtcdCertVolumes(t *testing.T) {
|
|||||||
func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
|
func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
|
||||||
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
|
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
|
||||||
hostPathFileOrCreate := v1.HostPathFileOrCreate
|
hostPathFileOrCreate := v1.HostPathFileOrCreate
|
||||||
hostPathFile := v1.HostPathFile
|
|
||||||
volMap := make(map[string]map[string]v1.Volume)
|
volMap := make(map[string]map[string]v1.Volume)
|
||||||
volMap[kubeadmconstants.KubeAPIServer] = map[string]v1.Volume{}
|
volMap[kubeadmconstants.KubeAPIServer] = map[string]v1.Volume{}
|
||||||
volMap[kubeadmconstants.KubeAPIServer]["k8s-certs"] = v1.Volume{
|
volMap[kubeadmconstants.KubeAPIServer]["k8s-certs"] = v1.Volume{
|
||||||
@ -280,24 +278,6 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
volMap[kubeadmconstants.KubeAPIServer]["audit"] = v1.Volume{
|
|
||||||
Name: "audit",
|
|
||||||
VolumeSource: v1.VolumeSource{
|
|
||||||
HostPath: &v1.HostPathVolumeSource{
|
|
||||||
Path: "/foo/bar/baz.yaml",
|
|
||||||
Type: &hostPathFile,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
volMap[kubeadmconstants.KubeAPIServer]["audit-log"] = v1.Volume{
|
|
||||||
Name: "audit-log",
|
|
||||||
VolumeSource: v1.VolumeSource{
|
|
||||||
HostPath: &v1.HostPathVolumeSource{
|
|
||||||
Path: "/bar/foo",
|
|
||||||
Type: &hostPathDirectoryOrCreate,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
volMap[kubeadmconstants.KubeControllerManager] = map[string]v1.Volume{}
|
volMap[kubeadmconstants.KubeControllerManager] = map[string]v1.Volume{}
|
||||||
volMap[kubeadmconstants.KubeControllerManager]["k8s-certs"] = v1.Volume{
|
volMap[kubeadmconstants.KubeControllerManager]["k8s-certs"] = v1.Volume{
|
||||||
Name: "k8s-certs",
|
Name: "k8s-certs",
|
||||||
@ -348,16 +328,6 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
|
|||||||
MountPath: "/etc/ssl/certs",
|
MountPath: "/etc/ssl/certs",
|
||||||
ReadOnly: true,
|
ReadOnly: true,
|
||||||
}
|
}
|
||||||
volMountMap[kubeadmconstants.KubeAPIServer]["audit"] = v1.VolumeMount{
|
|
||||||
Name: "audit",
|
|
||||||
MountPath: "/etc/kubernetes/audit/audit.yaml",
|
|
||||||
ReadOnly: true,
|
|
||||||
}
|
|
||||||
volMountMap[kubeadmconstants.KubeAPIServer]["audit-log"] = v1.VolumeMount{
|
|
||||||
Name: "audit-log",
|
|
||||||
MountPath: "/var/log/kubernetes/audit",
|
|
||||||
ReadOnly: false,
|
|
||||||
}
|
|
||||||
volMountMap[kubeadmconstants.KubeControllerManager] = map[string]v1.VolumeMount{}
|
volMountMap[kubeadmconstants.KubeControllerManager] = map[string]v1.VolumeMount{}
|
||||||
volMountMap[kubeadmconstants.KubeControllerManager]["k8s-certs"] = v1.VolumeMount{
|
volMountMap[kubeadmconstants.KubeControllerManager]["k8s-certs"] = v1.VolumeMount{
|
||||||
Name: "k8s-certs",
|
Name: "k8s-certs",
|
||||||
@ -511,11 +481,6 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
|
|||||||
cfg: &kubeadmapi.ClusterConfiguration{
|
cfg: &kubeadmapi.ClusterConfiguration{
|
||||||
CertificatesDir: testCertsDir,
|
CertificatesDir: testCertsDir,
|
||||||
Etcd: kubeadmapi.Etcd{},
|
Etcd: kubeadmapi.Etcd{},
|
||||||
FeatureGates: map[string]bool{features.Auditing: true},
|
|
||||||
AuditPolicyConfiguration: kubeadmapi.AuditPolicyConfiguration{
|
|
||||||
Path: "/foo/bar/baz.yaml",
|
|
||||||
LogDir: "/bar/foo",
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
vol: volMap,
|
vol: volMap,
|
||||||
volMount: volMountMap,
|
volMount: volMountMap,
|
||||||
|
@ -14,10 +14,6 @@ APIServer:
|
|||||||
PathType: ""
|
PathType: ""
|
||||||
ReadOnly: false
|
ReadOnly: false
|
||||||
TimeoutForControlPlane: 4m0s
|
TimeoutForControlPlane: 4m0s
|
||||||
AuditPolicyConfiguration:
|
|
||||||
LogDir: /var/log/kubernetes/audit
|
|
||||||
LogMaxAge: 2
|
|
||||||
Path: ""
|
|
||||||
BootstrapTokens:
|
BootstrapTokens:
|
||||||
- Description: ""
|
- Description: ""
|
||||||
Expires: null
|
Expires: null
|
||||||
|
@ -31,10 +31,6 @@ apiServer:
|
|||||||
name: WritableVolume
|
name: WritableVolume
|
||||||
timeoutForControlPlane: 4m0s
|
timeoutForControlPlane: 4m0s
|
||||||
apiVersion: kubeadm.k8s.io/v1beta1
|
apiVersion: kubeadm.k8s.io/v1beta1
|
||||||
auditPolicy:
|
|
||||||
logDir: /var/log/kubernetes/audit
|
|
||||||
logMaxAge: 2
|
|
||||||
path: ""
|
|
||||||
certificatesDir: /etc/kubernetes/pki
|
certificatesDir: /etc/kubernetes/pki
|
||||||
clusterName: kubernetes
|
clusterName: kubernetes
|
||||||
controlPlaneEndpoint: ""
|
controlPlaneEndpoint: ""
|
||||||
|
@ -21,10 +21,6 @@ nodeRegistration:
|
|||||||
apiServer:
|
apiServer:
|
||||||
timeoutForControlPlane: 4m0s
|
timeoutForControlPlane: 4m0s
|
||||||
apiVersion: kubeadm.k8s.io/v1beta1
|
apiVersion: kubeadm.k8s.io/v1beta1
|
||||||
auditPolicy:
|
|
||||||
logDir: /var/log/kubernetes/audit
|
|
||||||
logMaxAge: 2
|
|
||||||
path: ""
|
|
||||||
certificatesDir: /var/lib/kubernetes/pki
|
certificatesDir: /var/lib/kubernetes/pki
|
||||||
clusterName: kubernetes
|
clusterName: kubernetes
|
||||||
controlPlaneEndpoint: ""
|
controlPlaneEndpoint: ""
|
||||||
|