github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-02 00:07:50 +00:00
Code Issues Projects Releases Wiki Activity

stop create secrets for dns, it uses the kube-system service account now

Browse Source
This commit is contained in:
Mike Danese 2016-03-29 14:27:28 -07:00
parent 0d0eb0119e
commit 0a821a473d
4 changed files with 2 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cluster/gce/configure-vm.sh
View File

@ -585,7 +585,7 @@ function create-salt-master-auth() {
# NB: If this list ever changes, this script actually has to # NB: If this list ever changes, this script actually has to
# change to detect the existence of this file, kill any deleted # change to detect the existence of this file, kill any deleted
# old tokens and add any new tokens (to handle the upgrade case). # old tokens and add any new tokens (to handle the upgrade case).
local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns") local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring")
for account in "${service_accounts[@]}"; do for account in "${service_accounts[@]}"; do
token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null) token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}" echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"

2
cluster/gce/coreos/configure-node.sh
View File

@ -256,7 +256,7 @@ function create-salt-master-auth() {
# NB: If this list ever changes, this script actually has to # NB: If this list ever changes, this script actually has to
# change to detect the existence of this file, kill any deleted # change to detect the existence of this file, kill any deleted
# old tokens and add any new tokens (to handle the upgrade case). # old tokens and add any new tokens (to handle the upgrade case).
local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns") local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring")
for account in "${service_accounts[@]}"; do for account in "${service_accounts[@]}"; do
token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null) token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}" echo "${token},${account},${account}" >> "${KNOWN_TOKENS_FILE}"

1
cluster/gce/trusty/configure-helper.sh
View File

@ -309,7 +309,6 @@ create_master_auth() {
add_token_entry "system:controller_manager" "${known_tokens_csv}" add_token_entry "system:controller_manager" "${known_tokens_csv}"
add_token_entry "system:logging" "${known_tokens_csv}" add_token_entry "system:logging" "${known_tokens_csv}"
add_token_entry "system:monitoring" "${known_tokens_csv}" add_token_entry "system:monitoring" "${known_tokens_csv}"
add_token_entry "system:dns" "${known_tokens_csv}"
fi fi
if [ -n "${PROJECT_ID:-}" ] && [ -n "${TOKEN_URL:-}" ] && [ -n "${TOKEN_BODY:-}" ] && [ -n "${NODE_NETWORK:-}" ]; then if [ -n "${PROJECT_ID:-}" ] && [ -n "${TOKEN_URL:-}" ] && [ -n "${TOKEN_BODY:-}" ] && [ -n "${NODE_NETWORK:-}" ]; then

90
cluster/saltbase/salt/kube-addons/kube-addons.sh
View File

@ -22,7 +22,6 @@ KUBECTL=${KUBECTL_BIN:-/usr/local/bin/kubectl}
ADDON_CHECK_INTERVAL_SEC=${TEST_ADDON_CHECK_INTERVAL_SEC:-600} ADDON_CHECK_INTERVAL_SEC=${TEST_ADDON_CHECK_INTERVAL_SEC:-600}
SYSTEM_NAMESPACE=kube-system SYSTEM_NAMESPACE=kube-system
token_dir=${TOKEN_DIR:-/srv/kubernetes}
trusty_master=${TRUSTY_MASTER:-false} trusty_master=${TRUSTY_MASTER:-false}
function ensure_python() { function ensure_python() {
@ -35,72 +34,6 @@ function ensure_python() {
fi fi
} }
function create-kubeconfig-secret() {
local -r token=$1
local -r username=$2
local -r server=$3
local -r safe_username=$(tr -s ':_' '--' <<< "${username}")
# Make a kubeconfig file with the token.
if [[ ! -z "${CA_CERT:-}" ]]; then
# If the CA cert is available, put it into the secret rather than using
# insecure-skip-tls-verify.
read -r -d '' kubeconfig <<EOF
apiVersion: v1
kind: Config
users:
- name: ${username}
user:
token: ${token}
clusters:
- name: local
cluster:
server: ${server}
certificate-authority-data: ${CA_CERT}
contexts:
- context:
cluster: local
user: ${username}
namespace: ${SYSTEM_NAMESPACE}
name: service-account-context
current-context: service-account-context
EOF
else
read -r -d '' kubeconfig <<EOF
apiVersion: v1
kind: Config
users:
- name: ${username}
user:
token: ${token}
clusters:
- name: local
cluster:
server: ${server}
insecure-skip-tls-verify: true
contexts:
- context:
cluster: local
user: ${username}
namespace: ${SYSTEM_NAMESPACE}
name: service-account-context
current-context: service-account-context
EOF
fi
local -r kubeconfig_base64=$(echo "${kubeconfig}" | base64 -w0)
read -r -d '' secretyaml <<EOF
apiVersion: v1
data:
kubeconfig: ${kubeconfig_base64}
kind: Secret
metadata:
name: token-${safe_username}
type: Opaque
EOF
create-resource-from-string "${secretyaml}" 100 10 "Secret-for-token-for-user-${username}" "${SYSTEM_NAMESPACE}" &
}
# $1 filename of addon to start. # $1 filename of addon to start.
# $2 count of tries to start the addon. # $2 count of tries to start the addon.
# $3 delay in seconds between two consecutive tries # $3 delay in seconds between two consecutive tries
@ -196,29 +129,6 @@ done
echo "== default service account in the ${SYSTEM_NAMESPACE} namespace has token ${token_found} ==" echo "== default service account in the ${SYSTEM_NAMESPACE} namespace has token ${token_found} =="
# Generate secrets for "internal service accounts".
# TODO(etune): move to a completely yaml/object based
# workflow so that service accounts can be created
# at the same time as the services that use them.
# NOTE: needs to run as root to read this file.
# Read each line in the csv file of tokens.
# Expect errors when the script is started again.
# NOTE: secrets are created asynchronously, in background.
while read line; do
# Split each line into the token and username.
IFS=',' read -a parts <<< "${line}"
token=${parts[0]}
username=${parts[1]}
# DNS is special, since it's necessary for cluster bootstrapping.
if [[ "${username}" == "system:dns" ]] && [[ ! -z "${KUBERNETES_MASTER_NAME:-}" ]]; then
create-kubeconfig-secret "${token}" "${username}" "https://${KUBERNETES_MASTER_NAME}"
else
# Set the server to https://kubernetes. Pods/components that
# do not have DNS available will have to override the server.
create-kubeconfig-secret "${token}" "${username}" "https://kubernetes.default"
fi
done < "${token_dir}/known_tokens.csv"
# Create admission_control objects if defined before any other addon services. If the limits # Create admission_control objects if defined before any other addon services. If the limits
# are defined in a namespace other than default, we should still create the limits for the # are defined in a namespace other than default, we should still create the limits for the
# default namespace. # default namespace.