diff --git a/cluster/rackspace/authorization.sh b/cluster/rackspace/authorization.sh
new file mode 100644
index 00000000000..61ff97974b1
--- /dev/null
+++ b/cluster/rackspace/authorization.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Create generic token following GCE standard
+create_token() {
+ echo $(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
+}
+
+get_token_from_csv() {
+ KUBE_BEARER_TOKEN=$(awk -F, '/admin/ {print $1}' ${KUBE_TEMP}/${1}_tokens.csv)
+ KUBELET_TOKEN=$(awk -F, '/kubelet/ {print $1}' ${KUBE_TEMP}/${1}_tokens.csv)
+ KUBE_PROXY_TOKEN=$(awk -F, '/kube_proxy/ {print $1}' ${KUBE_TEMP}/${1}_tokens.csv)
+}
+
+generate_admin_token() {
+ echo "$(create_token),admin,admin" >> ${KUBE_TEMP}/${1}_tokens.csv
+}
+
+# Creates a csv file each time called (i.e one per kubelet).
+generate_kubelet_tokens() {
+ echo "$(create_token),kubelet,kubelet" > ${KUBE_TEMP}/${1}_tokens.csv
+ echo "$(create_token),kube_proxy,kube_proxy" >> ${KUBE_TEMP}/${1}_tokens.csv
+}
diff --git a/cluster/rackspace/cloud-config/master-cloud-config.yaml b/cluster/rackspace/cloud-config/master-cloud-config.yaml
index 0d171c0dd5f..e23f0e5d64b 100644
--- a/cluster/rackspace/cloud-config/master-cloud-config.yaml
+++ b/cluster/rackspace/cloud-config/master-cloud-config.yaml
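Review bot: The helper names in this file do not match their callers in util.sh: `get_token_from_csv` is defined here but rax-boot-minions calls `get_tokens_from_csv`, `generate_kubelet_tokens` writes `${1}_tokens.csv` while prep_known_tokens reads `${MINION_NAMES[i]}_token.csv`, and `generate_admin_token` needs `$1` but is called with none, so its row lands in `${KUBE_TEMP}/_tokens.csv` instead of known_tokens.csv. Even with the names aligned, `get_token_from_csv` looks for `/admin/` in the per-minion file, which as written only ever holds the kubelet and kube_proxy rows, so KUBE_BEARER_TOKEN comes back empty while KUBELET_TOKEN is filled and never used; the minion substitution should probably take `${KUBELET_TOKEN}`. These CSVs hold bearer tokens and are created with the caller's umask; running the writes under `umask 077` (or `chmod 600` on each file) keeps other local users on the build host from reading them, unless KUBE_TEMP is already a private directory created elsewhere. `create_token` should also quote its output, `echo "$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)"`, so the token is not subject to word splitting or globbing.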
@@ -84,7 +84,7 @@ coreos:
 Requires=download-release.service
 [Service]
 ExecStartPre=/usr/bin/ln -sf /opt/kubernetes/server/bin/kube-apiserver /opt/bin/kube-apiserver
- ExecStart=/opt/bin/kube-apiserver --address=127.0.0.1 --port=8080 --etcd_servers=http://127.0.0.1:4001 --portal_net=PORTAL_NET --logtostderr=true --cloud_provider=rackspace --cloud_config=/etc/cloud.conf --v=2
+ ExecStart=/opt/bin/kube-apiserver --token-auth-file=/var/lib/kubernetes/apiserver/known_tokens.csv --address=127.0.0.1 --port=8080 --etcd_servers=http://127.0.0.1:4001 --portal_net=PORTAL_NET --logtostderr=true --cloud_provider=rackspace --cloud_config=/etc/cloud.conf --v=2
 Restart=always
 RestartSec=2
 - name: apiserver-advertiser.service
diff --git a/cluster/rackspace/util.sh b/cluster/rackspace/util.sh
index 50d7663c007..e9caa8a8e31 100644
--- a/cluster/rackspace/util.sh
+++ b/cluster/rackspace/util.sh
@@ -21,6 +21,7 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE}")/../..
 source $(dirname ${BASH_SOURCE})/${KUBE_CONFIG_FILE-"config-default.sh"}
 source "${KUBE_ROOT}/cluster/common.sh"
+source "${KUBE_ROOT}/cluster/rackspace/authorization.sh"
 verify-prereqs() {
 # Make sure that prerequisites are installed.
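Review bot: The new `--token-auth-file` is added to an ExecStart that still configures only the plaintext localhost listener (`--address=127.0.0.1 --port=8080`); bearer tokens are checked on the TLS listener, and none of its flags (`--secure_port`, `--tls_cert_file`, `--tls_private_key_file`) appear here, so that listener runs on whatever the binary defaults to, presumably with a self-generated certificate. Worth making the secure listener explicit in this unit, or at least adding a comment next to the flag stating that minions are expected to reach the apiserver on the secure port, since requests arriving on 8080 are never matched against the token file. The rest of the unit is outside the hunk.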
@@ -129,10 +130,29 @@ copy_dev_tarballs() {
 echo "cluster/rackspace/util.sh: Uploading to Cloud Files"
 ${SWIFTLY_CMD} put -i ${RELEASE_DIR}/kubernetes-server-linux-amd64.tar.gz \
 ${CLOUDFILES_CONTAINER}/${CONTAINER_PREFIX}/kubernetes-server-linux-amd64.tar.gz > /dev/null 2>&1
- 
+
 echo "Release pushed."
 }
+prep_known_tokens() {
+ for (( i=0; i<${#MINION_NAMES[@]}; i++)); do
+ generate_kubelet_tokens ${MINION_NAMES[i]}
+ cat ${KUBE_TEMP}/${MINION_NAMES[i]}_token.csv >> ${KUBE_TEMP}/known_tokens.csv
+ done
+
+ # Generate tokens for other "service accounts". Append to known_tokens.
+ #
+ # NB: If this list ever changes, this script actually has to
+ # change to detect the existence of this file, kill any deleted
+ # old tokens and add any new tokens (to handle the upgrade case).
+ local -r service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
+ for account in "${service_accounts[@]}"; do
+ echo "$(create_token),${account},${account}" >> ${KUBE_TEMP}/known_tokens.csv
+ done
+
+ generate_admin_token
+}
+
 rax-boot-master() {
 DISCOVERY_URL=$(curl https://discovery.etcd.io/new)
@@ -160,6 +180,7 @@ rax-boot-master() {
 --meta ${MASTER_TAG} \
 --meta ETCD=${DISCOVERY_ID} \
 --user-data ${KUBE_TEMP}/master-cloud-config.yaml \
+--file /var/lib/kubernetes/apiserver/known_tokens.csv=${KUBE_TEMP}/known_tokens.csv \
 --config-drive true \
 --nic net-id=${NETWORK_UUID} \
 ${MASTER_NAME}"
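Review bot: `known_tokens.csv` is only ever appended to (`>>`) and never created fresh, so if KUBE_TEMP survives between runs the file accumulates stale rows, and the `cat` of the per-node file has no error check, so a missing file silently leaves that node's tokens out of the list (nothing in this hunk shows `set -e` in effect). Start the function with `: > "${KUBE_TEMP}/known_tokens.csv"`, change the read to `${MINION_NAMES[i]}_tokens.csv` to match what generate_kubelet_tokens writes, and replace the bare `generate_admin_token` call with `echo "$(create_token),admin,admin" >> "${KUBE_TEMP}/known_tokens.csv"` so the admin row actually reaches the file handed to the apiserver. Nothing in this diff reads the admin token back out for a kubeconfig or similar; if that happens elsewhere, a comment pointing to it would help, and if it does not, the admin row is a credential that exists only in the temp directory and the master's token file. The NB comment about upgrades is worth keeping, since this code has no path for rotating or revoking a token once issued.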
@@ -176,15 +197,19 @@ rax-boot-minions() {
 for (( i=0; i<${#MINION_NAMES[@]}; i++)); do
+ get_tokens_from_csv ${MINION_NAMES[i]}
+
 sed -e "s|DISCOVERY_ID|${DISCOVERY_ID}|" \
- -e "s|INDEX|$((i + 1))|g" \
 -e "s|CLOUD_FILES_URL|${RELEASE_TMP_URL//&/\\&}|" \
- -e "s|ENABLE_NODE_MONITORING|${ENABLE_NODE_MONITORING:-false}|" \
- -e "s|ENABLE_NODE_LOGGING|${ENABLE_NODE_LOGGING:-false}|" \
- -e "s|LOGGING_DESTINATION|${LOGGING_DESTINATION:-}|" \
- -e "s|ENABLE_CLUSTER_DNS|${ENABLE_CLUSTER_DNS:-false}|" \
 -e "s|DNS_SERVER_IP|${DNS_SERVER_IP:-}|" \
 -e "s|DNS_DOMAIN|${DNS_DOMAIN:-}|" \
+ -e "s|ENABLE_CLUSTER_DNS|${ENABLE_CLUSTER_DNS:-false}|" \
+ -e "s|ENABLE_NODE_MONITORING|${ENABLE_NODE_MONITORING:-false}|" \
+ -e "s|ENABLE_NODE_LOGGING|${ENABLE_NODE_LOGGING:-false}|" \
+ -e "s|INDEX|$((i + 1))|g" \
+ -e "s|KUBE_BEARER_TOKEN|${KUBE_BEARER_TOKEN}|" \
+ -e "s|KUBE_PROXY_TOKEN|${KUBE_PROXY_TOKEN}|" \
+ -e "s|LOGGING_DESTINATION|${LOGGING_DESTINATION:-}|" \
 $(dirname $0)/rackspace/cloud-config/minion-cloud-config.yaml > $KUBE_TEMP/minion-cloud-config-$(($i + 1)).yaml
@@ -287,6 +312,8 @@ kube-up() {
 rax-ssh-key
 echo "cluster/rackspace/util.sh: Starting Cloud Servers"
+ prep_known_tokens
+
 rax-boot-master
 rax-boot-minions
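Review bot: The two new substitutions take `${KUBE_BEARER_TOKEN}` and `${KUBE_PROXY_TOKEN}` with no default and no check, so if the lookup at the top of the loop yields nothing (the name it calls, `get_tokens_from_csv`, is not the one authorization.sh defines) the cloud-config is rendered with an empty token and the node only fails later when it tries to authenticate, with nothing in this script saying why. Fail closed here instead: `: "${KUBE_BEARER_TOKEN:?no bearer token for ${MINION_NAMES[i]}}"` and the same for KUBE_PROXY_TOKEN, placed right after the lookup. KUBELET_TOKEN is populated by that lookup but never substituted, so the kubelet row written per node is unused as far as this diff shows. The tokens are passed to sed as arguments and are therefore visible in the process list for the duration of the call; on a shared build host, feeding the script from a file with `-f` would avoid that. rax-boot-minions starts and ends outside the hunk.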