From bc9d4ad66e79ee2c451aa1bb7d608f7d0aca77e7 Mon Sep 17 00:00:00 2001
From: Zihong Zheng
Date: Thu, 7 Sep 2017 18:34:28 -0700
Subject: [PATCH 1/2] Allow kube-proxy using InClusterConfig()

---
 cmd/kube-proxy/app/BUILD | 1 +
 cmd/kube-proxy/app/server.go | 21 +++++++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/cmd/kube-proxy/app/BUILD b/cmd/kube-proxy/app/BUILD
index c5d12c388f5..348d5ea9b3d 100644
--- a/cmd/kube-proxy/app/BUILD
+++ b/cmd/kube-proxy/app/BUILD
@@ -66,6 +66,7 @@ go_library(
 "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
 "//vendor/k8s.io/client-go/kubernetes:go_default_library",
 "//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
+ "//vendor/k8s.io/client-go/rest:go_default_library",
 "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
 "//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
 "//vendor/k8s.io/client-go/tools/record:go_default_library",
diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go
index a79122e9fba..87adc3a9652 100644
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -41,6 +41,7 @@ import (
 utilfeature "k8s.io/apiserver/pkg/util/feature"
 clientgoclientset "k8s.io/client-go/kubernetes"
 v1core "k8s.io/client-go/kubernetes/typed/core/v1"
+ "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd"
 clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 "k8s.io/client-go/tools/record"
@@ -393,15 +394,19 @@ type ProxyServer struct {
 // createClients creates a kube client and an event client from the given config and masterOverride.
 // TODO remove masterOverride when CLI flags are removed.
 func createClients(config componentconfig.ClientConnectionConfiguration, masterOverride string) (clientset.Interface, v1core.EventsGetter, error) {
- if len(config.KubeConfigFile) == 0 && len(masterOverride) == 0 {
- glog.Warningf("Neither --kubeconfig nor --master was specified. Using default API client. This might not work.")
- }
+ var kubeConfig *rest.Config
+ var err error
 
- // This creates a client, first loading any specified kubeconfig
- // file, and then overriding the Master flag, if non-empty.
- kubeConfig, err := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
- &clientcmd.ClientConfigLoadingRules{ExplicitPath: config.KubeConfigFile},
- &clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: masterOverride}}).ClientConfig()
+ if len(config.KubeConfigFile) == 0 && len(masterOverride) == 0 {
+ glog.Info("Neither kubeconfig file nor master URL was specified. Falling back to in-cluster config.")
+ kubeConfig, err = rest.InClusterConfig()
+ } else {
+ // This creates a client, first loading any specified kubeconfig
+ // file, and then overriding the Master flag, if non-empty.
+ kubeConfig, err = clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+ &clientcmd.ClientConfigLoadingRules{ExplicitPath: config.KubeConfigFile},
+ &clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: masterOverride}}).ClientConfig()
+ }
 if err != nil {
 return nil, nil, err
 }
From 476138c676c2dbbbbd32bf28729eaf70eaed25df Mon Sep 17 00:00:00 2001
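Review bot: The new in-cluster branch returns the error from `rest.InClusterConfig()` bare, so a kube-proxy started with neither flag on a host without the service env vars fails with a message that does not say which config path was attempted; wrap it with the path taken, e.g. `return nil, nil, fmt.Errorf("no kubeconfig or master given; in-cluster config failed: %v", err)` (assuming `fmt` is already imported — the import hunk does not show it). The function comment above the signature should also state the fallback and its security consequence: in in-cluster mode kube-proxy authenticates with the pod's mounted service-account token and trusts the mounted CA for the host taken from `KUBERNETES_SERVICE_HOST`, so the DaemonSet's service account must carry kube-proxy's RBAC and that CA must be valid for the master name the manifest injects. I believe clientcmd's deferred loader already falls back to in-cluster config when the merged config is empty in this client-go vintage, in which case the explicit branch mainly changes the log line; worth confirming so the two paths do not quietly diverge.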
From: Zihong Zheng
Date: Thu, 7 Sep 2017 18:49:29 -0700
Subject: [PATCH 2/2] [GCE kube-up] Don't provision kubeconfig file on nodes when kube-proxy run as a DaemonSet

---
 cluster/addons/kube-proxy/kube-proxy-ds.yaml | 12 ++----
 cluster/gce/configure-vm.sh | 39 ++++---------------
 .../gce/container-linux/configure-helper.sh | 27 +------------
 cluster/gce/gci/configure-helper.sh | 27 +------------
 4 files changed, 13 insertions(+), 92 deletions(-)

diff --git a/cluster/addons/kube-proxy/kube-proxy-ds.yaml b/cluster/addons/kube-proxy/kube-proxy-ds.yaml
index 574bbbb785b..a2b41e7db34 100644
--- a/cluster/addons/kube-proxy/kube-proxy-ds.yaml
+++ b/cluster/addons/kube-proxy/kube-proxy-ds.yaml
@@ -37,8 +37,10 @@ spec:
 command:
 - /bin/sh
 - -c
- - kube-proxy {{kubeconfig}} {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
- {{container_env}}
+ - kube-proxy {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
+ env:
+ - name: KUBERNETES_SERVICE_HOST
+ value: {{kubernetes_service_host_env_value}}
 {{kube_cache_mutation_detector_env_name}}
 {{kube_cache_mutation_detector_env_value}}
 securityContext:
@@ -47,9 +49,6 @@ spec:
 - mountPath: /var/log
 name: varlog
 readOnly: false
- - mountPath: /var/lib/kube-proxy/kubeconfig
- name: kubeconfig
- readOnly: false
 - mountPath: /run/xtables.lock
 name: xtables-lock
 readOnly: false
@@ -57,9 +56,6 @@ spec:
 - name: varlog
 hostPath:
 path: /var/log
- - name: kubeconfig
- hostPath:
- path: /var/lib/kube-proxy/kubeconfig
 - name: xtables-lock
 hostPath:
 path: /run/xtables.lock
diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index 09e22b351a3..8f1610471ab 100755
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
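Review bot: The manifest overrides only `KUBERNETES_SERVICE_HOST`, but in-cluster config builds its apiserver URL from both that and `KUBERNETES_SERVICE_PORT`; the port is presumably left to the `kubernetes` service env injection, so if that injected port ever differs from the port the apiserver serves on `{{kubernetes_service_host_env_value}}`, kube-proxy would connect to the wrong endpoint and the mismatch would only show as a connection error. Setting it explicitly next to the host — `- name: KUBERNETES_SERVICE_PORT` with a templated value filled by the same sed pass as the host — removes that hidden dependency, and the host value should be quoted (`value: "{{kubernetes_service_host_env_value}}"`) since env values must be YAML strings. With the kubeconfig hostPath mount gone, the only credential kube-proxy has is the service-account token auto-mounted into the pod; a short comment above `env:` saying so, and that the DaemonSet's service account must carry kube-proxy's RBAC, would help the next reader understand why no kubeconfig is wired in. The volume and mount removals are fine as history.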
@@ -662,13 +662,12 @@ EOF # # - When run as static pods, use the CA_CERT and KUBE_PROXY_TOKEN to generate a # kubeconfig file for the kube-proxy to securely connect to the apiserver. -# - When run as a daemonset, generate a kubeconfig file specific to service account. function create-salt-kubeproxy-auth() { local -r kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig" - local kubeconfig_content="" if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then - if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then - kubeconfig_content="\ + mkdir -p /srv/salt-overlay/salt/kube-proxy + (umask 077; + cat > "${kube_proxy_kubeconfig_file}" < "${kube_proxy_kubeconfig_file}" </var/lib/kube-proxy/kubeconfig -apiVersion: v1 -kind: Config -clusters: -- cluster: - certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - server: https://${KUBERNETES_MASTER_NAME} - name: default -contexts: -- context: - cluster: default - namespace: default - user: default - name: default -current-context: default -users: -- name: default - user: - tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token -EOF -} - function create-kubecontrollermanager-kubeconfig { echo "Creating kube-controller-manager kubeconfig file" mkdir -p /etc/srv/kubernetes/kube-controller-manager @@ -719,6 +695,7 @@ function prepare-kube-proxy-manifest-variables { sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file} sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file} sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file} + sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file} if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file} fi @@ -1494,8 +1471,6 @@ else create-kubelet-kubeconfig "https://${KUBERNETES_MASTER_NAME}" if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then create-kubeproxy-user-kubeconfig - else - create-kubeproxy-serviceaccount-kubeconfig fi fi 
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index 03dab163efe..1863e1c996f 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh @@ -727,30 +727,6 @@ current-context: service-account-context EOF } -function create-kubeproxy-serviceaccount-kubeconfig { - echo "Creating kube-proxy serviceaccount kubeconfig file" - cat </var/lib/kube-proxy/kubeconfig -apiVersion: v1 -kind: Config -clusters: -- cluster: - certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - server: https://${KUBERNETES_MASTER_NAME} - name: default -contexts: -- context: - cluster: default - namespace: default - user: default - name: default -current-context: default -users: -- name: default - user: - tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token -EOF -} - function create-kubecontrollermanager-kubeconfig { echo "Creating kube-controller-manager kubeconfig file" mkdir -p /etc/srv/kubernetes/kube-controller-manager @@ -1119,6 +1095,7 @@ function prepare-kube-proxy-manifest-variables { sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file} sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file} sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file} + sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file} if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file} fi @@ -2000,8 +1977,6 @@ else create-kubelet-kubeconfig ${KUBERNETES_MASTER_NAME} if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then create-kubeproxy-user-kubeconfig - else - create-kubeproxy-serviceaccount-kubeconfig fi if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then create-node-problem-detector-kubeconfig
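Review bot: The added `sed` in `prepare-kube-proxy-manifest-variables` (the function starts and ends outside this hunk) substitutes only the host for the DaemonSet's `KUBERNETES_SERVICE_HOST` override, so the in-cluster client will pair `${KUBERNETES_MASTER_NAME}` with whatever `KUBERNETES_SERVICE_PORT` the kubelet injects; once the manifest carries a port placeholder, add the matching `sed -i -e "s@{{kubernetes_service_port_env_value}}@<apiserver port>@g" ${src_file}` here so both halves of the URL are pinned by the bootstrap script. The same applies to the sibling hunk in the container-linux helper. Like its neighbours, the replacement text is not sed-escaped, which is fine for a bare hostname or IP but worth stating, e.g. `# KUBERNETES_MASTER_NAME is a bare host/IP; no sed escaping needed`, so nobody later feeds it a value containing `@` or `&`.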