Merge pull request #52183 from MrHohn/kube-proxy-incluster-host
Automatic merge from submit-queue (batch tested with PRs 52883, 52183, 53915, 53848). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. [GCE kube-up] Don't provision kubeconfig file for kube-proxy service account **What this PR does / why we need it**: Offloading the burden of provisioning kubeconfig file for kube-proxy service account from GCE startup scripts. This also helps us decoupling kube-proxy daemonset upgrade from node upgrade. Previous attempt on https://github.com/kubernetes/kubernetes/pull/51172, using InClusterConfig for kube-proxy based on discussions on https://github.com/kubernetes/client-go/issues/281. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #NONE **Special notes for your reviewer**: /assign @bowei @thockin cc @luxas @murali-reddy **Release note**: ```release-note NONE ```
This commit is contained in:
commit
1c17d985ca
@ -37,8 +37,10 @@ spec:
|
|||||||
command:
|
command:
|
||||||
- /bin/sh
|
- /bin/sh
|
||||||
- -c
|
- -c
|
||||||
- kube-proxy {{kubeconfig}} {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
|
- kube-proxy {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
|
||||||
{{container_env}}
|
env:
|
||||||
|
- name: KUBERNETES_SERVICE_HOST
|
||||||
|
value: {{kubernetes_service_host_env_value}}
|
||||||
{{kube_cache_mutation_detector_env_name}}
|
{{kube_cache_mutation_detector_env_name}}
|
||||||
{{kube_cache_mutation_detector_env_value}}
|
{{kube_cache_mutation_detector_env_value}}
|
||||||
securityContext:
|
securityContext:
|
||||||
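Review bot: The new `- name: KUBERNETES_SERVICE_HOST` entry sets only the host, while `rest.InClusterConfig()` also reads `KUBERNETES_SERVICE_PORT` and returns `rest.ErrNotInCluster` when either is empty, so the manifest is silently relying on the kubelet-injected port for the `kubernetes` service and nothing in the hunk says so. A comment on the entry would make that dependency and the TLS consequence visible: `# Overrides the kubelet-injected service host so kube-proxy's in-cluster config talks to the master name; the port still comes from the kubelet-injected KUBERNETES_SERVICE_PORT, and the apiserver serving cert must be valid for this name since in-cluster config verifies it against the service-account ca.crt.` If the `{{kubernetes_service_host_env_value}}` placeholder is ever filled with an empty string, the explicit env entry would most likely replace the injected host with an empty value and the in-cluster fallback fails at startup, so the sed that performs the substitution (in the prepare-kube-proxy-manifest-variables hunks) should be guarded.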
@ -47,9 +49,6 @@ spec:
|
|||||||
- mountPath: /var/log
|
- mountPath: /var/log
|
||||||
name: varlog
|
name: varlog
|
||||||
readOnly: false
|
readOnly: false
|
||||||
- mountPath: /var/lib/kube-proxy/kubeconfig
|
|
||||||
name: kubeconfig
|
|
||||||
readOnly: false
|
|
||||||
- mountPath: /run/xtables.lock
|
- mountPath: /run/xtables.lock
|
||||||
name: xtables-lock
|
name: xtables-lock
|
||||||
readOnly: false
|
readOnly: false
|
||||||
@ -57,9 +56,6 @@ spec:
|
|||||||
- name: varlog
|
- name: varlog
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/log
|
path: /var/log
|
||||||
- name: kubeconfig
|
|
||||||
hostPath:
|
|
||||||
path: /var/lib/kube-proxy/kubeconfig
|
|
||||||
- name: xtables-lock
|
- name: xtables-lock
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /run/xtables.lock
|
path: /run/xtables.lock
|
||||||
|
@ -667,13 +667,12 @@ EOF
|
|||||||
#
|
#
|
||||||
# - When run as static pods, use the CA_CERT and KUBE_PROXY_TOKEN to generate a
|
# - When run as static pods, use the CA_CERT and KUBE_PROXY_TOKEN to generate a
|
||||||
# kubeconfig file for the kube-proxy to securely connect to the apiserver.
|
# kubeconfig file for the kube-proxy to securely connect to the apiserver.
|
||||||
# - When run as a daemonset, generate a kubeconfig file specific to service account.
|
|
||||||
function create-salt-kubeproxy-auth() {
|
function create-salt-kubeproxy-auth() {
|
||||||
local -r kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
|
local -r kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
|
||||||
local kubeconfig_content=""
|
|
||||||
if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then
|
if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then
|
||||||
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
mkdir -p /srv/salt-overlay/salt/kube-proxy
|
||||||
kubeconfig_content="\
|
(umask 077;
|
||||||
|
cat > "${kube_proxy_kubeconfig_file}" <<EOF
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Config
|
kind: Config
|
||||||
users:
|
users:
|
||||||
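Review bot: The header comment above create-salt-kubeproxy-auth lost its daemonset bullet, but the function still writes a kubeconfig whenever the file is absent; the daemonset case is now decided only at the call site in the later hunk (`if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]` around `create-salt-kubeproxy-auth`), so a reader of this function cannot see why it is sometimes skipped. Suggest restoring a bullet: `# - When run as a daemonset, no kubeconfig is generated here; kube-proxy authenticates with its service account token via in-cluster config.` The restored `(umask 077; cat > "${kube_proxy_kubeconfig_file}" <<EOF` keeps the token-bearing file readable only by its owner, which is the right default for this secret. The heredoc and the function body continue past the end of this hunk.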
@ -689,33 +688,7 @@ contexts:
|
|||||||
cluster: local
|
cluster: local
|
||||||
user: kube-proxy
|
user: kube-proxy
|
||||||
name: service-account-context
|
name: service-account-context
|
||||||
current-context: service-account-context"
|
current-context: service-account-context
|
||||||
else
|
|
||||||
# Generate kubeconfig specific to service account.
|
|
||||||
kubeconfig_content="\
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Config
|
|
||||||
clusters:
|
|
||||||
- cluster:
|
|
||||||
certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
|
||||||
server: https://${KUBERNETES_MASTER_NAME}
|
|
||||||
name: default
|
|
||||||
contexts:
|
|
||||||
- context:
|
|
||||||
cluster: default
|
|
||||||
namespace: default
|
|
||||||
user: default
|
|
||||||
name: default
|
|
||||||
current-context: default
|
|
||||||
users:
|
|
||||||
- name: default
|
|
||||||
user:
|
|
||||||
tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token"
|
|
||||||
fi
|
|
||||||
mkdir -p /srv/salt-overlay/salt/kube-proxy
|
|
||||||
(umask 077;
|
|
||||||
cat > "${kube_proxy_kubeconfig_file}" <<EOF
|
|
||||||
${kubeconfig_content}
|
|
||||||
EOF
|
EOF
|
||||||
)
|
)
|
||||||
fi
|
fi
|
||||||
@ -891,7 +864,9 @@ if [[ -z "${is_push}" ]]; then
|
|||||||
create-node-pki
|
create-node-pki
|
||||||
create-salt-pillar
|
create-salt-pillar
|
||||||
create-salt-kubelet-auth
|
create-salt-kubelet-auth
|
||||||
create-salt-kubeproxy-auth
|
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
||||||
|
create-salt-kubeproxy-auth
|
||||||
|
fi
|
||||||
download-release
|
download-release
|
||||||
configure-salt
|
configure-salt
|
||||||
remove-docker-artifacts
|
remove-docker-artifacts
|
||||||
|
@ -385,30 +385,6 @@ current-context: service-account-context
|
|||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
function create-kubeproxy-serviceaccount-kubeconfig {
|
|
||||||
echo "Creating kube-proxy serviceaccount kubeconfig file"
|
|
||||||
cat <<EOF >/var/lib/kube-proxy/kubeconfig
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Config
|
|
||||||
clusters:
|
|
||||||
- cluster:
|
|
||||||
certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
|
||||||
server: https://${KUBERNETES_MASTER_NAME}
|
|
||||||
name: default
|
|
||||||
contexts:
|
|
||||||
- context:
|
|
||||||
cluster: default
|
|
||||||
namespace: default
|
|
||||||
user: default
|
|
||||||
name: default
|
|
||||||
current-context: default
|
|
||||||
users:
|
|
||||||
- name: default
|
|
||||||
user:
|
|
||||||
tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
function create-kubecontrollermanager-kubeconfig {
|
function create-kubecontrollermanager-kubeconfig {
|
||||||
echo "Creating kube-controller-manager kubeconfig file"
|
echo "Creating kube-controller-manager kubeconfig file"
|
||||||
mkdir -p /etc/srv/kubernetes/kube-controller-manager
|
mkdir -p /etc/srv/kubernetes/kube-controller-manager
|
||||||
@ -719,6 +695,7 @@ function prepare-kube-proxy-manifest-variables {
|
|||||||
sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file}
|
sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file}
|
||||||
sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file}
|
sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file}
|
||||||
sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file}
|
sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file}
|
||||||
|
sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file}
|
||||||
if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
|
if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
|
||||||
sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file}
|
sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file}
|
||||||
fi
|
fi
|
||||||
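Review bot: The new sed line substitutes `${KUBERNETES_MASTER_NAME}` unconditionally, unlike the `CLUSTER_IP_RANGE` block directly below it that guards with `-n`; an empty value leaves `value:` with nothing after it in the manifest, which would most likely override the kubelet-injected KUBERNETES_SERVICE_HOST with an empty string and make kube-proxy's in-cluster config fail at startup. The value is also spliced into a sed expression that uses `@` as its delimiter, so a master name containing `@`, `&` or `\` would corrupt the substitution rather than fail cleanly. Suggest wrapping the line in `if [[ -n "${KUBERNETES_MASTER_NAME:-}" ]]; then` / `fi`, matching the neighbouring pattern, and noting the delimiter assumption in a comment. The same line is added in the second prepare-kube-proxy-manifest-variables hunk; prepare-kube-proxy-manifest-variables starts and ends outside this hunk.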
@ -1499,8 +1476,6 @@ else
|
|||||||
create-kubelet-kubeconfig "https://${KUBERNETES_MASTER_NAME}"
|
create-kubelet-kubeconfig "https://${KUBERNETES_MASTER_NAME}"
|
||||||
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
||||||
create-kubeproxy-user-kubeconfig
|
create-kubeproxy-user-kubeconfig
|
||||||
else
|
|
||||||
create-kubeproxy-serviceaccount-kubeconfig
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -727,30 +727,6 @@ current-context: service-account-context
|
|||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
function create-kubeproxy-serviceaccount-kubeconfig {
|
|
||||||
echo "Creating kube-proxy serviceaccount kubeconfig file"
|
|
||||||
cat <<EOF >/var/lib/kube-proxy/kubeconfig
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Config
|
|
||||||
clusters:
|
|
||||||
- cluster:
|
|
||||||
certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
|
||||||
server: https://${KUBERNETES_MASTER_NAME}
|
|
||||||
name: default
|
|
||||||
contexts:
|
|
||||||
- context:
|
|
||||||
cluster: default
|
|
||||||
namespace: default
|
|
||||||
user: default
|
|
||||||
name: default
|
|
||||||
current-context: default
|
|
||||||
users:
|
|
||||||
- name: default
|
|
||||||
user:
|
|
||||||
tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
function create-kubecontrollermanager-kubeconfig {
|
function create-kubecontrollermanager-kubeconfig {
|
||||||
echo "Creating kube-controller-manager kubeconfig file"
|
echo "Creating kube-controller-manager kubeconfig file"
|
||||||
mkdir -p /etc/srv/kubernetes/kube-controller-manager
|
mkdir -p /etc/srv/kubernetes/kube-controller-manager
|
||||||
@ -1119,6 +1095,7 @@ function prepare-kube-proxy-manifest-variables {
|
|||||||
sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file}
|
sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file}
|
||||||
sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file}
|
sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file}
|
||||||
sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file}
|
sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file}
|
||||||
|
sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file}
|
||||||
if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
|
if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
|
||||||
sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file}
|
sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file}
|
||||||
fi
|
fi
|
||||||
@ -2009,8 +1986,6 @@ else
|
|||||||
create-kubelet-kubeconfig ${KUBERNETES_MASTER_NAME}
|
create-kubelet-kubeconfig ${KUBERNETES_MASTER_NAME}
|
||||||
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
||||||
create-kubeproxy-user-kubeconfig
|
create-kubeproxy-user-kubeconfig
|
||||||
else
|
|
||||||
create-kubeproxy-serviceaccount-kubeconfig
|
|
||||||
fi
|
fi
|
||||||
if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then
|
if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then
|
||||||
create-node-problem-detector-kubeconfig
|
create-node-problem-detector-kubeconfig
|
||||||
|
@ -66,6 +66,7 @@ go_library(
|
|||||||
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
||||||
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
|
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
|
||||||
"//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
|
"//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
|
||||||
|
"//vendor/k8s.io/client-go/rest:go_default_library",
|
||||||
"//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
|
"//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
|
||||||
"//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
|
"//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
|
||||||
"//vendor/k8s.io/client-go/tools/record:go_default_library",
|
"//vendor/k8s.io/client-go/tools/record:go_default_library",
|
||||||
|
@ -41,6 +41,7 @@ import (
|
|||||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||||
clientgoclientset "k8s.io/client-go/kubernetes"
|
clientgoclientset "k8s.io/client-go/kubernetes"
|
||||||
v1core "k8s.io/client-go/kubernetes/typed/core/v1"
|
v1core "k8s.io/client-go/kubernetes/typed/core/v1"
|
||||||
|
"k8s.io/client-go/rest"
|
||||||
"k8s.io/client-go/tools/clientcmd"
|
"k8s.io/client-go/tools/clientcmd"
|
||||||
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
|
||||||
"k8s.io/client-go/tools/record"
|
"k8s.io/client-go/tools/record"
|
||||||
@ -384,15 +385,19 @@ type ProxyServer struct {
|
|||||||
// createClients creates a kube client and an event client from the given config and masterOverride.
|
// createClients creates a kube client and an event client from the given config and masterOverride.
|
||||||
// TODO remove masterOverride when CLI flags are removed.
|
// TODO remove masterOverride when CLI flags are removed.
|
||||||
func createClients(config componentconfig.ClientConnectionConfiguration, masterOverride string) (clientset.Interface, v1core.EventsGetter, error) {
|
func createClients(config componentconfig.ClientConnectionConfiguration, masterOverride string) (clientset.Interface, v1core.EventsGetter, error) {
|
||||||
if len(config.KubeConfigFile) == 0 && len(masterOverride) == 0 {
|
var kubeConfig *rest.Config
|
||||||
glog.Warningf("Neither --kubeconfig nor --master was specified. Using default API client. This might not work.")
|
var err error
|
||||||
}
|
|
||||||
|
|
||||||
// This creates a client, first loading any specified kubeconfig
|
if len(config.KubeConfigFile) == 0 && len(masterOverride) == 0 {
|
||||||
// file, and then overriding the Master flag, if non-empty.
|
glog.Info("Neither kubeconfig file nor master URL was specified. Falling back to in-cluster config.")
|
||||||
kubeConfig, err := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
|
kubeConfig, err = rest.InClusterConfig()
|
||||||
&clientcmd.ClientConfigLoadingRules{ExplicitPath: config.KubeConfigFile},
|
} else {
|
||||||
&clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: masterOverride}}).ClientConfig()
|
// This creates a client, first loading any specified kubeconfig
|
||||||
|
// file, and then overriding the Master flag, if non-empty.
|
||||||
|
kubeConfig, err = clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
|
||||||
|
&clientcmd.ClientConfigLoadingRules{ExplicitPath: config.KubeConfigFile},
|
||||||
|
&clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: masterOverride}}).ClientConfig()
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
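Review bot: The error from `rest.InClusterConfig()` is returned unadorned through the shared `if err != nil` check, so when the pod lacks the service-account mount or the KUBERNETES_SERVICE_HOST/PORT env vars the caller only sees `rest.ErrNotInCluster` with no indication that kube-proxy took the in-cluster path because neither --kubeconfig nor --master was given. Suggest, in the in-cluster branch right after the call, `if err != nil {` / `return nil, nil, fmt.Errorf("creating in-cluster client config: %v", err)` / `}` (assuming fmt is already imported; if callers need the bare sentinel to stay comparable, log the failure next to the existing glog.Info instead). The doc comment on createClients should also record the new behaviour: `// If neither a kubeconfig file nor a master URL is given, the in-cluster configuration is used.` createClients continues past the end of this hunk.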