Added kube-proxy token.

Generates the new token on AWS, GCE, Vagrant. Renames instance metadata from "kube-token" to "kubelet-token". (Is this okay for GKE?) Having separate tokens for kubelet and kube-proxy permits using principle of least privilege, makes it easy to rate limit the clients separately, allows annotation of apiserver logs with the client identity at a finer grain than just source-ip.
2025-09-02 17:57:33 +00:00 · 2015-04-21 09:09:45 -07:00
parent 4b9a64bcd8
commit 2ca8a9d15d
4 changed files with 32 additions and 14 deletions
--- a/cluster/vagrant/provision-master.sh
+++ b/cluster/vagrant/provision-master.sh
@@ -137,10 +137,13 @@ EOF
 known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
 if [[ ! -f "${known_tokens_file}" ]]; then
  kubelet_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
+  kube_proxy_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)

  mkdir -p /srv/salt-overlay/salt/kube-apiserver
  known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
-  (umask u=rw,go= ; echo "$kubelet_token,kubelet,kubelet" > $known_tokens_file)
+  (umask u=rw,go= ; echo "" > $known_tokens_file)
+  echo "$kubelet_token,kubelet,kubelet" >> $known_tokens_file
+  echo "$kube_proxy_token,kube-proxy,kube-proxy" >> $known_tokens_file

  mkdir -p /srv/salt-overlay/salt/kubelet
  kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"