From 476138c676c2dbbbbd32bf28729eaf70eaed25df Mon Sep 17 00:00:00 2001
From: Zihong Zheng
Date: Thu, 7 Sep 2017 18:49:29 -0700
Subject: [PATCH] [GCE kube-up] Don't provision kubeconfig file on nodes when kube-proxy run as a DaemonSet
---
 cluster/addons/kube-proxy/kube-proxy-ds.yaml | 12 ++----
 cluster/gce/configure-vm.sh | 39 ++++---------------
 .../gce/container-linux/configure-helper.sh | 27 +------------
 cluster/gce/gci/configure-helper.sh | 27 +------------
 4 files changed, 13 insertions(+), 92 deletions(-)
diff --git a/cluster/addons/kube-proxy/kube-proxy-ds.yaml b/cluster/addons/kube-proxy/kube-proxy-ds.yaml
index 574bbbb785b..a2b41e7db34 100644
--- a/cluster/addons/kube-proxy/kube-proxy-ds.yaml
+++ b/cluster/addons/kube-proxy/kube-proxy-ds.yaml
@@ -37,8 +37,10 @@ spec:
 command:
 - /bin/sh
 - -c
- - kube-proxy {{kubeconfig}} {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
- {{container_env}}
+ - kube-proxy {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
+ env:
+ - name: KUBERNETES_SERVICE_HOST
+ value: {{kubernetes_service_host_env_value}}
 {{kube_cache_mutation_detector_env_name}}
 {{kube_cache_mutation_detector_env_value}}
 securityContext:
@@ -47,9 +49,6 @@ spec:
 - mountPath: /var/log
 name: varlog
 readOnly: false
- - mountPath: /var/lib/kube-proxy/kubeconfig
- name: kubeconfig
- readOnly: false
 - mountPath: /run/xtables.lock
 name: xtables-lock
 readOnly: false
@@ -57,9 +56,6 @@ spec:
 - name: varlog
 hostPath:
 path: /var/log
- - name: kubeconfig
- hostPath:
- path: /var/lib/kube-proxy/kubeconfig
 - name: xtables-lock
 hostPath:
 path: /run/xtables.lock
diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index 09e22b351a3..8f1610471ab 100755
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
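Review bot: The new `env` block pins `KUBERNETES_SERVICE_HOST` but sets no `KUBERNETES_SERVICE_PORT`, so the in-cluster client that replaces the removed kubeconfig mount presumably depends on the port kubelet injects for the `kubernetes` service, and the reason the host is overridden at all (the `kubernetes` ClusterIP is likely unreachable until kube-proxy itself has programmed it) is not stated anywhere in the manifest. A comment next to the entry, e.g. `# host is overridden with the master name because the kubernetes ClusterIP depends on kube-proxy; the port comes from the kubelet-injected service env`, would record both dependencies. The value is templated unquoted; `value: "{{kubernetes_service_host_env_value}}"` keeps YAML from re-typing a purely numeric or colon-containing master name into something the API rejects. Since the removed kubeconfig used the same automounted service-account token and CA that in-cluster config uses, the identity kube-proxy presents to the apiserver is unchanged, which is worth saying in the description.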
@@ -662,13 +662,12 @@ EOF
 #
 # - When run as static pods, use the CA_CERT and KUBE_PROXY_TOKEN to generate a
 # kubeconfig file for the kube-proxy to securely connect to the apiserver.
-# - When run as a daemonset, generate a kubeconfig file specific to service account.
 function create-salt-kubeproxy-auth() {
 local -r kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
- local kubeconfig_content=""
 if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then
- if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
- kubeconfig_content="\
+ mkdir -p /srv/salt-overlay/salt/kube-proxy
+ (umask 077;
+ cat > "${kube_proxy_kubeconfig_file}" < "${kube_proxy_kubeconfig_file}" </var/lib/kube-proxy/kubeconfig
-apiVersion: v1
-kind: Config
-clusters:
-- cluster:
- certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- server: https://${KUBERNETES_MASTER_NAME}
- name: default
-contexts:
-- context:
- cluster: default
- namespace: default
- user: default
- name: default
-current-context: default
-users:
-- name: default
- user:
- tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-EOF
-}
-
 function create-kubecontrollermanager-kubeconfig {
 echo "Creating kube-controller-manager kubeconfig file"
 mkdir -p /etc/srv/kubernetes/kube-controller-manager
@@ -719,6 +695,7 @@ function prepare-kube-proxy-manifest-variables {
 sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file}
 sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file}
 sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file}
+ sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file}
 if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
 sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file}
 fi
@@ -1494,8 +1471,6 @@ else
 create-kubelet-kubeconfig "https://${KUBERNETES_MASTER_NAME}"
 if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
 create-kubeproxy-user-kubeconfig
- else
- create-kubeproxy-serviceaccount-kubeconfig
 fi
 fi
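Review bot: The rewritten `create-salt-kubeproxy-auth` removes the `if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]` guard and, as far as the visible lines show, now writes the KUBE_PROXY_TOKEN-based kubeconfig to `/srv/salt-overlay/salt/kube-proxy/kubeconfig` unconditionally, which is the opposite of what the commit title promises for the DaemonSet case; the heredoc and the close of the `(umask 077; ...` subshell are not in the extracted text, so if that remainder restores the guard this does not apply. If it does not, a bearer-token credential is left on disk on every node in a mode that no longer reads it, and either wrapping the write in `if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then … fi` as before or explaining in the header comment why the salt path must always have the file would settle it. The `umask 077` subshell is the right way to keep that file private; its intent deserves a one-line comment such as `# 0600: the file embeds KUBE_PROXY_TOKEN`. The function body continues past the visible part of the hunk.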
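Review bot: The added `sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file}` in the `@@ -719,6 +695,7 @@` hunk splices the master name into the sed script, so a value containing `@`, `&` or `\` would silently corrupt the generated manifest rather than fail, and `${src_file}` is unquoted; both follow the surrounding lines, but this value is new and becomes the apiserver address kube-proxy trusts. A cheap guard before the substitution, e.g. `[[ "${KUBERNETES_MASTER_NAME}" =~ ^[A-Za-z0-9._:-]+$ ]] || { echo "unexpected KUBERNETES_MASTER_NAME" >&2; exit 1; }`, would make the failure explicit. The identical line is added to `prepare-kube-proxy-manifest-variables` in cluster/gce/gci/configure-helper.sh below, and the file header for this hunk is missing from the extracted text; the function body extends beyond both hunks.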
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 03dab163efe..1863e1c996f 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -727,30 +727,6 @@ current-context: service-account-context
 EOF
 }
-function create-kubeproxy-serviceaccount-kubeconfig {
- echo "Creating kube-proxy serviceaccount kubeconfig file"
- cat </var/lib/kube-proxy/kubeconfig
-apiVersion: v1
-kind: Config
-clusters:
-- cluster:
- certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- server: https://${KUBERNETES_MASTER_NAME}
- name: default
-contexts:
-- context:
- cluster: default
- namespace: default
- user: default
- name: default
-current-context: default
-users:
-- name: default
- user:
- tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-EOF
-}
-
 function create-kubecontrollermanager-kubeconfig {
 echo "Creating kube-controller-manager kubeconfig file"
 mkdir -p /etc/srv/kubernetes/kube-controller-manager
@@ -1119,6 +1095,7 @@ function prepare-kube-proxy-manifest-variables {
 sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file}
 sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file}
 sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file}
+ sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file}
 if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
 sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file}
 fi
@@ -2000,8 +1977,6 @@ else
 create-kubelet-kubeconfig ${KUBERNETES_MASTER_NAME}
 if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
 create-kubeproxy-user-kubeconfig
- else
- create-kubeproxy-serviceaccount-kubeconfig
 fi
 if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then
 create-node-problem-detector-kubeconfig