mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 11:21:47 +00:00
[GCE kube-up] Don't provision kubeconfig file on nodes when kube-proxy run as a DaemonSet
This commit is contained in:
Zihong Zheng
parent
bc9d4ad66e
commit
476138c676
@ -37,8 +37,10 @@ spec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- kube-proxy {{kubeconfig}} {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
|
||||
{{container_env}}
|
||||
- kube-proxy {{cluster_cidr}} --resource-container="" --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
|
||||
env:
|
||||
- name: KUBERNETES_SERVICE_HOST
|
||||
value: {{kubernetes_service_host_env_value}}
|
||||
{{kube_cache_mutation_detector_env_name}}
|
||||
{{kube_cache_mutation_detector_env_value}}
|
||||
securityContext:
|
||||
@ -47,9 +49,6 @@ spec:
|
||||
- mountPath: /var/log
|
||||
name: varlog
|
||||
readOnly: false
|
||||
- mountPath: /var/lib/kube-proxy/kubeconfig
|
||||
name: kubeconfig
|
||||
readOnly: false
|
||||
- mountPath: /run/xtables.lock
|
||||
name: xtables-lock
|
||||
readOnly: false
|
||||
@ -57,9 +56,6 @@ spec:
|
||||
- name: varlog
|
||||
hostPath:
|
||||
path: /var/log
|
||||
- name: kubeconfig
|
||||
hostPath:
|
||||
path: /var/lib/kube-proxy/kubeconfig
|
||||
- name: xtables-lock
|
||||
hostPath:
|
||||
path: /run/xtables.lock
|
||||
|
||||
@ -662,13 +662,12 @@ EOF
|
||||
#
|
||||
# - When run as static pods, use the CA_CERT and KUBE_PROXY_TOKEN to generate a
|
||||
# kubeconfig file for the kube-proxy to securely connect to the apiserver.
|
||||
# - When run as a daemonset, generate a kubeconfig file specific to service account.
|
||||
function create-salt-kubeproxy-auth() {
|
||||
local -r kube_proxy_kubeconfig_file="/srv/salt-overlay/salt/kube-proxy/kubeconfig"
|
||||
local kubeconfig_content=""
|
||||
if [ ! -e "${kube_proxy_kubeconfig_file}" ]; then
|
||||
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
||||
kubeconfig_content="\
|
||||
mkdir -p /srv/salt-overlay/salt/kube-proxy
|
||||
(umask 077;
|
||||
cat > "${kube_proxy_kubeconfig_file}" <<EOF
|
||||
apiVersion: v1
|
||||
kind: Config
|
||||
users:
|
||||
@ -684,33 +683,7 @@ contexts:
|
||||
cluster: local
|
||||
user: kube-proxy
|
||||
name: service-account-context
|
||||
current-context: service-account-context"
|
||||
else
|
||||
# Generate kubeconfig specific to service account.
|
||||
kubeconfig_content="\
|
||||
apiVersion: v1
|
||||
kind: Config
|
||||
clusters:
|
||||
- cluster:
|
||||
certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
server: https://${KUBERNETES_MASTER_NAME}
|
||||
name: default
|
||||
contexts:
|
||||
- context:
|
||||
cluster: default
|
||||
namespace: default
|
||||
user: default
|
||||
name: default
|
||||
current-context: default
|
||||
users:
|
||||
- name: default
|
||||
user:
|
||||
tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token"
|
||||
fi
|
||||
mkdir -p /srv/salt-overlay/salt/kube-proxy
|
||||
(umask 077;
|
||||
cat > "${kube_proxy_kubeconfig_file}" <<EOF
|
||||
${kubeconfig_content}
|
||||
current-context: service-account-context
|
||||
EOF
|
||||
)
|
||||
fi
|
||||
@ -886,7 +859,9 @@ if [[ -z "${is_push}" ]]; then
|
||||
create-node-pki
|
||||
create-salt-pillar
|
||||
create-salt-kubelet-auth
|
||||
create-salt-kubeproxy-auth
|
||||
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
||||
create-salt-kubeproxy-auth
|
||||
fi
|
||||
download-release
|
||||
configure-salt
|
||||
remove-docker-artifacts
|
||||
|
||||
@ -385,30 +385,6 @@ current-context: service-account-context
|
||||
EOF
|
||||
}
|
||||
|
||||
function create-kubeproxy-serviceaccount-kubeconfig {
|
||||
echo "Creating kube-proxy serviceaccount kubeconfig file"
|
||||
cat <<EOF >/var/lib/kube-proxy/kubeconfig
|
||||
apiVersion: v1
|
||||
kind: Config
|
||||
clusters:
|
||||
- cluster:
|
||||
certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
server: https://${KUBERNETES_MASTER_NAME}
|
||||
name: default
|
||||
contexts:
|
||||
- context:
|
||||
cluster: default
|
||||
namespace: default
|
||||
user: default
|
||||
name: default
|
||||
current-context: default
|
||||
users:
|
||||
- name: default
|
||||
user:
|
||||
tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
EOF
|
||||
}
|
||||
|
||||
function create-kubecontrollermanager-kubeconfig {
|
||||
echo "Creating kube-controller-manager kubeconfig file"
|
||||
mkdir -p /etc/srv/kubernetes/kube-controller-manager
|
||||
@ -719,6 +695,7 @@ function prepare-kube-proxy-manifest-variables {
|
||||
sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file}
|
||||
sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file}
|
||||
sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file}
|
||||
sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file}
|
||||
if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
|
||||
sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file}
|
||||
fi
|
||||
@ -1494,8 +1471,6 @@ else
|
||||
create-kubelet-kubeconfig "https://${KUBERNETES_MASTER_NAME}"
|
||||
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
||||
create-kubeproxy-user-kubeconfig
|
||||
else
|
||||
create-kubeproxy-serviceaccount-kubeconfig
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
@ -727,30 +727,6 @@ current-context: service-account-context
|
||||
EOF
|
||||
}
|
||||
|
||||
function create-kubeproxy-serviceaccount-kubeconfig {
|
||||
echo "Creating kube-proxy serviceaccount kubeconfig file"
|
||||
cat <<EOF >/var/lib/kube-proxy/kubeconfig
|
||||
apiVersion: v1
|
||||
kind: Config
|
||||
clusters:
|
||||
- cluster:
|
||||
certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
|
||||
server: https://${KUBERNETES_MASTER_NAME}
|
||||
name: default
|
||||
contexts:
|
||||
- context:
|
||||
cluster: default
|
||||
namespace: default
|
||||
user: default
|
||||
name: default
|
||||
current-context: default
|
||||
users:
|
||||
- name: default
|
||||
user:
|
||||
tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
EOF
|
||||
}
|
||||
|
||||
function create-kubecontrollermanager-kubeconfig {
|
||||
echo "Creating kube-controller-manager kubeconfig file"
|
||||
mkdir -p /etc/srv/kubernetes/kube-controller-manager
|
||||
@ -1119,6 +1095,7 @@ function prepare-kube-proxy-manifest-variables {
|
||||
sed -i -e "s@{{pod_priority}}@${pod_priority}@g" ${src_file}
|
||||
sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file}
|
||||
sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file}
|
||||
sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file}
|
||||
if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
|
||||
sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file}
|
||||
fi
|
||||
@ -2000,8 +1977,6 @@ else
|
||||
create-kubelet-kubeconfig ${KUBERNETES_MASTER_NAME}
|
||||
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
|
||||
create-kubeproxy-user-kubeconfig
|
||||
else
|
||||
create-kubeproxy-serviceaccount-kubeconfig
|
||||
fi
|
||||
if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then
|
||||
create-node-problem-detector-kubeconfig
|
||||
|
||||
Loading…
Reference in New Issue
Block a user