Support token authentication for network proxy

Jefftree 2020-02-20 15:27:25 -08:00
parent debb1edee1
commit 4c54241c3d
5 changed files with 56 additions and 13 deletions


@ -22,11 +22,6 @@ spec:
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
hostNetwork: true
volumes:
- name: pki
hostPath:
path: /etc/srv/kubernetes/pki/konnectivity-agent
containers:
- image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.4
name: konnectivity-agent
@ -35,7 +30,8 @@ spec:
"--logtostderr=true",
"--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"--proxy-server-host=__APISERVER_IP__",
"--proxy-server-port=8132"
"--proxy-server-port=8132",
"--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token"
]
env:
- name: POD_NAME
@ -50,10 +46,20 @@ spec:
limits:
cpu: 50m
memory: 30Mi
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: konnectivity-agent-token
livenessProbe:
httpGet:
host: 127.0.0.1
port: 8093
path: /healthz
initialDelaySeconds: 15
timeoutSeconds: 15
serviceAccountName: konnectivity-agent
volumes:
- name: konnectivity-agent-token
projected:
sources:
- serviceAccountToken:
path: konnectivity-agent-token
audience: system:konnectivity-server
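Review bot: With `hostNetwork: true` dropped in the first hunk, the unchanged liveness probe still sets `host: 127.0.0.1`, which makes the kubelet connect to the node's own loopback rather than the pod's network namespace, so the agent's health endpoint on port 8093 will presumably no longer be reachable and the pod would be restarted continuously. Removing the `host: 127.0.0.1` line so the probe defaults to the pod IP looks like the fix — confirm against the address the agent's health server actually binds, which the visible flags do not show. Separately, the projected `serviceAccountToken` source sets only `audience`; adding `expirationSeconds: 3600` (or lower) would make the rotation interval explicit rather than relying on the kubelet default.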


@ -0,0 +1,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: konnectivity-agent
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
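Review bot: The ServiceAccount leaves `automountServiceAccountToken` unset, so every agent pod also receives the default, long-lived, non-audience-bound token under `/var/run/secrets/kubernetes.io/serviceaccount` alongside the audience-scoped projected token the daemonset mounts; that second credential authenticates as the same identity without the `system:konnectivity-server` audience restriction and is not needed by the agent flags shown. Adding `automountServiceAccountToken: false` here would be the least-privilege choice, but the daemonset's `--ca-cert` flag reads `ca.crt` from that automount path, so the CA would have to be supplied from another volume before the automount can be disabled.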


@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:konnectivity-server
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:konnectivity-server


@ -652,8 +652,13 @@ function create-master-auth {
append_or_replace_prefixed_line "${known_tokens_csv}" "${GCE_GLBC_TOKEN}," "system:controller:glbc,uid:system:controller:glbc"
fi
if [[ -n "${ADDON_MANAGER_TOKEN:-}" ]]; then
append_or_replace_prefixed_line "${known_tokens_csv}" "${ADDON_MANAGER_TOKEN}," "system:addon-manager,uid:system:addon-manager,system:masters"
append_or_replace_prefixed_line "${known_tokens_csv}" "${ADDON_MANAGER_TOKEN}," "system:addon-manager,uid:system:addon-manager,system:masters"
fi
if [[ -n "${KONNECTIVITY_SERVER_TOKEN:-}" ]]; then
append_or_replace_prefixed_line "${known_tokens_csv}" "${KONNECTIVITY_SERVER_TOKEN}," "system:konnectivity-server,uid:system:konnectivity-server"
create-kubeconfig "konnectivity-server" ${KONNECTIVITY_SERVER_TOKEN}
fi
if [[ -n "${EXTRA_STATIC_AUTH_COMPONENTS:-}" ]]; then
# Create a static Bearer token and kubeconfig for extra, comma-separated components.
IFS="," read -r -a extra_components <<< "${EXTRA_STATIC_AUTH_COMPONENTS:-}"
@ -810,7 +815,8 @@ egressSelections:
proxyProtocol: HTTPConnect
transport:
uds:
udsName: /etc/srv/kubernetes/konnectivity/konnectivity-server.socket
udsName: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket
- name: master
connection:
proxyProtocol: Direct
@ -1652,13 +1658,17 @@ function prepare-konnectivity-server-manifest {
params+=("--log-file=/var/log/konnectivity-server.log")
params+=("--logtostderr=false")
params+=("--log-file-max-size=0")
params+=("--uds-name=/etc/srv/kubernetes/konnectivity/konnectivity-server.socket")
params+=("--uds-name=/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket")
params+=("--cluster-cert=/etc/srv/kubernetes/pki/apiserver.crt")
params+=("--cluster-key=/etc/srv/kubernetes/pki/apiserver.key")
params+=("--mode=http-connect")
params+=("--server-port=0")
params+=("--agent-port=$1")
params+=("--admin-port=$2")
params+=("--agent-namespace=kube-system")
params+=("--agent-service-account=konnectivity-agent")
params+=("--kubeconfig=/etc/srv/kubernetes/konnectivity-server/kubeconfig")
params+=("--authentication-audience=system:konnectivity-server")
konnectivity_args=""
for param in "${params[@]}"; do
konnectivity_args+=", \"${param}\""
@ -2469,7 +2479,7 @@ function setup-node-termination-handler-manifest {
}
function setup-konnectivity-agent-manifest {
local -r manifest="/etc/kubernetes/addons/konnectivity-agent/daemonset.yaml"
local -r manifest="/etc/kubernetes/addons/konnectivity-agent/konnectivity-agent-ds.yaml"
sed -i "s|__APISERVER_IP__|${KUBERNETES_MASTER_NAME}|g" "${manifest}"
}
@ -2777,6 +2787,10 @@ function main() {
if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
fi
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
KONNECTIVITY_SERVER_TOKEN="$(secure_random 32)"
fi
setup-os-params
config-ip-firewall
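Review bot: `create-kubeconfig "konnectivity-server" ${KONNECTIVITY_SERVER_TOKEN}` in the create-master-auth hunk passes the token unquoted, unlike the quoted `"${KONNECTIVITY_SERVER_TOKEN},"` on the line above it; `create-kubeconfig "konnectivity-server" "${KONNECTIVITY_SERVER_TOKEN}"` keeps the argument intact under word-splitting and globbing whatever `secure_random` emits. The token is generated only when `ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE` is true, while the server params unconditionally point `--kubeconfig` at `/etc/srv/kubernetes/konnectivity-server/kubeconfig`; presumably prepare-konnectivity-server-manifest is gated by the same flag and `create-kubeconfig` writes to that exact path, but neither is visible here and both should be confirmed, since a missing kubeconfig would keep the server from starting. create-master-auth, prepare-konnectivity-server-manifest and main all start and end outside their hunks.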


@ -39,7 +39,7 @@ spec:
mountPath: /etc/srv/kubernetes/pki
readOnly: true
- name: konnectivity-uds
mountPath: /etc/srv/kubernetes/konnectivity
mountPath: /etc/srv/kubernetes/konnectivity-server
readOnly: false
volumes:
- name: varlogkonnectivityserver
@ -51,5 +51,5 @@ spec:
path: /etc/srv/kubernetes/pki
- name: konnectivity-uds
hostPath:
path: /etc/srv/kubernetes/konnectivity
path: /etc/srv/kubernetes/konnectivity-server
type: DirectoryOrCreate