Support token authentication for network proxy

cluster/gce/addons/konnectivity-agent/konnectivity-agent-ds.yaml

@@ -22,11 +22,6 @@ spec:
       tolerations:
         - key: "CriticalAddonsOnly"
           operator: "Exists"
-      hostNetwork: true
-      volumes:
-        - name: pki
-          hostPath:
-            path: /etc/srv/kubernetes/pki/konnectivity-agent
       containers:
         - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.4
           name: konnectivity-agent
@@ -35,7 +30,8 @@ spec:
                   "--logtostderr=true",
                   "--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
                   "--proxy-server-host=__APISERVER_IP__",
-                  "--proxy-server-port=8132"
+                  "--proxy-server-port=8132",
+                  "--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token"
                   ]
           env:
             - name: POD_NAME
@@ -50,10 +46,20 @@ spec:
             limits:
               cpu: 50m
               memory: 30Mi
+          volumeMounts:
+            - mountPath: /var/run/secrets/tokens
+              name: konnectivity-agent-token
           livenessProbe:
             httpGet:
-              host: 127.0.0.1
               port: 8093
               path: /healthz
             initialDelaySeconds: 15
             timeoutSeconds: 15
+      serviceAccountName: konnectivity-agent
+      volumes:
+        - name: konnectivity-agent-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: konnectivity-agent-token
+                  audience: system:konnectivity-server

cluster/gce/addons/konnectivity-agent/konnectivity-agent-rbac.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: konnectivity-agent
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile

cluster/gce/addons/konnectivity-agent/konnectivity-rbac.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:konnectivity-server
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:konnectivity-server

cluster/gce/gci/configure-helper.sh

@@ -654,6 +654,11 @@ function create-master-auth {
   if [[ -n "${ADDON_MANAGER_TOKEN:-}" ]]; then
     append_or_replace_prefixed_line "${known_tokens_csv}" "${ADDON_MANAGER_TOKEN},"           "system:addon-manager,uid:system:addon-manager,system:masters"
   fi
+  if [[ -n "${KONNECTIVITY_SERVER_TOKEN:-}" ]]; then
+    append_or_replace_prefixed_line "${known_tokens_csv}" "${KONNECTIVITY_SERVER_TOKEN},"     "system:konnectivity-server,uid:system:konnectivity-server"
+    create-kubeconfig "konnectivity-server" ${KONNECTIVITY_SERVER_TOKEN}
+  fi
+
   if [[ -n "${EXTRA_STATIC_AUTH_COMPONENTS:-}" ]]; then
     # Create a static Bearer token and kubeconfig for extra, comma-separated components.
     IFS="," read -r -a extra_components <<< "${EXTRA_STATIC_AUTH_COMPONENTS:-}"
@@ -810,7 +815,8 @@ egressSelections:
     proxyProtocol: HTTPConnect
     transport:
       uds:
-        udsName: /etc/srv/kubernetes/konnectivity/konnectivity-server.socket
+        udsName: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket
+
 - name: master
   connection:
     proxyProtocol: Direct
@@ -1652,13 +1658,17 @@ function prepare-konnectivity-server-manifest {
   params+=("--log-file=/var/log/konnectivity-server.log")
   params+=("--logtostderr=false")
   params+=("--log-file-max-size=0")
-  params+=("--uds-name=/etc/srv/kubernetes/konnectivity/konnectivity-server.socket")
+  params+=("--uds-name=/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket")
   params+=("--cluster-cert=/etc/srv/kubernetes/pki/apiserver.crt")
   params+=("--cluster-key=/etc/srv/kubernetes/pki/apiserver.key")
   params+=("--mode=http-connect")
   params+=("--server-port=0")
   params+=("--agent-port=$1")
   params+=("--admin-port=$2")
+  params+=("--agent-namespace=kube-system")
+  params+=("--agent-service-account=konnectivity-agent")
+  params+=("--kubeconfig=/etc/srv/kubernetes/konnectivity-server/kubeconfig")
+  params+=("--authentication-audience=system:konnectivity-server")
   konnectivity_args=""
   for param in "${params[@]}"; do
     konnectivity_args+=", \"${param}\""
@@ -2469,7 +2479,7 @@ function setup-node-termination-handler-manifest {
 }
 
 function setup-konnectivity-agent-manifest {
-    local -r manifest="/etc/kubernetes/addons/konnectivity-agent/daemonset.yaml"
+    local -r manifest="/etc/kubernetes/addons/konnectivity-agent/konnectivity-agent-ds.yaml"
     sed -i "s|__APISERVER_IP__|${KUBERNETES_MASTER_NAME}|g" "${manifest}"
 }
 
@@ -2777,6 +2787,10 @@ function main() {
   if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
     KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
   fi
+  if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
+    KONNECTIVITY_SERVER_TOKEN="$(secure_random 32)"
+  fi
+
 
   setup-os-params
   config-ip-firewall

cluster/gce/manifests/konnectivity-server.yaml

@@ -39,7 +39,7 @@ spec:
       mountPath: /etc/srv/kubernetes/pki
       readOnly: true
     - name: konnectivity-uds
-      mountPath: /etc/srv/kubernetes/konnectivity
+      mountPath: /etc/srv/kubernetes/konnectivity-server
       readOnly: false
   volumes:
   - name: varlogkonnectivityserver
@@ -51,5 +51,5 @@ spec:
       path: /etc/srv/kubernetes/pki
   - name: konnectivity-uds
     hostPath:
-      path: /etc/srv/kubernetes/konnectivity
+      path: /etc/srv/kubernetes/konnectivity-server
       type: DirectoryOrCreate