diff --git a/cluster/centos/config-default.sh b/cluster/centos/config-default.sh index 559300a7ba4..da60816435f 100755 --- a/cluster/centos/config-default.sh +++ b/cluster/centos/config-default.sh @@ -41,6 +41,9 @@ export SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-"192.168.3.0/24"} # define the IP range used for flannel overlay network, should not conflict with above SERVICE_CLUSTER_IP_RANGE export FLANNEL_NET=${FLANNEL_NET:-"172.16.0.0/16"} +# Admission Controllers to invoke prior to persisting objects in cluster +export ADMISSION_CONTROL=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota,SecurityContextDeny + # Extra options to set on the Docker command line. # This is useful for setting --insecure-registry for local registries. export DOCKER_OPTS=${DOCKER_OPTS:-""} diff --git a/cluster/centos/master/scripts/apiserver.sh b/cluster/centos/master/scripts/apiserver.sh index 967bc1a5f31..53c4e5fcce3 100755 --- a/cluster/centos/master/scripts/apiserver.sh +++ b/cluster/centos/master/scripts/apiserver.sh @@ -18,6 +18,7 @@ MASTER_ADDRESS=${1:-"8.8.8.18"} ETCD_SERVERS=${2:-"http://8.8.8.18:4001"} SERVICE_CLUSTER_IP_RANGE=${3:-"10.10.10.0/24"} +ADMISSION_CONTROL=${4:-""} cat </opt/kubernetes/cfg/kube-apiserver # --logtostderr=true: log to standard error instead of files 
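Review bot: The `export ADMISSION_CONTROL=...` added in this hunk appears never to be applied on the master: apiserver.sh's @@ -52 hunk keeps `KUBE_ADMISSION_CONTROL` commented out and its @@ -63 hunk does not add it to `KUBE_APISERVER_OPTS`, so ServiceAccount, SecurityContextDeny and the rest are plumbed through util.sh's @@ -237 hunk and apiserver.sh's new `ADMISSION_CONTROL=${4:-""}` only to be dropped. Either uncomment that line and append `\${KUBE_ADMISSION_CONTROL} \\` to the options list, or remove the dead plumbing so nobody believes these controllers are enforced. Separately, this is the only setting in the hunk without an environment override, unlike the neighbouring `${FLANNEL_NET:-...}` and `${DOCKER_OPTS:-...}` exports; `export ADMISSION_CONTROL=${ADMISSION_CONTROL:-"NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota,SecurityContextDeny"}` keeps the file's convention and lets a deployment adjust the list without editing the file.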
@@ -52,8 +53,21 @@ KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}" # LimitRanger, AlwaysDeny, SecurityContextDeny, NamespaceExists, # NamespaceLifecycle, NamespaceAutoProvision, DenyExecOnPrivileged, # AlwaysAdmit, ServiceAccount, ResourceQuota -#KUBE_ADMISSION_CONTROL="" +#KUBE_ADMISSION_CONTROL="--admission-control=\"${ADMISSION_CONTROL}\"" +# --client-ca-file="": If set, any request presenting a client certificate signed +# by one of the authorities in the client-ca-file is authenticated with an identity +# corresponding to the CommonName of the client certificate. +KUBE_API_CLIENT_CA_FILE="--client-ca-file=/srv/kubernetes/ca.crt" + +# --tls-cert-file="": File containing x509 Certificate for HTTPS. (CA cert, if any, +# concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file +# and --tls-private-key-file are not provided, a self-signed certificate and key are +# generated for the public address and saved to /var/run/kubernetes. +KUBE_API_TLS_CERT_FILE="--tls-cert-file=/srv/kubernetes/server.cert" + +# --tls-private-key-file="": File containing x509 private key matching --tls-cert-file. +KUBE_API_TLS_PRIVATE_KEY_FILE="--tls-private-key-file=/srv/kubernetes/server.key" EOF KUBE_APISERVER_OPTS=" \${KUBE_LOGTOSTDERR} \\ @@ -63,7 +77,10 @@ KUBE_APISERVER_OPTS=" \${KUBE_LOGTOSTDERR} \\ \${KUBE_API_PORT} \\ \${MINION_PORT} \\ \${KUBE_ALLOW_PRIV} \\ - \${KUBE_SERVICE_ADDRESSES}" + \${KUBE_SERVICE_ADDRESSES} \\ + \${KUBE_API_CLIENT_CA_FILE} \\ + \${KUBE_API_TLS_CERT_FILE} \\ + \${KUBE_API_TLS_PRIVATE_KEY_FILE}" cat </usr/lib/systemd/system/kube-apiserver.service diff --git a/cluster/centos/master/scripts/controller-manager.sh b/cluster/centos/master/scripts/controller-manager.sh index 3631a88c751..b6fb216c8de 100755 --- a/cluster/centos/master/scripts/controller-manager.sh +++ b/cluster/centos/master/scripts/controller-manager.sh 
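Review bot: The new `#KUBE_ADMISSION_CONTROL="--admission-control=\"${ADMISSION_CONTROL}\""` line will not do what it looks like once uncommented: the here-document is evidently unquoted (the `\${...}` escapes on the options line show that), and in an unquoted here-document a backslash only escapes `$`, a backtick, another backslash or a newline, so the `\"` sequences are copied literally and the generated config carries `--admission-control=\"...\"` with the backslashes in it. Write `KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL}"` instead; the value is a comma-separated list with no whitespace, so inner quoting is unnecessary. The three new certificate paths hardcode /srv/kubernetes, presumably because that is where make-ca-cert.sh (run from util.sh's provision-master hunk) writes ca.crt, server.cert and server.key — a one-line comment stating that dependency would help. Note also that /srv/kubernetes/server.key is reused by controller-manager.sh in this same commit as the service-account signing key, so the TLS private key and the token-signing key are one file; a comment on `KUBE_API_TLS_PRIVATE_KEY_FILE` saying so would stop a future TLS key rotation from silently invalidating every service-account token.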
@@ -22,11 +22,20 @@ KUBE_LOGTOSTDERR="--logtostderr=true" KUBE_LOG_LEVEL="--v=4" KUBE_MASTER="--master=${MASTER_ADDRESS}:8080" +# --root-ca-file="": If set, this root certificate authority will be included in +# service account's token secret. This must be a valid PEM-encoded CA bundle. +KUBE_CONTROLLER_MANAGER_ROOT_CA_FILE="--root-ca-file=/srv/kubernetes/ca.crt" + +# --service-account-private-key-file="": Filename containing a PEM-encoded private +# RSA key used to sign service account tokens. +KUBE_CONTROLLER_MANAGER_SERVICE_ACCOUNT_PRIVATE_KEY_FILE="--service-account-private-key-file=/srv/kubernetes/server.key" EOF KUBE_CONTROLLER_MANAGER_OPTS=" \${KUBE_LOGTOSTDERR} \\ \${KUBE_LOG_LEVEL} \\ - \${KUBE_MASTER}" + \${KUBE_MASTER} \\ + \${KUBE_CONTROLLER_MANAGER_ROOT_CA_FILE} \\ + \${KUBE_CONTROLLER_MANAGER_SERVICE_ACCOUNT_PRIVATE_KEY_FILE}" cat </usr/lib/systemd/system/kube-controller-manager.service [Unit] diff --git a/cluster/centos/util.sh b/cluster/centos/util.sh index d9baa43ddaf..fdcb299101d 100755 --- a/cluster/centos/util.sh +++ b/cluster/centos/util.sh @@ -150,7 +150,7 @@ function verify-master() { validated="1" ((try_count=try_count+2)) if [[ ${try_count} -gt ${PROCESS_CHECK_TIMEOUT} ]]; then - printf "\nWarning: Process \"${daemon}\" status check timeout, please check manually.\n" + printf "\nWarning: Process \"${daemon}\" failed to run on ${MASTER}, please check.\n" exit 1 fi sleep 2 @@ -178,7 +178,7 @@ function verify-minion() { validated="1" ((try_count=try_count+2)) if [[ ${try_count} -gt ${PROCESS_CHECK_TIMEOUT} ]] ; then - printf "\nWarning: Process \"${daemon}\" status check timeout, please check manually.\n" + printf "\nWarning: Process \"${daemon}\" failed to run on ${1}, please check.\n" exit 1 fi sleep 2 
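Review bot: `KUBE_CONTROLLER_MANAGER_SERVICE_ACCOUNT_PRIVATE_KEY_FILE` points at /srv/kubernetes/server.key, the same file apiserver.sh in this commit passes as `--tls-private-key-file`, while the apiserver hunk sets no `--service-account-key-file`; presumably the apiserver then verifies tokens with its TLS key, which is what makes this pairing work, but nothing here says so. Add a comment on the line such as `# Must match the key the apiserver verifies service-account tokens with; with no --service-account-key-file set that is its --tls-private-key-file, hence server.key here — confirm before changing either side.` Using one key for both purposes also couples TLS rotation to token validity, so a dedicated signing key would be the safer long-term shape. The unchanged `KUBE_MASTER="--master=${MASTER_ADDRESS}:8080"` context line shows the controller-manager still reaches the apiserver over the plain 8080 port, so the new CA file does not authenticate that hop; worth a note so the certificate work is not mistaken for full in-cluster TLS.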
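Review bot: The reworded warning in verify-master (and its twin in the @@ -178 hunk of verify-minion) interpolates `${daemon}` and `${MASTER}` into the printf format string, so a `%` in either value would be parsed as a conversion specifier; pass them as arguments instead: `printf '\nWarning: Process "%s" failed to run on %s, please check.\n' "${daemon}" "${MASTER}" >&2`. The new text also claims the process "failed to run", but the branch is reached when `try_count` exceeds `PROCESS_CHECK_TIMEOUT`, i.e. the status check timed out, which the old wording stated more precisely; "status check timed out on ${MASTER}" would keep the host name without overstating what was observed. Sending the diagnostic to stderr rather than stdout also keeps it out of any captured output. Both functions start outside their hunks.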
@@ -237,13 +237,14 @@ function provision-master() { ensure-setup-dir ${MASTER} # scp -r ${SSH_OPTS} master config-default.sh copy-files.sh util.sh "${MASTER}:${KUBE_TEMP}" - kube-scp ${MASTER} "${ROOT}/binaries/master ${ROOT}/master ${ROOT}/config-default.sh ${ROOT}/util.sh" "${KUBE_TEMP}" + kube-scp ${MASTER} "${ROOT}/../saltbase/salt/generate-cert/make-ca-cert.sh ${ROOT}/binaries/master ${ROOT}/master ${ROOT}/config-default.sh ${ROOT}/util.sh" "${KUBE_TEMP}" ( echo "cp -r ${KUBE_TEMP}/master/bin /opt/kubernetes" echo "chmod -R +x /opt/kubernetes/bin" + echo "bash ${KUBE_TEMP}/make-ca-cert.sh ${master_ip} IP:${master_ip},IP:${SERVICE_CLUSTER_IP_RANGE%.*}.1,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local" echo "bash ${KUBE_TEMP}/master/scripts/etcd.sh" - echo "bash ${KUBE_TEMP}/master/scripts/apiserver.sh ${master_ip} ${ETCD_SERVERS} ${SERVICE_CLUSTER_IP_RANGE}" + echo "bash ${KUBE_TEMP}/master/scripts/apiserver.sh ${master_ip} ${ETCD_SERVERS} ${SERVICE_CLUSTER_IP_RANGE} ${ADMISSION_CONTROL}" echo "bash ${KUBE_TEMP}/master/scripts/controller-manager.sh ${master_ip}" echo "bash ${KUBE_TEMP}/master/scripts/scheduler.sh ${master_ip}" @@ -265,10 +266,10 @@ function provision-minion() { local master_ip=${MASTER#*@} local minion=$1 local minion_ip=${minion#*@} - ensure-setup-dir ${minion_ip} + ensure-setup-dir ${minion} # scp -r ${SSH_OPTS} minion config-default.sh copy-files.sh util.sh "${minion_ip}:${KUBE_TEMP}" - kube-scp ${minion_ip} "${ROOT}/binaries/minion ${ROOT}/minion ${ROOT}/config-default.sh ${ROOT}/util.sh" ${KUBE_TEMP} + kube-scp ${minion} "${ROOT}/binaries/minion ${ROOT}/minion ${ROOT}/config-default.sh ${ROOT}/util.sh" ${KUBE_TEMP} ( echo "cp -r ${KUBE_TEMP}/minion/bin /opt/kubernetes" echo "chmod -R +x /opt/kubernetes/bin" 
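Review bot: The SAN list on the new make-ca-cert.sh line derives the kubernetes service IP as `${SERVICE_CLUSTER_IP_RANGE%.*}.1`, which strips everything after the last dot of the CIDR and appends `.1`; that is the first usable address only when the range's last octet is 0 (192.168.3.0/24 → 192.168.3.1), whereas a range such as 10.0.0.128/25 would produce 10.0.0.1 and in-cluster clients validating the apiserver certificate against the service IP would see a name mismatch. At minimum document the assumption, e.g. `# SAN for the kubernetes service IP: assumes SERVICE_CLUSTER_IP_RANGE ends in .0 so the service IP is <base>.1`, or compute the first address from the network base explicitly. The DNS SANs hardcode the `cluster.local` domain; if the cluster DNS domain is configurable elsewhere in config-default.sh (not visible here) the SAN should be built from that variable so a custom domain still matches. provision-master's signature is outside this hunk.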
@@ -278,7 +279,7 @@ function provision-minion() { echo "bash ${KUBE_TEMP}/minion/scripts/kubelet.sh ${master_ip} ${minion_ip}" echo "bash ${KUBE_TEMP}/minion/scripts/proxy.sh ${master_ip}" - ) | kube-ssh "${minion_ip}" + ) | kube-ssh "${minion}" } # Create dirs that'll be used during setup on target machine. @@ -297,7 +298,7 @@ function ensure-setup-dir() { function kube-ssh() { local host="$1" shift - ssh ${SSH_OPTS-} "${host}" "$@" >/dev/null 2>&1 + ssh ${SSH_OPTS-} "${host}" "$@" # >/dev/null 2>&1 } # Copy file recursively over ssh
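Review bot: The changed `ssh` line in kube-ssh keeps the old redirection as a trailing comment, `# >/dev/null 2>&1`, which reads as a debugging leftover rather than a decision; delete the tail and say why output is now shown, e.g. `ssh ${SSH_OPTS-} "${host}" "$@"  # remote output is shown so provisioning failures are visible`. Because the function is fed its commands on stdin (`) | kube-ssh "${minion}"` in the @@ -278 hunk), every remote command's stdout and stderr now reach the operator's terminal; that is reasonable for a provisioning script, but a sentence in the function's header comment would make the change of contract explicit for any caller that relied on silence. The @@ -278 hunk itself is consistent with the `${minion}` change made in the @@ -265 hunk and needs nothing further.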