Clean up unused exec auth from cluster setup
parent
475f7af1c1
commit
548c339867
@ -1029,36 +1029,6 @@ EOF
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then
|
||||
if [[ -z "${EXEC_AUTH_PLUGIN_URL:-}" ]]; then
|
||||
1>&2 echo "You requested GKE exec auth support for webhooks, but EXEC_AUTH_PLUGIN_URL was not specified. This configuration depends on gke-exec-auth-plugin for authenticating to the webhook endpoint."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -z "${TOKEN_URL:-}" || -z "${TOKEN_BODY:-}" || -z "${TOKEN_BODY_UNQUOTED:-}" ]]; then
|
||||
1>&2 echo "You requested GKE exec auth support for webhooks, but TOKEN_URL, TOKEN_BODY, and TOKEN_BODY_UNQUOTED were not provided. gke-exec-auth-plugin requires these values for its configuration."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# kubeconfig to be used by webhooks with GKE exec auth support. Note that
|
||||
# the path to gke-exec-auth-plugin is the path when mounted inside the
|
||||
# kube-apiserver pod.
|
||||
cat <<EOF >/etc/srv/kubernetes/webhook.kubeconfig
|
||||
apiVersion: v1
|
||||
kind: Config
|
||||
users:
|
||||
- name: '*.googleapis.com'
|
||||
user:
|
||||
exec:
|
||||
apiVersion: "client.authentication.k8s.io/v1alpha1"
|
||||
command: /usr/bin/gke-exec-auth-plugin
|
||||
args:
|
||||
- --mode=alt-token
|
||||
- --alt-token-url=${TOKEN_URL}
|
||||
- --alt-token-body=${TOKEN_BODY_UNQUOTED}
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [[ -n "${ADMISSION_CONTROL:-}" ]]; then
|
||||
# Emit a basic admission control configuration file, with no plugins specified.
|
||||
cat <<EOF >/etc/srv/kubernetes/admission_controller_config.yaml
|
||||
@ -1089,8 +1059,7 @@ EOF
|
||||
|
||||
1>&2 echo "ImagePolicyWebhook admission control plugin requested. Configuring it to point at ${GCP_IMAGE_VERIFICATION_URL}"
|
||||
|
||||
# ImagePolicyWebhook does not use gke-exec-auth-plugin for authenticating
|
||||
# to the webhook endpoint. Emit its special kubeconfig.
|
||||
# ImagePolicyWebhook needs special kubeconfig for authenticating to the webhook endpoint.
|
||||
cat <<EOF >/etc/srv/kubernetes/gcp_image_review.kubeconfig
|
||||
clusters:
|
||||
- name: gcp-image-review-server
|
||||
@ -1120,23 +1089,6 @@ EOF
|
||||
denyTTL: 30
|
||||
retryBackoff: 500
|
||||
defaultAllow: true
|
||||
EOF
|
||||
fi
|
||||
|
||||
# If GKE exec auth for webhooks has been requested, then
|
||||
# ValidatingAdmissionWebhook should use it. Otherwise, run with the default
|
||||
# config.
|
||||
if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then
|
||||
1>&2 echo "ValidatingAdmissionWebhook requested, and WEBHOOK_GKE_EXEC_AUTH specified. Configuring ValidatingAdmissionWebhook to use gke-exec-auth-plugin."
|
||||
|
||||
# Append config for ValidatingAdmissionWebhook to the shared admission
|
||||
# controller configuration file.
|
||||
cat <<EOF >>/etc/srv/kubernetes/admission_controller_config.yaml
|
||||
- name: ValidatingAdmissionWebhook
|
||||
configuration:
|
||||
apiVersion: apiserver.config.k8s.io/v1alpha1
|
||||
kind: WebhookAdmission
|
||||
kubeConfigFile: /etc/srv/kubernetes/webhook.kubeconfig
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
|
@ -247,15 +247,6 @@ function start-kube-apiserver {
|
||||
params+=" --admission-control-config-file=/etc/srv/kubernetes/admission_controller_config.yaml"
|
||||
fi
|
||||
|
||||
# If GKE exec auth support is requested for webhooks, then
|
||||
# gke-exec-auth-plugin needs to be mounted into the kube-apiserver container.
|
||||
local webhook_exec_auth_plugin_mount=""
|
||||
local webhook_exec_auth_plugin_volume=""
|
||||
if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then
|
||||
webhook_exec_auth_plugin_mount='{"name": "gkeauth", "mountPath": "/usr/bin/gke-exec-auth-plugin", "readOnly": true},'
|
||||
webhook_exec_auth_plugin_volume='{"name": "gkeauth", "hostPath": {"path": "/home/kubernetes/bin/gke-exec-auth-plugin", "type": "File"}},'
|
||||
fi
|
||||
|
||||
if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT:-}" ]]; then
|
||||
params+=" --min-request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT}"
|
||||
fi
|
||||
@ -392,8 +383,6 @@ function start-kube-apiserver {
|
||||
sed -i -e "s@{{audit_policy_config_volume}}@${audit_policy_config_volume}@g" "${src_file}"
|
||||
sed -i -e "s@{{audit_webhook_config_mount}}@${audit_webhook_config_mount}@g" "${src_file}"
|
||||
sed -i -e "s@{{audit_webhook_config_volume}}@${audit_webhook_config_volume}@g" "${src_file}"
|
||||
sed -i -e "s@{{webhook_exec_auth_plugin_mount}}@${webhook_exec_auth_plugin_mount}@g" "${src_file}"
|
||||
sed -i -e "s@{{webhook_exec_auth_plugin_volume}}@${webhook_exec_auth_plugin_volume}@g" "${src_file}"
|
||||
sed -i -e "s@{{konnectivity_socket_mount}}@${default_konnectivity_socket_mnt}@g" "${src_file}"
|
||||
sed -i -e "s@{{konnectivity_socket_volume}}@${default_konnectivity_socket_vol}@g" "${src_file}"
|
||||
sed -i -e "s@{{healthcheck_ip}}@${healthcheck_ip}@g" "${src_file}"
|
||||
|
@ -374,32 +374,6 @@ EOF
|
||||
rm -f "${crictl}"
|
||||
}
|
||||
|
||||
function install-exec-auth-plugin {
|
||||
if [[ ! "${EXEC_AUTH_PLUGIN_URL:-}" ]]; then
|
||||
return
|
||||
fi
|
||||
local -r plugin_url="${EXEC_AUTH_PLUGIN_URL}"
|
||||
local -r plugin_hash="${EXEC_AUTH_PLUGIN_HASH}"
|
||||
|
||||
if is-preloaded "gke-exec-auth-plugin" "${plugin_hash}"; then
|
||||
echo "gke-exec-auth-plugin is preloaded"
|
||||
return
|
||||
fi
|
||||
|
||||
echo "Downloading gke-exec-auth-plugin binary"
|
||||
download-or-bust "${plugin_hash}" "${plugin_url}"
|
||||
mv "${KUBE_HOME}/gke-exec-auth-plugin" "${KUBE_BIN}/gke-exec-auth-plugin"
|
||||
chmod a+x "${KUBE_BIN}/gke-exec-auth-plugin"
|
||||
|
||||
if [[ ! "${EXEC_AUTH_PLUGIN_LICENSE_URL:-}" ]]; then
|
||||
return
|
||||
fi
|
||||
local -r license_url="${EXEC_AUTH_PLUGIN_LICENSE_URL}"
|
||||
echo "Downloading gke-exec-auth-plugin license"
|
||||
download-or-bust "" "${license_url}"
|
||||
mv "${KUBE_HOME}/LICENSES/LICENSE" "${KUBE_BIN}/gke-exec-auth-plugin-license"
|
||||
}
|
||||
|
||||
function install-kube-manifests {
|
||||
# Put kube-system pods manifests in ${KUBE_HOME}/kube-manifests/.
|
||||
local dst_dir="${KUBE_HOME}/kube-manifests"
|
||||
@ -673,9 +647,6 @@ function install-kube-binary-config {
|
||||
# Install crictl on each node.
|
||||
log-wrap "InstallCrictl" install-crictl
|
||||
|
||||
# TODO(awly): include the binary and license in the OS image.
|
||||
log-wrap "InstallExecAuthPlugin" install-exec-auth-plugin
|
||||
|
||||
# Clean up.
|
||||
rm -rf "${KUBE_HOME}/kubernetes"
|
||||
rm -f "${KUBE_HOME}/${server_binary_tar}"
|
||||
|
@ -74,7 +74,6 @@
|
||||
{{csc_config_mount}}
|
||||
{{audit_policy_config_mount}}
|
||||
{{audit_webhook_config_mount}}
|
||||
{{webhook_exec_auth_plugin_mount}}
|
||||
{{konnectivity_socket_mount}}
|
||||
{ "name": "srvkube",
|
||||
"mountPath": "/etc/srv/kubernetes",
|
||||
@ -116,7 +115,6 @@
|
||||
{{csc_config_volume}}
|
||||
{{audit_policy_config_volume}}
|
||||
{{audit_webhook_config_volume}}
|
||||
{{webhook_exec_auth_plugin_volume}}
|
||||
{{konnectivity_socket_volume}}
|
||||
{ "name": "srvkube",
|
||||
"hostPath": {
|
||||
|
@ -648,17 +648,6 @@ function Test-IsTestCluster {
|
||||
return $false
|
||||
}
|
||||
|
||||
# Returns true if this node uses a plugin to support authentication to the
|
||||
# master, e.g. for TPM-based authentication. $KubeEnv is a hash table
|
||||
# containing the kube-env metadata keys+values.
|
||||
function Test-NodeUsesAuthPlugin {
|
||||
param (
|
||||
[parameter(Mandatory=$true)] [hashtable]$KubeEnv
|
||||
)
|
||||
|
||||
return $KubeEnv.Contains('EXEC_AUTH_PLUGIN_URL')
|
||||
}
|
||||
|
||||
# Permanently adds a directory to the $env:PATH environment variable.
|
||||
function Add-MachineEnvironmentPath {
|
||||
param (
|
||||
|
@ -162,7 +162,6 @@ try {
|
||||
DownloadAndInstall-Crictl
|
||||
Configure-Crictl
|
||||
Setup-ContainerRuntime
|
||||
DownloadAndInstall-AuthPlugin
|
||||
DownloadAndInstall-KubernetesBinaries
|
||||
DownloadAndInstall-NodeProblemDetector
|
||||
DownloadAndInstall-CSIProxyBinaries
|
||||
|
@ -358,39 +358,6 @@ function Download-HelperScripts {
|
||||
}
|
||||
}
|
||||
|
||||
# Downloads the gke-exec-auth-plugin for TPM-based authentication to the
|
||||
# master, if auth plugin support has been requested for this node (see
|
||||
# Test-NodeUsesAuthPlugin).
|
||||
# https://github.com/kubernetes/cloud-provider-gcp/tree/master/cmd/gke-exec-auth-plugin
|
||||
#
|
||||
# Required ${kube_env} keys:
|
||||
# EXEC_AUTH_PLUGIN_LICENSE_URL
|
||||
# EXEC_AUTH_PLUGIN_HASH
|
||||
# EXEC_AUTH_PLUGIN_URL
|
||||
function DownloadAndInstall-AuthPlugin {
|
||||
if (-not (Test-NodeUsesAuthPlugin ${kube_env})) {
|
||||
Log-Output 'Skipping download of auth plugin'
|
||||
return
|
||||
}
|
||||
if (-not (ShouldWrite-File "${env:NODE_DIR}\gke-exec-auth-plugin.exe")) {
|
||||
return
|
||||
}
|
||||
|
||||
if (-not ($kube_env.ContainsKey('EXEC_AUTH_PLUGIN_LICENSE_URL') -and
|
||||
$kube_env.ContainsKey('EXEC_AUTH_PLUGIN_HASH') -and
|
||||
$kube_env.ContainsKey('EXEC_AUTH_PLUGIN_URL'))) {
|
||||
Log-Output -Fatal ("Missing one or more kube-env keys needed for " +
|
||||
"downloading auth plugin: $(Out-String $kube_env)")
|
||||
}
|
||||
MustDownload-File `
|
||||
-URLs ${kube_env}['EXEC_AUTH_PLUGIN_URL'] `
|
||||
-Hash ${kube_env}['EXEC_AUTH_PLUGIN_HASH'] `
|
||||
-OutFile "${env:NODE_DIR}\gke-exec-auth-plugin.exe"
|
||||
MustDownload-File `
|
||||
-URLs ${kube_env}['EXEC_AUTH_PLUGIN_LICENSE_URL'] `
|
||||
-OutFile "${env:LICENSE_DIR}\LICENSE_gke-exec-auth-plugin.txt"
|
||||
}
|
||||
|
||||
# Downloads the Kubernetes binaries from kube-env's NODE_BINARY_TAR_URL and
|
||||
# puts them in a subdirectory of $env:K8S_DIR.
|
||||
#
|
||||
@ -569,15 +536,6 @@ function Create-NodePki {
|
||||
Log-Output -Fatal 'CA_CERT not present in kube-env'
|
||||
}
|
||||
|
||||
# On nodes that use a plugin to support authentication, KUBELET_CERT and
|
||||
# KUBELET_KEY will not be present - TPM_BOOTSTRAP_CERT and TPM_BOOTSTRAP_KEY
|
||||
# should be set instead.
|
||||
if (Test-NodeUsesAuthPlugin ${kube_env}) {
|
||||
Log-Output ('Skipping KUBELET_CERT and KUBELET_KEY, plugin will be used ' +
|
||||
'for authentication')
|
||||
return
|
||||
}
|
||||
|
||||
if ($kube_env.ContainsKey('KUBELET_CERT')) {
|
||||
$KUBELET_CERT = ${kube_env}['KUBELET_CERT']
|
||||
Write_PkiData "${KUBELET_CERT}" ${env:KUBELET_CERT_PATH}
|
||||
@ -668,11 +626,7 @@ function Write_KubeconfigFromMetadata {
|
||||
# Required ${kube_env} keys:
|
||||
# KUBERNETES_MASTER_NAME: the apiserver IP address.
|
||||
function Create-KubeletKubeconfig {
|
||||
if (Test-NodeUsesAuthPlugin ${kube_env}) {
|
||||
Write_KubeconfigFromMetadata
|
||||
} else {
|
||||
Write_BootstrapKubeconfig
|
||||
}
|
||||
Write_BootstrapKubeconfig
|
||||
}
|
||||
|
||||
# Creates the kubeconfig user file for applications that communicate with Kubernetes.
|
||||
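Review bot: Write_KubeconfigFromMetadata loses its only caller visible here once Create-KubeletKubeconfig unconditionally calls Write_BootstrapKubeconfig; if this commit does not also delete that helper (its definition is outside the hunk), it is left as dead code that still describes a metadata-based credential path no node takes. Either remove it in the same commit or put a one-line comment on it stating why it is kept. The header comment kept above the function (`# Required ${kube_env} keys:` / `# KUBERNETES_MASTER_NAME: the apiserver IP address.`) still matches the bootstrap path, so no documentation change is needed on Create-KubeletKubeconfig itself.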
@ -1058,11 +1012,9 @@ function Start-WorkerServices {
|
||||
)
|
||||
|
||||
$kubelet_args = ${default_kubelet_args} + ${kubelet_args}
|
||||
if (-not (Test-NodeUsesAuthPlugin ${kube_env})) {
|
||||
Log-Output 'Using bootstrap kubeconfig for authentication'
|
||||
$kubelet_args = (${kubelet_args} +
|
||||
"--bootstrap-kubeconfig=${env:BOOTSTRAP_KUBECONFIG}")
|
||||
}
|
||||
Log-Output 'Using bootstrap kubeconfig for authentication'
|
||||
$kubelet_args = (${kubelet_args} +
|
||||
"--bootstrap-kubeconfig=${env:BOOTSTRAP_KUBECONFIG}")
|
||||
Log-Output "Final kubelet_args: ${kubelet_args}"
|
||||
|
||||
# Compute kube-proxy args
|
||||
|
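Review bot: The bootstrap kubeconfig flag is now appended unconditionally, so the retained `Log-Output 'Using bootstrap kubeconfig for authentication'` and the second `$kubelet_args = (${kubelet_args} + ...)` assignment no longer express a decision; placing `"--bootstrap-kubeconfig=${env:BOOTSTRAP_KUBECONFIG}"` in the `$default_kubelet_args` list that closes at the top of the hunk would keep the full kubelet argument list in one place. The separate log line could then go, since the `Final kubelet_args` message already records the flag. Start-WorkerServices begins outside the hunk.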