Clean up unused exec auth from cluster setup

This commit is contained in:
Jordan Liggitt 2022-03-19 10:47:38 -04:00
parent 475f7af1c1
commit 548c339867
7 changed files with 5 additions and 155 deletions

View File

@ -1029,36 +1029,6 @@ EOF
fi
fi
if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then
if [[ -z "${EXEC_AUTH_PLUGIN_URL:-}" ]]; then
1>&2 echo "You requested GKE exec auth support for webhooks, but EXEC_AUTH_PLUGIN_URL was not specified. This configuration depends on gke-exec-auth-plugin for authenticating to the webhook endpoint."
exit 1
fi
if [[ -z "${TOKEN_URL:-}" || -z "${TOKEN_BODY:-}" || -z "${TOKEN_BODY_UNQUOTED:-}" ]]; then
1>&2 echo "You requested GKE exec auth support for webhooks, but TOKEN_URL, TOKEN_BODY, and TOKEN_BODY_UNQUOTED were not provided. gke-exec-auth-plugin requires these values for its configuration."
exit 1
fi
# kubeconfig to be used by webhooks with GKE exec auth support. Note that
# the path to gke-exec-auth-plugin is the path when mounted inside the
# kube-apiserver pod.
cat <<EOF >/etc/srv/kubernetes/webhook.kubeconfig
apiVersion: v1
kind: Config
users:
- name: '*.googleapis.com'
user:
exec:
apiVersion: "client.authentication.k8s.io/v1alpha1"
command: /usr/bin/gke-exec-auth-plugin
args:
- --mode=alt-token
- --alt-token-url=${TOKEN_URL}
- --alt-token-body=${TOKEN_BODY_UNQUOTED}
EOF
fi
if [[ -n "${ADMISSION_CONTROL:-}" ]]; then
# Emit a basic admission control configuration file, with no plugins specified.
cat <<EOF >/etc/srv/kubernetes/admission_controller_config.yaml
@ -1089,8 +1059,7 @@ EOF
1>&2 echo "ImagePolicyWebhook admission control plugin requested. Configuring it to point at ${GCP_IMAGE_VERIFICATION_URL}"
# ImagePolicyWebhook does not use gke-exec-auth-plugin for authenticating
# to the webhook endpoint. Emit its special kubeconfig.
# ImagePolicyWebhook needs special kubeconfig for authenticating to the webhook endpoint.
cat <<EOF >/etc/srv/kubernetes/gcp_image_review.kubeconfig
clusters:
- name: gcp-image-review-server
@ -1120,23 +1089,6 @@ EOF
denyTTL: 30
retryBackoff: 500
defaultAllow: true
EOF
fi
# If GKE exec auth for webhooks has been requested, then
# ValidatingAdmissionWebhook should use it. Otherwise, run with the default
# config.
if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then
1>&2 echo "ValidatingAdmissionWebhook requested, and WEBHOOK_GKE_EXEC_AUTH specified. Configuring ValidatingAdmissionWebhook to use gke-exec-auth-plugin."
# Append config for ValidatingAdmissionWebhook to the shared admission
# controller configuration file.
cat <<EOF >>/etc/srv/kubernetes/admission_controller_config.yaml
- name: ValidatingAdmissionWebhook
configuration:
apiVersion: apiserver.config.k8s.io/v1alpha1
kind: WebhookAdmission
kubeConfigFile: /etc/srv/kubernetes/webhook.kubeconfig
EOF
fi
fi

View File

@ -247,15 +247,6 @@ function start-kube-apiserver {
params+=" --admission-control-config-file=/etc/srv/kubernetes/admission_controller_config.yaml"
fi
# If GKE exec auth support is requested for webhooks, then
# gke-exec-auth-plugin needs to be mounted into the kube-apiserver container.
local webhook_exec_auth_plugin_mount=""
local webhook_exec_auth_plugin_volume=""
if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then
webhook_exec_auth_plugin_mount='{"name": "gkeauth", "mountPath": "/usr/bin/gke-exec-auth-plugin", "readOnly": true},'
webhook_exec_auth_plugin_volume='{"name": "gkeauth", "hostPath": {"path": "/home/kubernetes/bin/gke-exec-auth-plugin", "type": "File"}},'
fi
if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT:-}" ]]; then
params+=" --min-request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT}"
fi
@ -392,8 +383,6 @@ function start-kube-apiserver {
sed -i -e "s@{{audit_policy_config_volume}}@${audit_policy_config_volume}@g" "${src_file}"
sed -i -e "s@{{audit_webhook_config_mount}}@${audit_webhook_config_mount}@g" "${src_file}"
sed -i -e "s@{{audit_webhook_config_volume}}@${audit_webhook_config_volume}@g" "${src_file}"
sed -i -e "s@{{webhook_exec_auth_plugin_mount}}@${webhook_exec_auth_plugin_mount}@g" "${src_file}"
sed -i -e "s@{{webhook_exec_auth_plugin_volume}}@${webhook_exec_auth_plugin_volume}@g" "${src_file}"
sed -i -e "s@{{konnectivity_socket_mount}}@${default_konnectivity_socket_mnt}@g" "${src_file}"
sed -i -e "s@{{konnectivity_socket_volume}}@${default_konnectivity_socket_vol}@g" "${src_file}"
sed -i -e "s@{{healthcheck_ip}}@${healthcheck_ip}@g" "${src_file}"

View File

@ -374,32 +374,6 @@ EOF
rm -f "${crictl}"
}
function install-exec-auth-plugin {
if [[ ! "${EXEC_AUTH_PLUGIN_URL:-}" ]]; then
return
fi
local -r plugin_url="${EXEC_AUTH_PLUGIN_URL}"
local -r plugin_hash="${EXEC_AUTH_PLUGIN_HASH}"
if is-preloaded "gke-exec-auth-plugin" "${plugin_hash}"; then
echo "gke-exec-auth-plugin is preloaded"
return
fi
echo "Downloading gke-exec-auth-plugin binary"
download-or-bust "${plugin_hash}" "${plugin_url}"
mv "${KUBE_HOME}/gke-exec-auth-plugin" "${KUBE_BIN}/gke-exec-auth-plugin"
chmod a+x "${KUBE_BIN}/gke-exec-auth-plugin"
if [[ ! "${EXEC_AUTH_PLUGIN_LICENSE_URL:-}" ]]; then
return
fi
local -r license_url="${EXEC_AUTH_PLUGIN_LICENSE_URL}"
echo "Downloading gke-exec-auth-plugin license"
download-or-bust "" "${license_url}"
mv "${KUBE_HOME}/LICENSES/LICENSE" "${KUBE_BIN}/gke-exec-auth-plugin-license"
}
function install-kube-manifests {
# Put kube-system pods manifests in ${KUBE_HOME}/kube-manifests/.
local dst_dir="${KUBE_HOME}/kube-manifests"
@ -673,9 +647,6 @@ function install-kube-binary-config {
# Install crictl on each node.
log-wrap "InstallCrictl" install-crictl
# TODO(awly): include the binary and license in the OS image.
log-wrap "InstallExecAuthPlugin" install-exec-auth-plugin
# Clean up.
rm -rf "${KUBE_HOME}/kubernetes"
rm -f "${KUBE_HOME}/${server_binary_tar}"

View File

@ -74,7 +74,6 @@
{{csc_config_mount}}
{{audit_policy_config_mount}}
{{audit_webhook_config_mount}}
{{webhook_exec_auth_plugin_mount}}
{{konnectivity_socket_mount}}
{ "name": "srvkube",
"mountPath": "/etc/srv/kubernetes",
@ -116,7 +115,6 @@
{{csc_config_volume}}
{{audit_policy_config_volume}}
{{audit_webhook_config_volume}}
{{webhook_exec_auth_plugin_volume}}
{{konnectivity_socket_volume}}
{ "name": "srvkube",
"hostPath": {

View File

@ -648,17 +648,6 @@ function Test-IsTestCluster {
return $false
}
# Returns true if this node uses a plugin to support authentication to the
# master, e.g. for TPM-based authentication. $KubeEnv is a hash table
# containing the kube-env metadata keys+values.
function Test-NodeUsesAuthPlugin {
param (
[parameter(Mandatory=$true)] [hashtable]$KubeEnv
)
return $KubeEnv.Contains('EXEC_AUTH_PLUGIN_URL')
}
# Permanently adds a directory to the $env:PATH environment variable.
function Add-MachineEnvironmentPath {
param (

View File

@ -162,7 +162,6 @@ try {
DownloadAndInstall-Crictl
Configure-Crictl
Setup-ContainerRuntime
DownloadAndInstall-AuthPlugin
DownloadAndInstall-KubernetesBinaries
DownloadAndInstall-NodeProblemDetector
DownloadAndInstall-CSIProxyBinaries

View File

@ -358,39 +358,6 @@ function Download-HelperScripts {
}
}
# Downloads the gke-exec-auth-plugin for TPM-based authentication to the
# master, if auth plugin support has been requested for this node (see
# Test-NodeUsesAuthPlugin).
# https://github.com/kubernetes/cloud-provider-gcp/tree/master/cmd/gke-exec-auth-plugin
#
# Required ${kube_env} keys:
# EXEC_AUTH_PLUGIN_LICENSE_URL
# EXEC_AUTH_PLUGIN_HASH
# EXEC_AUTH_PLUGIN_URL
function DownloadAndInstall-AuthPlugin {
if (-not (Test-NodeUsesAuthPlugin ${kube_env})) {
Log-Output 'Skipping download of auth plugin'
return
}
if (-not (ShouldWrite-File "${env:NODE_DIR}\gke-exec-auth-plugin.exe")) {
return
}
if (-not ($kube_env.ContainsKey('EXEC_AUTH_PLUGIN_LICENSE_URL') -and
$kube_env.ContainsKey('EXEC_AUTH_PLUGIN_HASH') -and
$kube_env.ContainsKey('EXEC_AUTH_PLUGIN_URL'))) {
Log-Output -Fatal ("Missing one or more kube-env keys needed for " +
"downloading auth plugin: $(Out-String $kube_env)")
}
MustDownload-File `
-URLs ${kube_env}['EXEC_AUTH_PLUGIN_URL'] `
-Hash ${kube_env}['EXEC_AUTH_PLUGIN_HASH'] `
-OutFile "${env:NODE_DIR}\gke-exec-auth-plugin.exe"
MustDownload-File `
-URLs ${kube_env}['EXEC_AUTH_PLUGIN_LICENSE_URL'] `
-OutFile "${env:LICENSE_DIR}\LICENSE_gke-exec-auth-plugin.txt"
}
# Downloads the Kubernetes binaries from kube-env's NODE_BINARY_TAR_URL and
# puts them in a subdirectory of $env:K8S_DIR.
#
@ -569,15 +536,6 @@ function Create-NodePki {
Log-Output -Fatal 'CA_CERT not present in kube-env'
}
# On nodes that use a plugin to support authentication, KUBELET_CERT and
# KUBELET_KEY will not be present - TPM_BOOTSTRAP_CERT and TPM_BOOTSTRAP_KEY
# should be set instead.
if (Test-NodeUsesAuthPlugin ${kube_env}) {
Log-Output ('Skipping KUBELET_CERT and KUBELET_KEY, plugin will be used ' +
'for authentication')
return
}
if ($kube_env.ContainsKey('KUBELET_CERT')) {
$KUBELET_CERT = ${kube_env}['KUBELET_CERT']
Write_PkiData "${KUBELET_CERT}" ${env:KUBELET_CERT_PATH}
@ -668,11 +626,7 @@ function Write_KubeconfigFromMetadata {
# Required ${kube_env} keys:
# KUBERNETES_MASTER_NAME: the apiserver IP address.
function Create-KubeletKubeconfig {
if (Test-NodeUsesAuthPlugin ${kube_env}) {
Write_KubeconfigFromMetadata
} else {
Write_BootstrapKubeconfig
}
Write_BootstrapKubeconfig
}
# Creates the kubeconfig user file for applications that communicate with Kubernetes.
@ -1058,11 +1012,9 @@ function Start-WorkerServices {
)
$kubelet_args = ${default_kubelet_args} + ${kubelet_args}
if (-not (Test-NodeUsesAuthPlugin ${kube_env})) {
Log-Output 'Using bootstrap kubeconfig for authentication'
$kubelet_args = (${kubelet_args} +
"--bootstrap-kubeconfig=${env:BOOTSTRAP_KUBECONFIG}")
}
Log-Output 'Using bootstrap kubeconfig for authentication'
$kubelet_args = (${kubelet_args} +
"--bootstrap-kubeconfig=${env:BOOTSTRAP_KUBECONFIG}")
Log-Output "Final kubelet_args: ${kubelet_args}"
# Compute kube-proxy args