diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index 82ac4b5771f..ba2c920a2b7 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh @@ -1029,36 +1029,6 @@ EOF fi fi - if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then - if [[ -z "${EXEC_AUTH_PLUGIN_URL:-}" ]]; then - 1>&2 echo "You requested GKE exec auth support for webhooks, but EXEC_AUTH_PLUGIN_URL was not specified. This configuration depends on gke-exec-auth-plugin for authenticating to the webhook endpoint." - exit 1 - fi - - if [[ -z "${TOKEN_URL:-}" || -z "${TOKEN_BODY:-}" || -z "${TOKEN_BODY_UNQUOTED:-}" ]]; then - 1>&2 echo "You requested GKE exec auth support for webhooks, but TOKEN_URL, TOKEN_BODY, and TOKEN_BODY_UNQUOTED were not provided. gke-exec-auth-plugin requires these values for its configuration." - exit 1 - fi - - # kubeconfig to be used by webhooks with GKE exec auth support. Note that - # the path to gke-exec-auth-plugin is the path when mounted inside the - # kube-apiserver pod. - cat </etc/srv/kubernetes/webhook.kubeconfig -apiVersion: v1 -kind: Config -users: -- name: '*.googleapis.com' - user: - exec: - apiVersion: "client.authentication.k8s.io/v1alpha1" - command: /usr/bin/gke-exec-auth-plugin - args: - - --mode=alt-token - - --alt-token-url=${TOKEN_URL} - - --alt-token-body=${TOKEN_BODY_UNQUOTED} -EOF - fi - if [[ -n "${ADMISSION_CONTROL:-}" ]]; then # Emit a basic admission control configuration file, with no plugins specified. cat </etc/srv/kubernetes/admission_controller_config.yaml @@ -1089,8 +1059,7 @@ EOF 1>&2 echo "ImagePolicyWebhook admission control plugin requested. Configuring it to point at ${GCP_IMAGE_VERIFICATION_URL}" - # ImagePolicyWebhook does not use gke-exec-auth-plugin for authenticating - # to the webhook endpoint. Emit its special kubeconfig. + # ImagePolicyWebhook needs special kubeconfig for authenticating to the webhook endpoint. cat </etc/srv/kubernetes/gcp_image_review.kubeconfig clusters: - name: gcp-image-review-server @@ -1120,23 +1089,6 @@ EOF denyTTL: 30 retryBackoff: 500 defaultAllow: true -EOF - fi - - # If GKE exec auth for webhooks has been requested, then - # ValidatingAdmissionWebhook should use it. Otherwise, run with the default - # config. - if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then - 1>&2 echo "ValidatingAdmissionWebhook requested, and WEBHOOK_GKE_EXEC_AUTH specified. Configuring ValidatingAdmissionWebhook to use gke-exec-auth-plugin." - - # Append config for ValidatingAdmissionWebhook to the shared admission - # controller configuration file. - cat <>/etc/srv/kubernetes/admission_controller_config.yaml -- name: ValidatingAdmissionWebhook - configuration: - apiVersion: apiserver.config.k8s.io/v1alpha1 - kind: WebhookAdmission - kubeConfigFile: /etc/srv/kubernetes/webhook.kubeconfig EOF fi fi diff --git a/cluster/gce/gci/configure-kubeapiserver.sh b/cluster/gce/gci/configure-kubeapiserver.sh index fb216efe609..87d9f3126f5 100644 --- a/cluster/gce/gci/configure-kubeapiserver.sh +++ b/cluster/gce/gci/configure-kubeapiserver.sh @@ -247,15 +247,6 @@ function start-kube-apiserver { params+=" --admission-control-config-file=/etc/srv/kubernetes/admission_controller_config.yaml" fi - # If GKE exec auth support is requested for webhooks, then - # gke-exec-auth-plugin needs to be mounted into the kube-apiserver container. - local webhook_exec_auth_plugin_mount="" - local webhook_exec_auth_plugin_volume="" - if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then - webhook_exec_auth_plugin_mount='{"name": "gkeauth", "mountPath": "/usr/bin/gke-exec-auth-plugin", "readOnly": true},' - webhook_exec_auth_plugin_volume='{"name": "gkeauth", "hostPath": {"path": "/home/kubernetes/bin/gke-exec-auth-plugin", "type": "File"}},' - fi - if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT:-}" ]]; then params+=" --min-request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT}" fi @@ -392,8 +383,6 @@ function start-kube-apiserver { sed -i -e "s@{{audit_policy_config_volume}}@${audit_policy_config_volume}@g" "${src_file}" sed -i -e "s@{{audit_webhook_config_mount}}@${audit_webhook_config_mount}@g" "${src_file}" sed -i -e "s@{{audit_webhook_config_volume}}@${audit_webhook_config_volume}@g" "${src_file}" - sed -i -e "s@{{webhook_exec_auth_plugin_mount}}@${webhook_exec_auth_plugin_mount}@g" "${src_file}" - sed -i -e "s@{{webhook_exec_auth_plugin_volume}}@${webhook_exec_auth_plugin_volume}@g" "${src_file}" sed -i -e "s@{{konnectivity_socket_mount}}@${default_konnectivity_socket_mnt}@g" "${src_file}" sed -i -e "s@{{konnectivity_socket_volume}}@${default_konnectivity_socket_vol}@g" "${src_file}" sed -i -e "s@{{healthcheck_ip}}@${healthcheck_ip}@g" "${src_file}" diff --git a/cluster/gce/gci/configure.sh b/cluster/gce/gci/configure.sh index 68db258f6e3..4f1e240db07 100644 --- a/cluster/gce/gci/configure.sh +++ b/cluster/gce/gci/configure.sh @@ -374,32 +374,6 @@ EOF rm -f "${crictl}" } -function install-exec-auth-plugin { - if [[ ! "${EXEC_AUTH_PLUGIN_URL:-}" ]]; then - return - fi - local -r plugin_url="${EXEC_AUTH_PLUGIN_URL}" - local -r plugin_hash="${EXEC_AUTH_PLUGIN_HASH}" - - if is-preloaded "gke-exec-auth-plugin" "${plugin_hash}"; then - echo "gke-exec-auth-plugin is preloaded" - return - fi - - echo "Downloading gke-exec-auth-plugin binary" - download-or-bust "${plugin_hash}" "${plugin_url}" - mv "${KUBE_HOME}/gke-exec-auth-plugin" "${KUBE_BIN}/gke-exec-auth-plugin" - chmod a+x "${KUBE_BIN}/gke-exec-auth-plugin" - - if [[ ! "${EXEC_AUTH_PLUGIN_LICENSE_URL:-}" ]]; then - return - fi - local -r license_url="${EXEC_AUTH_PLUGIN_LICENSE_URL}" - echo "Downloading gke-exec-auth-plugin license" - download-or-bust "" "${license_url}" - mv "${KUBE_HOME}/LICENSES/LICENSE" "${KUBE_BIN}/gke-exec-auth-plugin-license" -} - function install-kube-manifests { # Put kube-system pods manifests in ${KUBE_HOME}/kube-manifests/. local dst_dir="${KUBE_HOME}/kube-manifests" @@ -673,9 +647,6 @@ function install-kube-binary-config { # Install crictl on each node. log-wrap "InstallCrictl" install-crictl - # TODO(awly): include the binary and license in the OS image. - log-wrap "InstallExecAuthPlugin" install-exec-auth-plugin - # Clean up. rm -rf "${KUBE_HOME}/kubernetes" rm -f "${KUBE_HOME}/${server_binary_tar}" diff --git a/cluster/gce/manifests/kube-apiserver.manifest b/cluster/gce/manifests/kube-apiserver.manifest index 10c3411e640..45da29f1dfe 100644 --- a/cluster/gce/manifests/kube-apiserver.manifest +++ b/cluster/gce/manifests/kube-apiserver.manifest @@ -74,7 +74,6 @@ {{csc_config_mount}} {{audit_policy_config_mount}} {{audit_webhook_config_mount}} - {{webhook_exec_auth_plugin_mount}} {{konnectivity_socket_mount}} { "name": "srvkube", "mountPath": "/etc/srv/kubernetes", @@ -116,7 +115,6 @@ {{csc_config_volume}} {{audit_policy_config_volume}} {{audit_webhook_config_volume}} - {{webhook_exec_auth_plugin_volume}} {{konnectivity_socket_volume}} { "name": "srvkube", "hostPath": { diff --git a/cluster/gce/windows/common.psm1 b/cluster/gce/windows/common.psm1 index 83566ee9c29..0cffc12450b 100644 --- a/cluster/gce/windows/common.psm1 +++ b/cluster/gce/windows/common.psm1 @@ -648,17 +648,6 @@ function Test-IsTestCluster { return $false } -# Returns true if this node uses a plugin to support authentication to the -# master, e.g. for TPM-based authentication. $KubeEnv is a hash table -# containing the kube-env metadata keys+values. -function Test-NodeUsesAuthPlugin { - param ( - [parameter(Mandatory=$true)] [hashtable]$KubeEnv - ) - - return $KubeEnv.Contains('EXEC_AUTH_PLUGIN_URL') -} - # Permanently adds a directory to the $env:PATH environment variable. function Add-MachineEnvironmentPath { param ( diff --git a/cluster/gce/windows/configure.ps1 b/cluster/gce/windows/configure.ps1 index 9917a07e7c6..7063605d94f 100644 --- a/cluster/gce/windows/configure.ps1 +++ b/cluster/gce/windows/configure.ps1 @@ -162,7 +162,6 @@ try { DownloadAndInstall-Crictl Configure-Crictl Setup-ContainerRuntime - DownloadAndInstall-AuthPlugin DownloadAndInstall-KubernetesBinaries DownloadAndInstall-NodeProblemDetector DownloadAndInstall-CSIProxyBinaries diff --git a/cluster/gce/windows/k8s-node-setup.psm1 b/cluster/gce/windows/k8s-node-setup.psm1 index e61cd1f239c..c684ccc1cf8 100644 --- a/cluster/gce/windows/k8s-node-setup.psm1 +++ b/cluster/gce/windows/k8s-node-setup.psm1 @@ -358,39 +358,6 @@ function Download-HelperScripts { } } -# Downloads the gke-exec-auth-plugin for TPM-based authentication to the -# master, if auth plugin support has been requested for this node (see -# Test-NodeUsesAuthPlugin). -# https://github.com/kubernetes/cloud-provider-gcp/tree/master/cmd/gke-exec-auth-plugin -# -# Required ${kube_env} keys: -# EXEC_AUTH_PLUGIN_LICENSE_URL -# EXEC_AUTH_PLUGIN_HASH -# EXEC_AUTH_PLUGIN_URL -function DownloadAndInstall-AuthPlugin { - if (-not (Test-NodeUsesAuthPlugin ${kube_env})) { - Log-Output 'Skipping download of auth plugin' - return - } - if (-not (ShouldWrite-File "${env:NODE_DIR}\gke-exec-auth-plugin.exe")) { - return - } - - if (-not ($kube_env.ContainsKey('EXEC_AUTH_PLUGIN_LICENSE_URL') -and - $kube_env.ContainsKey('EXEC_AUTH_PLUGIN_HASH') -and - $kube_env.ContainsKey('EXEC_AUTH_PLUGIN_URL'))) { - Log-Output -Fatal ("Missing one or more kube-env keys needed for " + - "downloading auth plugin: $(Out-String $kube_env)") - } - MustDownload-File ` - -URLs ${kube_env}['EXEC_AUTH_PLUGIN_URL'] ` - -Hash ${kube_env}['EXEC_AUTH_PLUGIN_HASH'] ` - -OutFile "${env:NODE_DIR}\gke-exec-auth-plugin.exe" - MustDownload-File ` - -URLs ${kube_env}['EXEC_AUTH_PLUGIN_LICENSE_URL'] ` - -OutFile "${env:LICENSE_DIR}\LICENSE_gke-exec-auth-plugin.txt" -} - # Downloads the Kubernetes binaries from kube-env's NODE_BINARY_TAR_URL and # puts them in a subdirectory of $env:K8S_DIR. # @@ -569,15 +536,6 @@ function Create-NodePki { Log-Output -Fatal 'CA_CERT not present in kube-env' } - # On nodes that use a plugin to support authentication, KUBELET_CERT and - # KUBELET_KEY will not be present - TPM_BOOTSTRAP_CERT and TPM_BOOTSTRAP_KEY - # should be set instead. - if (Test-NodeUsesAuthPlugin ${kube_env}) { - Log-Output ('Skipping KUBELET_CERT and KUBELET_KEY, plugin will be used ' + - 'for authentication') - return - } - if ($kube_env.ContainsKey('KUBELET_CERT')) { $KUBELET_CERT = ${kube_env}['KUBELET_CERT'] Write_PkiData "${KUBELET_CERT}" ${env:KUBELET_CERT_PATH} @@ -668,11 +626,7 @@ function Write_KubeconfigFromMetadata { # Required ${kube_env} keys: # KUBERNETES_MASTER_NAME: the apiserver IP address. function Create-KubeletKubeconfig { - if (Test-NodeUsesAuthPlugin ${kube_env}) { - Write_KubeconfigFromMetadata - } else { - Write_BootstrapKubeconfig - } + Write_BootstrapKubeconfig } # Creates the kubeconfig user file for applications that communicate with Kubernetes. @@ -1058,11 +1012,9 @@ function Start-WorkerServices { ) $kubelet_args = ${default_kubelet_args} + ${kubelet_args} - if (-not (Test-NodeUsesAuthPlugin ${kube_env})) { - Log-Output 'Using bootstrap kubeconfig for authentication' - $kubelet_args = (${kubelet_args} + - "--bootstrap-kubeconfig=${env:BOOTSTRAP_KUBECONFIG}") - } + Log-Output 'Using bootstrap kubeconfig for authentication' + $kubelet_args = (${kubelet_args} + + "--bootstrap-kubeconfig=${env:BOOTSTRAP_KUBECONFIG}") Log-Output "Final kubelet_args: ${kubelet_args}" # Compute kube-proxy args