kubelet: add configuration to optionally enable server tls bootstrap

right now if the RotateKubeletServerCertificate feature is enabled,
kubelet will bootstrap server tls. this is undesirable if the deployment
is not or cannot run an approver to handle these certificate signing
requests.
This commit is contained in:
Mike Danese 2018-04-10 11:22:30 -07:00
parent ee4d90aaa6
commit 54f5f6752a
7 changed files with 26 additions and 3 deletions

View File

@ -187,6 +187,7 @@ var (
"KubeReserved[*]", "KubeReserved[*]",
"KubeletCgroups", "KubeletCgroups",
"MakeIPTablesUtilChains", "MakeIPTablesUtilChains",
"ServerTLSBootstrap",
"StaticPodURL", "StaticPodURL",
"StaticPodURLHeader[*][*]", "StaticPodURLHeader[*][*]",
"MaxOpenFiles", "MaxOpenFiles",

View File

@ -81,6 +81,12 @@ type KubeletConfiguration struct {
// TLSMinVersion is the minimum TLS version supported. // TLSMinVersion is the minimum TLS version supported.
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
TLSMinVersion string TLSMinVersion string
// serverTLSBootstrap enables server certificate bootstrap. Instead of self
// signing a serving certificate, the Kubelet will request a certificate from
// the certificates.k8s.io API. This requires an approver to approve the
// certificate signing requests. The RotateKubeletServerCertificate feature
// must be enabled.
ServerTLSBootstrap bool
// authentication specifies how requests to the Kubelet's server are authenticated // authentication specifies how requests to the Kubelet's server are authenticated
Authentication KubeletAuthentication Authentication KubeletAuthentication
// authorization specifies how requests to the Kubelet's server are authorized // authorization specifies how requests to the Kubelet's server are authorized

View File

@ -107,6 +107,13 @@ type KubeletConfiguration struct {
// Default: "" // Default: ""
// +optional // +optional
TLSMinVersion string `json:"tlsMinVersion,omitempty"` TLSMinVersion string `json:"tlsMinVersion,omitempty"`
// serverTLSBootstrap enables server certificate bootstrap. Instead of self
// signing a serving certificate, the Kubelet will request a certificate from
// the certificates.k8s.io API. This requires an approver to approve the
// certificate signing requests. The RotateKubeletServerCertificate feature
// must be enabled.
// Default: false
ServerTLSBootstrap bool `json:"serverTLSBootstrap,omitempty"`
// authentication specifies how requests to the Kubelet's server are authenticated // authentication specifies how requests to the Kubelet's server are authenticated
// Defaults: // Defaults:
// anonymous: // anonymous:

View File

@ -154,6 +154,7 @@ func autoConvert_v1beta1_KubeletConfiguration_To_kubeletconfig_KubeletConfigurat
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites)) out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
out.TLSMinVersion = in.TLSMinVersion out.TLSMinVersion = in.TLSMinVersion
out.ServerTLSBootstrap = in.ServerTLSBootstrap
if err := Convert_v1beta1_KubeletAuthentication_To_kubeletconfig_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil { if err := Convert_v1beta1_KubeletAuthentication_To_kubeletconfig_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
return err return err
} }
@ -275,6 +276,7 @@ func autoConvert_kubeletconfig_KubeletConfiguration_To_v1beta1_KubeletConfigurat
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites)) out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
out.TLSMinVersion = in.TLSMinVersion out.TLSMinVersion = in.TLSMinVersion
out.ServerTLSBootstrap = in.ServerTLSBootstrap
if err := Convert_kubeletconfig_KubeletAuthentication_To_v1beta1_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil { if err := Convert_kubeletconfig_KubeletAuthentication_To_v1beta1_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
return err return err
} }

View File

@ -11,10 +11,12 @@ go_library(
srcs = ["validation.go"], srcs = ["validation.go"],
importpath = "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation", importpath = "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation",
deps = [ deps = [
"//pkg/features:go_default_library",
"//pkg/kubelet/apis/kubeletconfig:go_default_library", "//pkg/kubelet/apis/kubeletconfig:go_default_library",
"//pkg/kubelet/types:go_default_library", "//pkg/kubelet/types:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
], ],
) )

View File

@ -21,6 +21,8 @@ import (
utilerrors "k8s.io/apimachinery/pkg/util/errors" utilerrors "k8s.io/apimachinery/pkg/util/errors"
utilvalidation "k8s.io/apimachinery/pkg/util/validation" utilvalidation "k8s.io/apimachinery/pkg/util/validation"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig" "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types" kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
) )
@ -86,6 +88,9 @@ func ValidateKubeletConfiguration(kc *kubeletconfig.KubeletConfiguration) error
if kc.RegistryPullQPS < 0 { if kc.RegistryPullQPS < 0 {
allErrors = append(allErrors, fmt.Errorf("invalid configuration: RegistryPullQPS (--registry-qps) %v must not be a negative number", kc.RegistryPullQPS)) allErrors = append(allErrors, fmt.Errorf("invalid configuration: RegistryPullQPS (--registry-qps) %v must not be a negative number", kc.RegistryPullQPS))
} }
if kc.ServerTLSBootstrap && !utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
allErrors = append(allErrors, fmt.Errorf("invalid configuration: ServerTLSBootstrap %v requires feature gate RotateKubeletServerCertificate", kc.ServerTLSBootstrap))
}
for _, val := range kc.EnforceNodeAllocatable { for _, val := range kc.EnforceNodeAllocatable {
switch val { switch val {
case kubetypes.NodeAllocatableEnforcementKey: case kubetypes.NodeAllocatableEnforcementKey:

View File

@ -707,7 +707,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
klet.statusManager = status.NewManager(klet.kubeClient, klet.podManager, klet) klet.statusManager = status.NewManager(klet.kubeClient, klet.podManager, klet)
if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) && kubeDeps.TLSOptions != nil { if kubeCfg.ServerTLSBootstrap && kubeDeps.TLSOptions != nil && utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
var ( var (
ips []net.IP ips []net.IP
names []string names []string
@ -1233,8 +1233,8 @@ func (kl *Kubelet) initializeModules() error {
// Start the image manager. // Start the image manager.
kl.imageManager.Start() kl.imageManager.Start()
// Start the certificate manager. // Start the certificate manager if it was enabled.
if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) { if kl.serverCertificateManager != nil {
kl.serverCertificateManager.Start() kl.serverCertificateManager.Start()
} }