kubelet: add configuration to optionally enable server tls bootstrap
Right now, if the RotateKubeletServerCertificate feature is enabled, the kubelet will bootstrap server TLS. This is undesirable if the deployment does not or cannot run an approver to handle these certificate signing requests.
This commit is contained in:
parent
ee4d90aaa6
commit
54f5f6752a
@ -187,6 +187,7 @@ var (
|
|||||||
"KubeReserved[*]",
|
"KubeReserved[*]",
|
||||||
"KubeletCgroups",
|
"KubeletCgroups",
|
||||||
"MakeIPTablesUtilChains",
|
"MakeIPTablesUtilChains",
|
||||||
|
"ServerTLSBootstrap",
|
||||||
"StaticPodURL",
|
"StaticPodURL",
|
||||||
"StaticPodURLHeader[*][*]",
|
"StaticPodURLHeader[*][*]",
|
||||||
"MaxOpenFiles",
|
"MaxOpenFiles",
|
||||||
|
@ -81,6 +81,12 @@ type KubeletConfiguration struct {
|
|||||||
// TLSMinVersion is the minimum TLS version supported.
|
// TLSMinVersion is the minimum TLS version supported.
|
||||||
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
||||||
TLSMinVersion string
|
TLSMinVersion string
|
||||||
|
// serverTLSBootstrap enables server certificate bootstrap. Instead of self
|
||||||
|
// signing a serving certificate, the Kubelet will request a certificate from
|
||||||
|
// the certificates.k8s.io API. This requires an approver to approve the
|
||||||
|
// certificate signing requests. The RotateKubeletServerCertificate feature
|
||||||
|
// must be enabled.
|
||||||
|
ServerTLSBootstrap bool
|
||||||
// authentication specifies how requests to the Kubelet's server are authenticated
|
// authentication specifies how requests to the Kubelet's server are authenticated
|
||||||
Authentication KubeletAuthentication
|
Authentication KubeletAuthentication
|
||||||
// authorization specifies how requests to the Kubelet's server are authorized
|
// authorization specifies how requests to the Kubelet's server are authorized
|
||||||
|
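Review bot: The doc comment on the new ServerTLSBootstrap field of the internal KubeletConfiguration does not say what the kubelet does when the field is false, which is the default and the security-relevant case; the wording "Instead of self signing a serving certificate" only implies it. In this internal type the neighbouring comments start with the Go identifier (`// TLSMinVersion is the minimum TLS version supported.`), so `// ServerTLSBootstrap enables server certificate bootstrap. Instead of self` would match the file, and a closing sentence such as `// When false (the default), the Kubelet keeps self-signing its serving certificate.` would make the fallback explicit. The v1beta1 copy of the comment in the next hunk uses the JSON-name form like its neighbours, so it can stay as written apart from the same sentence on the default.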
@ -107,6 +107,13 @@ type KubeletConfiguration struct {
|
|||||||
// Default: ""
|
// Default: ""
|
||||||
// +optional
|
// +optional
|
||||||
TLSMinVersion string `json:"tlsMinVersion,omitempty"`
|
TLSMinVersion string `json:"tlsMinVersion,omitempty"`
|
||||||
|
// serverTLSBootstrap enables server certificate bootstrap. Instead of self
|
||||||
|
// signing a serving certificate, the Kubelet will request a certificate from
|
||||||
|
// the certificates.k8s.io API. This requires an approver to approve the
|
||||||
|
// certificate signing requests. The RotateKubeletServerCertificate feature
|
||||||
|
// must be enabled.
|
||||||
|
// Default: false
|
||||||
|
ServerTLSBootstrap bool `json:"serverTLSBootstrap,omitempty"`
|
||||||
// authentication specifies how requests to the Kubelet's server are authenticated
|
// authentication specifies how requests to the Kubelet's server are authenticated
|
||||||
// Defaults:
|
// Defaults:
|
||||||
// anonymous:
|
// anonymous:
|
||||||
|
@ -154,6 +154,7 @@ func autoConvert_v1beta1_KubeletConfiguration_To_kubeletconfig_KubeletConfigurat
|
|||||||
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
|
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
|
||||||
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
|
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
|
||||||
out.TLSMinVersion = in.TLSMinVersion
|
out.TLSMinVersion = in.TLSMinVersion
|
||||||
|
out.ServerTLSBootstrap = in.ServerTLSBootstrap
|
||||||
if err := Convert_v1beta1_KubeletAuthentication_To_kubeletconfig_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
|
if err := Convert_v1beta1_KubeletAuthentication_To_kubeletconfig_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -275,6 +276,7 @@ func autoConvert_kubeletconfig_KubeletConfiguration_To_v1beta1_KubeletConfigurat
|
|||||||
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
|
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
|
||||||
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
|
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
|
||||||
out.TLSMinVersion = in.TLSMinVersion
|
out.TLSMinVersion = in.TLSMinVersion
|
||||||
|
out.ServerTLSBootstrap = in.ServerTLSBootstrap
|
||||||
if err := Convert_kubeletconfig_KubeletAuthentication_To_v1beta1_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
|
if err := Convert_kubeletconfig_KubeletAuthentication_To_v1beta1_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -11,10 +11,12 @@ go_library(
|
|||||||
srcs = ["validation.go"],
|
srcs = ["validation.go"],
|
||||||
importpath = "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation",
|
importpath = "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation",
|
||||||
deps = [
|
deps = [
|
||||||
|
"//pkg/features:go_default_library",
|
||||||
"//pkg/kubelet/apis/kubeletconfig:go_default_library",
|
"//pkg/kubelet/apis/kubeletconfig:go_default_library",
|
||||||
"//pkg/kubelet/types:go_default_library",
|
"//pkg/kubelet/types:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
|
||||||
|
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -21,6 +21,8 @@ import (
|
|||||||
|
|
||||||
utilerrors "k8s.io/apimachinery/pkg/util/errors"
|
utilerrors "k8s.io/apimachinery/pkg/util/errors"
|
||||||
utilvalidation "k8s.io/apimachinery/pkg/util/validation"
|
utilvalidation "k8s.io/apimachinery/pkg/util/validation"
|
||||||
|
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||||
|
"k8s.io/kubernetes/pkg/features"
|
||||||
"k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
|
"k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
|
||||||
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
|
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
|
||||||
)
|
)
|
||||||
@ -86,6 +88,9 @@ func ValidateKubeletConfiguration(kc *kubeletconfig.KubeletConfiguration) error
|
|||||||
if kc.RegistryPullQPS < 0 {
|
if kc.RegistryPullQPS < 0 {
|
||||||
allErrors = append(allErrors, fmt.Errorf("invalid configuration: RegistryPullQPS (--registry-qps) %v must not be a negative number", kc.RegistryPullQPS))
|
allErrors = append(allErrors, fmt.Errorf("invalid configuration: RegistryPullQPS (--registry-qps) %v must not be a negative number", kc.RegistryPullQPS))
|
||||||
}
|
}
|
||||||
|
if kc.ServerTLSBootstrap && !utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
|
||||||
|
allErrors = append(allErrors, fmt.Errorf("invalid configuration: ServerTLSBootstrap %v requires feature gate RotateKubeletServerCertificate", kc.ServerTLSBootstrap))
|
||||||
|
}
|
||||||
for _, val := range kc.EnforceNodeAllocatable {
|
for _, val := range kc.EnforceNodeAllocatable {
|
||||||
switch val {
|
switch val {
|
||||||
case kubetypes.NodeAllocatableEnforcementKey:
|
case kubetypes.NodeAllocatableEnforcementKey:
|
||||||
|
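Review bot: The `%v` in the new error message in ValidateKubeletConfiguration formats kc.ServerTLSBootstrap, which is always true inside that branch, so the message always reads "ServerTLSBootstrap true requires feature gate ..."; the value adds nothing and the line can be `allErrors = append(allErrors, fmt.Errorf("invalid configuration: ServerTLSBootstrap requires feature gate RotateKubeletServerCertificate"))`. Note that this check reads the process-global utilfeature.DefaultFeatureGate, so the validation result depends on gate state at call time rather than on the configuration alone; that matches the kubelet's existing gate usage elsewhere on this page, but it is worth a one-line comment above the `if`. ValidateKubeletConfiguration starts and ends outside the hunk.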
@ -707,7 +707,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
|
|||||||
|
|
||||||
klet.statusManager = status.NewManager(klet.kubeClient, klet.podManager, klet)
|
klet.statusManager = status.NewManager(klet.kubeClient, klet.podManager, klet)
|
||||||
|
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) && kubeDeps.TLSOptions != nil {
|
if kubeCfg.ServerTLSBootstrap && kubeDeps.TLSOptions != nil && utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
|
||||||
var (
|
var (
|
||||||
ips []net.IP
|
ips []net.IP
|
||||||
names []string
|
names []string
|
||||||
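Review bot: With the new condition on the changed `if` line in NewMainKubelet, a configuration with ServerTLSBootstrap set to true but kubeDeps.TLSOptions nil silently skips creating the server certificate manager, so the kubelet proceeds with whatever serving certificate it would otherwise use and nothing records that the requested bootstrap was not performed. An operator who enabled bootstrap to avoid self-signed serving certificates would want that visible, so consider an `else if kubeCfg.ServerTLSBootstrap { /* warn via the file's logger that bootstrap was requested but TLSOptions is nil */ }` branch, or a comment above the `if` stating that bootstrap is intentionally a no-op without TLS options. The feature-gate re-check duplicates the new validation rule; keeping it is reasonable as defence in depth, but a short comment saying so would stop a later reader from removing one of the two. NewMainKubelet continues outside the hunk.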
@ -1233,8 +1233,8 @@ func (kl *Kubelet) initializeModules() error {
|
|||||||
// Start the image manager.
|
// Start the image manager.
|
||||||
kl.imageManager.Start()
|
kl.imageManager.Start()
|
||||||
|
|
||||||
// Start the certificate manager.
|
// Start the certificate manager if it was enabled.
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
|
if kl.serverCertificateManager != nil {
|
||||||
kl.serverCertificateManager.Start()
|
kl.serverCertificateManager.Start()
|
||||||
}
|
}
|
||||||
|
|
||||||
|