Merge pull request #80951 from neolit123/1.16-sched-auth

kubeadm: enable secure serving for the kube-scheduler

cmd/kubeadm/app/phases/controlplane/manifests.go

@@ -25,7 +25,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/klog"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
@@ -315,10 +315,13 @@ func getControllerManagerCommand(cfg *kubeadmapi.ClusterConfiguration) []string
 
 // getSchedulerCommand builds the right scheduler command from the given config object and version
 func getSchedulerCommand(cfg *kubeadmapi.ClusterConfiguration) []string {
+	kubeconfigFile := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName)
 	defaultArguments := map[string]string{
-		"bind-address": "127.0.0.1",
-		"leader-elect": "true",
-		"kubeconfig":   filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName),
+		"bind-address":              "127.0.0.1",
+		"leader-elect":              "true",
+		"kubeconfig":                kubeconfigFile,
+		"authentication-kubeconfig": kubeconfigFile,
+		"authorization-kubeconfig":  kubeconfigFile,
 	}
 
 	// TODO: The following code should be remvoved after dual-stack is GA.

cmd/kubeadm/app/phases/controlplane/manifests_test.go

@@ -868,6 +868,8 @@ func TestGetSchedulerCommand(t *testing.T) {
 				"--bind-address=127.0.0.1",
 				"--leader-elect=true",
 				"--kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
+				"--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
+				"--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
 			},
 		},
 	}

cmd/kubeadm/app/phases/selfhosting/podspec_mutation.go

@@ -20,7 +20,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 )
@@ -191,7 +191,14 @@ func setSelfHostedVolumesForScheduler(podSpec *v1.PodSpec) {
 	// This is not a problem with hostPath mounts as hostPath supports mounting one file only, instead of always a full directory. Secrets and Projected Volumes
 	// don't support that.
 	podSpec.Containers[0].Command = kubeadmutil.ReplaceArgument(podSpec.Containers[0].Command, func(argMap map[string]string) map[string]string {
-		argMap["kubeconfig"] = filepath.Join(selfHostedKubeConfigDir, kubeadmconstants.SchedulerKubeConfigFileName)
+		schedulerKubeConfigPath := filepath.Join(selfHostedKubeConfigDir, kubeadmconstants.SchedulerKubeConfigFileName)
+		argMap["kubeconfig"] = schedulerKubeConfigPath
+		if _, ok := argMap["authentication-kubeconfig"]; ok {
+			argMap["authentication-kubeconfig"] = schedulerKubeConfigPath
+		}
+		if _, ok := argMap["authorization-kubeconfig"]; ok {
+			argMap["authorization-kubeconfig"] = schedulerKubeConfigPath
+		}
 		return argMap
 	})
 }

cmd/kubeadm/app/phases/selfhosting/podspec_mutation_test.go

@@ -21,7 +21,7 @@ import (
 	"sort"
 	"testing"
 
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 )
 
@@ -531,6 +531,8 @@ func TestSetSelfHostedVolumesForScheduler(t *testing.T) {
 						},
 						Command: []string{
 							"--kubeconfig=/etc/kubernetes/scheduler.conf",
+							"--authentication-kubeconfig=/etc/kubernetes/scheduler.conf",
+							"--authorization-kubeconfig=/etc/kubernetes/scheduler.conf",
 							"--foo=bar",
 						},
 					},
@@ -558,6 +560,8 @@ func TestSetSelfHostedVolumesForScheduler(t *testing.T) {
 						},
 						Command: []string{
 							"--kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf",
+							"--authentication-kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf",
+							"--authorization-kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf",
 							"--foo=bar",
 						},
 					},