github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 05:03:09 +00:00
Code Issues Projects Releases Wiki Activity

Revert "Added kube-proxy token."

Browse Source
This commit is contained in:
Zach Loafman 2015-04-22 10:55:08 -07:00
parent f12a59465e
commit 86468cd29d
4 changed files with 14 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cluster/aws/templates/create-dynamic-salt-files.sh
View File

@ -40,19 +40,14 @@ mkdir -p /srv/salt-overlay/salt/nginx
echo $MASTER_HTPASSWD > /srv/salt-overlay/salt/nginx/htpasswd echo $MASTER_HTPASSWD > /srv/salt-overlay/salt/nginx/htpasswd
# Generate and distribute a shared secret (bearer token) to # Generate and distribute a shared secret (bearer token) to
# apiserver and nodes so that kubelet/kube-proxy can authenticate to # apiserver and kubelet so that kubelet can authenticate to
# apiserver to send events. # apiserver to send events.
# This works on CoreOS, so it should work on a lot of distros. # This works on CoreOS, so it should work on a lot of distros.
kubelet_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null) kubelet_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
# Same thing for kube-proxy.
kube_proxy_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
# Make a list of tokens and usernames to be pushed to the apiserver
mkdir -p /srv/salt-overlay/salt/kube-apiserver mkdir -p /srv/salt-overlay/salt/kube-apiserver
known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv" known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
(umask u=rw,go= ; echo "" > $known_tokens_file) (umask u=rw,go= ; echo "$kubelet_token,kubelet,kubelet" > $known_tokens_file)
echo "$kubelet_token,kubelet,kubelet" >> $known_tokens_file ;
echo "$kube_proxy_token,kube_proxy,kube_proxy" >> $known_tokens_file
mkdir -p /srv/salt-overlay/salt/kubelet mkdir -p /srv/salt-overlay/salt/kubelet
kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth" kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"

19
cluster/gce/configure-vm.sh
View File

@ -73,23 +73,17 @@ for k,v in yaml.load(sys.stdin).iteritems():
fi fi
} }
function ensure-kube-tokens() { function ensure-kube-token() {
# We bake the KUBELET_TOKEN in separately to avoid auth information # We bake the KUBELET_TOKEN in separately to avoid auth information
# having to be re-communicated on kube-push. (Otherwise the client # having to be re-communicated on kube-push. (Otherwise the client
# has to keep the bearer token around to handle generating a valid # has to keep the bearer token around to handle generating a valid
# kube-env.) # kube-env.)
if [[ -z "${KUBELET_TOKEN:-}" ]] && [[ ! -e "${KNOWN_TOKENS_FILE}" ]]; then if [[ -z "${KUBELET_TOKEN:-}" ]] && [[ ! -e "${KNOWN_TOKENS_FILE}" ]]; then
until KUBELET_TOKEN=$(curl-metadata kubelet-token); do until KUBELET_TOKEN=$(curl-metadata kube-token); do
echo 'Waiting for metadata KUBELET_TOKEN...' echo 'Waiting for metadata KUBELET_TOKEN...'
sleep 3 sleep 3
done done
fi fi
if [[ -z "${KUBE_PROXY_TOKEN:-}" ]] && [[ ! -e "${KNOWN_TOKENS_FILE}" ]]; then
until KUBE_PROXY_TOKEN=$(curl-metadata kube-proxy-token); do
echo 'Waiting for metadata KUBE_PROXY_TOKEN...'
sleep 3
done
fi
} }
function remove-docker-artifacts() { function remove-docker-artifacts() {
@ -258,7 +252,7 @@ EOF
# This should only happen on cluster initialization. Uses # This should only happen on cluster initialization. Uses
# MASTER_HTPASSWORD to generate the nginx/htpasswd file, and the # MASTER_HTPASSWORD to generate the nginx/htpasswd file, and the
# KUBELET_TOKEN and KUBE_PROXY_TOKEN, to generate known_tokens.csv # KUBELET_TOKEN, plus /dev/urandom, to generate known_tokens.csv
# (KNOWN_TOKENS_FILE). After the first boot and on upgrade, these # (KNOWN_TOKENS_FILE). After the first boot and on upgrade, these
# files exist on the master-pd and should never be touched again # files exist on the master-pd and should never be touched again
# (except perhaps an additional service account, see NB below.) # (except perhaps an additional service account, see NB below.)
@ -272,9 +266,8 @@ function create-salt-auth() {
if [ ! -e "${KNOWN_TOKENS_FILE}" ]; then if [ ! -e "${KNOWN_TOKENS_FILE}" ]; then
mkdir -p /srv/salt-overlay/salt/kube-apiserver mkdir -p /srv/salt-overlay/salt/kube-apiserver
(umask 077; echo "" > "${KNOWN_TOKENS_FILE}") (umask 077;
echo "${KUBELET_TOKEN},kubelet,kubelet" >> "${KNOWN_TOKENS_FILE}" echo "${KUBELET_TOKEN},kubelet,kubelet" > "${KNOWN_TOKENS_FILE}")
echo "${KUBE_PROXY_TOKEN},kube_proxy,kube_proxy" >> "${KNOWN_TOKENS_FILE}"
mkdir -p /srv/salt-overlay/salt/kubelet mkdir -p /srv/salt-overlay/salt/kubelet
kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth" kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
@ -429,7 +422,7 @@ if [[ -z "${is_push}" ]]; then
ensure-install-dir ensure-install-dir
set-kube-env set-kube-env
[[ "${KUBERNETES_MASTER}" == "true" ]] && mount-master-pd [[ "${KUBERNETES_MASTER}" == "true" ]] && mount-master-pd
ensure-kube-tokens ensure-kube-token
create-salt-pillar create-salt-pillar
create-salt-auth create-salt-auth
download-release download-release

13
cluster/gce/util.sh
View File

@ -594,12 +594,11 @@ function kube-up {
--zone "${ZONE}" \ --zone "${ZONE}" \
--size "10GB" --size "10GB"
# Generate a bearer token for kubelets in this cluster. We push this # Generate a bearer token for this cluster. We push this separately
# separately from the other cluster variables so that the client (this # from the other cluster variables so that the client (this
# computer) can forget it later. This should disappear with # computer) can forget it later. This should disappear with
# https://github.com/GoogleCloudPlatform/kubernetes/issues/3168 # https://github.com/GoogleCloudPlatform/kubernetes/issues/3168
KUBELET_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null) KUBELET_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
KUBE_PROXY_TOKEN=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
# Reserve the master's IP so that it can later be transferred to another VM # Reserve the master's IP so that it can later be transferred to another VM
# without disrupting the kubelets. IPs are associated with regions, not zones, # without disrupting the kubelets. IPs are associated with regions, not zones,
@ -626,8 +625,7 @@ function kube-up {
# Wait for last batch of jobs # Wait for last batch of jobs
wait-for-jobs wait-for-jobs
add-instance-metadata "${MASTER_NAME}" "kubelet-token=${KUBELET_TOKEN}" add-instance-metadata "${MASTER_NAME}" "kube-token=${KUBELET_TOKEN}"
add-instance-metadata "${MASTER_NAME}" "kube-proxy-token=${KUBE_PROXY_TOKEN}"
echo "Creating minions." echo "Creating minions."
@ -642,8 +640,7 @@ function kube-up {
create-node-template "${NODE_INSTANCE_PREFIX}-template" "${scope_flags[*]}" \ create-node-template "${NODE_INSTANCE_PREFIX}-template" "${scope_flags[*]}" \
"startup-script=${KUBE_ROOT}/cluster/gce/configure-vm.sh" \ "startup-script=${KUBE_ROOT}/cluster/gce/configure-vm.sh" \
"kube-env=${KUBE_TEMP}/node-kube-env.yaml" \ "kube-env=${KUBE_TEMP}/node-kube-env.yaml" \
"kubelet-token=${KUBELET_TOKEN}" \ "kube-token=${KUBELET_TOKEN}"
"kube-proxy-token=${KUBE_PROXY_TOKEN}"
gcloud preview managed-instance-groups --zone "${ZONE}" \ gcloud preview managed-instance-groups --zone "${ZONE}" \
create "${NODE_INSTANCE_PREFIX}-group" \ create "${NODE_INSTANCE_PREFIX}-group" \
@ -881,7 +878,7 @@ function kube-push {
# TODO(zmerlynn): Re-create instance-template with the new # TODO(zmerlynn): Re-create instance-template with the new
# node-kube-env. This isn't important until the node-ip-range issue # node-kube-env. This isn't important until the node-ip-range issue
# is solved (because that's blocking automatic dynamic nodes from # is solved (because that's blocking automatic dynamic nodes from
# working). The node-kube-env has to be composed with the kube*-token # working). The node-kube-env has to be composed with the kube-token
# metadata. Ideally we would have # metadata. Ideally we would have
# https://github.com/GoogleCloudPlatform/kubernetes/issues/3168 # https://github.com/GoogleCloudPlatform/kubernetes/issues/3168
# implemented before then, though, so avoiding this mess until then. # implemented before then, though, so avoiding this mess until then.

5
cluster/vagrant/provision-master.sh
View File

@ -137,13 +137,10 @@ EOF
known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv" known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
if [[ ! -f "${known_tokens_file}" ]]; then if [[ ! -f "${known_tokens_file}" ]]; then
kubelet_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null) kubelet_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
kube_proxy_token=$(cat /dev/urandom | base64 | tr -d "=+/" | dd bs=32 count=1 2> /dev/null)
mkdir -p /srv/salt-overlay/salt/kube-apiserver mkdir -p /srv/salt-overlay/salt/kube-apiserver
known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv" known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
(umask u=rw,go= ; echo "" > $known_tokens_file) (umask u=rw,go= ; echo "$kubelet_token,kubelet,kubelet" > $known_tokens_file)
echo "$kubelet_token,kubelet,kubelet" >> $known_tokens_file
echo "$kube_proxy_token,kube-proxy,kube-proxy" >> $known_tokens_file
mkdir -p /srv/salt-overlay/salt/kubelet mkdir -p /srv/salt-overlay/salt/kubelet
kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth" kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"