mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-10-31 05:40:42 +00:00
remove second CA used for kubelet auth in favor of webhook auth
This commit is contained in:
Mike Danese
14
cluster/addons/rbac/apiserver-node-proxy-binding.yaml
Normal file
14
cluster/addons/rbac/apiserver-node-proxy-binding.yaml
Normal file
@@ -0,0 +1,14 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: apiserver-node-proxy
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: node-proxy
|
||||
subjects:
|
||||
- apiVersion: rbac/v1beta1
|
||||
kind: User
|
||||
name: kube-apiserver
|
||||
23
cluster/addons/rbac/node-proxy-role.yaml
Normal file
23
cluster/addons/rbac/node-proxy-role.yaml
Normal file
@@ -0,0 +1,23 @@
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: node-proxy
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes/proxy
|
||||
verbs:
|
||||
- create
|
||||
- get
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- nodes/log
|
||||
- nodes/stats
|
||||
- nodes/metrics
|
||||
- nodes/spec
|
||||
verbs:
|
||||
- get
|
||||
@@ -585,7 +585,6 @@ function build-kube-master-certs {
|
||||
cat >$file <<EOF
|
||||
KUBEAPISERVER_CERT: $(yaml-quote ${KUBEAPISERVER_CERT_BASE64:-})
|
||||
KUBEAPISERVER_KEY: $(yaml-quote ${KUBEAPISERVER_KEY_BASE64:-})
|
||||
KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
|
||||
CA_KEY: $(yaml-quote ${CA_KEY_BASE64:-})
|
||||
EOF
|
||||
}
|
||||
@@ -802,7 +801,6 @@ EOF
|
||||
KUBERNETES_MASTER: $(yaml-quote "false")
|
||||
ZONE: $(yaml-quote ${ZONE})
|
||||
EXTRA_DOCKER_OPTS: $(yaml-quote ${EXTRA_DOCKER_OPTS:-})
|
||||
KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
|
||||
EOF
|
||||
if [ -n "${KUBEPROXY_TEST_ARGS:-}" ]; then
|
||||
cat >>$file <<EOF
|
||||
@@ -970,9 +968,8 @@ function create-certs {
|
||||
KUBELET_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubelet.key" | base64 | tr -d '\r\n')
|
||||
KUBECFG_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubecfg.crt" | base64 | tr -d '\r\n')
|
||||
KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n')
|
||||
KUBELET_AUTH_CA_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/ca.crt" | base64 | tr -d '\r\n')
|
||||
KUBEAPISERVER_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/issued/kube-apiserver.crt" | base64 | tr -d '\r\n')
|
||||
KUBEAPISERVER_KEY_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/private/kube-apiserver.key" | base64 | tr -d '\r\n')
|
||||
KUBEAPISERVER_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kube-apiserver.crt" | base64 | tr -d '\r\n')
|
||||
KUBEAPISERVER_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kube-apiserver.key" | base64 | tr -d '\r\n')
|
||||
}
|
||||
|
||||
# Runs the easy RSA commands to generate certificate files.
|
||||
@@ -999,6 +996,7 @@ function generate-certs {
|
||||
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key
|
||||
./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass
|
||||
./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
|
||||
./easyrsa build-client-full kube-apiserver nopass
|
||||
|
||||
download-cfssl
|
||||
|
||||
@@ -1014,12 +1012,7 @@ function generate-certs {
|
||||
./easyrsa --dn-mode=org \
|
||||
--req-cn=kubecfg --req-org=system:masters \
|
||||
--req-c= --req-st= --req-city= --req-email= --req-ou= \
|
||||
build-client-full kubecfg nopass
|
||||
|
||||
cd ../kubelet
|
||||
./easyrsa init-pki
|
||||
./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass
|
||||
./easyrsa build-client-full kube-apiserver nopass) &>${cert_create_debug_output} || {
|
||||
build-client-full kubecfg nopass) &>${cert_create_debug_output} || {
|
||||
# If there was an error in the subshell, just die.
|
||||
# TODO(roberthbailey): add better error handling here
|
||||
cat "${cert_create_debug_output}" >&2
|
||||
|
||||
@@ -630,11 +630,6 @@ EOF
|
||||
if [ -n "${SCHEDULING_ALGORITHM_PROVIDER:-}" ]; then
|
||||
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
|
||||
scheduling_algorithm_provider: '$(echo "${SCHEDULING_ALGORITHM_PROVIDER}" | sed -e "s/'/''/g")'
|
||||
EOF
|
||||
fi
|
||||
if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then
|
||||
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
|
||||
kubelet_auth_ca_cert: /var/lib/kubelet/kubelet_auth_ca.crt
|
||||
EOF
|
||||
fi
|
||||
}
|
||||
@@ -755,11 +750,9 @@ current-context: service-account-context
|
||||
EOF
|
||||
)
|
||||
fi
|
||||
local -r kubelet_auth_ca_file="/srv/salt-overlay/salt/kubelet/kubelet_auth_ca.crt"
|
||||
if [ ! -e "${kubelet_auth_ca_file}" ] && [[ ! -z "${KUBELET_AUTH_CA_CERT:-}" ]]; then
|
||||
(umask 077;
|
||||
echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "${kubelet_auth_ca_file}")
|
||||
fi
|
||||
local -r client_ca_file="/srv/salt-overlay/salt/kubelet/ca.crt"
|
||||
(umask 077;
|
||||
echo "${KUBELET_CA_CERT}" | base64 --decode > "${client_ca_file}")
|
||||
}
|
||||
|
||||
# This should happen both on cluster initialization and node upgrades.
|
||||
|
||||
@@ -369,12 +369,7 @@ contexts:
|
||||
name: service-account-context
|
||||
current-context: service-account-context
|
||||
EOF
|
||||
}
|
||||
|
||||
function create-kubelet-auth-ca {
|
||||
if [[ -n "${KUBELET_AUTH_CA_CERT:-}" ]]; then
|
||||
echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "/var/lib/kubelet/kubelet_auth_ca.crt"
|
||||
fi
|
||||
echo "${KUBELET_CA_CERT}" | base64 -d > /var/lib/kubelet/ca.crt
|
||||
}
|
||||
|
||||
# Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY
|
||||
@@ -388,7 +383,6 @@ function create-master-kubelet-auth {
|
||||
REGISTER_MASTER_KUBELET="true"
|
||||
create-kubelet-kubeconfig
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
function create-kubeproxy-kubeconfig {
|
||||
@@ -582,9 +576,7 @@ function start-kubelet {
|
||||
[[ "${HAIRPIN_MODE:-}" == "none" ]]; then
|
||||
flags+=" --hairpin-mode=${HAIRPIN_MODE}"
|
||||
fi
|
||||
if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then
|
||||
flags+=" --anonymous-auth=false --client-ca-file=/var/lib/kubelet/kubelet_auth_ca.crt"
|
||||
fi
|
||||
flags+=" --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt"
|
||||
fi
|
||||
# Network plugin
|
||||
if [[ -n "${NETWORK_PROVIDER:-}" ]]; then
|
||||
@@ -1099,9 +1091,13 @@ function start-kube-addons {
|
||||
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
|
||||
local -r dst_dir="/etc/kubernetes/addons"
|
||||
|
||||
# TODO(mikedanese): only enable these in e2e
|
||||
# prep the additional bindings that are particular to e2e users and groups
|
||||
setup-addon-manifests "addons" "e2e-rbac-bindings"
|
||||
|
||||
# prep addition kube-up specific rbac objects
|
||||
setup-addon-manifests "addons" "rbac"
|
||||
|
||||
# Set up manifests of other addons.
|
||||
if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \
|
||||
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "google" ]] || \
|
||||
@@ -1345,7 +1341,6 @@ if [[ "${KUBERNETES_MASTER:-}" == "true" ]]; then
|
||||
create-master-etcd-auth
|
||||
else
|
||||
create-kubelet-kubeconfig
|
||||
create-kubelet-auth-ca
|
||||
create-kubeproxy-kubeconfig
|
||||
fi
|
||||
|
||||
|
||||
@@ -233,9 +233,6 @@ function prepare-node-upgrade() {
|
||||
KUBELET_CERT_BASE64=$(get-env-val "${node_env}" "KUBELET_CERT")
|
||||
KUBELET_KEY_BASE64=$(get-env-val "${node_env}" "KUBELET_KEY")
|
||||
|
||||
local master_env=$(get-master-env)
|
||||
KUBELET_AUTH_CA_CERT_BASE64=$(get-env-val "${master_env}" "KUBELET_AUTH_CA_CERT")
|
||||
|
||||
# TODO(zmerlynn): How do we ensure kube-env is written in a ${version}-
|
||||
# compatible way?
|
||||
write-node-env
|
||||
|
||||
@@ -188,10 +188,7 @@
|
||||
{% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %}
|
||||
{% endif -%}
|
||||
|
||||
{% set kubelet_auth_ca_cert = "" %}
|
||||
{% if pillar['kubelet_auth_ca_cert'] is defined -%}
|
||||
{% set kubelet_auth_ca_cert="--anonymous-auth=false --client-ca-file=" + pillar['kubelet_auth_ca_cert'] %}
|
||||
{% endif -%}
|
||||
{% set kubelet_auth = "--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt" %}
|
||||
|
||||
# test_args has to be kept at the end, so they'll overwrite any prior configuration
|
||||
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth_ca_cert}} {{feature_gates}} {{test_args}}"
|
||||
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth}} {{feature_gates}} {{test_args}}"
|
||||
|
||||
@@ -31,15 +31,13 @@
|
||||
- mode: 400
|
||||
- makedirs: true
|
||||
|
||||
{% if pillar['kubelet_auth_ca_cert'] is defined %}
|
||||
/var/lib/kubelet/kubelet_auth_ca.crt:
|
||||
/var/lib/kubelet/ca.crt:
|
||||
file.managed:
|
||||
- source: salt://kubelet/kubelet_auth_ca.crt
|
||||
- source: salt://kubelet/ca.crt
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 400
|
||||
- makedirs: true
|
||||
{% endif %}
|
||||
|
||||
{% if pillar.get('is_systemd') %}
|
||||
|
||||
@@ -61,7 +59,7 @@ fix-service-kubelet:
|
||||
- file: {{ pillar.get('systemd_system_path') }}/kubelet.service
|
||||
- file: {{ environment_file }}
|
||||
- file: /var/lib/kubelet/kubeconfig
|
||||
- file: /var/lib/kubelet/kubelet_auth_ca.crt
|
||||
- file: /var/lib/kubelet/ca.crt
|
||||
|
||||
{% else %}
|
||||
|
||||
@@ -89,9 +87,7 @@ kubelet:
|
||||
{% endif %}
|
||||
- file: {{ environment_file }}
|
||||
- file: /var/lib/kubelet/kubeconfig
|
||||
{% if pillar['kubelet_auth_ca_cert'] is defined %}
|
||||
- file: /var/lib/kubelet/kubelet_auth_ca.crt
|
||||
{% endif %}
|
||||
- file: /var/lib/kubelet/ca.crt
|
||||
{% if pillar.get('is_systemd') %}
|
||||
- provider:
|
||||
- service: systemd
|
||||
|
||||
@@ -14,6 +14,7 @@ cluster/gce/configure-vm.sh: cloud_config: ${CLOUD_CONFIG}
|
||||
cluster/gce/configure-vm.sh: env-to-grains "feature_gates"
|
||||
cluster/gce/configure-vm.sh: env-to-grains "runtime_config"
|
||||
cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}'
|
||||
cluster/gce/configure-vm.sh: local -r client_ca_file="/srv/salt-overlay/salt/kubelet/ca.crt"
|
||||
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC"
|
||||
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook"
|
||||
cluster/gce/container-linux/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}"
|
||||
|
||||
Reference in New Issue
Block a user