Merge pull request #44588 from dmmcquay/kubeadm_skip_token_print

Automatic merge from submit-queue (batch tested with PRs 44601, 44842, 44893, 44491, 44588)

kubeadm: add flag to skip token print out

**What this PR does / why we need it**: When kubeadm init is used in an automated context, it still prints the token to standard output. When standard output ends up in a log file, the token can be considered leaked there and may be compromised. This PR adds a flag you can select to not have it print out and explicitly disable this behavior.

This is a continuation from https://github.com/kubernetes/kubernetes/pull/42823 since it had to be closed.

**Which issue this PR fixes** : fixes #https://github.com/kubernetes/kubeadm/issues/160

**Special notes for your reviewer**: /cc @luxas @errordeveloper 

**Release note**:
```release-note
NONE
```
Kubernetes Submit Queue 2017-04-25 12:51:41 -07:00 committed by GitHub
commit 896d2afb42
2 changed files with 17 additions and 5 deletions


@ -72,6 +72,7 @@ func NewCmdInit(out io.Writer) *cobra.Command {
var cfgPath string var cfgPath string
var skipPreFlight bool var skipPreFlight bool
var skipTokenPrint bool
cmd := &cobra.Command{ cmd := &cobra.Command{
Use: "init", Use: "init",
Short: "Run this in order to set up the Kubernetes master", Short: "Run this in order to set up the Kubernetes master",
@ -80,7 +81,7 @@ func NewCmdInit(out io.Writer) *cobra.Command {
internalcfg := &kubeadmapi.MasterConfiguration{} internalcfg := &kubeadmapi.MasterConfiguration{}
api.Scheme.Convert(cfg, internalcfg, nil) api.Scheme.Convert(cfg, internalcfg, nil)
i, err := NewInit(cfgPath, internalcfg, skipPreFlight) i, err := NewInit(cfgPath, internalcfg, skipPreFlight, skipTokenPrint)
kubeadmutil.CheckErr(err) kubeadmutil.CheckErr(err)
kubeadmutil.CheckErr(i.Validate()) kubeadmutil.CheckErr(i.Validate())
kubeadmutil.CheckErr(i.Run(out)) kubeadmutil.CheckErr(i.Run(out))
@ -126,6 +127,10 @@ func NewCmdInit(out io.Writer) *cobra.Command {
&skipPreFlight, "skip-preflight-checks", skipPreFlight, &skipPreFlight, "skip-preflight-checks", skipPreFlight,
"Skip preflight checks normally run before modifying the system", "Skip preflight checks normally run before modifying the system",
) )
cmd.PersistentFlags().BoolVar(
&skipTokenPrint, "skip-token-print", skipTokenPrint,
"Skip printing of the default bootstrap token generated by 'kubeadm init'",
)
cmd.PersistentFlags().StringVar( cmd.PersistentFlags().StringVar(
&cfg.Token, "token", cfg.Token, &cfg.Token, "token", cfg.Token,
@ -138,7 +143,7 @@ func NewCmdInit(out io.Writer) *cobra.Command {
return cmd return cmd
} }
func NewInit(cfgPath string, cfg *kubeadmapi.MasterConfiguration, skipPreFlight bool) (*Init, error) { func NewInit(cfgPath string, cfg *kubeadmapi.MasterConfiguration, skipPreFlight, skipTokenPrint bool) (*Init, error) {
fmt.Println("[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.") fmt.Println("[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.")
@ -177,11 +182,12 @@ func NewInit(cfgPath string, cfg *kubeadmapi.MasterConfiguration, skipPreFlight
// Try to start the kubelet service in case it's inactive // Try to start the kubelet service in case it's inactive
preflight.TryStartKubelet() preflight.TryStartKubelet()
return &Init{cfg: cfg}, nil return &Init{cfg: cfg, skipTokenPrint: skipTokenPrint}, nil
} }
type Init struct { type Init struct {
cfg *kubeadmapi.MasterConfiguration cfg *kubeadmapi.MasterConfiguration
skipTokenPrint bool
} }
// Validate validates configuration passed to "kubeadm init" // Validate validates configuration passed to "kubeadm init"
@ -232,7 +238,9 @@ func (i *Init) Run(out io.Writer) error {
} }
// PHASE 4: Set up the bootstrap tokens // PHASE 4: Set up the bootstrap tokens
if !i.skipTokenPrint {
fmt.Printf("[token] Using token: %s\n", i.cfg.Token) fmt.Printf("[token] Using token: %s\n", i.cfg.Token)
}
tokenDescription := "The default bootstrap token generated by 'kubeadm init'." tokenDescription := "The default bootstrap token generated by 'kubeadm init'."
if err := tokenphase.UpdateOrCreateToken(client, i.cfg.Token, false, i.cfg.TokenTTL, kubeadmconstants.DefaultTokenUsages, tokenDescription); err != nil { if err := tokenphase.UpdateOrCreateToken(client, i.cfg.Token, false, i.cfg.TokenTTL, kubeadmconstants.DefaultTokenUsages, tokenDescription); err != nil {
@ -267,6 +275,9 @@ func (i *Init) Run(out io.Writer) error {
"MasterIP": i.cfg.API.AdvertiseAddress, "MasterIP": i.cfg.API.AdvertiseAddress,
"MasterPort": strconv.Itoa(int(i.cfg.API.BindPort)), "MasterPort": strconv.Itoa(int(i.cfg.API.BindPort)),
} }
if i.skipTokenPrint {
ctx["Token"] = "<value withheld>"
}
return initDoneTempl.Execute(out, ctx) return initDoneTempl.Execute(out, ctx)
} }
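Review bot: The new `if !i.skipTokenPrint` guard in Run covers only the `[token] Using token:` line and the `Token` entry of the init-done template, while the generated token remains in `i.cfg.Token`, so any other place that echoes the configuration would still defeat the flag; the body of Run starts and ends outside the hunk, so I cannot confirm there is no such path. The new struct field and the flag carry no explanation of that scope, which matters for an option whose whole purpose is keeping a credential out of captured output; I would add `// skipTokenPrint suppresses echoing the bootstrap token on stdout and in the init-done message, for runs whose output is captured in logs.` on the `skipTokenPrint bool` field. As a point of style, the token line is still written with `fmt.Printf` to process stdout while the init-done message goes to the `out` writer Run receives, so a caller that captures `out` to hide the token sees inconsistent behaviour; since the line is being touched anyway, `fmt.Fprintf(out, "[token] Using token: %s\n", i.cfg.Token)` would route both through the same writer.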


@ -648,6 +648,7 @@ since-time
skip-generated-rewrite skip-generated-rewrite
skip-munges skip-munges
skip-preflight-checks skip-preflight-checks
skip-token-print
skip-unsafe skip-unsafe
sort-by sort-by
source-file source-file