Merge pull request #17848 from sdminonne/libvirt_service_account

Auto commit by PR queue bot

cluster/libvirt-coreos/user_data_master.yml

@@ -14,6 +14,9 @@ coreos:
 
         [Service]
         ExecStart=/opt/kubernetes/bin/kube-apiserver \
+        --service-account-key-file=/opt/kubernetes/certs/kube-serviceaccount.key \
+        --service-account-lookup=${SERVICE_ACCOUNT_LOOKUP} \
+        --admission-control=${ADMISSION_CONTROL} \
         --insecure-bind-address=0.0.0.0 \
         --insecure-port=8080 \
         --etcd-servers=http://127.0.0.1:2379 \
@@ -36,7 +39,8 @@ coreos:
 
         [Service]
         ExecStart=/opt/kubernetes/bin/kube-controller-manager \
-        --master=127.0.0.1:8080
+        --master=127.0.0.1:8080 \
+        --service-account-private-key-file=/opt/kubernetes/certs/kube-serviceaccount.key \
         Restart=always
         RestartSec=2
 

cluster/libvirt-coreos/util.sh

@@ -22,7 +22,8 @@ source "$ROOT/${KUBE_CONFIG_FILE:-"config-default.sh"}"
 source "$KUBE_ROOT/cluster/common.sh"
 
 export LIBVIRT_DEFAULT_URI=qemu:///system
-
+export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
+export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota}
 readonly POOL=kubernetes
 readonly POOL_PATH="$(cd $ROOT && pwd)/libvirt_storage_pool"
 
@@ -51,6 +52,19 @@ function detect-nodes {
   KUBE_NODE_IP_ADDRESSES=("${NODE_IPS[@]}")
 }
 
+function set_service_accounts {
+    SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-"/tmp/kube-serviceaccount.key"}
+    # Generate ServiceAccount key if needed
+    if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then
+      mkdir -p "$(dirname ${SERVICE_ACCOUNT_KEY})"
+      openssl genrsa -out "${SERVICE_ACCOUNT_KEY}" 2048 2>/dev/null
+    fi
+
+    mkdir -p  "$POOL_PATH/kubernetes/certs"
+    cp "${SERVICE_ACCOUNT_KEY}" "$POOL_PATH/kubernetes/certs"
+}
+
+
 # Verify prereqs on host machine
 function verify-prereqs {
   if ! which virsh >/dev/null; then
@@ -185,6 +199,7 @@ function kube-up {
   detect-nodes
   load-or-gen-kube-bearertoken
   initialize-pool keep_base_image
+  set_service_accounts
   initialize-network
 
   readonly ssh_keys="$(cat ~/.ssh/id_*.pub | sed 's/^/  - /')"

docs/getting-started-guides/libvirt-coreos.md

@@ -83,11 +83,12 @@ On the other hand, `libvirt-coreos` might be useful for people investigating low
 2. Install [ebtables](http://ebtables.netfilter.org/)
 3. Install [qemu](http://wiki.qemu.org/Main_Page)
 4. Install [libvirt](http://libvirt.org/)
-5. Enable and start the libvirt daemon, e.g:
+5. Install [openssl](http://openssl.org/)
+6. Enable and start the libvirt daemon, e.g:
    * ``systemctl enable libvirtd``
    * ``systemctl start libvirtd``
-6. [Grant libvirt access to your user¹](https://libvirt.org/aclpolkit.html)
+7. [Grant libvirt access to your user¹](https://libvirt.org/aclpolkit.html)
-7. Check that your $HOME is accessible to the qemu user²
+8. Check that your $HOME is accessible to the qemu user²
 
 #### ¹ Depending on your distribution, libvirt access may be denied by default or may require a password at each access.