Allow Kubelet to run with no Azure identity

useInstanceMetadata should be enabled and Kubelet would use IMDS to get node's information.
2025-07-22 03:11:40 +00:00 · 2019-05-15 14:24:43 +08:00 · 2019-05-15 14:24:43 +08:00 · b13d80a59a
commit b13d80a59a
parent b066e0d783
3 changed files with 72 additions and 37 deletions
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/auth/azure_auth.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/auth/azure_auth.go
@ -28,6 +28,11 @@ import (
 	"k8s.io/klog"
 )

+var (
+	// ErrorNoAuth indicates that no credentials are provided.
+	ErrorNoAuth = fmt.Errorf("no credentials provided for Azure cloud provider")
+)
+
 // AzureAuthConfig holds auth related part of cloud config
 type AzureAuthConfig struct {
 	// The cloud environment identifier. Takes values from https://github.com/Azure/go-autorest/blob/ec5f4903f77ed9927ac95b19ab8e44ada64c1356/autorest/azure/environments.go#L13
@ -104,7 +109,7 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (
 			env.ServiceManagementEndpoint)
 	}

-	return nil, fmt.Errorf("No credentials provided for AAD application %s", config.AADClientID)
+	return nil, ErrorNoAuth
 }

 // ParseAzureEnvironment returns azure environment by name
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/azure.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/azure.go
@ -248,7 +248,14 @@ func NewCloud(configReader io.Reader) (cloudprovider.Interface, error) {
 	}

 	servicePrincipalToken, err := auth.GetServicePrincipalToken(&config.AzureAuthConfig, env)
-	if err != nil {
+	if err == auth.ErrorNoAuth {
+		if !config.UseInstanceMetadata {
+			// No credentials provided, useInstanceMetadata should be enabled.
+			return nil, fmt.Errorf("useInstanceMetadata must be enabled without Azure credentials")
+		}
+
+		klog.V(2).Infof("Azure cloud provider is starting without credentials")
+	} else if err != nil {
 		return nil, err
 	}

@ -348,6 +355,27 @@ func NewCloud(configReader io.Reader) (cloudprovider.Interface, error) {
 		}
 	}

+	az := Cloud{
+		Config:                 *config,
+		Environment:            *env,
+		nodeZones:              map[string]sets.String{},
+		nodeResourceGroups:     map[string]string{},
+		unmanagedNodes:         sets.NewString(),
+		routeCIDRs:             map[string]string{},
+		resourceRequestBackoff: resourceRequestBackoff,
+	}
+	az.metadata, err = NewInstanceMetadataService(metadataURL)
+	if err != nil {
+		return nil, err
+	}
+
+	// No credentials provided, InstanceMetadataService would be used for getting Azure resources.
+	// Note that this only applies to Kubelet, controller-manager should configure credentials for managing Azure resources.
+	if servicePrincipalToken == nil {
+		return &az, nil
+	}
+
+	// Initialize Azure clients.
 	azClientConfig := &azClientConfig{
 		subscriptionID:                 config.SubscriptionID,
 		resourceManagerEndpoint:        env.ResourceManagerEndpoint,
@ -358,36 +386,21 @@ func NewCloud(configReader io.Reader) (cloudprovider.Interface, error) {
 		CloudProviderBackoffDuration:   config.CloudProviderBackoffDuration,
 		ShouldOmitCloudProviderBackoff: config.shouldOmitCloudProviderBackoff(),
 	}
-	az := Cloud{
-		Config:                 *config,
-		Environment:            *env,
-		nodeZones:              map[string]sets.String{},
-		nodeResourceGroups:     map[string]string{},
-		unmanagedNodes:         sets.NewString(),
-		routeCIDRs:             map[string]string{},
-		resourceRequestBackoff: resourceRequestBackoff,
-
-		DisksClient:                     newAzDisksClient(azClientConfig),
-		SnapshotsClient:                 newSnapshotsClient(azClientConfig),
-		RoutesClient:                    newAzRoutesClient(azClientConfig),
-		SubnetsClient:                   newAzSubnetsClient(azClientConfig),
-		InterfacesClient:                newAzInterfacesClient(azClientConfig),
-		RouteTablesClient:               newAzRouteTablesClient(azClientConfig),
-		LoadBalancerClient:              newAzLoadBalancersClient(azClientConfig),
-		SecurityGroupsClient:            newAzSecurityGroupsClient(azClientConfig),
-		StorageAccountClient:            newAzStorageAccountClient(azClientConfig),
-		VirtualMachinesClient:           newAzVirtualMachinesClient(azClientConfig),
-		PublicIPAddressesClient:         newAzPublicIPAddressesClient(azClientConfig),
-		VirtualMachineSizesClient:       newAzVirtualMachineSizesClient(azClientConfig),
-		VirtualMachineScaleSetsClient:   newAzVirtualMachineScaleSetsClient(azClientConfig),
-		VirtualMachineScaleSetVMsClient: newAzVirtualMachineScaleSetVMsClient(azClientConfig),
-		FileClient:                      &azureFileClient{env: *env},
-	}
-
-	az.metadata, err = NewInstanceMetadataService(metadataURL)
-	if err != nil {
-		return nil, err
-	}
+	az.DisksClient = newAzDisksClient(azClientConfig)
+	az.SnapshotsClient = newSnapshotsClient(azClientConfig)
+	az.RoutesClient = newAzRoutesClient(azClientConfig)
+	az.SubnetsClient = newAzSubnetsClient(azClientConfig)
+	az.InterfacesClient = newAzInterfacesClient(azClientConfig)
+	az.RouteTablesClient = newAzRouteTablesClient(azClientConfig)
+	az.LoadBalancerClient = newAzLoadBalancersClient(azClientConfig)
+	az.SecurityGroupsClient = newAzSecurityGroupsClient(azClientConfig)
+	az.StorageAccountClient = newAzStorageAccountClient(azClientConfig)
+	az.VirtualMachinesClient = newAzVirtualMachinesClient(azClientConfig)
+	az.PublicIPAddressesClient = newAzPublicIPAddressesClient(azClientConfig)
+	az.VirtualMachineSizesClient = newAzVirtualMachineSizesClient(azClientConfig)
+	az.VirtualMachineScaleSetsClient = newAzVirtualMachineScaleSetsClient(azClientConfig)
+	az.VirtualMachineScaleSetVMsClient = newAzVirtualMachineScaleSetVMsClient(azClientConfig)
+	az.FileClient = &azureFileClient{env: *env}

 	if az.MaximumLoadBalancerRuleCount == 0 {
 		az.MaximumLoadBalancerRuleCount = maximumLoadBalancerRuleCount
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_instances.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_instances.go
@ -83,7 +83,12 @@ func (az *Cloud) NodeAddresses(ctx context.Context, name types.NodeName) ([]v1.N

 		// Not local instance, get addresses from Azure ARM API.
 		if !isLocalInstance {
-			return addressGetter(name)
+			if az.vmSet != nil {
+				return addressGetter(name)
+			}
+
+			// vmSet == nil indicates credentials are not provided.
+			return nil, fmt.Errorf("no credentials provided for Azure cloud provider")
 		}

 		if len(metadata.Network.Interface) == 0 {
@ -242,7 +247,12 @@ func (az *Cloud) InstanceID(ctx context.Context, name types.NodeName) (string, e

 		// Not local instance, get instanceID from Azure ARM API.
 		if !isLocalInstance {
-			return az.vmSet.GetInstanceIDByNodeName(nodeName)
+			if az.vmSet != nil {
+				return az.vmSet.GetInstanceIDByNodeName(nodeName)
+			}
+
+			// vmSet == nil indicates credentials are not provided.
+			return "", fmt.Errorf("no credentials provided for Azure cloud provider")
 		}

 		// Get resource group name.
@ -316,10 +326,17 @@ func (az *Cloud) InstanceType(ctx context.Context, name types.NodeName) (string,
 		if err != nil {
 			return "", err
 		}
-		if isLocalInstance {
-			if metadata.Compute.VMSize != "" {
-				return metadata.Compute.VMSize, nil
+		if !isLocalInstance {
+			if az.vmSet != nil {
+				return az.vmSet.GetInstanceTypeByNodeName(string(name))
 			}
+
+			// vmSet == nil indicates credentials are not provided.
+			return "", fmt.Errorf("no credentials provided for Azure cloud provider")
+		}
+
+		if metadata.Compute.VMSize != "" {
+			return metadata.Compute.VMSize, nil
 		}
 	}