From b13d80a59a8c6eaf7f25a74c9687d98242f86dda Mon Sep 17 00:00:00 2001
From: Pengfei Ni
Date: Wed, 15 May 2019 14:24:43 +0800
Subject: [PATCH] Allow Kubelet to run with no Azure identity

useInstanceMetadata should be enabled and Kubelet would use IMDS to get node's information.
---
 .../azure/auth/azure_auth.go | 7 +-
 .../legacy-cloud-providers/azure/azure.go | 75 +++++++++++--------
 .../azure/azure_instances.go | 27 +++++--
 3 files changed, 72 insertions(+), 37 deletions(-)

diff --git a/staging/src/k8s.io/legacy-cloud-providers/azure/auth/azure_auth.go b/staging/src/k8s.io/legacy-cloud-providers/azure/auth/azure_auth.go
index 6a651eb05c0..2e051d47b7b 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/auth/azure_auth.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/auth/azure_auth.go
@@ -28,6 +28,11 @@ import (
 "k8s.io/klog"
 )
 
+var (
+ // ErrorNoAuth indicates that no credentials are provided.
+ ErrorNoAuth = fmt.Errorf("no credentials provided for Azure cloud provider")
+)
+
 // AzureAuthConfig holds auth related part of cloud config
 type AzureAuthConfig struct {
 // The cloud environment identifier. Takes values from https://github.com/Azure/go-autorest/blob/ec5f4903f77ed9927ac95b19ab8e44ada64c1356/autorest/azure/environments.go#L13
@@ -104,7 +109,7 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (
 env.ServiceManagementEndpoint)
 }
 
- return nil, fmt.Errorf("No credentials provided for AAD application %s", config.AADClientID)
+ return nil, ErrorNoAuth
 }
 
 // ParseAzureEnvironment returns azure environment by name
diff --git a/staging/src/k8s.io/legacy-cloud-providers/azure/azure.go b/staging/src/k8s.io/legacy-cloud-providers/azure/azure.go
index 9bdc76d7259..48585179f8f 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/azure.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/azure.go
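Review bot: `ErrorNoAuth` in the new `var` block is created with `fmt.Errorf` although the message has no format verbs, and the name departs from Go's `ErrXxx` convention for sentinel errors; `ErrNoAuth = errors.New("no credentials provided for Azure cloud provider")` (adding the `errors` import if this file lacks it) would read as intended, with the comparison in azure.go renamed to match. The second hunk replaces a message that named `config.AADClientID` with the bare sentinel, which is what makes the `==` comparison in azure.go possible, but the client-id diagnostic is gone. The caller that decides to continue without credentials could log `config.AADClientID` itself if that context is still wanted.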
@@ -248,7 +248,14 @@ func NewCloud(configReader io.Reader) (cloudprovider.Interface, error) {
 }
 
 servicePrincipalToken, err := auth.GetServicePrincipalToken(&config.AzureAuthConfig, env)
- if err != nil {
+ if err == auth.ErrorNoAuth {
+ if !config.UseInstanceMetadata {
+ // No credentials provided, useInstanceMetadata should be enabled.
+ return nil, fmt.Errorf("useInstanceMetadata must be enabled without Azure credentials")
+ }
+
+ klog.V(2).Infof("Azure cloud provider is starting without credentials")
+ } else if err != nil {
 return nil, err
 }
 
@@ -348,6 +355,27 @@ func NewCloud(configReader io.Reader) (cloudprovider.Interface, error) {
 }
 }
 
+ az := Cloud{
+ Config: *config,
+ Environment: *env,
+ nodeZones: map[string]sets.String{},
+ nodeResourceGroups: map[string]string{},
+ unmanagedNodes: sets.NewString(),
+ routeCIDRs: map[string]string{},
+ resourceRequestBackoff: resourceRequestBackoff,
+ }
+ az.metadata, err = NewInstanceMetadataService(metadataURL)
+ if err != nil {
+ return nil, err
+ }
+
+ // No credentials provided, InstanceMetadataService would be used for getting Azure resources.
+ // Note that this only applies to Kubelet, controller-manager should configure credentials for managing Azure resources.
+ if servicePrincipalToken == nil {
+ return &az, nil
+ }
+
+ // Initialize Azure clients.
 azClientConfig := &azClientConfig{
 subscriptionID: config.SubscriptionID,
 resourceManagerEndpoint: env.ResourceManagerEndpoint,
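Review bot: The degraded start is recorded only with `klog.V(2).Infof(...)`, so at default verbosity nothing tells an operator that the cloud provider came up without credentials, and the `Infof` call carries no format arguments. A plain `klog.Info("Azure cloud provider is starting without credentials")` (or `klog.Warning`) makes the state visible in normal logs and drops the unused format call. `NewCloud` begins and ends outside this hunk.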
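Review bot: The early `return &az, nil` hands back a `Cloud` whose `vmSet` and every ARM client are unset, and it also skips everything that follows in `NewCloud`, including the `MaximumLoadBalancerRuleCount` default that is visible as context in the next hunk, so the credential-less object differs from the normal one in more than its clients. Only the three methods patched in azure_instances.go check `az.vmSet != nil`; other `cloudprovider.Interface` methods reached in this mode would presumably dereference a nil client, though their bodies are outside this diff. The comment above the return could state the contract explicitly, e.g. `// IMDS-only mode: vmSet and all ARM clients stay nil; methods must check az.vmSet before using them.`, and the rule-count default could move above the return so both modes share it. `NewCloud` continues outside the hunk.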
@@ -358,36 +386,21 @@ func NewCloud(configReader io.Reader) (cloudprovider.Interface, error) {
 CloudProviderBackoffDuration: config.CloudProviderBackoffDuration,
 ShouldOmitCloudProviderBackoff: config.shouldOmitCloudProviderBackoff(),
 }
- az := Cloud{
- Config: *config,
- Environment: *env,
- nodeZones: map[string]sets.String{},
- nodeResourceGroups: map[string]string{},
- unmanagedNodes: sets.NewString(),
- routeCIDRs: map[string]string{},
- resourceRequestBackoff: resourceRequestBackoff,
-
- DisksClient: newAzDisksClient(azClientConfig),
- SnapshotsClient: newSnapshotsClient(azClientConfig),
- RoutesClient: newAzRoutesClient(azClientConfig),
- SubnetsClient: newAzSubnetsClient(azClientConfig),
- InterfacesClient: newAzInterfacesClient(azClientConfig),
- RouteTablesClient: newAzRouteTablesClient(azClientConfig),
- LoadBalancerClient: newAzLoadBalancersClient(azClientConfig),
- SecurityGroupsClient: newAzSecurityGroupsClient(azClientConfig),
- StorageAccountClient: newAzStorageAccountClient(azClientConfig),
- VirtualMachinesClient: newAzVirtualMachinesClient(azClientConfig),
- PublicIPAddressesClient: newAzPublicIPAddressesClient(azClientConfig),
- VirtualMachineSizesClient: newAzVirtualMachineSizesClient(azClientConfig),
- VirtualMachineScaleSetsClient: newAzVirtualMachineScaleSetsClient(azClientConfig),
- VirtualMachineScaleSetVMsClient: newAzVirtualMachineScaleSetVMsClient(azClientConfig),
- FileClient: &azureFileClient{env: *env},
- }
-
- az.metadata, err = NewInstanceMetadataService(metadataURL)
- if err != nil {
- return nil, err
- }
+ az.DisksClient = newAzDisksClient(azClientConfig)
+ az.SnapshotsClient = newSnapshotsClient(azClientConfig)
+ az.RoutesClient = newAzRoutesClient(azClientConfig)
+ az.SubnetsClient = newAzSubnetsClient(azClientConfig)
+ az.InterfacesClient = newAzInterfacesClient(azClientConfig)
+ az.RouteTablesClient = newAzRouteTablesClient(azClientConfig)
+ az.LoadBalancerClient = newAzLoadBalancersClient(azClientConfig)
+ az.SecurityGroupsClient = newAzSecurityGroupsClient(azClientConfig)
+ az.StorageAccountClient = newAzStorageAccountClient(azClientConfig)
+ az.VirtualMachinesClient = newAzVirtualMachinesClient(azClientConfig)
+ az.PublicIPAddressesClient = newAzPublicIPAddressesClient(azClientConfig)
+ az.VirtualMachineSizesClient = newAzVirtualMachineSizesClient(azClientConfig)
+ az.VirtualMachineScaleSetsClient = newAzVirtualMachineScaleSetsClient(azClientConfig)
+ az.VirtualMachineScaleSetVMsClient = newAzVirtualMachineScaleSetVMsClient(azClientConfig)
+ az.FileClient = &azureFileClient{env: *env}
 
 if az.MaximumLoadBalancerRuleCount == 0 {
 az.MaximumLoadBalancerRuleCount = maximumLoadBalancerRuleCount
diff --git a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_instances.go b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_instances.go
index 07bba979b74..ae6442ddb88 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/azure/azure_instances.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/azure/azure_instances.go
@@ -83,7 +83,12 @@ func (az *Cloud) NodeAddresses(ctx context.Context, name types.NodeName) ([]v1.N
 
 // Not local instance, get addresses from Azure ARM API.
 if !isLocalInstance {
- return addressGetter(name)
+ if az.vmSet != nil {
+ return addressGetter(name)
+ }
+
+ // vmSet == nil indicates credentials are not provided.
+ return nil, fmt.Errorf("no credentials provided for Azure cloud provider")
 }
 
 if len(metadata.Network.Interface) == 0 {
@@ -242,7 +247,12 @@ func (az *Cloud) InstanceID(ctx context.Context, name types.NodeName) (string, e
 
 // Not local instance, get instanceID from Azure ARM API.
 if !isLocalInstance {
- return az.vmSet.GetInstanceIDByNodeName(nodeName)
+ if az.vmSet != nil {
+ return az.vmSet.GetInstanceIDByNodeName(nodeName)
+ }
+
+ // vmSet == nil indicates credentials are not provided.
+ return "", fmt.Errorf("no credentials provided for Azure cloud provider")
 }
 
 // Get resource group name.
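Review bot: The literal `"no credentials provided for Azure cloud provider"` wrapped in `fmt.Errorf` (no format verbs) in `NodeAddresses` is repeated in `InstanceID` (@@ -242) and `InstanceType` (@@ -316), and it duplicates the text of `auth.ErrorNoAuth` from the first file. Returning `auth.ErrorNoAuth` itself, if the `auth` package is imported here, or a single package-level `errors.New` sentinel in this file, keeps the three messages from drifting and lets callers compare the error instead of matching text. The `// vmSet == nil indicates credentials are not provided.` comment is then the only place the convention is stated, so it is worth keeping at each site. Each of the three enclosing methods starts and ends outside its hunk.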
@@ -316,10 +326,17 @@ func (az *Cloud) InstanceType(ctx context.Context, name types.NodeName) (string,
 if err != nil {
 return "", err
 }
- if isLocalInstance {
- if metadata.Compute.VMSize != "" {
- return metadata.Compute.VMSize, nil
+ if !isLocalInstance {
+ if az.vmSet != nil {
+ return az.vmSet.GetInstanceTypeByNodeName(string(name))
 }
+
+ // vmSet == nil indicates credentials are not provided.
+ return "", fmt.Errorf("no credentials provided for Azure cloud provider")
+ }
+
+ if metadata.Compute.VMSize != "" {
+ return metadata.Compute.VMSize, nil
 }
 }