Merge pull request #40893 from mikedanese/kubelet-auth

Automatic merge from submit-queue (batch tested with PRs 40175, 41107, 41111, 40893, 40919)

remove second CA used for kubelet auth in favor of webhook auth

Partially fixes the upgrade test.
Kubernetes Submit Queue 2017-02-08 01:47:43 -08:00 committed by GitHub
commit bdfa947a18
9 changed files with 61 additions and 50 deletions


@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: apiserver-node-proxy
labels:
kubernetes.io/cluster-service: "true"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: node-proxy
subjects:
- apiVersion: rbac/v1beta1
kind: User
name: kube-apiserver
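Review bot: The subject entry at the `- apiVersion: rbac/v1beta1` line uses a field the v1beta1 `Subject` type does not have; v1beta1 subjects carry `apiGroup`, so it should read `- apiGroup: rbac.authorization.k8s.io` (the unknown field is most likely dropped on decode rather than rejected, so the binding still works, but the line documents nothing). Because this binding hands the apiserver's client identity the `node-proxy` role, which covers the kubelet exec/attach/proxy endpoints as well as log and stats reads, a header comment stating why it exists would help the next reader: `# Lets the kube-apiserver client cert pass the kubelet's webhook authorizer once kubelets run with --anonymous-auth=false --authorization-mode=Webhook.` The user name `kube-apiserver` must match the CN of the client certificate issued in cluster/gce/util.sh; a comment pointing at that coupling would keep a rename on one side from silently breaking the other.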


@ -0,0 +1,23 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: node-proxy
labels:
kubernetes.io/cluster-service: "true"
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
verbs:
- create
- get
- apiGroups:
- ""
resources:
- nodes/log
- nodes/stats
- nodes/metrics
- nodes/spec
verbs:
- get
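Review bot: `nodes/proxy` with `create` and `get` is effectively full access to the kubelet API (exec, attach, port-forward and proxied requests all map onto it), which is not obvious from the rule alone; a comment above the first rule saying that this role is meant only for the apiserver identity and why `create` is needed would stop it from being reused for read-only consumers, e.g. `# nodes/proxy create+get covers exec/attach/portforward and proxied kubelet requests; bind only to the apiserver identity.` The second rule (`nodes/log`, `nodes/stats`, `nodes/metrics`, `nodes/spec`, `get` only) is the read-only subset a monitoring consumer would need and could be split into its own role if such a consumer ever appears.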


@ -585,7 +585,6 @@ function build-kube-master-certs {
cat >$file <<EOF cat >$file <<EOF
KUBEAPISERVER_CERT: $(yaml-quote ${KUBEAPISERVER_CERT_BASE64:-}) KUBEAPISERVER_CERT: $(yaml-quote ${KUBEAPISERVER_CERT_BASE64:-})
KUBEAPISERVER_KEY: $(yaml-quote ${KUBEAPISERVER_KEY_BASE64:-}) KUBEAPISERVER_KEY: $(yaml-quote ${KUBEAPISERVER_KEY_BASE64:-})
KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
CA_KEY: $(yaml-quote ${CA_KEY_BASE64:-}) CA_KEY: $(yaml-quote ${CA_KEY_BASE64:-})
EOF EOF
} }
@ -802,7 +801,6 @@ EOF
KUBERNETES_MASTER: $(yaml-quote "false") KUBERNETES_MASTER: $(yaml-quote "false")
ZONE: $(yaml-quote ${ZONE}) ZONE: $(yaml-quote ${ZONE})
EXTRA_DOCKER_OPTS: $(yaml-quote ${EXTRA_DOCKER_OPTS:-}) EXTRA_DOCKER_OPTS: $(yaml-quote ${EXTRA_DOCKER_OPTS:-})
KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
EOF EOF
if [ -n "${KUBEPROXY_TEST_ARGS:-}" ]; then if [ -n "${KUBEPROXY_TEST_ARGS:-}" ]; then
cat >>$file <<EOF cat >>$file <<EOF
@ -970,9 +968,8 @@ function create-certs {
KUBELET_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubelet.key" | base64 | tr -d '\r\n') KUBELET_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubelet.key" | base64 | tr -d '\r\n')
KUBECFG_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubecfg.crt" | base64 | tr -d '\r\n') KUBECFG_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubecfg.crt" | base64 | tr -d '\r\n')
KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n') KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n')
KUBELET_AUTH_CA_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/ca.crt" | base64 | tr -d '\r\n') KUBEAPISERVER_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kube-apiserver.crt" | base64 | tr -d '\r\n')
KUBEAPISERVER_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/issued/kube-apiserver.crt" | base64 | tr -d '\r\n') KUBEAPISERVER_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kube-apiserver.key" | base64 | tr -d '\r\n')
KUBEAPISERVER_KEY_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/private/kube-apiserver.key" | base64 | tr -d '\r\n')
} }
# Runs the easy RSA commands to generate certificate files. # Runs the easy RSA commands to generate certificate files.
@ -999,6 +996,7 @@ function generate-certs {
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key # this puts the cert into pki/ca.crt and the key into pki/private/ca.key
./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass ./easyrsa --batch "--req-cn=${PRIMARY_CN}@$(date +%s)" build-ca nopass
./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass ./easyrsa --subject-alt-name="${SANS}" build-server-full "${MASTER_NAME}" nopass
./easyrsa build-client-full kube-apiserver nopass
download-cfssl download-cfssl
@ -1014,12 +1012,7 @@ function generate-certs {
./easyrsa --dn-mode=org \ ./easyrsa --dn-mode=org \
--req-cn=kubecfg --req-org=system:masters \ --req-cn=kubecfg --req-org=system:masters \
--req-c= --req-st= --req-city= --req-email= --req-ou= \ --req-c= --req-st= --req-city= --req-email= --req-ou= \
build-client-full kubecfg nopass build-client-full kubecfg nopass) &>${cert_create_debug_output} || {
cd ../kubelet
./easyrsa init-pki
./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass
./easyrsa build-client-full kube-apiserver nopass) &>${cert_create_debug_output} || {
# If there was an error in the subshell, just die. # If there was an error in the subshell, just die.
# TODO(roberthbailey): add better error handling here # TODO(roberthbailey): add better error handling here
cat "${cert_create_debug_output}" >&2 cat "${cert_create_debug_output}" >&2
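Review bot: With the kubelet-auth CA gone, the kube-apiserver client certificate added by `./easyrsa build-client-full kube-apiserver nopass` in the `generate-certs` hunk is issued by the cluster CA, the same CA the kubelet now trusts through `--client-ca-file`, so every client certificate from that CA (kubecfg, the kubelet's own cert, the apiserver cert) now authenticates to the kubelet and only the webhook authorizer decides what it may do. That trade is the point of the PR but it is not written down near the cert generation; a comment on the new `build-client-full kube-apiserver` line such as `# client cert the apiserver presents to kubelets; trusted via the cluster CA, so authorization is left entirely to the kubelet's SubjectAccessReview webhook` would keep a later cleanup from dropping `--authorization-mode=Webhook` on its own. The `|| {` error handler in the last hunk continues past the end of the hunk.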


@ -630,11 +630,6 @@ EOF
if [ -n "${SCHEDULING_ALGORITHM_PROVIDER:-}" ]; then if [ -n "${SCHEDULING_ALGORITHM_PROVIDER:-}" ]; then
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
scheduling_algorithm_provider: '$(echo "${SCHEDULING_ALGORITHM_PROVIDER}" | sed -e "s/'/''/g")' scheduling_algorithm_provider: '$(echo "${SCHEDULING_ALGORITHM_PROVIDER}" | sed -e "s/'/''/g")'
EOF
fi
if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
kubelet_auth_ca_cert: /var/lib/kubelet/kubelet_auth_ca.crt
EOF EOF
fi fi
} }
@ -755,11 +750,9 @@ current-context: service-account-context
EOF EOF
) )
fi fi
local -r kubelet_auth_ca_file="/srv/salt-overlay/salt/kubelet/kubelet_auth_ca.crt" local -r client_ca_file="/srv/salt-overlay/salt/kubelet/ca.crt"
if [ ! -e "${kubelet_auth_ca_file}" ] && [[ ! -z "${KUBELET_AUTH_CA_CERT:-}" ]]; then (umask 077;
(umask 077; echo "${KUBELET_CA_CERT}" | base64 --decode > "${client_ca_file}")
echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "${kubelet_auth_ca_file}")
fi
} }
# This should happen both on cluster initialization and node upgrades. # This should happen both on cluster initialization and node upgrades.
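Review bot: The new `echo "${KUBELET_CA_CERT}" | base64 --decode > "${client_ca_file}"` write drops the non-empty guard the removed `kubelet_auth_ca_file` block had, and the GCI helper in this same PR documents the kubelet CA as `KUBELET_CA_CERT (falling back to CA_CERT)`; if this script runs against an env where only `CA_CERT` is set, it writes an empty `ca.crt`, the salt state then installs that as the kubelet's client-CA bundle, and the kubelet most likely either fails to start or trusts nobody, so every apiserver→kubelet call fails. I would mirror the fallback and refuse to write an empty file: `local -r kubelet_ca="${KUBELET_CA_CERT:-${CA_CERT:-}}"`, `[[ -n "${kubelet_ca}" ]] || { echo "no kubelet client CA (KUBELET_CA_CERT/CA_CERT) in env" >&2; exit 1; }`, then decode `"${kubelet_ca}"` into `client_ca_file` inside the existing `umask 077` subshell. The same unguarded write appears at the `echo "${KUBELET_CA_CERT}" | base64 -d > /var/lib/kubelet/ca.crt` line of the GCI configure-helper section below. Whether `set -u` is active in this script is not visible from the hunk; if it is, an unset `KUBELET_CA_CERT` aborts here with no message, which is the other half of the same gap.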


@ -369,12 +369,7 @@ contexts:
name: service-account-context name: service-account-context
current-context: service-account-context current-context: service-account-context
EOF EOF
} echo "${KUBELET_CA_CERT}" | base64 -d > /var/lib/kubelet/ca.crt
function create-kubelet-auth-ca {
if [[ -n "${KUBELET_AUTH_CA_CERT:-}" ]]; then
echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "/var/lib/kubelet/kubelet_auth_ca.crt"
fi
} }
# Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY # Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY
@ -388,7 +383,6 @@ function create-master-kubelet-auth {
REGISTER_MASTER_KUBELET="true" REGISTER_MASTER_KUBELET="true"
create-kubelet-kubeconfig create-kubelet-kubeconfig
fi fi
} }
function create-kubeproxy-kubeconfig { function create-kubeproxy-kubeconfig {
@ -582,9 +576,7 @@ function start-kubelet {
[[ "${HAIRPIN_MODE:-}" == "none" ]]; then [[ "${HAIRPIN_MODE:-}" == "none" ]]; then
flags+=" --hairpin-mode=${HAIRPIN_MODE}" flags+=" --hairpin-mode=${HAIRPIN_MODE}"
fi fi
if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then flags+=" --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt"
flags+=" --anonymous-auth=false --client-ca-file=/var/lib/kubelet/kubelet_auth_ca.crt"
fi
fi fi
# Network plugin # Network plugin
if [[ -n "${NETWORK_PROVIDER:-}" ]]; then if [[ -n "${NETWORK_PROVIDER:-}" ]]; then
@ -829,8 +821,10 @@ function start-kube-apiserver {
params+=" --secure-port=443" params+=" --secure-port=443"
params+=" --tls-cert-file=/etc/srv/kubernetes/server.cert" params+=" --tls-cert-file=/etc/srv/kubernetes/server.cert"
params+=" --tls-private-key-file=/etc/srv/kubernetes/server.key" params+=" --tls-private-key-file=/etc/srv/kubernetes/server.key"
params+=" --kubelet-client-certificate=/etc/srv/kubernetes/kubeapiserver.cert" if [[ -e /etc/srv/kubernetes/kubeapiserver.cert ]] && [[ -e /etc/srv/kubernetes/kubeapiserver.key ]]; then
params+=" --kubelet-client-key=/etc/srv/kubernetes/kubeapiserver.key" params+=" --kubelet-client-certificate=/etc/srv/kubernetes/kubeapiserver.cert"
params+=" --kubelet-client-key=/etc/srv/kubernetes/kubeapiserver.key"
fi
params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv" params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv"
if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv" params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv"
@ -1099,9 +1093,13 @@ function start-kube-addons {
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty" local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
local -r dst_dir="/etc/kubernetes/addons" local -r dst_dir="/etc/kubernetes/addons"
# TODO(mikedanese): only enable these in e2e
# prep the additional bindings that are particular to e2e users and groups # prep the additional bindings that are particular to e2e users and groups
setup-addon-manifests "addons" "e2e-rbac-bindings" setup-addon-manifests "addons" "e2e-rbac-bindings"
# prep addition kube-up specific rbac objects
setup-addon-manifests "addons" "rbac"
# Set up manifests of other addons. # Set up manifests of other addons.
if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \ if [[ "${ENABLE_CLUSTER_MONITORING:-}" == "influxdb" ]] || \
[[ "${ENABLE_CLUSTER_MONITORING:-}" == "google" ]] || \ [[ "${ENABLE_CLUSTER_MONITORING:-}" == "google" ]] || \
@ -1345,7 +1343,6 @@ if [[ "${KUBERNETES_MASTER:-}" == "true" ]]; then
create-master-etcd-auth create-master-etcd-auth
else else
create-kubelet-kubeconfig create-kubelet-kubeconfig
create-kubelet-auth-ca
create-kubeproxy-kubeconfig create-kubeproxy-kubeconfig
fi fi
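Review bot: The `if [[ -e /etc/srv/kubernetes/kubeapiserver.cert ]] && [[ -e /etc/srv/kubernetes/kubeapiserver.key ]]` guard in `start-kube-apiserver` makes the kubelet client credentials optional with no diagnostic, while the `start-kubelet` hunk makes kubelets reject unauthenticated callers unconditionally (`--anonymous-auth=false --authorization-mode=Webhook`); an apiserver that comes up without those files will see every logs/exec/port-forward call to kubelets fail with 401 and nothing in its startup output points at the cause. Add an else branch, `else`, `echo "kubeapiserver.cert/key not found: apiserver cannot authenticate to kubelets" >&2`, `fi` — a warning rather than an exit, since the guard is presumably there for upgraded masters whose kube-env predates the cert. The `start-kube-apiserver` and `start-kubelet` functions both start and end outside their hunks.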


@ -233,9 +233,6 @@ function prepare-node-upgrade() {
KUBELET_CERT_BASE64=$(get-env-val "${node_env}" "KUBELET_CERT") KUBELET_CERT_BASE64=$(get-env-val "${node_env}" "KUBELET_CERT")
KUBELET_KEY_BASE64=$(get-env-val "${node_env}" "KUBELET_KEY") KUBELET_KEY_BASE64=$(get-env-val "${node_env}" "KUBELET_KEY")
local master_env=$(get-master-env)
KUBELET_AUTH_CA_CERT_BASE64=$(get-env-val "${master_env}" "KUBELET_AUTH_CA_CERT")
# TODO(zmerlynn): How do we ensure kube-env is written in a ${version}- # TODO(zmerlynn): How do we ensure kube-env is written in a ${version}-
# compatible way? # compatible way?
write-node-env write-node-env


@ -188,10 +188,7 @@
{% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %} {% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %}
{% endif -%} {% endif -%}
{% set kubelet_auth_ca_cert = "" %} {% set kubelet_auth = "--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt" %}
{% if pillar['kubelet_auth_ca_cert'] is defined -%}
{% set kubelet_auth_ca_cert="--anonymous-auth=false --client-ca-file=" + pillar['kubelet_auth_ca_cert'] %}
{% endif -%}
# test_args has to be kept at the end, so they'll overwrite any prior configuration # test_args has to be kept at the end, so they'll overwrite any prior configuration
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth_ca_cert}} {{feature_gates}} {{test_args}}" DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth}} {{feature_gates}} {{test_args}}"
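Review bot: The `{% set kubelet_auth = "--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/var/lib/kubelet/ca.crt" %}` line applies delegated authorization to every kubelet rendered from this template, not only GCE ones, and Webhook mode only works when the identity in the kubelet's kubeconfig is allowed to create `subjectaccessreviews` against the apiserver; if it is not, the check fails closed and the apiserver gets 403 from kubelets despite the new `node-proxy` binding. A short comment above the `set`, in the file's existing `#` style, recording that dependency would save the next debugging session: `# Webhook authz: the kubelet posts SubjectAccessReviews with its kubeconfig identity, which must be allowed to create them; ca.crt must be the CA that issued the apiserver's kubelet-client cert`. The `/var/lib/kubelet/ca.crt` path is repeated here and three more times in the kubelet `init.sls` section; one jinja variable or pillar value would keep them from drifting.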


@ -31,15 +31,13 @@
- mode: 400 - mode: 400
- makedirs: true - makedirs: true
{% if pillar['kubelet_auth_ca_cert'] is defined %} /var/lib/kubelet/ca.crt:
/var/lib/kubelet/kubelet_auth_ca.crt:
file.managed: file.managed:
- source: salt://kubelet/kubelet_auth_ca.crt - source: salt://kubelet/ca.crt
- user: root - user: root
- group: root - group: root
- mode: 400 - mode: 400
- makedirs: true - makedirs: true
{% endif %}
{% if pillar.get('is_systemd') %} {% if pillar.get('is_systemd') %}
@ -61,7 +59,7 @@ fix-service-kubelet:
- file: {{ pillar.get('systemd_system_path') }}/kubelet.service - file: {{ pillar.get('systemd_system_path') }}/kubelet.service
- file: {{ environment_file }} - file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig - file: /var/lib/kubelet/kubeconfig
- file: /var/lib/kubelet/kubelet_auth_ca.crt - file: /var/lib/kubelet/ca.crt
{% else %} {% else %}
@ -89,9 +87,7 @@ kubelet:
{% endif %} {% endif %}
- file: {{ environment_file }} - file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig - file: /var/lib/kubelet/kubeconfig
{% if pillar['kubelet_auth_ca_cert'] is defined %} - file: /var/lib/kubelet/ca.crt
- file: /var/lib/kubelet/kubelet_auth_ca.crt
{% endif %}
{% if pillar.get('is_systemd') %} {% if pillar.get('is_systemd') %}
- provider: - provider:
- service: systemd - service: systemd


@ -14,6 +14,7 @@ cluster/gce/configure-vm.sh: cloud_config: ${CLOUD_CONFIG}
cluster/gce/configure-vm.sh: env-to-grains "feature_gates" cluster/gce/configure-vm.sh: env-to-grains "feature_gates"
cluster/gce/configure-vm.sh: env-to-grains "runtime_config" cluster/gce/configure-vm.sh: env-to-grains "runtime_config"
cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}' cluster/gce/configure-vm.sh: kubelet_api_servers: '${KUBELET_APISERVER}'
cluster/gce/configure-vm.sh: local -r client_ca_file="/srv/salt-overlay/salt/kubelet/ca.crt"
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC" cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",ABAC"
cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook" cluster/gce/container-linux/configure-helper.sh: authorization_mode+=",Webhook"
cluster/gce/container-linux/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}" cluster/gce/container-linux/configure-helper.sh: local api_servers="--master=https://${KUBERNETES_MASTER_NAME}"