Place a different token for every node/daemon combination

We can now revoke one token at a time!
2025-08-09 12:07:47 +00:00 · 2015-06-25 18:35:41 -04:00 · 2015-06-25 18:35:41 -04:00 · c6f2841839
commit c6f2841839
parent bb179b6a4c
5 changed files with 20 additions and 26 deletions
--- a/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
@ -18,12 +18,12 @@
    - restart daemons

 - name: Generate tokens for node components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item }}"
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_items:
-    - "system:kubelet"
-    - "system:proxy"
+  with_nested:
+    - [ 'system:kubelet', 'system:proxy' ]
+    - "{{ groups['nodes'] }}"
  register: gentoken
  changed_when: "'Added' in gentoken.stdout"
  notify:
--- a/contrib/ansible/roles/kubernetes/tasks/place_secrets.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/place_secrets.yml
@ -23,16 +23,6 @@
    - restart daemons
  when: inventory_hostname in groups['masters']

- name: Copy node tokens to the nodes
-  synchronize: src={{ kube_token_dir }}/{{ item }} dest={{ kube_token_dir }}/{{ item }}
-  delegate_to: "{{ groups['masters'][0] }}"
-  with_items:
-    - "system:kubelet.token"
-    - "system:proxy.token"
-  notify:
-    - restart daemons
-  when: inventory_hostname in groups['nodes']
-
 - name: remove ssh public key so apiserver can not push stuff
  authorized_key: user=root key="{{ item }}" state=absent
  with_file:
--- a/contrib/ansible/roles/node/tasks/main.yml
+++ b/contrib/ansible/roles/node/tasks/main.yml
@ -14,16 +14,25 @@
 - include: centos.yml
  when: not is_atomic and ansible_distribution == "CentOS"

+- name: Get the node token values
+  slurp:
+    src: "{{ kube_token_dir }}/{{ item }}-{{ inventory_hostname }}.token"
+  with_items:
+    - "system:kubelet"
+    - "system:proxy"
+  register: tokens
+  delegate_to: "{{ groups['masters'][0] }}"
+
+- name: Set token facts
+  set_fact:
+    kubelet_token: "{{ tokens.results[0].content|b64decode }}"
+    proxy_token: "{{ tokens.results[1].content|b64decode }}"
+
 - name: write the config files for kubelet
  template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet
  notify:
    - restart kubelet

- name: Get the kubelet token value
-  slurp:
-    src: "{{ kube_token_dir }}/system:kubelet.token"
-  register: kubelet_token
-
 - name: write the kubecfg (auth) file for kubelet
  template: src=kubelet.kubeconfig.j2 dest={{ kube_config_dir }}/kubelet.kubeconfig
  notify:
@ -37,11 +46,6 @@
  notify:
    - restart proxy

- name: Get the proxy token value
-  slurp:
-    src: "{{ kube_token_dir }}/system:proxy.token"
-  register: proxy_token
-
 - name: write the kubecfg (auth) file for kube-proxy
  template: src=proxy.kubeconfig.j2 dest={{ kube_config_dir }}/proxy.kubeconfig
  notify:
--- a/contrib/ansible/roles/node/templates/kubelet.kubeconfig.j2
+++ b/contrib/ansible/roles/node/templates/kubelet.kubeconfig.j2
@ -15,4 +15,4 @@ contexts:
 users:
 - name: kubelet
  user:
-    token: {{ kubelet_token.content|b64decode }}
+    token: {{ kubelet_token }}
--- a/contrib/ansible/roles/node/templates/proxy.kubeconfig.j2
+++ b/contrib/ansible/roles/node/templates/proxy.kubeconfig.j2
@ -15,4 +15,4 @@ clusters:
 users:
 - name: proxy
  user:
-    token: {{ proxy_token.content|b64decode }}
+    token: {{ proxy_token }}