kubeadm: fix a bug where the kubelet cert rotation was turned off

A recent commit added warnings for KubeletConfiguration and KubeProxyConfiguration fields that kubeadm cares about and does not recommend the user modifying them. Kubelet's "rotateCertificates" cannot be handled using this function as there is not way to figure out if the user has set it explicitly to "false". Hardcode the value to "true" and add a comment about that. Also apply the following changes to warnDefaultComponentConfigValue() calls: - use a local "kind" variable that defines the Kind we are warning about. - fix wrong paths to fields.
2025-08-02 16:29:21 +00:00 · 2019-08-29 01:28:26 +03:00 · 2019-08-29 01:28:26 +03:00 · c9b11980ff
commit c9b11980ff
parent 8b4fd4104d
1 changed files with 19 additions and 16 deletions
--- a/cmd/kubeadm/app/componentconfigs/defaults.go
+++ b/cmd/kubeadm/app/componentconfigs/defaults.go
@ -17,9 +17,10 @@ limitations under the License.
 package componentconfigs
 import (
 	"k8s.io/klog"
 	"path/filepath"
 	"k8s.io/klog"
 	kubeproxyconfigv1alpha1 "k8s.io/kube-proxy/config/v1alpha1"
 	kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1"
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
@ -58,6 +59,7 @@ const (
 // DefaultKubeProxyConfiguration assigns default values for the kube-proxy ComponentConfig
 func DefaultKubeProxyConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 	externalproxycfg := &kubeproxyconfigv1alpha1.KubeProxyConfiguration{}
 	kind := "KubeProxyConfiguration"
 	// Do a roundtrip to the external version for defaulting
 	if internalcfg.ComponentConfigs.KubeProxy != nil {
@ -67,13 +69,13 @@ func DefaultKubeProxyConfiguration(internalcfg *kubeadmapi.ClusterConfiguration)
 	if externalproxycfg.ClusterCIDR == "" && internalcfg.Networking.PodSubnet != "" {
 		externalproxycfg.ClusterCIDR = internalcfg.Networking.PodSubnet
 	} else if internalcfg.Networking.PodSubnet != "" && externalproxycfg.ClusterCIDR != internalcfg.Networking.PodSubnet {
-		warnDefaultComponentConfigValue(externalproxycfg.Kind, "cluster-cidr", internalcfg.Networking.PodSubnet, externalproxycfg.ClusterCIDR)
+		warnDefaultComponentConfigValue(kind, "clusterCIDR", internalcfg.Networking.PodSubnet, externalproxycfg.ClusterCIDR)
 	}
 	if externalproxycfg.ClientConnection.Kubeconfig == "" {
 		externalproxycfg.ClientConnection.Kubeconfig = kubeproxyKubeConfigFileName
 	} else if externalproxycfg.ClientConnection.Kubeconfig != kubeproxyKubeConfigFileName {
-		warnDefaultComponentConfigValue(externalproxycfg.Kind, "kubeconfig", kubeproxyKubeConfigFileName, externalproxycfg.ClientConnection.Kubeconfig)
+		warnDefaultComponentConfigValue(kind, "clientConnection.kubeconfig", kubeproxyKubeConfigFileName, externalproxycfg.ClientConnection.Kubeconfig)
 	}
 	// TODO: The following code should be remvoved after dual-stack is GA.
@ -97,6 +99,7 @@ func DefaultKubeProxyConfiguration(internalcfg *kubeadmapi.ClusterConfiguration)
 // DefaultKubeletConfiguration assigns default values for the kubelet ComponentConfig
 func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 	externalkubeletcfg := &kubeletconfigv1beta1.KubeletConfiguration{}
 	kind := "KubeletConfiguration"
 	// Do a roundtrip to the external version for defaulting
 	if internalcfg.ComponentConfigs.Kubelet != nil {
@ -106,7 +109,7 @@ func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 	if externalkubeletcfg.StaticPodPath == "" {
 		externalkubeletcfg.StaticPodPath = kubeadmapiv1beta2.DefaultManifestsDir
 	} else if externalkubeletcfg.StaticPodPath != kubeadmapiv1beta2.DefaultManifestsDir {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "pod-manifest-path", kubeadmapiv1beta2.DefaultManifestsDir, externalkubeletcfg.StaticPodPath)
+		warnDefaultComponentConfigValue(kind, "staticPodPath", kubeadmapiv1beta2.DefaultManifestsDir, externalkubeletcfg.StaticPodPath)
 	}
 	clusterDNS := ""
@ -120,13 +123,13 @@ func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 	if externalkubeletcfg.ClusterDNS == nil {
 		externalkubeletcfg.ClusterDNS = []string{clusterDNS}
 	} else if len(externalkubeletcfg.ClusterDNS) != 1 || externalkubeletcfg.ClusterDNS[0] != clusterDNS {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "cluster-dns", []string{clusterDNS}, externalkubeletcfg.ClusterDNS)
+		warnDefaultComponentConfigValue(kind, "clusterDNS", []string{clusterDNS}, externalkubeletcfg.ClusterDNS)
 	}
 	if externalkubeletcfg.ClusterDomain == "" {
 		externalkubeletcfg.ClusterDomain = internalcfg.Networking.DNSDomain
 	} else if internalcfg.Networking.DNSDomain != "" && externalkubeletcfg.ClusterDomain != internalcfg.Networking.DNSDomain {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "cluster-domain", internalcfg.Networking.DNSDomain, externalkubeletcfg.ClusterDomain)
+		warnDefaultComponentConfigValue(kind, "clusterDomain", internalcfg.Networking.DNSDomain, externalkubeletcfg.ClusterDomain)
 	}
 	// Require all clients to the kubelet API to have client certs signed by the cluster CA
@ -134,13 +137,13 @@ func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 	if externalkubeletcfg.Authentication.X509.ClientCAFile == "" {
 		externalkubeletcfg.Authentication.X509.ClientCAFile = clientCAFile
 	} else if externalkubeletcfg.Authentication.X509.ClientCAFile != clientCAFile {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "client-ca-file", clientCAFile, externalkubeletcfg.Authentication.X509.ClientCAFile)
+		warnDefaultComponentConfigValue(kind, "authentication.x509.clientCAFile", clientCAFile, externalkubeletcfg.Authentication.X509.ClientCAFile)
 	}
 	if externalkubeletcfg.Authentication.Anonymous.Enabled == nil {
 		externalkubeletcfg.Authentication.Anonymous.Enabled = utilpointer.BoolPtr(kubeletAuthenticationAnonymousEnabled)
 	} else if *externalkubeletcfg.Authentication.Anonymous.Enabled != kubeletAuthenticationAnonymousEnabled {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "anonymous-auth", kubeletAuthenticationAnonymousEnabled, *externalkubeletcfg.Authentication.Anonymous.Enabled)
+		warnDefaultComponentConfigValue(kind, "authentication.anonymous.enabled", kubeletAuthenticationAnonymousEnabled, *externalkubeletcfg.Authentication.Anonymous.Enabled)
 	}
 	// On every client request to the kubelet API, execute a webhook (SubjectAccessReview request) to the API server
@ -148,36 +151,36 @@ func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 	if externalkubeletcfg.Authorization.Mode == "" {
 		externalkubeletcfg.Authorization.Mode = kubeletAuthorizationMode
 	} else if externalkubeletcfg.Authorization.Mode != kubeletAuthorizationMode {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "authorization-mode", kubeletAuthorizationMode, externalkubeletcfg.Authorization.Mode)
+		warnDefaultComponentConfigValue(kind, "authorization.mode", kubeletAuthorizationMode, externalkubeletcfg.Authorization.Mode)
 	}
 	// Let clients using other authentication methods like ServiceAccount tokens also access the kubelet API
 	if externalkubeletcfg.Authentication.Webhook.Enabled == nil {
 		externalkubeletcfg.Authentication.Webhook.Enabled = utilpointer.BoolPtr(kubeletAuthenticationWebhookEnabled)
 	} else if *externalkubeletcfg.Authentication.Webhook.Enabled != kubeletAuthenticationWebhookEnabled {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "authentication-token-webhook", kubeletAuthenticationWebhookEnabled, *externalkubeletcfg.Authentication.Webhook.Enabled)
+		warnDefaultComponentConfigValue(kind, "authentication.webhook.enabled", kubeletAuthenticationWebhookEnabled, *externalkubeletcfg.Authentication.Webhook.Enabled)
 	}
 	// Serve a /healthz webserver on localhost:10248 that kubeadm can talk to
 	if externalkubeletcfg.HealthzBindAddress == "" {
 		externalkubeletcfg.HealthzBindAddress = kubeletHealthzBindAddress
 	} else if externalkubeletcfg.HealthzBindAddress != kubeletHealthzBindAddress {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "healthz-bind-address", kubeletHealthzBindAddress, externalkubeletcfg.HealthzBindAddress)
+		warnDefaultComponentConfigValue(kind, "healthzBindAddress", kubeletHealthzBindAddress, externalkubeletcfg.HealthzBindAddress)
 	}
 	if externalkubeletcfg.HealthzPort == nil {
 		externalkubeletcfg.HealthzPort = utilpointer.Int32Ptr(constants.KubeletHealthzPort)
 	} else if *externalkubeletcfg.HealthzPort != constants.KubeletHealthzPort {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "healthz-port", constants.KubeletHealthzPort, *externalkubeletcfg.HealthzPort)
+		warnDefaultComponentConfigValue(kind, "healthzPort", constants.KubeletHealthzPort, *externalkubeletcfg.HealthzPort)
 	}
 	if externalkubeletcfg.ReadOnlyPort != kubeletReadOnlyPort {
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "read-only-port", kubeletReadOnlyPort, externalkubeletcfg.ReadOnlyPort)
+		warnDefaultComponentConfigValue(kind, "readOnlyPort", kubeletReadOnlyPort, externalkubeletcfg.ReadOnlyPort)
 	}
-	if externalkubeletcfg.RotateCertificates != kubeletRotateCertificates {
+	// We cannot show a warning for RotateCertificates==false and we must hardcode it to true.
-		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "rotate-certificates", kubeletRotateCertificates, externalkubeletcfg.RotateCertificates)
+	// There is no way to determine if the user has set this or not, given the field is a non-pointer.
-	}
+	externalkubeletcfg.RotateCertificates = kubeletRotateCertificates
 	Scheme.Default(externalkubeletcfg)