diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 169552737c2..8a59190ace3 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -109,7 +109,7 @@ ENABLE_ADMISSION_PLUGINS=${ENABLE_ADMISSION_PLUGINS:-"NamespaceLifecycle,LimitRa
 DISABLE_ADMISSION_PLUGINS=${DISABLE_ADMISSION_PLUGINS:-""}
 ADMISSION_CONTROL_CONFIG_FILE=${ADMISSION_CONTROL_CONFIG_FILE:-""}
 
-# START_MODE can be 'all', 'kubeletonly', or 'nokubelet'
+# START_MODE can be 'all', 'kubeletonly', 'nokubelet', or 'nokubeproxy'
 START_MODE=${START_MODE:-"all"}
 
 # A list of controllers to enable
@@ -457,7 +457,6 @@ function generate_certs {
 
 kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-apiserver kubernetes.default kubernetes.default.svc "localhost" ${API_HOST_IP} ${API_HOST} ${FIRST_SERVICE_CLUSTER_IP}
 # Create client certs signed with client-ca, given id, given CN and a number of groups
- kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:kube-controller-manager
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:kube-scheduler
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' admin system:admin system:masters
@@ -466,11 +465,17 @@ function generate_certs {
 # Create matching certificates for kube-aggregator
 kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" request-header-ca auth-proxy system:auth-proxy
+ # TODO remove masters and add rolebinding
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-aggregator system:kube-aggregator system:masters
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-aggregator
 }
 
+function generate_kubeproxy_certs {
+ kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
+ kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-proxy
+}
+
 function generate_kubelet_certs {
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kubelet
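Review bot: generate_kubeproxy_certs keeps the system:nodes group on the kube-proxy client certificate while moving its issuance out of generate_certs, so kube-proxy still authenticates with node-level group membership on top of the system:kube-proxy identity that the default RBAC bootstrap binding for system:node-proxier is keyed to. Since the line is being relocated into its own function anyway, it is a good moment to either drop the group, if nothing in the local setup relies on it (`kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy`), or record the reason it is kept. The new function also lacks the one-line purpose comment its neighbours would benefit from; something like `# Issue the kube-proxy client cert and kubeconfig; called from start_kubeproxy unless REUSE_CERTS=true` would do. The added TODO on the kube-aggregator line names the fix but not the risk, and stating that system:masters bypasses RBAC entirely for that identity would help keep the follow-up from being deprioritised.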
@@ -595,7 +600,6 @@ EOF
 # Create kubeconfigs for all components, using client certs
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" admin
 ${CONTROLPLANE_SUDO} chown "${USER}" "${CERT_DIR}/client-admin.key" # make readable for kubectl
- kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" kube-proxy
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" controller
 kube::util::write_client_kubeconfig "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "${ROOT_CA_FILE}" "${API_HOST}" "${API_SECURE_PORT}" scheduler
 
@@ -813,6 +817,10 @@ EOF
 done
 fi >>/tmp/kube-proxy.yaml
 
+ if [[ "${REUSE_CERTS}" != true ]]; then
+ generate_kubeproxy_certs
+ fi
+
 sudo "${GO_OUT}/hyperkube" proxy \
 --v=${LOG_LEVEL} \
 --config=/tmp/kube-proxy.yaml \
@@ -1014,7 +1022,9 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
 if [[ "${EXTERNAL_CLOUD_PROVIDER:-}" == "true" ]]; then
 start_cloud_controller_manager
 fi
- start_kubeproxy
+ if [[ "${START_MODE}" != "nokubeproxy" ]]; then
+ start_kubeproxy
+ fi
 start_kubescheduler
 start_kubedns
 if [[ "${ENABLE_NODELOCAL_DNS:-}" == "true" ]]; then
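Review bot: The REUSE_CERTS branch added before the hyperkube proxy invocation assumes a kube-proxy kubeconfig is already present in ${CERT_DIR}, but nothing verifies it, and now that kube-proxy material is only produced inside this function a previous run with START_MODE=nokubeproxy leaves CERT_DIR without it, so a later run with REUSE_CERTS=true and kube-proxy enabled fails only when the proxy process starts. An explicit check with a clear message would surface that earlier, e.g. `[[ -f "${CERT_DIR}/<kube-proxy kubeconfig filename>" ]] || { printf 'REUSE_CERTS=true but no kube-proxy kubeconfig in %s\n' "${CERT_DIR}" >&2; exit 1; }` using whatever filename write_client_kubeconfig produces. The enclosing function (presumably start_kubeproxy) begins and ends outside the hunk.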
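Review bot: START_MODE is compared against the literal "nokubeproxy" in the new branch, and against "kubeletonly" on the enclosing if, but the value is never validated against the documented set, so a misspelt value passes both comparisons and every component, kube-proxy included, is started without any warning. A case statement immediately after the `START_MODE=${START_MODE:-"all"}` default would turn that into an immediate error, as sketched below. The enclosing `if [[ "${START_MODE}" != "kubeletonly" ]]` block begins and ends outside the hunk.
```shell
START_MODE=${START_MODE:-"all"}
case "${START_MODE}" in
  all|kubeletonly|nokubelet|nokubeproxy) ;;
  *) printf 'Unknown START_MODE %q; expected all, kubeletonly, nokubelet or nokubeproxy\n' "${START_MODE}" >&2; exit 1 ;;
esac
```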