From e142bf62038cbbb1cfcfd6672afb8b34aaefa3cf Mon Sep 17 00:00:00 2001
From: "Lubomir I. Ivanov"
Date: Sat, 3 Aug 2019 19:15:32 +0300
Subject: [PATCH] kubeadm: enable secure serving for the kube-scheduler

Secure serving was already enabled for kube-controller-manager. Do the same for kube-scheduler, by passing the flags "authentication-kubeconfig" and "authorization-kubeconfig" to the binary in the static Pod.
This change allows the scheduler to perform reviews on incoming requests, such as:
- authentication.k8s.io/v1beta1 TokenReview
- authorization.k8s.io/v1 SubjectAccessReview
The authentication and authorization checks for "system:kube-scheduler" users were previously enabled by PR 72491.
---
 cmd/kubeadm/app/phases/controlplane/manifests.go | 11 +++++++----
 cmd/kubeadm/app/phases/controlplane/manifests_test.go | 2 ++
 .../app/phases/selfhosting/podspec_mutation.go | 11 +++++++++--
 .../app/phases/selfhosting/podspec_mutation_test.go | 6 +++++-
 4 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go
index dcc9cec4bc3..354ff074d3d 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests.go
@@ -25,7 +25,7 @@ import (
  "strings"
 
  "github.com/pkg/errors"
- "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
  "k8s.io/apimachinery/pkg/util/intstr"
  "k8s.io/klog"
  kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
@@ -315,10 +315,13 @@ func getControllerManagerCommand(cfg *kubeadmapi.ClusterConfiguration) []string
 
 // getSchedulerCommand builds the right scheduler command from the given config object and version
 func getSchedulerCommand(cfg *kubeadmapi.ClusterConfiguration) []string {
+ kubeconfigFile := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName)
  defaultArguments := map[string]string{
- "bind-address": "127.0.0.1",
- "leader-elect": "true",
- "kubeconfig": filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName),
+ "bind-address": "127.0.0.1",
+ "leader-elect": "true",
+ "kubeconfig": kubeconfigFile,
+ "authentication-kubeconfig": kubeconfigFile,
+ "authorization-kubeconfig": kubeconfigFile,
  }
 
  // TODO: The following code should be remvoved after dual-stack is GA.
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests_test.go b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
index 146e900d7bb..c11d2d993e4 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests_test.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
@@ -868,6 +868,8 @@ func TestGetSchedulerCommand(t *testing.T) {
  "--bind-address=127.0.0.1",
  "--leader-elect=true",
  "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
+ "--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
+ "--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
  },
  },
  }
diff --git a/cmd/kubeadm/app/phases/selfhosting/podspec_mutation.go b/cmd/kubeadm/app/phases/selfhosting/podspec_mutation.go
index 03b711b0535..80790ffe13d 100644
--- a/cmd/kubeadm/app/phases/selfhosting/podspec_mutation.go
+++ b/cmd/kubeadm/app/phases/selfhosting/podspec_mutation.go
@@ -20,7 +20,7 @@ import (
  "path/filepath"
  "strings"
 
- "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
  kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
  kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 )
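Review bot: The new `"authentication-kubeconfig"` and `"authorization-kubeconfig"` entries in defaultArguments carry no comment saying what they switch on or why the scheduler's own client kubeconfig is reused for them, so a later reader of this map cannot tell whether the duplication is deliberate. Per the commit message these flags make the scheduler's secure port delegate authentication and authorization to the API server through TokenReview and SubjectAccessReview, using the identity in scheduler.conf; that identity therefore has to be permitted to create those review objects, which the message attributes to an earlier PR but which this hunk cannot verify. I would put above the map: `// authentication-kubeconfig and authorization-kubeconfig turn on delegated authn/authz for the secure port; they reuse scheduler.conf, so the scheduler's identity must be allowed to create TokenReview/SubjectAccessReview objects.` The body of getSchedulerCommand continues past the end of the hunk.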
@@ -191,7 +191,14 @@ func setSelfHostedVolumesForScheduler(podSpec *v1.PodSpec) {
  // This is not a problem with hostPath mounts as hostPath supports mounting one file only, instead of always a full directory. Secrets and Projected Volumes
  // don't support that.
  podSpec.Containers[0].Command = kubeadmutil.ReplaceArgument(podSpec.Containers[0].Command, func(argMap map[string]string) map[string]string {
- argMap["kubeconfig"] = filepath.Join(selfHostedKubeConfigDir, kubeadmconstants.SchedulerKubeConfigFileName)
+ schedulerKubeConfigPath := filepath.Join(selfHostedKubeConfigDir, kubeadmconstants.SchedulerKubeConfigFileName)
+ argMap["kubeconfig"] = schedulerKubeConfigPath
+ if _, ok := argMap["authentication-kubeconfig"]; ok {
+ argMap["authentication-kubeconfig"] = schedulerKubeConfigPath
+ }
+ if _, ok := argMap["authorization-kubeconfig"]; ok {
+ argMap["authorization-kubeconfig"] = schedulerKubeConfigPath
+ }
  return argMap
  })
 }
diff --git a/cmd/kubeadm/app/phases/selfhosting/podspec_mutation_test.go b/cmd/kubeadm/app/phases/selfhosting/podspec_mutation_test.go
index 4c6a4f51d22..8edfdede036 100644
--- a/cmd/kubeadm/app/phases/selfhosting/podspec_mutation_test.go
+++ b/cmd/kubeadm/app/phases/selfhosting/podspec_mutation_test.go
@@ -21,7 +21,7 @@ import (
  "sort"
  "testing"
 
- "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
  kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 )
 
@@ -531,6 +531,8 @@ func TestSetSelfHostedVolumesForScheduler(t *testing.T) {
  },
  Command: []string{
  "--kubeconfig=/etc/kubernetes/scheduler.conf",
+ "--authentication-kubeconfig=/etc/kubernetes/scheduler.conf",
+ "--authorization-kubeconfig=/etc/kubernetes/scheduler.conf",
  "--foo=bar",
  },
  },
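Review bot: The two `if _, ok := argMap[...]; ok` guards rewrite the delegated authn/authz kubeconfig paths only when the flag is already present, while `kubeconfig` is rewritten unconditionally, and nothing explains the asymmetry; presumably the guards tolerate scheduler manifests that predate these flags, and that deserves a comment such as `// Only redirect the authn/authz kubeconfig flags when the manifest sets them; manifests generated before they were added may lack them.` The two identical guards could also be folded into one loop, `for _, k := range []string{"authentication-kubeconfig", "authorization-kubeconfig"} { if _, ok := argMap[k]; ok { argMap[k] = schedulerKubeConfigPath } }`, so the key list lives in one place. One consequence worth stating in that comment is that a manifest without these flags keeps serving without delegated authn/authz after self-hosting, which the guard silently preserves rather than adds. The signature of setSelfHostedVolumesForScheduler and the start of its body lie outside the hunk.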
@@ -558,6 +560,8 @@ func TestSetSelfHostedVolumesForScheduler(t *testing.T) {
  },
  Command: []string{
  "--kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf",
+ "--authentication-kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf",
+ "--authorization-kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf",
  "--foo=bar",
  },
  },