github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 19:56:01 +00:00
Code Issues Projects Releases Wiki Activity

kubeadm: enable secure serving for the kube-scheduler

Browse Source 
Secure serving was already enabled for kube-controller-manager.
Do the same for kube-scheduler, by passing the flags
"authentication-kubeconfig" and "authorization-kubeconfig"
to the binary in the static Pod.

This change allows the scheduler to perform reviews on incoming
requests, such as:
- authentication.k8s.io/v1beta1 TokenReview
- authorization.k8s.io/v1 SubjectAccessReview

The authentication and authorization checks for "system:kube-scheduler"
users were previously enabled by PR 72491.
This commit is contained in:
Lubomir I. Ivanov 2019-08-03 19:15:32 +03:00
parent 3e3addf6c8
commit e142bf6203
4 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
cmd/kubeadm/app/phases/controlplane/manifests.go
View File

@ -25,7 +25,7 @@ import (
"strings" "strings"
"github.com/pkg/errors" "github.com/pkg/errors"
"k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/klog" "k8s.io/klog"
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
@ -315,10 +315,13 @@ func getControllerManagerCommand(cfg *kubeadmapi.ClusterConfiguration) []string
// getSchedulerCommand builds the right scheduler command from the given config object and version // getSchedulerCommand builds the right scheduler command from the given config object and version
func getSchedulerCommand(cfg *kubeadmapi.ClusterConfiguration) []string { func getSchedulerCommand(cfg *kubeadmapi.ClusterConfiguration) []string {
kubeconfigFile := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName)
defaultArguments := map[string]string{ defaultArguments := map[string]string{
"bind-address": "127.0.0.1", "bind-address": "127.0.0.1",
"leader-elect": "true", "leader-elect": "true",
"kubeconfig": filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName), "kubeconfig": kubeconfigFile,
"authentication-kubeconfig": kubeconfigFile,
"authorization-kubeconfig": kubeconfigFile,
} }
// TODO: The following code should be remvoved after dual-stack is GA. // TODO: The following code should be remvoved after dual-stack is GA.

2
cmd/kubeadm/app/phases/controlplane/manifests_test.go
View File

@ -868,6 +868,8 @@ func TestGetSchedulerCommand(t *testing.T) {
"--bind-address=127.0.0.1", "--bind-address=127.0.0.1",
"--leader-elect=true", "--leader-elect=true",
"--kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf", "--kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
"--authentication-kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
"--authorization-kubeconfig=" + kubeadmconstants.KubernetesDir + "/scheduler.conf",
}, },
}, },
} }

11
cmd/kubeadm/app/phases/selfhosting/podspec_mutation.go
View File

@ -20,7 +20,7 @@ import (
"path/filepath" "path/filepath"
"strings" "strings"
"k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util" kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
) )
@ -191,7 +191,14 @@ func setSelfHostedVolumesForScheduler(podSpec *v1.PodSpec) {
// This is not a problem with hostPath mounts as hostPath supports mounting one file only, instead of always a full directory. Secrets and Projected Volumes // This is not a problem with hostPath mounts as hostPath supports mounting one file only, instead of always a full directory. Secrets and Projected Volumes
// don't support that. // don't support that.
podSpec.Containers[0].Command = kubeadmutil.ReplaceArgument(podSpec.Containers[0].Command, func(argMap map[string]string) map[string]string { podSpec.Containers[0].Command = kubeadmutil.ReplaceArgument(podSpec.Containers[0].Command, func(argMap map[string]string) map[string]string {
argMap["kubeconfig"] = filepath.Join(selfHostedKubeConfigDir, kubeadmconstants.SchedulerKubeConfigFileName) schedulerKubeConfigPath := filepath.Join(selfHostedKubeConfigDir, kubeadmconstants.SchedulerKubeConfigFileName)
argMap["kubeconfig"] = schedulerKubeConfigPath
if _, ok := argMap["authentication-kubeconfig"]; ok {
argMap["authentication-kubeconfig"] = schedulerKubeConfigPath
}
if _, ok := argMap["authorization-kubeconfig"]; ok {
argMap["authorization-kubeconfig"] = schedulerKubeConfigPath
}
return argMap return argMap
}) })
} }

6
cmd/kubeadm/app/phases/selfhosting/podspec_mutation_test.go
View File

@ -21,7 +21,7 @@ import (
"sort" "sort"
"testing" "testing"
"k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
) )
@ -531,6 +531,8 @@ func TestSetSelfHostedVolumesForScheduler(t *testing.T) {
}, },
Command: []string{ Command: []string{
"--kubeconfig=/etc/kubernetes/scheduler.conf", "--kubeconfig=/etc/kubernetes/scheduler.conf",
"--authentication-kubeconfig=/etc/kubernetes/scheduler.conf",
"--authorization-kubeconfig=/etc/kubernetes/scheduler.conf",
"--foo=bar", "--foo=bar",
}, },
}, },
@ -558,6 +560,8 @@ func TestSetSelfHostedVolumesForScheduler(t *testing.T) {
}, },
Command: []string{ Command: []string{
"--kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf", "--kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf",
"--authentication-kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf",
"--authorization-kubeconfig=/etc/kubernetes/kubeconfig/scheduler.conf",
"--foo=bar", "--foo=bar",
}, },
}, },