Merge pull request #124361 from neolit123/1.31-stop-mounting-etc-pki
kubeadm: don't mount /etc/pki for apiserver and KCM
@ -40,7 +40,7 @@ const (
|
|||||||
// caCertsExtraVolumePaths specifies the paths that can be conditionally mounted into the apiserver and controller-manager containers
|
// caCertsExtraVolumePaths specifies the paths that can be conditionally mounted into the apiserver and controller-manager containers
|
||||||
// as /etc/ssl/certs might be or contain a symlink to them. It's a variable since it may be changed in unit testing. This var MUST
|
// as /etc/ssl/certs might be or contain a symlink to them. It's a variable since it may be changed in unit testing. This var MUST
|
||||||
// NOT be changed in normal codepaths during runtime.
|
// NOT be changed in normal codepaths during runtime.
|
||||||
var caCertsExtraVolumePaths = []string{"/etc/pki", "/usr/share/ca-certificates", "/usr/local/share/ca-certificates", "/etc/ca-certificates"}
|
var caCertsExtraVolumePaths = []string{"/etc/pki/ca-trust", "/etc/pki/tls/certs", "/etc/ca-certificates", "/usr/share/ca-certificates", "/usr/local/share/ca-certificates"}
|
||||||
|
|
||||||
// getHostPathVolumesForTheControlPlane gets the required hostPath volumes and mounts for the control plane
|
// getHostPathVolumesForTheControlPlane gets the required hostPath volumes and mounts for the control plane
|
||||||
func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.ClusterConfiguration) controlPlaneHostPathMounts {
|
func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.ClusterConfiguration) controlPlaneHostPathMounts {
|
||||||
@ -83,7 +83,7 @@ func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.ClusterConfiguration)
|
|||||||
schedulerKubeConfigFile := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName)
|
schedulerKubeConfigFile := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName)
|
||||||
mounts.NewHostPathMount(kubeadmconstants.KubeScheduler, kubeadmconstants.KubeConfigVolumeName, schedulerKubeConfigFile, schedulerKubeConfigFile, true, &hostPathFileOrCreate)
|
mounts.NewHostPathMount(kubeadmconstants.KubeScheduler, kubeadmconstants.KubeConfigVolumeName, schedulerKubeConfigFile, schedulerKubeConfigFile, true, &hostPathFileOrCreate)
|
||||||
|
|
||||||
// On some systems were we host-mount /etc/ssl/certs, it is also required to mount additional directories.
|
// On some systems where we host-mount /etc/ssl/certs, it is also required to mount additional directories.
|
||||||
// This is needed due to symlinks pointing from files in /etc/ssl/certs to these directories.
|
// This is needed due to symlinks pointing from files in /etc/ssl/certs to these directories.
|
||||||
for _, caCertsExtraVolumePath := range caCertsExtraVolumePaths {
|
for _, caCertsExtraVolumePath := range caCertsExtraVolumePaths {
|
||||||
if isExtraVolumeMountNeeded(caCertsExtraVolumePath) {
|
if isExtraVolumeMountNeeded(caCertsExtraVolumePath) {
|
||||||
@ -179,7 +179,7 @@ func getEtcdCertVolumes(etcdCfg *kubeadmapi.ExternalEtcd, k8sCertificatesDir str
|
|||||||
for _, certPath := range certPaths {
|
for _, certPath := range certPaths {
|
||||||
certDir := filepath.ToSlash(filepath.Dir(certPath))
|
certDir := filepath.ToSlash(filepath.Dir(certPath))
|
||||||
// Ignore ".", which is the result of passing an empty path.
|
// Ignore ".", which is the result of passing an empty path.
|
||||||
// Also ignore the cert directories that already may be mounted; /etc/ssl/certs, /etc/pki or Kubernetes CertificatesDir
|
// Also ignore the cert directories that already may be mounted; /etc/ssl/certs, /etc/pki/ca-trust/ or Kubernetes CertificatesDir
|
||||||
// If the etcd certs are in there, it's okay, we don't have to do anything
|
// If the etcd certs are in there, it's okay, we don't have to do anything
|
||||||
extraVolumePath := false
|
extraVolumePath := false
|
||||||
for _, caCertsExtraVolumePath := range caCertsExtraVolumePaths {
|
for _, caCertsExtraVolumePath := range caCertsExtraVolumePaths {
|
||||||
@ -219,9 +219,9 @@ func getEtcdCertVolumes(etcdCfg *kubeadmapi.ExternalEtcd, k8sCertificatesDir str
|
|||||||
return volumes, volumeMounts
|
return volumes, volumeMounts
|
||||||
}
|
}
|
||||||
|
|
||||||
// isExtraVolumeMountNeeded specifies whether /etc/pki should be host-mounted into the containers
|
// isExtraVolumeMountNeeded specifies whether /etc/pki/ca-trust/ should be host-mounted into the containers
|
||||||
// On some systems were we host-mount /etc/ssl/certs, it is also required to mount /etc/pki. This is needed
|
// On some systems were we host-mount /etc/ssl/certs, it is also required to mount /etc/pki/ca-trust/. This is needed
|
||||||
// due to symlinks pointing from files in /etc/ssl/certs into /etc/pki/
|
// due to symlinks pointing from files in /etc/ssl/certs into /etc/pki/ca-trust/
|
||||||
func isExtraVolumeMountNeeded(caCertsExtraVolumePath string) bool {
|
func isExtraVolumeMountNeeded(caCertsExtraVolumePath string) bool {
|
||||||
if _, err := os.Stat(caCertsExtraVolumePath); err == nil {
|
if _, err := os.Stat(caCertsExtraVolumePath); err == nil {
|
||||||
return true
|
return true
|
||||||
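Review bot: The three doc-comment lines above the isExtraVolumeMountNeeded signature still describe the check as being about `/etc/pki/ca-trust/`, but the function reports on whichever caCertsExtraVolumePath the caller passes, the new list in the first hunk also carries `/etc/pki/tls/certs` (mentioned in no comment in this file), and the old `were` typo is left in place here while the same sentence was fixed to `where` in the second hunk. I would replace those three lines with `// isExtraVolumeMountNeeded reports whether caCertsExtraVolumePath exists on the host and therefore should be host-mounted alongside /etc/ssl/certs, whose entries may be symlinks into it (e.g. /etc/pki/ca-trust or /etc/pki/tls/certs on RHEL-like systems).` The same single-path wording appears in the getEtcdCertVolumes comment (`/etc/pki/ca-trust/ or Kubernetes CertificatesDir`), which could say `any of caCertsExtraVolumePaths` instead so it stays true when the list changes again. Limiting the mount to the trust directories rather than all of /etc/pki keeps any host key material that a distribution may keep elsewhere under /etc/pki (such as a tls/private subtree, where present) out of the apiserver and controller-manager pods, so it is worth a one-line comment on the var stating that the list is intentionally narrow. The body of isExtraVolumeMountNeeded continues past the end of this hunk.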
|
@ -57,10 +57,10 @@ func TestGetEtcdCertVolumes(t *testing.T) {
|
|||||||
volMount: []v1.VolumeMount{},
|
volMount: []v1.VolumeMount{},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "Should ignore files in /etc/pki",
|
name: "Should ignore files in /etc/pki/ca-trust",
|
||||||
ca: "/etc/pki/my-etcd-ca.crt",
|
ca: "/etc/pki/ca-trust/my-etcd-ca.crt",
|
||||||
cert: "/etc/pki/my-etcd.crt",
|
cert: "/etc/pki/ca-trust/my-etcd.crt",
|
||||||
key: "/etc/pki/my-etcd.key",
|
key: "/etc/pki/ca-trust/my-etcd.key",
|
||||||
vol: []v1.Volume{},
|
vol: []v1.Volume{},
|
||||||
volMount: []v1.VolumeMount{},
|
volMount: []v1.VolumeMount{},
|
||||||
},
|
},
|
||||||
@ -519,8 +519,9 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
|
|||||||
defer os.RemoveAll(tmpdir)
|
defer os.RemoveAll(tmpdir)
|
||||||
|
|
||||||
// set up tmp caCertsExtraVolumePaths for testing
|
// set up tmp caCertsExtraVolumePaths for testing
|
||||||
caCertsExtraVolumePaths = []string{fmt.Sprintf("%s/etc/pki", tmpdir), fmt.Sprintf("%s/usr/share/ca-certificates", tmpdir)}
|
originalCACertsExtraVolumePaths := caCertsExtraVolumePaths
|
||||||
defer func() { caCertsExtraVolumePaths = []string{"/etc/pki", "/usr/share/ca-certificates"} }()
|
caCertsExtraVolumePaths = []string{fmt.Sprintf("%s/etc/pki/ca-trust", tmpdir), fmt.Sprintf("%s/usr/share/ca-certificates", tmpdir)}
|
||||||
|
defer func() { caCertsExtraVolumePaths = originalCACertsExtraVolumePaths }()
|
||||||
|
|
||||||
for _, rt := range tests {
|
for _, rt := range tests {
|
||||||
t.Run(rt.name, func(t *testing.T) {
|
t.Run(rt.name, func(t *testing.T) {
|
||||||
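Review bot: The override on the `caCertsExtraVolumePaths = []string{...}` line only lists `etc/pki/ca-trust` and `usr/share/ca-certificates` under tmpdir, so the `/etc/pki/tls/certs` entry newly added to the production list is not exercised by this test, and the TestGetEtcdCertVolumes case above only checks `/etc/pki/ca-trust` as well; as far as this hunk shows, nothing verifies that an etcd cert under /etc/pki/tls/certs is treated as already mounted rather than given an extra hostPath volume. Adding `fmt.Sprintf("%s/etc/pki/tls/certs", tmpdir)` to the override list, and a sibling TestGetEtcdCertVolumes case with `ca: "/etc/pki/tls/certs/my-etcd-ca.crt"` expecting empty `vol`/`volMount`, would close that gap. Capturing and restoring the original slice via `originalCACertsExtraVolumePaths` is the right fix over the hard-coded restore, which would otherwise have left later tests in the package running with only two of the production entries. Minor style: `filepath.Join(tmpdir, "etc", "pki", "ca-trust")` is the idiomatic way to build these paths instead of `fmt.Sprintf`. The test function continues outside this hunk, so the directories are presumably created further down.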
|