Commit Graph

53 Commits

Author SHA1 Message Date
XinYang
72fd01095d
re-order imports for kubeadm
Signed-off-by: XinYang <xinydev@gmail.com>
2021-08-17 22:40:46 +08:00
XinYang
c2a8cd359f
re-order the imports in kubeadm
Signed-off-by: XinYang <xinydev@gmail.com>

Update cmd/kubeadm/app/cmd/join.go

Co-authored-by: Lubomir I. Ivanov <neolit123@gmail.com>
2021-07-04 16:41:27 +08:00
Lubomir I. Ivanov
14fa296bb3 kubeadm: use the bootstraptoken/v1 API across the code base
- Make v1beta3 use bootstraptoken/v1 instead of local copies
- Make the internal API use bootstraptoken/v1
- Update validation, /cmd, /util and other packages
- Update v1beta2 conversion
2021-07-02 00:11:49 +03:00
Lubomir I. Ivanov
4cba7dcc43 kubeadm: enable v1beta3 accross the code base
- scheme: switch to:
utilruntime.Must(scheme.SetVersionPriority(v1beta3.SchemeGroupVersion))
- change all imports in the code base from v1beta2 to v1beta3
- rename all import aliases for kubeadmapiv1beta2 to "kubeadmapiv".
this allows smaller diffs when changing the default public API.
2021-04-20 03:47:27 +03:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
Lubomir I. Ivanov
429b7e2272 kubeadm: improve the error messages when validating discovery CA hash
The error messages when the user feeds an invalid discovery token CA
hash are vague. Make sure to:
- Print the list of supported hash formats (currently only "sha256").
- Wrap the error from pubKeyPins.Allow() with a descriptive message.
2020-12-14 20:13:36 +02:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Mike Danese
3aa59f7f30 generated: run refactor 2020-02-07 18:16:47 -08:00
Lubomir I. Ivanov
ce68a89d26 kubeadm: simplify discover/token and add detailed unit tests
- Add retrieveValidatedConfigInfo to be able to better unit
test the function.
- Break some of the logic in RetrieveValidatedConfigInfo into
helper functions.
- Pass JoinConfiguration.Discovery to RetrieveValidatedConfigInfo
instead of JoinConfiguration.
- Use the discovery timeout per API call to fetch cluster-info
(optionally the user value can be slit in 2).
- Add detailed unit tests for retrieveValidatedConfigInfo.
2019-11-27 01:16:43 +02:00
Chuck Ha
8fcf892498
Remove an infinite poll
This infinite poll can make kubeadm init/join hang forever due
to a lack of function cancelling.

Signed-off-by: Chuck Ha <chuckh@vmware.com>
2019-11-13 10:10:41 -05:00
Yassine TIJANI
d3620dfa29 move jws to k8s.io/cluster-bootstrap
Signed-off-by: Yassine TIJANI <ytijani@vmware.com>
2019-06-25 13:48:13 +02:00
Dmitry Rozhkov
358659ef4d kubeadm: remove duplicated token.parsePEMCerts()
The function parsePEMCerts() duplicates ParseCertsPEM() from
the "k8s.io/client-go/util/cert" package.
2019-04-29 14:32:38 +03:00
Rostislav M. Georgiev
9e1ac76c1a kubeadm: Introduce v1beta2 config
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
2019-04-25 17:10:04 +03:00
Kubernetes Prow Robot
0f617a3825
Merge pull request #76500 from rojkov/issue-1399
kubeadm: check all available CA certs against pinned certs
2019-04-23 07:52:21 -07:00
SataQiu
62dbd0fa0d use 'errors.Errorf' instead of 'fmt.Errorf' 2019-04-20 17:10:18 +08:00
Dmitry Rozhkov
7f8fc5d189 kubeadm: check all available CA certs against pinned certs
Currently kubeadm produces an error upon parsing multiple
certificates stored in the cluster-info configmap. Yet it
should check all available certificates in a scenario like
CA key rotation.

Check all available CA certs against pinned certificate hashes.

Fixes https://github.com/kubernetes/kubeadm/issues/1399
2019-04-15 15:08:06 +03:00
Lubomir I. Ivanov
6f6b364b9c kubeadm: update output of init, join reset commands
- move most unrelated to phases output to klog.V(1)
- rename some prefixes for consistency - e.g.
[kubelet] -> [kubelet-start]
- control-plane-prepare: print details for each generated CP
component manifest.
- uppercase the info text for all "[reset].." lines
- modify the text for one line in reset
2019-03-06 03:17:35 +02:00
vanduc95
0296cfb2b8 kubeadm cleanup: master -> control-plane (cont.5) 2019-02-26 09:04:54 +07:00
vanduc95
0e8941f7ec kubeadm cleanup: master -> control-plane 2019-02-14 09:18:42 +07:00
Rafael Fernández López
47b4e04842
kubeadm: Remove cluster name from JoinConfiguration 2018-11-08 23:29:52 +01:00
Yago Nobre
cc670e29a1
Fix typos on cmd/kubeadm/app/cmd 2018-10-31 16:32:02 -03:00
Rostislav M. Georgiev
a3e7d7e038 kubeadm: APIServerEndpoints -> APIServerEndpoint
In the past the discovery configuration expected, that we can support multiple
API server endpoints. In practice, we always end up with a single API server
endpoint, because, even in HA setups, we use a load balancer scheme for API
servers.
Therefore, to reduce complexity and improve readability of the config, the
multiple API server endpoints support is removed from the bootstrap token
discovery join method and configuration.

Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
2018-10-30 16:10:28 +02:00
yuexiao-wang
c0a9b4d04d add BUILD
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2018-10-30 16:23:52 +08:00
yuexiao-wang
cc303c8774 [kubeadm/app/]switch to github.com/pkg/errors
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2018-10-30 16:23:24 +08:00
Rostislav M. Georgiev
576b8d3f4f kubeadm: Split discovery from JoinConfiguration
This change splits out discovery fields from JoinConfiguration by performing
the following changes:

- Introduce a BootstrapTokenDiscovery structure, that houses configuration
  options needed for bootstrap token based discovery.

- Introduce a FileDiscovery structure, that houses configuration options
  (currently only a single option) needed for KubeConfig based discovery.

- Introduce a Discovery structure, that houses common options (such as
  discovery timeout and TLS bootstrap token) as well as pointer to an instance
  of either BootstrapTokenDiscovery or FileDiscovery structures.

- Replace the old discovery related JoinConfiguration members with a single
  Discovery member.

This change is required in order to cleanup the code of unnecessary logic and
make the serialized JoinConfiguration more structured (and therefore, more
intuitive).

Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
2018-10-16 15:25:32 +03:00
Yu Liao
fc21115c3f Moved staging/src/k8s.io/client-go/tools/bootstrap to staging/src/k8s.io/cluster-bootstrap 2018-10-02 09:46:13 -07:00
Di Xu
997a612206 kubeadm join the cluster with pre-existing client certificate 2018-07-26 19:34:09 +08:00
fabriziopandini
a6b0410f83 Automated rename from NodeConfiguration to JoinConfiguration 2018-07-13 22:52:41 +02:00
Jeff Grafton
23ceebac22 Run hack/update-bazel.sh 2018-06-22 16:22:57 -07:00
Lucas Käldström
67a9f1bfe7
autogenerated 2018-05-31 22:21:06 +03:00
Lucas Käldström
c473039580
kubeadm: Initial refactor of the Bootstrap Tokens. Add the new API objects, add/move helpers and start using the new flow in the code 2018-05-31 22:19:26 +03:00
Karan Goel
24d6483558 Add --cluster-name to kubeadm 2018-04-11 09:42:31 -07:00
Rostislav M. Georgiev
230a9c67ce kubeadm: Introduce controllable timeout on join
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
2018-04-03 14:05:02 +03:00
Jeff Grafton
ef56a8d6bb Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
Kubernetes Submit Queue
77ac663df4
Merge pull request #57941 from stewart-yu/improveErrorMessages
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

improve error message for expired tokens

**What this PR does / why we need it**:
When you join a node with a expired tokens, you can get fuzz error messages: `[discovery] Failed to connect to API Server "<cluster-ip>:6443": there is no JWS signed token in the cluster-info ConfigMap. This token id "c33826" is invalid for this cluster, can't connect`, we should improve it.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes [https://github.com/kubernetes/kubeadm/issues/630](https://github.com/kubernetes/kubeadm/issues/630)

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-01-19 14:34:12 -08:00
Gavin
f653d02b05 create auto-gen files 2018-01-17 16:23:03 +08:00
Gavin
bb5e156aba Add generic Bootstrap Token constants and helpers to client-go 2018-01-17 16:22:37 +08:00
stewart-yu
528435f8dc improve error message for expired tokens 2018-01-17 09:54:06 +08:00
Jeff Grafton
efee0704c6 Autogenerate BUILD files 2017-12-23 13:12:11 -08:00
Jeff Grafton
aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Serguei Bezverkhi
42bd500134 kubeadm golint clean up
Closes #375
2017-09-23 08:07:55 -04:00
Jeff Grafton
a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton
33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Matt Moyer
1be639d6b0 kubeadm: implement TLS discovery root CA pinning.
This change adds the `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join` and corresponding fields on the kubeadm NodeConfiguration struct. These flags configure enhanced TLS validation for token-based discovery.

The enhanced TLS validation works by pinning the public key hashes of the cluster CA. This is done by connecting to the `cluster-info` endpoint initially using an unvalidated/unsafe TLS connection. After the cluster info has been loaded, parsed, and validated with the existing symmetric signature/MAC scheme, the root CA is validated against the pinned public key set. A second request is made using validated/safe TLS using the newly-known CA and the result is validated to make sure the same `cluster-info` was returned from both requests.

This validation prevents a class of attacks where a leaked bootstrap token (such as from a compromised worker node) allows an attacker to impersonate the API server.

This change also update `kubeadm init` to print the correct `--discovery-token-ca-cert-hash` flag in the example `kubeadm join` command it prints at the end of initialization.
2017-08-10 11:39:25 -05:00
Matt Moyer
1d9bc00b81 Begin polling for bootstrap cluster info immediately.
The previous behavior was to sleep for `constants.DiscoveryRetryInterval` (5 seconds) before the first request.
2017-07-10 15:40:33 -07:00
Chao Xu
60604f8818 run hack/update-all 2017-06-22 11:31:03 -07:00
Chao Xu
f2d3220a11 run root-rewrite-import-client-go-api-types 2017-06-22 11:30:59 -07:00
Mike Danese
a05c3c0efd autogenerated 2017-04-14 10:40:57 -07:00
Lucas Käldström
61a284d720
Hook up kubeadm against the BootstrapSigner/BootstrapTokenAuthenticator 2017-03-04 11:17:52 +02:00