github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-11-02 23:02:25 +00:00
Code Issues Projects Releases Wiki Activity
Files
0fac54e65e7b3097fdcd9c2497721facf24a413c
kubernetes/cmd/kubeadm
History
Kubernetes Submit Queue 0fac54e65e Merge pull request #40316 from luxas/kubeadm_fix_apiserver_certs 
Automatic merge from submit-queue (batch tested with PRs 40303, 40316)

kubeadm: Fix up the apiserver kubelet client cert

**What this PR does / why we need it**:

I didn't notice that the apiserver serving cert was _only_ a server cert, not both a server and client cert in https://github.com/kubernetes/kubernetes/pull/40292.

This PR fixes that misconception and generates a dedicated client cert for apiserver -> kubelet communication and harmonizes the `ca.crt` path to `/etc/kubernetes/pki/ca.crt` on both master and node.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

```console
$ systemctl cat kubelet
# /lib/systemd/system/kubelet.service
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=http://kubernetes.io/docs/

[Service]
ExecStart=/usr/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--kubeconfig=/etc/kubernetes/kubelet.conf **--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt** --require-kubeconfig=true"
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_EXTRA_ARGS


$ curl -k https://localhost:10250/containerLogs/kube-system/weave-net-arm64-4t2xv/weave
Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy)
$ curl --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key -k https://localhost:10250/containerLogs/kube-system/weave-net-arm64-4t2xv/weave
[Works!!]
```

**Release note**:

```release-note
NONE
```

@liggitt @deads2k
2017-01-24 01:57:11 -08:00
..
app
Merge pull request #40316 from luxas/kubeadm_fix_apiserver_certs
2017-01-24 01:57:11 -08:00
test
kubeadm: replaced period as token separator in favor of colon.
2017-01-16 18:57:23 +00:00
BUILD
Enable auto-generating sources rules
2017-01-05 14:14:13 -08:00
kubeadm.go
OWNERS
Update OWNERS approvers and reviewers: cmd/kubeadm
2016-12-12 15:48:47 -08:00