mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-11-02 06:47:34 +00:00
360 lines
14 KiB
Go
360 lines
14 KiB
Go
/*
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package phases
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/spf13/cobra"
|
|
"github.com/spf13/pflag"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
|
clientset "k8s.io/client-go/kubernetes"
|
|
bootstrapapi "k8s.io/client-go/tools/bootstrap/token/api"
|
|
bootstraputil "k8s.io/client-go/tools/bootstrap/token/util"
|
|
kubeadmapiext "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1"
|
|
"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/validation"
|
|
cmdutil "k8s.io/kubernetes/cmd/kubeadm/app/cmd/util"
|
|
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
|
"k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/clusterinfo"
|
|
"k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node"
|
|
"k8s.io/kubernetes/cmd/kubeadm/app/phases/certs/pkiutil"
|
|
kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
|
|
configutil "k8s.io/kubernetes/cmd/kubeadm/app/util/config"
|
|
kubeconfigutil "k8s.io/kubernetes/cmd/kubeadm/app/util/kubeconfig"
|
|
"k8s.io/kubernetes/cmd/kubeadm/app/util/pubkeypin"
|
|
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
|
"k8s.io/kubernetes/pkg/util/normalizer"
|
|
)
|
|
|
|
var (
|
|
allTokenLongDesc = normalizer.LongDesc(`
|
|
Bootstrap tokens are used for establishing bidirectional trust between a node joining
|
|
the cluster and a the master node.
|
|
|
|
This command makes all the configurations required to make bootstrap tokens works
|
|
and then creates an initial token.
|
|
` + cmdutil.AlphaDisclaimer)
|
|
|
|
allTokenExamples = normalizer.Examples(`
|
|
# Makes all the bootstrap token configurations and creates an initial token, functionally
|
|
# equivalent to what generated by kubeadm init.
|
|
kubeadm alpha phase bootstrap-token all
|
|
`)
|
|
|
|
createTokenLongDesc = normalizer.LongDesc(`
|
|
Creates a bootstrap token. If no token value is given, kubeadm will generate a random token instead.
|
|
|
|
Alternatively, you can use kubeadm token.
|
|
` + cmdutil.AlphaDisclaimer)
|
|
|
|
clusterInfoLongDesc = fmt.Sprintf(normalizer.LongDesc(`
|
|
Uploads the %q ConfigMap in the %q namespace, populating it with cluster information extracted from the
|
|
given kubeconfig file. The ConfigMap is used for the node bootstrap process in its initial phases,
|
|
before the client trusts the API server.
|
|
|
|
See online documentation about Authenticating with Bootstrap Tokens for more details.
|
|
`+cmdutil.AlphaDisclaimer), bootstrapapi.ConfigMapClusterInfo, metav1.NamespacePublic)
|
|
|
|
nodePostCSRsLongDesc = normalizer.LongDesc(`
|
|
Configures RBAC rules to allow node bootstrap tokens to post a certificate signing request,
|
|
thus enabling nodes joining the cluster to request long term certificate credentials.
|
|
|
|
See online documentation about TLS bootstrapping for more details.
|
|
` + cmdutil.AlphaDisclaimer)
|
|
|
|
nodeAutoApproveLongDesc = normalizer.LongDesc(`
|
|
Configures RBAC rules to allow the csrapprover controller to automatically approve
|
|
certificate signing requests generated by nodes joining the cluster.
|
|
It configures also RBAC rules for certificates rotation (with auto approval of new certificates).
|
|
|
|
See online documentation about TLS bootstrapping for more details.
|
|
` + cmdutil.AlphaDisclaimer)
|
|
)
|
|
|
|
// NewCmdBootstrapToken returns the Cobra command for running the mark-master phase
|
|
func NewCmdBootstrapToken() *cobra.Command {
|
|
var kubeConfigFile string
|
|
cmd := &cobra.Command{
|
|
Use: "bootstrap-token",
|
|
Short: "Manage kubeadm-specific bootstrap token functions",
|
|
Long: cmdutil.MacroCommandLongDescription,
|
|
Aliases: []string{"bootstraptoken"},
|
|
}
|
|
|
|
cmd.PersistentFlags().StringVar(&kubeConfigFile, "kubeconfig", "/etc/kubernetes/admin.conf", "The KubeConfig file to use when talking to the cluster")
|
|
|
|
// Add subcommands
|
|
cmd.AddCommand(NewSubCmdBootstrapTokenAll(&kubeConfigFile))
|
|
cmd.AddCommand(NewSubCmdBootstrapToken(&kubeConfigFile))
|
|
cmd.AddCommand(NewSubCmdClusterInfo(&kubeConfigFile))
|
|
cmd.AddCommand(NewSubCmdNodeBootstrapToken(&kubeConfigFile))
|
|
|
|
return cmd
|
|
}
|
|
|
|
// NewSubCmdBootstrapTokenAll returns the Cobra command for running the token all sub-phase
|
|
func NewSubCmdBootstrapTokenAll(kubeConfigFile *string) *cobra.Command {
|
|
cfg := &kubeadmapiext.MasterConfiguration{
|
|
// KubernetesVersion is not used by bootstrap-token, but we set this explicitly to avoid
|
|
// the lookup of the version from the internet when executing ConfigFileAndDefaultsToInternalConfig
|
|
KubernetesVersion: "v1.9.0",
|
|
}
|
|
|
|
// Default values for the cobra help text
|
|
legacyscheme.Scheme.Default(cfg)
|
|
|
|
var cfgPath, description string
|
|
var usages, extraGroups []string
|
|
var skipTokenPrint bool
|
|
|
|
cmd := &cobra.Command{
|
|
Use: "all",
|
|
Short: "Makes all the bootstrap token configurations and creates an initial token",
|
|
Long: allTokenLongDesc,
|
|
Example: allTokenExamples,
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
err := validation.ValidateMixedArguments(cmd.Flags())
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
client, err := kubeconfigutil.ClientSetFromFile(*kubeConfigFile)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Creates the bootstap token
|
|
err = createBootstrapToken(client, cfgPath, cfg, description, usages, extraGroups, skipTokenPrint)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create the cluster-info ConfigMap or update if it already exists
|
|
err = clusterinfo.CreateBootstrapConfigMapIfNotExists(client, *kubeConfigFile)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create the RBAC rules that expose the cluster-info ConfigMap properly
|
|
err = clusterinfo.CreateClusterInfoRBACRules(client)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create RBAC rules that makes the bootstrap tokens able to post CSRs
|
|
err = node.AllowBootstrapTokensToPostCSRs(client)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create RBAC rules that makes the bootstrap tokens able to get their CSRs approved automatically
|
|
err = node.AutoApproveNodeBootstrapTokens(client)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create/update RBAC rules that makes the nodes to rotate certificates and get their CSRs approved automatically
|
|
err = node.AutoApproveNodeCertificateRotation(client)
|
|
kubeadmutil.CheckErr(err)
|
|
},
|
|
}
|
|
|
|
// Adds flags to the command
|
|
addBootstrapTokenFlags(cmd.Flags(), cfg, &cfgPath, &description, &usages, &extraGroups, &skipTokenPrint)
|
|
|
|
return cmd
|
|
}
|
|
|
|
// NewSubCmdBootstrapToken returns the Cobra command for running the create token phase
|
|
func NewSubCmdBootstrapToken(kubeConfigFile *string) *cobra.Command {
|
|
cfg := &kubeadmapiext.MasterConfiguration{
|
|
// KubernetesVersion is not used by bootstrap-token, but we set this explicitly to avoid
|
|
// the lookup of the version from the internet when executing ConfigFileAndDefaultsToInternalConfig
|
|
KubernetesVersion: "v1.9.0",
|
|
}
|
|
|
|
// Default values for the cobra help text
|
|
legacyscheme.Scheme.Default(cfg)
|
|
|
|
var cfgPath, description string
|
|
var usages, extraGroups []string
|
|
var skipTokenPrint bool
|
|
|
|
cmd := &cobra.Command{
|
|
Use: "create",
|
|
Short: "Creates a bootstrap token to be used for node joining",
|
|
Long: createTokenLongDesc,
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
err := validation.ValidateMixedArguments(cmd.Flags())
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
client, err := kubeconfigutil.ClientSetFromFile(*kubeConfigFile)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
err = createBootstrapToken(client, cfgPath, cfg, description, usages, extraGroups, skipTokenPrint)
|
|
kubeadmutil.CheckErr(err)
|
|
},
|
|
}
|
|
|
|
// Adds flags to the command
|
|
addBootstrapTokenFlags(cmd.Flags(), cfg, &cfgPath, &description, &usages, &extraGroups, &skipTokenPrint)
|
|
|
|
return cmd
|
|
}
|
|
|
|
// NewSubCmdClusterInfo returns the Cobra command for running the cluster-info sub-phase
|
|
func NewSubCmdClusterInfo(kubeConfigFile *string) *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "cluster-info",
|
|
Short: "Uploads the cluster-info ConfigMap from the given kubeconfig file",
|
|
Long: clusterInfoLongDesc,
|
|
Aliases: []string{"clusterinfo"},
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
client, err := kubeconfigutil.ClientSetFromFile(*kubeConfigFile)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create the cluster-info ConfigMap or update if it already exists
|
|
err = clusterinfo.CreateBootstrapConfigMapIfNotExists(client, *kubeConfigFile)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create the RBAC rules that expose the cluster-info ConfigMap properly
|
|
err = clusterinfo.CreateClusterInfoRBACRules(client)
|
|
kubeadmutil.CheckErr(err)
|
|
},
|
|
}
|
|
return cmd
|
|
}
|
|
|
|
// NewSubCmdNodeBootstrapToken returns the Cobra command for running the node sub-phase
|
|
func NewSubCmdNodeBootstrapToken(kubeConfigFile *string) *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "node",
|
|
Short: "Configures the node bootstrap process",
|
|
Aliases: []string{"clusterinfo"},
|
|
Long: cmdutil.MacroCommandLongDescription,
|
|
}
|
|
|
|
cmd.AddCommand(NewSubCmdNodeBootstrapTokenPostCSRs(kubeConfigFile))
|
|
cmd.AddCommand(NewSubCmdNodeBootstrapTokenAutoApprove(kubeConfigFile))
|
|
|
|
return cmd
|
|
}
|
|
|
|
// NewSubCmdNodeBootstrapTokenPostCSRs returns the Cobra command for running the allow-post-csrs sub-phase
|
|
func NewSubCmdNodeBootstrapTokenPostCSRs(kubeConfigFile *string) *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "allow-post-csrs",
|
|
Short: "Configures RBAC to allow node bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials",
|
|
Long: nodePostCSRsLongDesc,
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
client, err := kubeconfigutil.ClientSetFromFile(*kubeConfigFile)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create RBAC rules that makes the bootstrap tokens able to post CSRs
|
|
err = node.AllowBootstrapTokensToPostCSRs(client)
|
|
kubeadmutil.CheckErr(err)
|
|
},
|
|
}
|
|
return cmd
|
|
}
|
|
|
|
// NewSubCmdNodeBootstrapTokenAutoApprove returns the Cobra command for running the allow-auto-approve sub-phase
|
|
func NewSubCmdNodeBootstrapTokenAutoApprove(kubeConfigFile *string) *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "allow-auto-approve",
|
|
Short: "Configures RBAC rules to allow the csrapprover controller automatically approve CSRs from a node bootstrap token",
|
|
Long: nodeAutoApproveLongDesc,
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
client, err := kubeconfigutil.ClientSetFromFile(*kubeConfigFile)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create RBAC rules that makes the bootstrap tokens able to get their CSRs approved automatically
|
|
err = node.AutoApproveNodeBootstrapTokens(client)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Create/update RBAC rules that makes the nodes to rotate certificates and get their CSRs approved automatically
|
|
err = node.AutoApproveNodeCertificateRotation(client)
|
|
kubeadmutil.CheckErr(err)
|
|
},
|
|
}
|
|
return cmd
|
|
}
|
|
|
|
func addBootstrapTokenFlags(flagSet *pflag.FlagSet, cfg *kubeadmapiext.MasterConfiguration, cfgPath, description *string, usages, extraGroups *[]string, skipTokenPrint *bool) {
|
|
flagSet.StringVar(
|
|
cfgPath, "config", *cfgPath,
|
|
"Path to kubeadm config file (WARNING: Usage of a configuration file is experimental)",
|
|
)
|
|
flagSet.StringVar(
|
|
&cfg.CertificatesDir, "cert-dir", cfg.CertificatesDir,
|
|
"The path where certificates are stored",
|
|
)
|
|
flagSet.StringVar(
|
|
&cfg.Token, "token", cfg.Token,
|
|
"The token to use for establishing bidirectional trust between nodes and masters",
|
|
)
|
|
flagSet.DurationVar(
|
|
&cfg.TokenTTL.Duration, "ttl", kubeadmconstants.DefaultTokenDuration,
|
|
"The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire",
|
|
)
|
|
flagSet.StringSliceVar(
|
|
usages, "usages", kubeadmconstants.DefaultTokenUsages,
|
|
fmt.Sprintf("Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [%s]", strings.Join(kubeadmconstants.DefaultTokenUsages, ",")),
|
|
)
|
|
flagSet.StringSliceVar(
|
|
extraGroups, "groups", []string{kubeadmconstants.NodeBootstrapTokenAuthGroup},
|
|
fmt.Sprintf("Extra groups that this token will authenticate as when used for authentication. Must match %q", bootstrapapi.BootstrapGroupPattern),
|
|
)
|
|
flagSet.StringVar(
|
|
description, "description", "The default bootstrap token generated by 'kubeadm init'.",
|
|
"A human friendly description of how this token is used.",
|
|
)
|
|
flagSet.BoolVar(
|
|
skipTokenPrint, "skip-token-print", *skipTokenPrint,
|
|
"Skip printing of the bootstrap token",
|
|
)
|
|
}
|
|
|
|
func createBootstrapToken(client clientset.Interface, cfgPath string, cfg *kubeadmapiext.MasterConfiguration, description string, usages, extraGroups []string, skipTokenPrint bool) error {
|
|
// adding groups only makes sense for authentication
|
|
usagesSet := sets.NewString(usages...)
|
|
usageAuthentication := strings.TrimPrefix(bootstrapapi.BootstrapTokenUsageAuthentication, bootstrapapi.BootstrapTokenUsagePrefix)
|
|
if len(extraGroups) > 0 && !usagesSet.Has(usageAuthentication) {
|
|
return fmt.Errorf("--groups cannot be specified unless --usages includes %q", usageAuthentication)
|
|
}
|
|
|
|
// validate any extra group names
|
|
for _, group := range extraGroups {
|
|
if err := bootstraputil.ValidateBootstrapGroupName(group); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// This call returns the ready-to-use configuration based on the configuration file that might or might not exist and the default cfg populated by flags
|
|
internalcfg, err := configutil.ConfigFileAndDefaultsToInternalConfig(cfgPath, cfg)
|
|
kubeadmutil.CheckErr(err)
|
|
|
|
// Load the CA certificate from so we can pin its public key
|
|
caCert, err := pkiutil.TryLoadCertFromDisk(internalcfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName)
|
|
if err != nil {
|
|
return fmt.Errorf("error loading ca cert from disk: %v", err)
|
|
}
|
|
|
|
// Creates or updates the token
|
|
if err := node.UpdateOrCreateToken(client, internalcfg.Token, false, internalcfg.TokenTTL.Duration, usages, extraGroups, description); err != nil {
|
|
return err
|
|
}
|
|
|
|
fmt.Println("[bootstraptoken] Bootstrap token Created")
|
|
if skipTokenPrint {
|
|
internalcfg.Token = "{token}"
|
|
}
|
|
fmt.Println("[bootstraptoken] You can now join any number of machines by running:")
|
|
fmt.Printf("[bootstraptoken] kubeadm join {master} --token %s --discovery-token-ca-cert-hash %s \n", internalcfg.Token, pubkeypin.Hash(caCert))
|
|
|
|
return nil
|
|
}
|