Merge pull request #38212 from mikedanese/kubeletauth

Automatic merge from submit-queue (batch tested with PRs 38212, 38792, 39641, 36390, 39005)

Generate a kubelet CA and kube-apiserver cert-pair for kubelet auth.

cc @cjcullen
Kubernetes Submit Queue
2017-01-10 19:48:09 -08:00
committed by GitHub
15 changed files with 141 additions and 20 deletions


@@ -82,6 +82,8 @@
{% set cert_file = "--tls-cert-file=/srv/kubernetes/server.cert" -%}
{% set key_file = "--tls-private-key-file=/srv/kubernetes/server.key" -%}
{% set kubelet_cert_file = "--kubelet-client-certificate=/srv/kubernetes/kubeapiserver.cert" -%}
{% set kubelet_key_file = "--kubelet-client-key=/srv/kubernetes/kubeapiserver.key" -%}
{% set client_ca_file = "" -%}
{% set secure_port = "6443" -%}
@@ -169,7 +171,7 @@
{% endif -%}
{% set params = address + " " + storage_backend + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + feature_gates + " " + admission_control + " " + max_requests_inflight + " " + target_ram_mb + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout + " " + enable_garbage_collector + " " + etcd_quorum_read -%}
{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authentication_config + webhook_authorization_config + image_review_config -%}
{% set params = params + " " + cert_file + " " + key_file + " " + kubelet_cert_file + " " + kubelet_key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authentication_config + webhook_authorization_config + image_review_config -%}
# test_args has to be kept at the end, so they'll overwrite any prior configuration
{% if pillar['apiserver_test_args'] is defined -%}
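Review bot: The two new `{% set %}` lines for `--kubelet-client-certificate` and `--kubelet-client-key` are unconditional, unlike `client_ca_file` immediately below them, so on a master where /srv/kubernetes/kubeapiserver.cert and .key have not been laid down the apiserver will be started with flags pointing at missing files and will most likely fail to come up; gating them on a pillar key, as the kubelet side does with `kubelet_auth_ca_cert`, keeps the upgrade path safe. Separately, this pair only lets the apiserver present a client certificate to kubelets; nothing in the hunk sets `--kubelet-certificate-authority`, so the apiserver still accepts whatever serving certificate the kubelet offers, and that should be stated next to the new lines, e.g. `# kubelet client cert: authenticates apiserver->kubelet only; the kubelet serving cert is still not verified`. The rebuilt `params` line is one of several and the template continues outside the hunk.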


@@ -188,5 +188,10 @@
{% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %}
{% endif -%}
{% set kubelet_auth_ca_cert = "" %}
{% if pillar['kubelet_auth_ca_cert'] is defined -%}
{% set kubelet_auth_ca_cert="--anonymous-auth=false --client-ca-file=" + pillar['kubelet_auth_ca_cert'] %}
{% endif -%}
# test_args has to be kept at the end, so they'll overwrite any prior configuration
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{feature_gates}} {{test_args}}"
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth_ca_cert}} {{feature_gates}} {{test_args}}"
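Review bot: `--anonymous-auth=false --client-ca-file=...` only makes the kubelet authenticate its callers; the kubelet's authorization mode is not set anywhere in this hunk, and at this point it defaults to AlwaysAllow, so any client holding a certificate signed by that CA gets full access to the kubelet API. If that is intended for now, record it beside the `set`, e.g. `# authn only: requests are still authorized with the default AlwaysAllow mode`; otherwise `--authorization-mode=Webhook` belongs in the same flag string. When the pillar key is absent the fallback `{% set kubelet_auth_ca_cert = "" %}` silently leaves anonymous access to the secure port enabled, which is worth a one-line comment as well.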


@@ -31,6 +31,15 @@
- mode: 400
- makedirs: true
{% if pillar['kubelet_auth_ca_cert'] is defined %}
/var/lib/kubelet/kubelet_auth_ca.crt:
file.managed:
- source: salt://kubelet/kubelet_auth_ca.crt
- user: root
- group: root
- mode: 400
- makedirs: true
{% endif %}
{% if pillar.get('is_systemd') %}
@@ -52,6 +61,7 @@ fix-service-kubelet:
- file: {{ pillar.get('systemd_system_path') }}/kubelet.service
- file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig
- file: /var/lib/kubelet/kubelet_auth_ca.crt
{% else %}
@@ -79,6 +89,9 @@ kubelet:
{% endif %}
- file: {{ environment_file }}
- file: /var/lib/kubelet/kubeconfig
{% if pillar['kubelet_auth_ca_cert'] is defined %}
- file: /var/lib/kubelet/kubelet_auth_ca.crt
{% endif %}
{% if pillar.get('is_systemd') %}
- provider:
- service: systemd
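Review bot: The new `- file: /var/lib/kubelet/kubelet_auth_ca.crt` entry in the systemd `fix-service-kubelet` list is unconditional, while the `file.managed` state that creates it (first hunk) and the matching entry in the non-systemd `kubelet` service block (third hunk) are both wrapped in `{% if pillar['kubelet_auth_ca_cert'] is defined %}`. On a systemd node without that pillar key the requisite refers to a state that does not exist, and Salt fails the highstate on a missing requisite rather than skipping it. Wrap the line the same way as the other two occurrences: `{% if pillar['kubelet_auth_ca_cert'] is defined %}` / `- file: /var/lib/kubelet/kubelet_auth_ca.crt` / `{% endif %}`. The `fix-service-kubelet` state starts and ends outside the hunk.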


@@ -18,11 +18,6 @@
# it detects a failure. It then exits, and supervisord restarts it
# which in turn restarts the kubelet.
{% set kubelet_port = "10250" -%}
{% if pillar['kubelet_port'] is defined -%}
{% set kubelet_port = pillar['kubelet_port'] -%}
{% endif -%}
/etc/init.d/kubelet stop
/etc/init.d/kubelet start
@@ -32,9 +27,9 @@ sleep 60
max_seconds=10
while true; do
if ! curl --insecure -m ${max_seconds} -f -s https://127.0.0.1:{{kubelet_port}}/healthz > /dev/null; then
if ! curl -m ${max_seconds} -f -s http://127.0.0.1:10255/healthz > /dev/null; then
echo "kubelet failed!"
curl --insecure https://127.0.0.1:{{kubelet_port}}/healthz
curl http://127.0.0.1:10255/healthz
exit 2
fi
sleep 10
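Review bot: The health check now hard-codes the unauthenticated read-only port (`http://127.0.0.1:10255/healthz`), so the monitor only works while `--read-only-port` stays enabled; a node hardened with `--read-only-port=0` would have its kubelet restarted on every loop iteration. The switch is presumably because the secure port rejects anonymous requests once `--anonymous-auth=false` is set, and that coupling should be recorded above the `curl`, e.g. `# /healthz is probed on the read-only port (10255): the secure port now requires client auth, so the read-only port must stay enabled for this check`. The removed version also honoured `pillar['kubelet_port']`; the new one ignores any port override, which is fine for 10255 but should be said. The `while true` loop continues past the hunk.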