-
Notifications
You must be signed in to change notification settings - Fork 39.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dramatically simplify Kubernetes deployment #2303
Comments
----- Original Message -----
Run it in a Docker container - I think we can make everything we need work with:
(that's kubelet plus master all in one, I don't know what in the container would block us).
With scoped tokens we can do "this token gives you the right to identify yourself as X and set your own minion description, as well as watch for pods under X". Unfortunately you'd have to have one token per minion there so it's easy. So some sort of back-and-forth bootstrapper seems inevitable: "client: hey, I'm X", "server: I see you at X, here's your token to create yourself". As much as possible our ops team(s) wants to be able to push a button to provision new infra and have it self join, and are usually willing to embed whatever secrets are needed to make that easy into the image or image template.
|
I think that we'll want to have a scalable set of choices -- from having a shared token across all minions that lets them join to allowing for per-minion tokens that are much tricker to distribute but also more secure. Another option would be to borrow the salt model:
In this case, the bootstrap API is purely for discovery and not for auth bootstrapping. |
I dislike the non-timeout nature of the shared token. In my opinion it eases deployment considerably, but the attack vector of only needing this one secret to get into the cluster is not dealt with during the later lifetime of the cluster. |
It seems like it would be fairly easy for an ops team to rotate that token every X hours via a script against their IaaS, and maybe have a window where they overlap (valid for 9 hours, regenerate every 8). ----- Original Message -----
|
I'm leaning more and more to having this bootstrap API not be used for widespread identity or auth but rather for cluster metadata and simple auth. We will need auth to the bootstrap API itself. Quick spec that could work for bootstrap service. Kubernetes Cluster Bootstrap APIWhen bootstrapping up a cluster, there are two things that we need to do: Identify the master of the cluster (for both worker nodes and clients) and establish the 'admin' credentials for administering the cluster. The Kubernetes Cluster Bootstrap API is optional -- it is possible to get clusters started without using this API. It is also possible to easily run this API inside of a constrained private network. The basic flow -- some of these steps are optional to further lock down the security of the cluster.
Further notes:
API Definition
|
Other previous work here is the etcd discovery protocol: https://github.com/coreos/etcd/blob/master/Documentation/discovery-protocol.md |
Question: Are you thinking we'd run pods on the master node just like on any other node? One issue users have raised is that in a small cluster the master has minimal requirements, whereas the other nodes need to accommodate the requirements of the application being run on the cluster, and even single-digit numbers of pods may have significant cpu, memory, and/or flash requirements. |
@bgrant0607 Yes -- I want to enable a mode where you have 1-5 machines and just want to kick the tires. It should be dead simple to get stuff running in that situation. Download/install one binary/package and copy/paste around a super minimal amount of info. |
Has the discussion from the face-to-face been reflected in an issue? If so can we link it here? |
I'm going to pick this stuff up again this week and break it down into a bunch of sub-items. I think that @erictune and @kelseyhightower were going to write some stuff up. I'm happy to get on that though. |
fwiw there's similiar work to the etcd discovery protocol embedded in On Mon, Dec 15, 2014 at 1:05 PM, Joe Beda notifications@github.com wrote:
|
@kapilt Yup -- I bugged them to document it. I'd love for us to do something that it a little bit more secure than that. Right now if you can steal the single token/cluster id, you can steal the cluster. We also need to bootstrap the cluster parameters and the admin account. |
So I'm a huge +1 for this, with one caveat of having a whitelist option on master #3103 , with reverse DNS lookup on minions to join. That should narrow the vector. |
This is related to kubernetes#2303 and steals from kubernetes#2435.
We now separately track the items from this uber-proposal that are part of milestone v1, so removing that tag. |
Created label cluster/platform/mesos On Thu, Mar 19, 2015 at 2:40 PM, Timothy St. Clair <notifications@github.com
|
I've broken cluster bootstrapping out into #5754. |
I've broken the all-in-one binary out into #5755. |
For reference, "Allow for kubelets to securely nominate themselves to join the cluster" is being tracked in #3168. |
And "Recast add-ons as post-cluster deploy scripts/tools that run on top of kubernetes" is being tracked in #3579. |
Closing this umbrella issue now that all of the various parts have been split into separate issues. |
@jbeda, is it implemented/in process? I mean master/minion combined installation? I just didn't see it in the ones @roberthbailey separated this monstruosed issue to, can you point me to discussion? thx. |
This is related to kubernetes#2303 and steals from kubernetes#2435.
We need to dramatically simplify deploying Kubernetes.
Task list to reduce/eliminate the bash/salt necessary for getting a cluster up and running:
cc: @eparis @smarterclayton
The end result is that we'd love for something like this to work:
Once per cluster start up:
And then on every node in the cluster:
And then from the client, you can use the same URL to auth to the servers as an 'admin' user. It'll use the bootstrap url to get admin keys, certs and such. If you connect to a mode and it isn't the master, it'll return a redirect to who is currently the master. This way updating the bootstrap URL can lag actual master election.
The text was updated successfully, but these errors were encountered: