-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update kubeadm token to work as expected #41663
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,7 +20,7 @@ import ( | |
"errors" | ||
"fmt" | ||
"io" | ||
"path" | ||
"strings" | ||
"text/tabwriter" | ||
"time" | ||
|
||
|
@@ -29,7 +29,9 @@ import ( | |
|
||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/apimachinery/pkg/fields" | ||
clientset "k8s.io/client-go/kubernetes" | ||
"k8s.io/client-go/pkg/api" | ||
"k8s.io/client-go/pkg/api/v1" | ||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" | ||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" | ||
tokenphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/token" | ||
|
@@ -42,9 +44,30 @@ import ( | |
|
||
func NewCmdToken(out io.Writer, errW io.Writer) *cobra.Command { | ||
|
||
var kubeConfigFile string | ||
tokenCmd := &cobra.Command{ | ||
Use: "token", | ||
Short: "Manage bootstrap tokens.", | ||
Long: dedent.Dedent(` | ||
This command will manage Bootstrap Token for you. | ||
Please note this usage of this command is optional, and mostly for advanced users. | ||
|
||
In short, Bootstrap Tokens are used for establishing bidirectional trust between a client and a server. | ||
A Bootstrap Token can be used when a client (for example a node that's about to join the cluster) needs | ||
to trust the server it is talking to. Then a Bootstrap Token with the "signing" usage can be used. | ||
Bootstrap Tokens can also function as a way to allow short-lived authentication to the API Server | ||
(the token serves as a way for the API Server to trust the client), for example for doing the TLS Bootstrap. | ||
|
||
What is a Bootstrap Token more exactly? | ||
- It is a Secret in the kube-system namespace of type "bootstrap.kubernetes.io/token". | ||
- A Bootstrap Token must be of the form "[a-z0-9]{6}.[a-z0-9]{16}"; the former part is the public Token ID, | ||
and the latter is the Token Secret, which must be kept private at all circumstances. | ||
- The name of the Secret must be named "bootstrap-token-(token-id)". | ||
|
||
You can read more about Bootstrap Tokens in this proposal: | ||
|
||
https://github.com/kubernetes/community/blob/master/contributors/design-proposals/bootstrap-discovery.md | ||
`), | ||
|
||
// Without this callback, if a user runs just the "token" | ||
// command without a subcommand, or with an invalid subcommand, | ||
|
@@ -60,44 +83,78 @@ func NewCmdToken(out io.Writer, errW io.Writer) *cobra.Command { | |
}, | ||
} | ||
|
||
var token string | ||
tokenCmd.PersistentFlags().StringVar(&kubeConfigFile, | ||
"kubeconfig", "/etc/kubernetes/admin.conf", "The KubeConfig file to use for talking to the cluster") | ||
|
||
var usages []string | ||
var tokenDuration time.Duration | ||
var description string | ||
createCmd := &cobra.Command{ | ||
Use: "create", | ||
Use: "create [token]", | ||
Short: "Create bootstrap tokens on the server.", | ||
Long: dedent.Dedent(` | ||
This command will create a Bootstrap Token for you. | ||
You can specify the usages for this token, the time to live and an optional human friendly description. | ||
|
||
The [token] is the actual token to write. | ||
This should be a securely generated random token of the form "[a-z0-9]{6}.[a-z0-9]{16}". | ||
If no [token] is given, kubeadm will generate a random token instead. | ||
`), | ||
Run: func(tokenCmd *cobra.Command, args []string) { | ||
err := RunCreateToken(out, tokenCmd, tokenDuration, token) | ||
token := "" | ||
if len(args) != 0 { | ||
token = args[0] | ||
} | ||
client, err := kubeconfigutil.ClientSetFromFile(kubeConfigFile) | ||
kubeadmutil.CheckErr(err) | ||
|
||
err = RunCreateToken(out, client, token, tokenDuration, usages, description) | ||
kubeadmutil.CheckErr(err) | ||
}, | ||
} | ||
createCmd.PersistentFlags().DurationVar(&tokenDuration, | ||
createCmd.Flags().DurationVar(&tokenDuration, | ||
"ttl", kubeadmconstants.DefaultTokenDuration, "The duration before the token is automatically deleted. 0 means 'never expires'.") | ||
createCmd.PersistentFlags().StringVar( | ||
&token, "token", "", | ||
"Shared secret used to secure cluster bootstrap. If none is provided, one will be generated for you.", | ||
) | ||
createCmd.Flags().StringSliceVar(&usages, | ||
"usages", kubeadmconstants.DefaultTokenUsages, "The ways in which this token can be used. Valid options: [signing,authentication].") | ||
createCmd.Flags().StringVar(&description, | ||
"description", "", "A human friendly description of how this token is used.") | ||
tokenCmd.AddCommand(createCmd) | ||
|
||
tokenCmd.AddCommand(NewCmdTokenGenerate(out)) | ||
|
||
listCmd := &cobra.Command{ | ||
Use: "list", | ||
Short: "List bootstrap tokens on the server.", | ||
Long: dedent.Dedent(` | ||
This command will list all Bootstrap Tokens for you. | ||
`), | ||
Run: func(tokenCmd *cobra.Command, args []string) { | ||
err := RunListTokens(out, errW, tokenCmd) | ||
client, err := kubeconfigutil.ClientSetFromFile(kubeConfigFile) | ||
kubeadmutil.CheckErr(err) | ||
|
||
err = RunListTokens(out, errW, client) | ||
kubeadmutil.CheckErr(err) | ||
}, | ||
} | ||
tokenCmd.AddCommand(listCmd) | ||
|
||
deleteCmd := &cobra.Command{ | ||
Use: "delete", | ||
Use: "delete [token-value]", | ||
Short: "Delete bootstrap tokens on the server.", | ||
Long: dedent.Dedent(` | ||
This command will delete a given Bootstrap Token for you. | ||
|
||
The [token-value] is the full Token of the form "[a-z0-9]{6}.[a-z0-9]{16}" or the | ||
Token ID of the form "[a-z0-9]{6}" to delete. | ||
`), | ||
Run: func(tokenCmd *cobra.Command, args []string) { | ||
if len(args) < 1 { | ||
kubeadmutil.CheckErr(fmt.Errorf("missing subcommand; 'token delete' is missing token of form [\"^([a-z0-9]{6})$\"]")) | ||
kubeadmutil.CheckErr(fmt.Errorf("missing subcommand; 'token delete' is missing token of form [%q]", tokenutil.TokenIDRegexpString)) | ||
} | ||
err := RunDeleteToken(out, tokenCmd, args[0]) | ||
client, err := kubeconfigutil.ClientSetFromFile(kubeConfigFile) | ||
kubeadmutil.CheckErr(err) | ||
|
||
err = RunDeleteToken(out, client, args[0]) | ||
kubeadmutil.CheckErr(err) | ||
}, | ||
} | ||
|
@@ -115,7 +172,7 @@ func NewCmdTokenGenerate(out io.Writer) *cobra.Command { | |
the "init" and "join" commands. | ||
|
||
You don't have to use this command in order to generate a token, you can do so | ||
yourself as long as it's in the format "<6 characters>:<16 characters>". This | ||
yourself as long as it's in the format "[a-z0-9]{6}.[a-z0-9]{16}". This | ||
command is provided for convenience to generate tokens in that format. | ||
|
||
You can also use "kubeadm init" without specifying a token, and it will | ||
|
@@ -129,27 +186,30 @@ func NewCmdTokenGenerate(out io.Writer) *cobra.Command { | |
} | ||
|
||
// RunCreateToken generates a new bootstrap token and stores it as a secret on the server. | ||
func RunCreateToken(out io.Writer, cmd *cobra.Command, tokenDuration time.Duration, token string) error { | ||
client, err := kubeconfigutil.ClientSetFromFile(path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AdminKubeConfigFileName)) | ||
if err != nil { | ||
return err | ||
} | ||
func RunCreateToken(out io.Writer, client *clientset.Clientset, token string, tokenDuration time.Duration, usages []string, description string) error { | ||
|
||
parsedID, parsedSecret, err := tokenutil.ParseToken(token) | ||
td := &kubeadmapi.TokenDiscovery{} | ||
var err error | ||
if len(token) == 0 { | ||
err = tokenutil.GenerateToken(td) | ||
} else { | ||
td.ID, td.Secret, err = tokenutil.ParseToken(token) | ||
} | ||
if err != nil { | ||
return err | ||
} | ||
td := &kubeadmapi.TokenDiscovery{ID: parsedID, Secret: parsedSecret} | ||
|
||
err = tokenphase.UpdateOrCreateToken(client, td, tokenDuration) | ||
// TODO: Validate usages here so we don't allow something unsupported | ||
err = tokenphase.CreateNewToken(client, td, tokenDuration, usages, description) | ||
if err != nil { | ||
return err | ||
} | ||
fmt.Fprintln(out, tokenutil.BearerToken(td)) | ||
|
||
fmt.Fprintln(out, tokenutil.BearerToken(td)) | ||
return nil | ||
} | ||
|
||
// RunGenerateToken just generates a random token for the user | ||
func RunGenerateToken(out io.Writer) error { | ||
td := &kubeadmapi.TokenDiscovery{} | ||
err := tokenutil.GenerateToken(td) | ||
|
@@ -162,12 +222,8 @@ func RunGenerateToken(out io.Writer) error { | |
} | ||
|
||
// RunListTokens lists details on all existing bootstrap tokens on the server. | ||
func RunListTokens(out io.Writer, errW io.Writer, cmd *cobra.Command) error { | ||
client, err := kubeconfigutil.ClientSetFromFile(path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AdminKubeConfigFileName)) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
func RunListTokens(out io.Writer, errW io.Writer, client *clientset.Clientset) error { | ||
// First, build our selector for bootstrap tokens only | ||
tokenSelector := fields.SelectorFromSet( | ||
map[string]string{ | ||
api.SecretTypeField: string(bootstrapapi.SecretTypeBootstrapToken), | ||
|
@@ -177,61 +233,99 @@ func RunListTokens(out io.Writer, errW io.Writer, cmd *cobra.Command) error { | |
FieldSelector: tokenSelector.String(), | ||
} | ||
|
||
results, err := client.Secrets(metav1.NamespaceSystem).List(listOptions) | ||
secrets, err := client.CoreV1().Secrets(metav1.NamespaceSystem).List(listOptions) | ||
if err != nil { | ||
return fmt.Errorf("failed to list bootstrap tokens [%v]", err) | ||
} | ||
|
||
w := tabwriter.NewWriter(out, 10, 4, 3, ' ', 0) | ||
fmt.Fprintln(w, "ID\tTOKEN\tTTL") | ||
for _, secret := range results.Items { | ||
tokenId, ok := secret.Data[bootstrapapi.BootstrapTokenIDKey] | ||
if !ok { | ||
fmt.Fprintf(errW, "[token] bootstrap token has no token-id data: %s\n", secret.Name) | ||
fmt.Fprintln(w, "TOKEN\tTTL\tEXPIRES\tUSAGES\tDESCRIPTION") | ||
for _, secret := range secrets.Items { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit+: We should skip/ignore/warn on tokens that don't match our naming requirement. |
||
tokenId := getSecretString(&secret, bootstrapapi.BootstrapTokenIDKey) | ||
if len(tokenId) == 0 { | ||
fmt.Fprintf(errW, "bootstrap token has no token-id data: %s\n", secret.Name) | ||
continue | ||
} | ||
|
||
// enforce the right naming convention | ||
if secret.Name != fmt.Sprintf("%s%s", bootstrapapi.BootstrapTokenSecretPrefix, tokenId) { | ||
fmt.Fprintf(errW, "bootstrap token name is not of the form '%s(token-id)': %s\n", bootstrapapi.BootstrapTokenSecretPrefix, secret.Name) | ||
continue | ||
} | ||
|
||
tokenSecret, ok := secret.Data[bootstrapapi.BootstrapTokenSecretKey] | ||
if !ok { | ||
fmt.Fprintf(errW, "[token] bootstrap token has no token-secret data: %s\n", secret.Name) | ||
tokenSecret := getSecretString(&secret, bootstrapapi.BootstrapTokenSecretKey) | ||
if len(tokenSecret) == 0 { | ||
fmt.Fprintf(errW, "bootstrap token has no token-secret data: %s\n", secret.Name) | ||
continue | ||
} | ||
td := &kubeadmapi.TokenDiscovery{ID: string(tokenId), Secret: string(tokenSecret)} | ||
td := &kubeadmapi.TokenDiscovery{ID: tokenId, Secret: tokenSecret} | ||
|
||
// Expiration time is optional, if not specified this implies the token | ||
// never expires. | ||
ttl := "<forever>" | ||
expires := "<never>" | ||
secretExpiration, ok := secret.Data[bootstrapapi.BootstrapTokenExpirationKey] | ||
if ok { | ||
expireTime, err := time.Parse(time.RFC3339, string(secretExpiration)) | ||
secretExpiration := getSecretString(&secret, bootstrapapi.BootstrapTokenExpirationKey) | ||
if len(secretExpiration) > 0 { | ||
expireTime, err := time.Parse(time.RFC3339, secretExpiration) | ||
if err != nil { | ||
return fmt.Errorf("error parsing expiration time [%v]", err) | ||
fmt.Fprintf(errW, "can't parse expiration time of bootstrap token %s\n", secret.Name) | ||
continue | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why don't we return an error if the time parsing fails? It seems like this function never returns an error that isn't nil inside the iteration of Secret Items. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. IMO, if one secret is malformed we want to be able to print out the rest of them. If we return an error here then one bad secret spoils everything. |
||
} | ||
expires = printers.ShortHumanDuration(expireTime.Sub(time.Now())) | ||
ttl = printers.ShortHumanDuration(expireTime.Sub(time.Now())) | ||
expires = expireTime.Format(time.RFC3339) | ||
} | ||
|
||
usages := []string{} | ||
for k, v := range secret.Data { | ||
// Skip all fields that don't include this prefix | ||
if !strings.Contains(k, bootstrapapi.BootstrapTokenUsagePrefix) { | ||
continue | ||
} | ||
// Skip those that don't have this usage set to true | ||
if string(v) != "true" { | ||
continue | ||
} | ||
usages = append(usages, strings.TrimPrefix(k, bootstrapapi.BootstrapTokenUsagePrefix)) | ||
} | ||
usageString := strings.Join(usages, ",") | ||
if len(usageString) == 0 { | ||
usageString = "<none>" | ||
} | ||
fmt.Fprintf(w, "%s\t%s\t%s\n", tokenId, tokenutil.BearerToken(td), expires) | ||
|
||
description := getSecretString(&secret, bootstrapapi.BootstrapTokenDescriptionKey) | ||
if len(description) == 0 { | ||
description = "<none>" | ||
} | ||
fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", tokenutil.BearerToken(td), ttl, expires, usageString, description) | ||
} | ||
w.Flush() | ||
|
||
return nil | ||
} | ||
|
||
// RunDeleteToken removes a bootstrap token from the server. | ||
func RunDeleteToken(out io.Writer, cmd *cobra.Command, tokenId string) error { | ||
if err := tokenutil.ParseTokenID(tokenId); err != nil { | ||
return err | ||
} | ||
|
||
client, err := kubeconfigutil.ClientSetFromFile(path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AdminKubeConfigFileName)) | ||
if err != nil { | ||
return err | ||
func RunDeleteToken(out io.Writer, client *clientset.Clientset, tokenIdOrToken string) error { | ||
// Assume the given first argument is a token id and try to parse it | ||
tokenId := tokenIdOrToken | ||
if err := tokenutil.ParseTokenID(tokenIdOrToken); err != nil { | ||
if tokenId, _, err = tokenutil.ParseToken(tokenIdOrToken); err != nil { | ||
return fmt.Errorf("given token or token id %q didn't match pattern [%q] or [%q]", tokenIdOrToken, tokenutil.TokenIDRegexpString, tokenutil.TokenRegexpString) | ||
} | ||
} | ||
|
||
tokenSecretName := fmt.Sprintf("%s%s", bootstrapapi.BootstrapTokenSecretPrefix, tokenId) | ||
if err := client.Secrets(metav1.NamespaceSystem).Delete(tokenSecretName, nil); err != nil { | ||
if err := client.CoreV1().Secrets(metav1.NamespaceSystem).Delete(tokenSecretName, nil); err != nil { | ||
return fmt.Errorf("failed to delete bootstrap token [%v]", err) | ||
} | ||
fmt.Fprintf(out, "[token] bootstrap token deleted: %s\n", tokenId) | ||
|
||
fmt.Fprintf(out, "bootstrap token with id %q deleted\n", tokenId) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. are we moving away from having [foo] labels? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. not generally, but it doesn't make sense to have it for only one line |
||
return nil | ||
} | ||
|
||
func getSecretString(secret *v1.Secret, key string) string { | ||
if secret.Data == nil { | ||
return "" | ||
} | ||
if val, ok := secret.Data[key]; ok { | ||
return string(val) | ||
} | ||
return "" | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The
[token]
parameter is undefined in the help text. I'd docreate [token-value]
and then change the description to document that "The token-value is the actual token to write. This should be a securely generated random token of the form [a-z0-9]{6}.[a-z0-9]{16}."