kubeadm: Secure the control plane communication and add the kubeconfig phase command #41897
@@ -0,0 +1,36 @@ | ||
package(default_visibility = ["//visibility:public"]) | ||
|
||
licenses(["notice"]) | ||
|
||
load( | ||
"@io_bazel_rules_go//go:def.bzl", | ||
"go_library", | ||
) | ||
|
||
go_library( | ||
name = "go_default_library", | ||
srcs = [ | ||
"kubeconfig.go", | ||
"phase.go", | ||
], | ||
tags = ["automanaged"], | ||
deps = [ | ||
"//cmd/kubeadm/app/constants:go_default_library", | ||
"//cmd/kubeadm/app/phases/kubeconfig:go_default_library", | ||
"//cmd/kubeadm/app/util:go_default_library", | ||
"//vendor:github.com/spf13/cobra", | ||
], | ||
) | ||
|
||
filegroup( | ||
name = "package-srcs", | ||
srcs = glob(["**"]), | ||
tags = ["automanaged"], | ||
visibility = ["//visibility:private"], | ||
) | ||
|
||
filegroup( | ||
name = "all-srcs", | ||
srcs = [":package-srcs"], | ||
tags = ["automanaged"], | ||
) |
@@ -0,0 +1,119 @@ | ||
/* | ||
Copyright 2017 The Kubernetes Authors. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package phases | ||
|
||
import ( | ||
"fmt" | ||
"io" | ||
|
||
"github.com/spf13/cobra" | ||
|
||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" | ||
kubeconfigphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig" | ||
kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util" | ||
) | ||
|
||
func NewCmdKubeConfig(out io.Writer) *cobra.Command { | ||
cmd := &cobra.Command{ | ||
Use: "kubeconfig", | ||
Short: "Create KubeConfig files from given credentials.", | ||
RunE: subCmdRunE("kubeconfig"), | ||
} | ||
|
||
cmd.AddCommand(NewCmdToken(out)) | ||
cmd.AddCommand(NewCmdClientCerts(out)) | ||
return cmd | ||
} | ||
|
||
func NewCmdToken(out io.Writer) *cobra.Command { | ||
config := &kubeconfigphase.BuildConfigProperties{ | ||
MakeClientCerts: false, | ||
} | ||
cmd := &cobra.Command{ | ||
Use: "token", | ||
Short: "Output a valid KubeConfig file to STDOUT with a token as the authentication method.", | ||
Run: func(cmd *cobra.Command, args []string) { | ||
err := RunCreateWithToken(out, config) | ||
kubeadmutil.CheckErr(err) | ||
}, | ||
} | ||
addCommonFlags(cmd, config) | ||
cmd.Flags().StringVar(&config.Token, "token", "", "The path to the directory where the certificates are.") | ||
return cmd | ||
} | ||
|
||
func NewCmdClientCerts(out io.Writer) *cobra.Command { | ||
config := &kubeconfigphase.BuildConfigProperties{ | ||
MakeClientCerts: true, | ||
} | ||
cmd := &cobra.Command{ | ||
Use: "client-certs", | ||
Short: "Output a valid KubeConfig file to STDOUT with a client certificates as the authentication method.", | ||
Run: func(cmd *cobra.Command, args []string) { | ||
err := RunCreateWithClientCerts(out, config) | ||
kubeadmutil.CheckErr(err) | ||
}, | ||
} | ||
addCommonFlags(cmd, config) | ||
cmd.Flags().StringSliceVar(&config.Organization, "organization", []string{}, "The organization (group) the certificate should be in.") | ||
return cmd | ||
} | ||
|
||
func addCommonFlags(cmd *cobra.Command, config *kubeconfigphase.BuildConfigProperties) { | ||
cmd.Flags().StringVar(&config.CertDir, "cert-dir", kubeadmconstants.DefaultCertDir, "The path to the directory where the certificates are.") | ||
cmd.Flags().StringVar(&config.ClientName, "client-name", "", "The name of the client for which the KubeConfig file will be generated.") | ||
cmd.Flags().StringVar(&config.APIServer, "server", "", "The location of the api server.") | ||
} | ||
|
||
func validateCommonFlags(config *kubeconfigphase.BuildConfigProperties) error { | ||
if len(config.ClientName) == 0 { | ||
return fmt.Errorf("The --client-name flag is required") | ||
} | ||
if len(config.APIServer) == 0 { | ||
return fmt.Errorf("The --server flag is required") | ||
} | ||
return nil | ||
} | ||
|
||
// RunCreateWithToken generates a kubeconfig file from with a token as the authentication mechanism | ||
func RunCreateWithToken(out io.Writer, config *kubeconfigphase.BuildConfigProperties) error { | ||
if len(config.Token) == 0 { | ||
return fmt.Errorf("The --token flag is required") | ||
} | ||
if err := validateCommonFlags(config); err != nil { | ||
return err | ||
} | ||
kubeConfigBytes, err := kubeconfigphase.GetKubeConfigBytesFromSpec(*config) | ||
if err != nil { | ||
return err | ||
} | ||
fmt.Fprintln(out, string(kubeConfigBytes)) | ||
return nil | ||
} | ||
|
||
// RunCreateWithClientCerts generates a kubeconfig file from with client certs as the authentication mechanism | ||
func RunCreateWithClientCerts(out io.Writer, config *kubeconfigphase.BuildConfigProperties) error { | ||
if err := validateCommonFlags(config); err != nil { | ||
return err | ||
} | ||
kubeConfigBytes, err := kubeconfigphase.GetKubeConfigBytesFromSpec(*config) | ||
if err != nil { | ||
return err | ||
} | ||
fmt.Fprintln(out, string(kubeConfigBytes)) | ||
return nil | ||
} |
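Review bot: The help text for `--token` on the `cmd.Flags().StringVar(&config.Token, "token", ...)` line in NewCmdToken is a copy-paste of the `--cert-dir` description and tells the user it is "the path to the directory where the certificates are"; suggest `cmd.Flags().StringVar(&config.Token, "token", "", "The token to embed as the credential in the generated KubeConfig file.")`. Because the token arrives as a command-line flag it is visible in `ps` output and shell history on the node, which deserves a sentence in the flag help or a Long description so operators treat the invocation as credential handling. validateCommonFlags only checks that `--server` is non-empty; parsing it with `url.Parse` and rejecting anything that is not an `https://` URL with a host would prevent silently emitting a kubeconfig that points at a plaintext or malformed endpoint, unless GetKubeConfigBytesFromSpec (outside this file) already does so. RunCreateWithToken and RunCreateWithClientCerts differ only in the token presence check; the shared tail (validate, GetKubeConfigBytesFromSpec, Fprintln) could be one unexported helper.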
@@ -0,0 +1,49 @@ | ||
/* | ||
Copyright 2017 The Kubernetes Authors. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package phases | ||
|
||
import ( | ||
"fmt" | ||
"io" | ||
|
||
"github.com/spf13/cobra" | ||
) | ||
|
||
func NewCmdPhase(out io.Writer) *cobra.Command { | ||
cmd := &cobra.Command{ | ||
Use: "phase", | ||
Short: "Invoke subsets of kubeadm functions separately for a manual install.", | ||
RunE: subCmdRunE("phase"), | ||
} | ||
cmd.AddCommand(NewCmdKubeConfig(out)) | ||
return cmd | ||
} | ||
|
||
// subCmdRunE returns a function that handles a case where a subcommand must be specified | ||
// Without this callback, if a user runs just the command without a subcommand, | ||
// or with an invalid subcommand, cobra will print usage information, but still exit cleanly. | ||
// We want to return an error code in these cases so that the | ||
// user knows that their command was invalid. | ||
func subCmdRunE(name string) func(*cobra.Command, []string) error { | ||
return func(_ *cobra.Command, args []string) error { | ||
if len(args) < 1 { | ||
return fmt.Errorf("missing subcommand; %q is not meant to be run on its own", name) | ||
} else { | ||
return fmt.Errorf("invalid subcommand: %q", args[0]) | ||
} | ||
} | ||
} |
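Review bot: subCmdRunE keeps an `else` after a returning `if`, which golint flags and which hides that the second branch is unconditional; drop the `else` so the body reads `if len(args) < 1 { return fmt.Errorf("missing subcommand; %q is not meant to be run on its own", name) }` followed directly by `return fmt.Errorf("invalid subcommand: %q", args[0])`. NewCmdPhase is exported without a doc comment; suggest `// NewCmdPhase returns the "phase" parent command, which only dispatches to subcommands and errors when invoked on its own.` above it.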
@@ -49,12 +49,23 @@ const ( | |
FrontProxyClientCertName = "front-proxy-client.crt" | ||
FrontProxyClientKeyName = "front-proxy-client.key" | ||
|
||
AdminKubeConfigFileName = "admin.conf" | ||
KubeletKubeConfigFileName = "kubelet.conf" | ||
AdminKubeConfigFileName = "admin.conf" | ||
KubeletKubeConfigFileName = "kubelet.conf" | ||
ControllerManagerKubeConfigFileName = "controller-manager.conf" | ||
SchedulerKubeConfigFileName = "scheduler.conf" | ||
|
||
DefaultCertDir = "/etc/kubernetes/pki" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this a pre-existing path from somewhere or is it net new? I'm just not very familiar with the tool. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This exists already as an environment variable option, but I'm registering this here now so I can gradually expose this as a flag and the API in different places and get rid of the env param(s) totally |
||
|
||
// Important: a "v"-prefix shouldn't exist here; semver doesn't allow that | ||
MinimumControlPlaneVersion = "1.6.0-alpha.2" | ||
|
||
// Some well-known users and groups in the core Kubernetes authorization system | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. These users and groups look correct. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I wondered, do we have these easily accessible anywhere else? |
||
|
||
ControllerManagerUser = "system:kube-controller-manager" | ||
SchedulerUser = "system:kube-scheduler" | ||
MastersGroup = "system:masters" | ||
NodesGroup = "system:nodes" | ||
|
||
// Constants for what we name our ServiceAccounts with limited access to the cluster in case of RBAC | ||
KubeDNSServiceAccountName = "kube-dns" | ||
KubeProxyServiceAccountName = "kube-proxy" | ||
|
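Review bot: DefaultCertDir and the well-known principals are added as exported constants with no comment saying what they authorize, and MastersGroup in particular is the group whose members are, as far as I know, treated as cluster superusers by the default RBAC bootstrap policy; suggest `// MastersGroup is treated as a cluster superuser by the default RBAC policy; only the admin kubeconfig should carry it.` on the MastersGroup line, since the new `--organization` flag lets any caller mint a client certificate in that group. A similar one-liner on DefaultCertDir noting that the directory holds the CA and component private keys and must stay readable by root only would tell users of the new `--cert-dir` flag what they are pointing at. The const block starts and ends outside this hunk.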
@@ -91,10 +91,11 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error { | |
Name: kubeScheduler, | ||
Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage), | ||
Command: getSchedulerCommand(cfg, false), | ||
VolumeMounts: []api.VolumeMount{k8sVolumeMount()}, | ||
LivenessProbe: componentProbe(10251, "/healthz"), | ||
Resources: componentResources("100m"), | ||
Env: getProxyEnvVars(), | ||
}), | ||
}, k8sVolume(cfg)), | ||
} | ||
|
||
// Add etcd static pod spec only if external etcd is not configured | ||
|
@@ -378,7 +379,7 @@ func getControllerManagerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted | |
command = append(getComponentBaseCommand(controllerManager), | ||
"--address=127.0.0.1", | ||
"--leader-elect", | ||
"--master=127.0.0.1:8080", | ||
"--kubeconfig="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This makes me happy There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Cool to make you happy :) I still think that the |
||
"--root-ca-file="+getCertFilePath(kubeadmconstants.CACertName), | ||
"--service-account-private-key-file="+getCertFilePath(kubeadmconstants.ServiceAccountPrivateKeyName), | ||
"--cluster-signing-cert-file="+getCertFilePath(kubeadmconstants.CACertName), | ||
|
@@ -416,7 +417,7 @@ func getSchedulerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [ | |
command = append(getComponentBaseCommand(scheduler), | ||
"--address=127.0.0.1", | ||
"--leader-elect", | ||
"--master=127.0.0.1:8080", | ||
"--kubeconfig="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName), | ||
) | ||
|
||
return command | ||
|
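Review bot: With `--kubeconfig` replacing `--master=127.0.0.1:8080`, the scheduler and controller-manager now authenticate with per-component credentials read from KubernetesDir, but the scheduler pod reaches that file through the added `VolumeMounts: []api.VolumeMount{k8sVolumeMount()}`; if k8sVolumeMount() (defined outside the hunk) exposes the whole directory read-write, the scheduler can read admin.conf and the other component kubeconfigs, which undoes the benefit of giving it its own `system:kube-scheduler` identity. Consider setting `ReadOnly: true` on that mount and scoping it to the component's own kubeconfig, or at minimum a comment on the mount line stating that it is intentionally broader than the one file the command needs. The same question applies to the controller-manager pod, whose VolumeMounts are not shown in this hunk. Both getControllerManagerCommand and getSchedulerCommand start outside the hunk.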
In our experience, people will probably want a "starting point" kubeconfig that doesn't have an identity, but does have the server connection information in it. Doesn't have to be in this pull, but it's likely to come up.
kubeadm alpha phase kubeconfig token --client-name foo --api-server https://ip-here --token bar
will give you nearly that. It will output the kubeconfig to stdout with the token, but it's very easy to just remove the bar token afterwards. We might consider a
kubeadm alpha phase kubeconfig basic
or bare
or server-only
or something if there's need.
Also -- this is the "cluster info" stuff that we put in the configmap for discovery bootstrap. The goal was to make this be the way to go and get this stuff. (
namespace/kube-public/configmaps/cluster-info
).