kubeadm: Secure the control plane communication and add the kubeconfig phase command

cmd/kubeadm/app/cmd/BUILD

@@ -24,6 +24,7 @@ go_library(
         "//cmd/kubeadm/app/apis/kubeadm:go_default_library",
         "//cmd/kubeadm/app/apis/kubeadm/v1alpha1:go_default_library",
         "//cmd/kubeadm/app/apis/kubeadm/validation:go_default_library",
+        "//cmd/kubeadm/app/cmd/phases:go_default_library",
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/discovery:go_default_library",
         "//cmd/kubeadm/app/master:go_default_library",
@@ -78,6 +79,9 @@ filegroup(
 
 filegroup(
     name = "all-srcs",
-    srcs = [":package-srcs"],
+    srcs = [
+        ":package-srcs",
+        "//cmd/kubeadm/app/cmd/phases:all-srcs",
+    ],
     tags = ["automanaged"],
 )

cmd/kubeadm/app/cmd/cmd.go

@@ -23,6 +23,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"k8s.io/apiserver/pkg/util/flag"
+	"k8s.io/kubernetes/cmd/kubeadm/app/cmd/phases"
 	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 )
 
@@ -88,6 +89,7 @@ func NewKubeadmCommand(f cmdutil.Factory, in io.Reader, out, err io.Writer) *cob
 		Short: "Experimental sub-commands not yet fully functional.",
 	}
 	experimentalCmd.AddCommand(NewCmdToken(out, err))
+	experimentalCmd.AddCommand(phases.NewCmdPhase(out))
 	cmds.AddCommand(experimentalCmd)
 
 	return cmds

cmd/kubeadm/app/cmd/init.go

@@ -197,7 +197,7 @@ func (i *Init) Run(out io.Writer) error {
 	// so we'll pick the first one, there is much of chance to have an empty
 	// slice by the time this gets called
 	masterEndpoint := fmt.Sprintf("https://%s:%d", i.cfg.API.AdvertiseAddresses[0], i.cfg.API.Port)
-	err = kubeconfigphase.CreateAdminAndKubeletKubeConfig(masterEndpoint, kubeadmapi.GlobalEnvParams.HostPKIPath, kubeadmapi.GlobalEnvParams.KubernetesDir)
+	err = kubeconfigphase.CreateInitKubeConfigFiles(masterEndpoint, kubeadmapi.GlobalEnvParams.HostPKIPath, kubeadmapi.GlobalEnvParams.KubernetesDir)
 	if err != nil {
 		return err
 	}

cmd/kubeadm/app/cmd/phases/BUILD

@@ -0,0 +1,36 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "kubeconfig.go",
+        "phase.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//cmd/kubeadm/app/constants:go_default_library",
+        "//cmd/kubeadm/app/phases/kubeconfig:go_default_library",
+        "//cmd/kubeadm/app/util:go_default_library",
+        "//vendor:github.com/spf13/cobra",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

cmd/kubeadm/app/cmd/phases/kubeconfig.go

@@ -0,0 +1,119 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package phases
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/spf13/cobra"
+
+	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
+	kubeconfigphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/kubeconfig"
+	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
+)
+
+func NewCmdKubeConfig(out io.Writer) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "kubeconfig",
+		Short: "Create KubeConfig files from given credentials.",
+		RunE:  subCmdRunE("kubeconfig"),
+	}
+
+	cmd.AddCommand(NewCmdToken(out))
+	cmd.AddCommand(NewCmdClientCerts(out))
+	return cmd
+}
+
+func NewCmdToken(out io.Writer) *cobra.Command {
+	config := &kubeconfigphase.BuildConfigProperties{
+		MakeClientCerts: false,
+	}
+	cmd := &cobra.Command{
+		Use:   "token",
+		Short: "Output a valid KubeConfig file to STDOUT with a token as the authentication method.",
+		Run: func(cmd *cobra.Command, args []string) {
+			err := RunCreateWithToken(out, config)
+			kubeadmutil.CheckErr(err)
+		},
+	}
+	addCommonFlags(cmd, config)
+	cmd.Flags().StringVar(&config.Token, "token", "", "The path to the directory where the certificates are.")
+	return cmd
+}
+
+func NewCmdClientCerts(out io.Writer) *cobra.Command {
+	config := &kubeconfigphase.BuildConfigProperties{
+		MakeClientCerts: true,
+	}
+	cmd := &cobra.Command{
+		Use:   "client-certs",
+		Short: "Output a valid KubeConfig file to STDOUT with a client certificates as the authentication method.",
+		Run: func(cmd *cobra.Command, args []string) {
+			err := RunCreateWithClientCerts(out, config)
+			kubeadmutil.CheckErr(err)
+		},
+	}
+	addCommonFlags(cmd, config)
+	cmd.Flags().StringSliceVar(&config.Organization, "organization", []string{}, "The organization (group) the certificate should be in.")
+	return cmd
+}
+
+func addCommonFlags(cmd *cobra.Command, config *kubeconfigphase.BuildConfigProperties) {
+	cmd.Flags().StringVar(&config.CertDir, "cert-dir", kubeadmconstants.DefaultCertDir, "The path to the directory where the certificates are.")
+	cmd.Flags().StringVar(&config.ClientName, "client-name", "", "The name of the client for which the KubeConfig file will be generated.")
+	cmd.Flags().StringVar(&config.APIServer, "server", "", "The location of the api server.")
+}
+
+func validateCommonFlags(config *kubeconfigphase.BuildConfigProperties) error {
+	if len(config.ClientName) == 0 {
+		return fmt.Errorf("The --client-name flag is required")
+	}
+	if len(config.APIServer) == 0 {
+		return fmt.Errorf("The --server flag is required")
+	}
+	return nil
+}
+
+// RunCreateWithToken generates a kubeconfig file from with a token as the authentication mechanism
+func RunCreateWithToken(out io.Writer, config *kubeconfigphase.BuildConfigProperties) error {
+	if len(config.Token) == 0 {
+		return fmt.Errorf("The --token flag is required")
+	}
+	if err := validateCommonFlags(config); err != nil {
+		return err
+	}
+	kubeConfigBytes, err := kubeconfigphase.GetKubeConfigBytesFromSpec(*config)
+	if err != nil {
+		return err
+	}
+	fmt.Fprintln(out, string(kubeConfigBytes))
+	return nil
+}
+
+// RunCreateWithClientCerts generates a kubeconfig file from with client certs as the authentication mechanism
+func RunCreateWithClientCerts(out io.Writer, config *kubeconfigphase.BuildConfigProperties) error {
+	if err := validateCommonFlags(config); err != nil {
+		return err
+	}
+	kubeConfigBytes, err := kubeconfigphase.GetKubeConfigBytesFromSpec(*config)
+	if err != nil {
+		return err
+	}
+	fmt.Fprintln(out, string(kubeConfigBytes))
+	return nil
+}

cmd/kubeadm/app/cmd/phases/phase.go

@@ -0,0 +1,49 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package phases
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/spf13/cobra"
+)
+
+func NewCmdPhase(out io.Writer) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "phase",
+		Short: "Invoke subsets of kubeadm functions separately for a manual install.",
+		RunE:  subCmdRunE("phase"),
+	}
+	cmd.AddCommand(NewCmdKubeConfig(out))
+	return cmd
+}
+
+// subCmdRunE returns a function that handles a case where a subcommand must be specified
+// Without this callback, if a user runs just the command without a subcommand,
+// or with an invalid subcommand, cobra will print usage information, but still exit cleanly.
+// We want to return an error code in these cases so that the
+// user knows that their command was invalid.
+func subCmdRunE(name string) func(*cobra.Command, []string) error {
+	return func(_ *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return fmt.Errorf("missing subcommand; %q is not meant to be run on its own", name)
+		} else {
+			return fmt.Errorf("invalid subcommand: %q", args[0])
+		}
+	}
+}

cmd/kubeadm/app/cmd/reset.go

@@ -223,6 +223,8 @@ func resetConfigDir(configPathDir, pkiPathDir string) {
 	filesToClean := []string{
 		filepath.Join(configPathDir, kubeadmconstants.AdminKubeConfigFileName),
 		filepath.Join(configPathDir, kubeadmconstants.KubeletKubeConfigFileName),
+		filepath.Join(configPathDir, kubeadmconstants.ControllerManagerKubeConfigFileName),
+		filepath.Join(configPathDir, kubeadmconstants.SchedulerKubeConfigFileName),
 	}
 	fmt.Printf("[reset] Deleting files: %v\n", filesToClean)
 	for _, path := range filesToClean {

cmd/kubeadm/app/constants/constants.go

@@ -49,12 +49,23 @@ const (
 	FrontProxyClientCertName           = "front-proxy-client.crt"
 	FrontProxyClientKeyName            = "front-proxy-client.key"
 
-	AdminKubeConfigFileName   = "admin.conf"
-	KubeletKubeConfigFileName = "kubelet.conf"
+	AdminKubeConfigFileName             = "admin.conf"
+	KubeletKubeConfigFileName           = "kubelet.conf"
+	ControllerManagerKubeConfigFileName = "controller-manager.conf"
+	SchedulerKubeConfigFileName         = "scheduler.conf"
+
+	DefaultCertDir = "/etc/kubernetes/pki"
 
 	// Important: a "v"-prefix shouldn't exist here; semver doesn't allow that
 	MinimumControlPlaneVersion = "1.6.0-alpha.2"
 
+	// Some well-known users and groups in the core Kubernetes authorization system
+
+	ControllerManagerUser = "system:kube-controller-manager"
+	SchedulerUser         = "system:kube-scheduler"
+	MastersGroup          = "system:masters"
+	NodesGroup            = "system:nodes"
+
 	// Constants for what we name our ServiceAccounts with limited access to the cluster in case of RBAC
 	KubeDNSServiceAccountName   = "kube-dns"
 	KubeProxyServiceAccountName = "kube-proxy"

cmd/kubeadm/app/master/manifests.go

@@ -91,10 +91,11 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 			Name:          kubeScheduler,
 			Image:         images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 			Command:       getSchedulerCommand(cfg, false),
+			VolumeMounts:  []api.VolumeMount{k8sVolumeMount()},
 			LivenessProbe: componentProbe(10251, "/healthz"),
 			Resources:     componentResources("100m"),
 			Env:           getProxyEnvVars(),
-		}),
+		}, k8sVolume(cfg)),
 	}
 
 	// Add etcd static pod spec only if external etcd is not configured
@@ -378,7 +379,7 @@ func getControllerManagerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted
 	command = append(getComponentBaseCommand(controllerManager),
 		"--address=127.0.0.1",
 		"--leader-elect",
-		"--master=127.0.0.1:8080",
+		"--kubeconfig="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName),
 		"--root-ca-file="+getCertFilePath(kubeadmconstants.CACertName),
 		"--service-account-private-key-file="+getCertFilePath(kubeadmconstants.ServiceAccountPrivateKeyName),
 		"--cluster-signing-cert-file="+getCertFilePath(kubeadmconstants.CACertName),
@@ -416,7 +417,7 @@ func getSchedulerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
 	command = append(getComponentBaseCommand(scheduler),
 		"--address=127.0.0.1",
 		"--leader-elect",
-		"--master=127.0.0.1:8080",
+		"--kubeconfig="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName),
 	)
 
 	return command

cmd/kubeadm/app/master/manifests_test.go

@@ -483,7 +483,7 @@ func TestGetControllerManagerCommand(t *testing.T) {
 				"kube-controller-manager",
 				"--address=127.0.0.1",
 				"--leader-elect",
-				"--master=127.0.0.1:8080",
+				"--kubeconfig=" + kubeadmapi.GlobalEnvParams.KubernetesDir + "/controller-manager.conf",
 				"--root-ca-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/ca.crt",
 				"--service-account-private-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.key",
 				"--cluster-signing-cert-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/ca.crt",
@@ -498,7 +498,7 @@ func TestGetControllerManagerCommand(t *testing.T) {
 				"kube-controller-manager",
 				"--address=127.0.0.1",
 				"--leader-elect",
-				"--master=127.0.0.1:8080",
+				"--kubeconfig=" + kubeadmapi.GlobalEnvParams.KubernetesDir + "/controller-manager.conf",
 				"--root-ca-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/ca.crt",
 				"--service-account-private-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.key",
 				"--cluster-signing-cert-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/ca.crt",
@@ -514,7 +514,7 @@ func TestGetControllerManagerCommand(t *testing.T) {
 				"kube-controller-manager",
 				"--address=127.0.0.1",
 				"--leader-elect",
-				"--master=127.0.0.1:8080",
+				"--kubeconfig=" + kubeadmapi.GlobalEnvParams.KubernetesDir + "/controller-manager.conf",
 				"--root-ca-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/ca.crt",
 				"--service-account-private-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.key",
 				"--cluster-signing-cert-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/ca.crt",
@@ -552,7 +552,7 @@ func TestGetSchedulerCommand(t *testing.T) {
 				"kube-scheduler",
 				"--address=127.0.0.1",
 				"--leader-elect",
-				"--master=127.0.0.1:8080",
+				"--kubeconfig=" + kubeadmapi.GlobalEnvParams.KubernetesDir + "/scheduler.conf",
 			},
 		},
 	}

cmd/kubeadm/app/phases/certs/certs.go

@@ -151,7 +151,7 @@ func CreatePKIAssets(cfg *kubeadmapi.MasterConfiguration, pkiDir string) error {
 		// TODO: Add a test case to verify that this cert has the x509.ExtKeyUsageClientAuth flag
 		config := certutil.Config{
 			CommonName:   "kube-apiserver-kubelet-client",
-			Organization: []string{"system:masters"},
+			Organization: []string{kubeadmconstants.MastersGroup},
 			Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		}
 		apiClientCert, apiClientKey, err := pkiutil.NewCertAndKey(caCert, caKey, config)