add static pods for rbacproxy

sync sync sync
openshift · Feb 8, 2024 · 16324c2 · 16324c2
1 parent 110a3ef
commit 16324c2
Show file tree

Hide file tree

Showing 7 changed files with 166 additions and 10 deletions.
diff --git a/pkg/controller/template/constants.go b/pkg/controller/template/constants.go
@@ -21,4 +21,7 @@ const (
 
 	// BaremetalRuntimeCfgKey is the key that references the baremetal-runtimecfg image in the controller
 	BaremetalRuntimeCfgKey string = "baremetalRuntimeCfgImage"
+
+	// KubeRbacProxyKey the key that references the kubeRbacProxy image
+	KubeRbacProxyKey string = "kubeRbacProxyImage"
 )
diff --git a/pkg/operator/bootstrap.go b/pkg/operator/bootstrap.go
@@ -150,6 +150,7 @@ func RenderBootstrap(
 		templatectrl.CorednsKey:             imgs.Coredns,
 		templatectrl.HaproxyKey:             imgs.Haproxy,
 		templatectrl.BaremetalRuntimeCfgKey: imgs.BaremetalRuntimeCfg,
+		templatectrl.KubeRbacProxyKey:       imgs.KubeRbacProxy,
 	}
 
 	config := getRenderConfig("", string(filesData[kubeAPIServerServingCA]), spec, &imgs.RenderConfigImages, infra.Status.APIServerInternalURL, nil)
@@ -176,7 +177,8 @@ func RenderBootstrap(
 		}, {
 			name:     "manifests/machineconfigserver/kube-apiserver-serving-ca-configmap.yaml",
 			filename: "manifests/kube-apiserver-serving-ca-configmap.yaml",
-		}}
+		},
+	}
 
 	manifests = appendManifestsByPlatform(manifests, *infra)
 

diff --git a/pkg/operator/sync.go b/pkg/operator/sync.go
@@ -56,13 +56,11 @@ const (
 	requiredForUpgradeMachineConfigPoolLabelKey = "operator.machineconfiguration.openshift.io/required-for-upgrade"
 )
 
-var (
-	platformsRequiringCloudConf = sets.NewString(
-		string(configv1.AzurePlatformType),
-		string(configv1.GCPPlatformType),
-		string(configv1.OpenStackPlatformType),
-		string(configv1.VSpherePlatformType),
-	)
+var platformsRequiringCloudConf = sets.NewString(
+	string(configv1.AzurePlatformType),
+	string(configv1.GCPPlatformType),
+	string(configv1.OpenStackPlatformType),
+	string(configv1.VSpherePlatformType),
 )
 
 type manifestPaths struct {
@@ -568,6 +566,7 @@ func (optr *Operator) syncRenderConfig(_ *renderConfig) error {
 		templatectrl.CorednsKey:               imgs.Coredns,
 		templatectrl.HaproxyKey:               imgs.Haproxy,
 		templatectrl.BaremetalRuntimeCfgKey:   imgs.BaremetalRuntimeCfg,
+		templatectrl.KubeRbacProxyKey:         imgs.KubeRbacProxy,
 	}
 
 	ignitionHost, err := getIgnitionHost(&infra.Status)
@@ -1538,7 +1537,6 @@ func (optr *Operator) getCAsFromConfigMap(namespace, name, key string) ([]byte,
 // it updates boot images.
 
 func (optr *Operator) stampBootImagesCM(pool *mcfgv1.MachineConfigPool) error {
-
 	// Ensure the targeted MC for this pool was generated by the current MCO
 	renderedMC, err := optr.mcLister.Get(pool.Spec.Configuration.Name)
 	if err != nil {
@@ -1726,7 +1724,6 @@ func isPoolStatusConditionTrue(pool *mcfgv1.MachineConfigPool, conditionType mcf
 // global pull secret. It also adds a default route to the registry for the firstboot scenario.
 
 func (optr *Operator) getImageRegistryPullSecrets() ([]byte, error) {
-
 	// Check if image registry exists, if it doesn't we no-op
 	co, err := optr.mcoCOLister.Get("image-registry")
 

diff --git a/templates/master/01-master-kubelet/_base/files/criometricsproxy-config.yaml b/templates/master/01-master-kubelet/_base/files/criometricsproxy-config.yaml
@@ -0,0 +1,10 @@
+mode: 0644
+path: "/etc/kube-rbac-proxy/crio-metrics-proxy.cfg"
+contents:
+  inline: |-
+    authorization:
+      resourceAttributes:
+        apiVersion: v1
+        resource: namespace
+        subresource: metrics
+        namespace: openshift-machine-config-operator
diff --git a/templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml b/templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml
@@ -0,0 +1,67 @@
+mode: 0644
+path: "/etc/kubernetes/manifests/criometricsproxy.yaml"
+contents:
+  inline: |-
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: crio-kube-rbac-proxy
+      namespace: openshift-machine-config-operator
+    spec:
+      volumes:
+      - name: host-fs
+        hostPath:
+          path: "/"
+      hostNetwork: true
+      initContainers:
+      - name: setup
+        terminationMessagePolicy: FallbackToLogsOnError
+        image: {{.Images.kubeRbacProxyImage}}
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: host-fs
+          mountPath: "/host"
+          mountPropagation: HostToContainer
+        command: ['/bin/bash', '-ec']
+        args:
+        - |
+          echo -n "Waiting for kubelet key and certificate to be available"
+          while [ -n "$(ls /host/var/lib/kubelet/pki/kubelet-server-current.pem)" ] ; do
+            echo -n "."
+            sleep 1
+            (( tries += 1 ))
+            if [[ "${tries}" -gt 10 ]]; then
+              echo "Timed out waiting for kubelet key and cert."
+              exit 1
+            fi
+          done
+        securityContext:
+          privileged: true
+      resources:
+        requests:
+          memory: 50Mi
+          cpu: 5m
+      containers:
+      - name: crio-kube-rbac-proxy
+        image: {{.Images.kubeRbacProxyImage}}
+        securityContext:
+          privileged: true
+        ports:
+        - containerPort: 9637
+        args:
+        - --secure-listen-address=:9637
+        - --logtostderr=true
+        - --config-file=/host/etc/kube-rbac-proxy/crio-metrics-proxy.cfg
+        - --kubeconfig=/host/etc/kubernetes/kubeconfig
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - --upstream=http://127.0.0.1:9537
+        - --tls-cert-file=/host/var/lib/kubelet/pki/kubelet-server-current.pem
+        - --tls-private-key-file=/host/var/lib/kubelet/pki/kubelet-server-current.pem
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        volumeMounts:
+        - name: host-fs
+          mountPath: "/host"
+          mountPropagation: HostToContainer
diff --git a/templates/worker/01-worker-kubelet/_base/files/criometricsproxy-config.yaml b/templates/worker/01-worker-kubelet/_base/files/criometricsproxy-config.yaml
@@ -0,0 +1,10 @@
+mode: 0644
+path: "/etc/kube-rbac-proxy/crio-metrics-proxy.cfg"
+contents:
+  inline: |-
+    authorization:
+      resourceAttributes:
+        apiVersion: v1
+        resource: namespace
+        subresource: metrics
+        namespace: openshift-machine-config-operator
diff --git a/templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml b/templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml
@@ -0,0 +1,67 @@
+mode: 0644
+path: "/etc/kubernetes/manifests/criometricsproxy.yaml"
+contents:
+  inline: |-
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: crio-kube-rbac-proxy
+      namespace: openshift-machine-config-operator
+    spec:
+      volumes:
+      - name: host-fs
+        hostPath:
+          path: "/"
+      hostNetwork: true
+      initContainers:
+      - name: setup
+        terminationMessagePolicy: FallbackToLogsOnError
+        image: {{.Images.kubeRbacProxyImage}}
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - name: host-fs
+          mountPath: "/host"
+          mountPropagation: HostToContainer
+        command: ['/bin/bash', '-ec']
+        args:
+        - |
+          echo -n "Waiting for kubelet key and certificate to be available"
+          while [ -n "$(ls /host/var/lib/kubelet/pki/kubelet-server-current.pem)" ] ; do
+            echo -n "."
+            sleep 1
+            (( tries += 1 ))
+            if [[ "${tries}" -gt 10 ]]; then
+              echo "Timed out waiting for kubelet key and cert."
+              exit 1
+            fi
+          done
+        securityContext:
+          privileged: true
+      resources:
+        requests:
+          memory: 50Mi
+          cpu: 5m
+      containers:
+      - name: crio-kube-rbac-proxy
+        image: {{.Images.kubeRbacProxyImage}}
+        securityContext:
+          privileged: true
+        ports:
+        - containerPort: 9637
+        args:
+        - --secure-listen-address=:9637
+        - --config-file=/host/etc/kube-rbac-proxy/crio-metrics-proxy.cfg
+        - --logtostderr=true
+        - --kubeconfig=/host/etc/kubernetes/kubeconfig
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - --upstream=http://127.0.0.1:9537
+        - --tls-cert-file=/host/var/lib/kubelet/pki/kubelet-server-current.pem
+        - --tls-private-key-file=/host/var/lib/kubelet/pki/kubelet-server-current.pem
+        resources:
+          requests:
+            cpu: 20m
+            memory: 50Mi
+        volumeMounts:
+        - name: host-fs
+          mountPath: "/host"
+          mountPropagation: HostToContainer