Node metadata-concealment in GCE, first pass

2020-02-26 20:23:18 -08:00 · 2020-02-26 20:23:18 -08:00 · 12ce5f0e9c
parent 7d030ae459
commit 12ce5f0e9c
4 changed files with 133 additions and 4 deletions
--- a/upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/addon.yaml
+++ b/upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/addon.yaml
@ -0,0 +1,10 @@
+kind: Addons
+metadata:
+  name: metadata-concealment
+spec:
+  addons:
+  - version: 0.1
+    selector:
+      k8s-addon: metadata-concealment.addons.k8s.io
+    manifest: v0.1.yaml
+
--- a/upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/v0.1.yaml
+++ b/upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/v0.1.yaml
@ -0,0 +1,88 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metadata-proxy
+  namespace: kube-system
+  labels:
+    k8s-app: metadata-proxy
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: metadata-proxy-v0.1
+  namespace: kube-system
+  labels:
+    k8s-app: metadata-proxy
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+    version: v0.1
+spec:
+  selector:
+    matchLabels:
+      k8s-app: metadata-proxy
+      version: v0.1
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        k8s-app: metadata-proxy
+        kubernetes.io/cluster-service: "true"
+        version: v0.1
+    spec:
+      priorityClassName: system-node-critical
+      serviceAccountName: metadata-proxy
+      hostNetwork: true
+      dnsPolicy: Default
+      tolerations:
+      - operator: "Exists"
+        effect: "NoExecute"
+      - operator: "Exists"
+        effect: "NoSchedule"
+      containers:
+      - name: metadata-proxy
+        image: k8s.gcr.io/metadata-proxy:v0.1.12
+        securityContext:
+          privileged: true
+        # Request and limit resources to get guaranteed QoS.
+        resources:
+          requests:
+            memory: "25Mi"
+            cpu: "30m"
+          limits:
+            memory: "25Mi"
+            cpu: "30m"
+      # BEGIN_PROMETHEUS_TO_SD
+      - name: prometheus-to-sd-exporter
+        image: k8s.gcr.io/prometheus-to-sd:v0.5.0
+        # Request and limit resources to get guaranteed QoS.
+        resources:
+          requests:
+            memory: "20Mi"
+            cpu: "2m"
+          limits:
+            memory: "20Mi"
+            cpu: "2m"
+        command:
+          - /monitor
+          - --stackdriver-prefix={{ prometheus_to_sd_prefix }}/addons
+          - --api-override={{ prometheus_to_sd_endpoint }}
+          - --source=metadata_proxy:http://127.0.0.1:989?whitelisted=request_count
+          - --pod-id=$(POD_NAME)
+          - --namespace-id=$(POD_NAMESPACE)
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      # END_PROMETHEUS_TO_SD
+      nodeSelector:
+        cloud.google.com/metadata-proxy-ready: "true"
+        beta.kubernetes.io/os: linux
+      terminationGracePeriodSeconds: 30
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@ -520,6 +520,24 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 		}
 	}

+	if kops.CloudProviderID(b.cluster.Spec.CloudProvider) == kops.CloudProviderGCE {
+		key := "metadata-concealment.addons.k8s.io"
+		version := "0.1"
+
+		{
+			id := "v0.1"
+			location := key + "/" + id + ".yaml"
+
+			addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
+				Name:     fi.String(key),
+				Version:  fi.String(version),
+				Selector: map[string]string{"k8s-addon": key},
+				Manifest: fi.String(location),
+				Id:       id,
+			})
+		}
+	}
+
 	if featureflag.Spotinst.Enabled() {
 		key := "spotinst-kubernetes-cluster-controller.addons.k8s.io"

--- a/upup/pkg/fi/cloudup/gcetasks/instancetemplate.go
+++ b/upup/pkg/fi/cloudup/gcetasks/instancetemplate.go
@ -45,9 +45,9 @@ type InstanceTemplate struct {

 	Lifecycle *fi.Lifecycle

-	Network *Network
-	Tags    []string
-	//Labels      map[string]string
+	Network     *Network
+	Tags        []string
+	Labels      map[string]string
 	Preemptible *bool

 	BootDiskImage  *string
@ -103,6 +103,7 @@ func (e *InstanceTemplate) Find(c *fi.Context) (*InstanceTemplate, error) {
 		p := r.Properties

 		actual.Tags = append(actual.Tags, p.Tags.Items...)
+		actual.Labels = p.Labels
 		actual.MachineType = fi.String(lastComponent(p.MachineType))
 		actual.CanIPForward = &p.CanIpForward

@ -245,6 +246,17 @@ func (e *InstanceTemplate) mapToGCE(project string, region string) (*compute.Ins
 		}
 	}

+	// Question: do we want to make metadata-concealment configurable?
+	// Ordering the task like this _should_ make it possible to override
+	labels := map[string]string{
+		"cloud.google.com/metadata-proxy-ready": "true",
+	}
+	if e.Labels != nil {
+		for k, v := range e.Labels {
+			labels[k] = v
+		}
+	}
+
 	var networkInterfaces []*compute.NetworkInterface
 	ni := &compute.NetworkInterface{
 		Kind: "compute#networkInterface",
@ -315,7 +327,8 @@ func (e *InstanceTemplate) mapToGCE(project string, region string) (*compute.Ins

 			ServiceAccounts: serviceAccounts,

-			Tags: tags,
+			Tags:   tags,
+			Labels: labels,
 		},
 	}