kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Node Authorizer Client Fix 

- fixing up the client for reboots ... somewhat of a oversight on my part :-)
- added the reason to the node denial message
This commit is contained in:
Rohith 2018-10-01 10:04:47 +01:00
parent 0959412fa4
commit 97dc2beb71
5 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
node-authorizer/cmd/node-authorizer/client.go
View File

@ -51,7 +51,7 @@ func addClientCommand() cli.Command {
Name: "kubeconfig", Name: "kubeconfig",
Usage: "location to write bootstrap token config `PATH`", Usage: "location to write bootstrap token config `PATH`",
EnvVar: "KUBECONFIG_BOOTSTRAP", EnvVar: "KUBECONFIG_BOOTSTRAP",
Value: "/var/run/kubelet/kubelet-bootstrap.yml", Value: "/var/lib/kubelet/bootstrap-kubeconfig",
}, },
cli.StringFlag{ cli.StringFlag{
Name: "tls-client-ca", Name: "tls-client-ca",

8
node-authorizer/pkg/client/client.go
View File

@ -43,6 +43,14 @@ func New(config *Config) error {
zap.String("kubeconfig", config.KubeConfigPath), zap.String("kubeconfig", config.KubeConfigPath),
zap.String("registration-url", config.NodeURL)) zap.String("registration-url", config.NodeURL))
// @step: if we have a kubecfg already we can skip it
if utils.FileExists(config.KubeConfigPath) {
utils.Logger.Info("skipping the client authorization as kubecfg found",
zap.String("kubecfg", config.KubeConfigPath))
return nil
}
// @step: create the verifier // @step: create the verifier
verifier, err := newNodeVerifier(config.Authorizer) verifier, err := newNodeVerifier(config.Authorizer)
if err != nil { if err != nil {

3
node-authorizer/pkg/server/admission.go
View File

@ -80,7 +80,8 @@ func (n *NodeAuthorizer) authorizeNodeRequest(ctx context.Context, request *Node
if !request.IsAllowed() { if !request.IsAllowed() {
utils.Logger.Error("the node has been denied authorization", utils.Logger.Error("the node has been denied authorization",
zap.String("client", request.Spec.RemoteAddr), zap.String("client", request.Spec.RemoteAddr),
zap.String("node", request.Spec.NodeName)) zap.String("node", request.Spec.NodeName),
zap.String("reason", request.Status.Reason))
nodeAuthorizationMetric.WithLabelValues("denied").Inc() nodeAuthorizationMetric.WithLabelValues("denied").Inc()

2
pkg/model/components/node-authorizer/options.go
View File

@ -100,5 +100,5 @@ func GetNodeAuthorizerImage() string {
return v return v
} }
return "quay.io/gambol99/node-authorizer:v0.0.2@sha256:78c20c69187d3098e196e2b645d0571aeef377adc5cbd89684023ec668306268" return "quay.io/gambol99/node-authorizer:v0.0.3@sha256:bc581658115e71d7a08bd5ca216368432d5b8d501ef70924ebd30627773bc134"
} }

2
upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
View File

@ -150,7 +150,7 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
if b.cluster.Spec.NodeAuthorization != nil { if b.cluster.Spec.NodeAuthorization != nil {
{ {
key := "node-authorizer.addons.k8s.io" key := "node-authorizer.addons.k8s.io"
version := "v0.0.2" version := "v0.0.3"
{ {
location := key + "/k8s-1.10.yaml" location := key + "/k8s-1.10.yaml"