Requested Changes

- fixed the various issues highlighted in https://github.com/kubernetes/kops/pull/3125 - changed the docuementation to make more sense - changed the logic of the UseSecureKubelet to return early
2017-08-06 22:35:42 +01:00 · 2017-08-06 22:35:42 +01:00 · 9873fc1be5
parent 2fb60b9b3d
commit 9873fc1be5
5 changed files with 20 additions and 22 deletions
--- a/docs/security.md
+++ b/docs/security.md
@ -42,7 +42,7 @@ Kubernetes has a number of authentication mechanisms:

 ## Kubelet API

-By default AnonymousAuth on the kubelet is off and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication;
+By default AnonymousAuth on the kubelet is 'on' and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication;

 ```YAML
 # In the cluster spec
@ -51,7 +51,7 @@ spec:
    anonymousAuth: false
 ```

-**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the pools. 
+**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the node instance groups.

 ### API Bearer Token

--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@ -206,9 +206,14 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
 	cluster := &c.Cluster.Spec // just to shorten the typing
 	group := &c.InstanceGroup.Spec

+	// @check on the InstanceGroup itself
+	if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
+		return true
+	}
+
 	// @check if we have anything specific to master kubelet
 	if c.IsMaster {
-		if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == true {
+		if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == false {
 			return true
 		}
 	}
@ -218,10 +223,5 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
 		return true
 	}

-	// @check on the InstanceGroup itself
-	if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
-		return true
-	}
-
 	return false
 }
--- a/nodeup/pkg/model/convenience.go
+++ b/nodeup/pkg/model/convenience.go
@ -26,7 +26,7 @@ import (
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"

-        "github.com/golang/glog"
+	"github.com/golang/glog"
 )

 // s is a helper that builds a *string from a string value
--- a/nodeup/pkg/model/kubeapiserver.go
+++ b/nodeup/pkg/model/kubeapiserver.go
@ -72,15 +72,13 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 	}

 	// @check if we are using secure client certificates for kubelet and grab the certificates
-	{
-		if b.UseSecureKubelet() {
-			name := "kubelet-api"
-			if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil {
-				return err
-			}
-			if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil {
-				return err
-			}
+	if b.UseSecureKubelet() {
+		name := "kubelet-api"
+		if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil {
+			return err
+		}
+		if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil {
+			return err
 		}
 	}

@ -164,10 +162,10 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 		kubeAPIServer.EtcdServers = []string{"https://127.0.0.1:4001"}
 		kubeAPIServer.EtcdServersOverrides = []string{"/events#https://127.0.0.1:4002"}
 	}
-   
-        // @check if we are using secure kubelet client certificates
+
+	// @check if we are using secure kubelet client certificates
 	if b.UseSecureKubelet() {
-		// @note we are making assumption we are using the one's created by the pki model, not custom defined ones
+		// @note we are making assumption were using the ones created by the pki model, not custom defined ones
 		kubeAPIServer.KubeletClientCertificate = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.pem")
 		kubeAPIServer.KubeletClientKey = filepath.Join(b.PathSrvKubernetes(), "kubelet-api-key.pem")
 	}
--- a/pkg/model/pki.go
+++ b/pkg/model/pki.go
@ -44,7 +44,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 		c.AddTask(t)
 	}
-        {
+	{
 		// Generate a kubelet client certificate for api to speak securely to kubelets. This change was first
 		// introduced in https://github.com/kubernetes/kops/pull/2831 where server.cert/key were used. With kubernetes >= 1.7
 		// the certificate usage is being checked (obviously the above was server not client certificate) and so now fails