kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Requested Changes 

- fixed the various issues highlighted in https://github.com/kubernetes/kops/pull/3125
- changed the docuementation to make more sense
- changed the logic of the UseSecureKubelet to return early
This commit is contained in:
Rohith 2017-08-06 22:35:42 +01:00
parent 2fb60b9b3d
commit 9873fc1be5
5 changed files with 20 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/security.md
View File

@ -42,7 +42,7 @@ Kubernetes has a number of authentication mechanisms:
## Kubelet API ## Kubelet API
By default AnonymousAuth on the kubelet is off and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication; By default AnonymousAuth on the kubelet is 'on' and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication;
```YAML ```YAML
# In the cluster spec # In the cluster spec
@ -51,7 +51,7 @@ spec:
anonymousAuth: false anonymousAuth: false
``` ```
**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the pools. **Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the node instance groups.
### API Bearer Token ### API Bearer Token

12
nodeup/pkg/model/context.go
View File

@ -206,9 +206,14 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
cluster := &c.Cluster.Spec // just to shorten the typing cluster := &c.Cluster.Spec // just to shorten the typing
group := &c.InstanceGroup.Spec group := &c.InstanceGroup.Spec
// @check on the InstanceGroup itself
if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
return true
}
// @check if we have anything specific to master kubelet // @check if we have anything specific to master kubelet
if c.IsMaster { if c.IsMaster {
if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == true { if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == false {
return true return true
} }
} }
@ -218,10 +223,5 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
return true return true
} }
// @check on the InstanceGroup itself
if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
return true
}
return false return false
} }

2
nodeup/pkg/model/convenience.go
View File

@ -26,7 +26,7 @@ import (
"k8s.io/kops/upup/pkg/fi" "k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks" "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
"github.com/golang/glog" "github.com/golang/glog"
) )
// s is a helper that builds a *string from a string value // s is a helper that builds a *string from a string value

20
nodeup/pkg/model/kubeapiserver.go
View File

@ -72,15 +72,13 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
} }
// @check if we are using secure client certificates for kubelet and grab the certificates // @check if we are using secure client certificates for kubelet and grab the certificates
{ if b.UseSecureKubelet() {
if b.UseSecureKubelet() { name := "kubelet-api"
name := "kubelet-api" if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil {
if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil { return err
return err }
} if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil {
if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil { return err
return err
}
} }
} }
@ -165,9 +163,9 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
kubeAPIServer.EtcdServersOverrides = []string{"/events#https://127.0.0.1:4002"} kubeAPIServer.EtcdServersOverrides = []string{"/events#https://127.0.0.1:4002"}
} }
// @check if we are using secure kubelet client certificates // @check if we are using secure kubelet client certificates
if b.UseSecureKubelet() { if b.UseSecureKubelet() {
// @note we are making assumption we are using the one's created by the pki model, not custom defined ones // @note we are making assumption were using the ones created by the pki model, not custom defined ones
kubeAPIServer.KubeletClientCertificate = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.pem") kubeAPIServer.KubeletClientCertificate = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.pem")
kubeAPIServer.KubeletClientKey = filepath.Join(b.PathSrvKubernetes(), "kubelet-api-key.pem") kubeAPIServer.KubeletClientKey = filepath.Join(b.PathSrvKubernetes(), "kubelet-api-key.pem")
} }

2
pkg/model/pki.go
View File

@ -44,7 +44,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
} }
c.AddTask(t) c.AddTask(t)
} }
{ {
// Generate a kubelet client certificate for api to speak securely to kubelets. This change was first // Generate a kubelet client certificate for api to speak securely to kubelets. This change was first
// introduced in https://github.com/kubernetes/kops/pull/2831 where server.cert/key were used. With kubernetes >= 1.7 // introduced in https://github.com/kubernetes/kops/pull/2831 where server.cert/key were used. With kubernetes >= 1.7
// the certificate usage is being checked (obviously the above was server not client certificate) and so now fails // the certificate usage is being checked (obviously the above was server not client certificate) and so now fails