Requested Changes

- fixed the various issues highlighted in https://github.com/kubernetes/kops/pull/3125
- changed the documentation to make more sense
- changed the logic of the UseSecureKubelet to return early
Rohith 2017-08-06 22:35:42 +01:00
parent 2fb60b9b3d
commit 9873fc1be5
5 changed files with 20 additions and 22 deletions


@ -42,7 +42,7 @@ Kubernetes has a number of authentication mechanisms:
## Kubelet API
By default AnonymousAuth on the kubelet is off and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication;
By default AnonymousAuth on the kubelet is 'on' and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication;
```YAML
# In the cluster spec
@ -51,7 +51,7 @@ spec:
anonymousAuth: false
```
**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the pools.
**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the node instance groups.
### API Bearer Token


@ -206,9 +206,14 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
cluster := &c.Cluster.Spec // just to shorten the typing
group := &c.InstanceGroup.Spec
// @check on the InstanceGroup itself
if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
return true
}
// @check if we have anything specific to master kubelet
if c.IsMaster {
if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == true {
if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == false {
return true
}
}
@ -218,10 +223,5 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
return true
}
// @check on the InstanceGroup itself
if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
return true
}
return false
}
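Review bot: Every check in this function returns true as soon as one spec sets AnonymousAuth to false, so once the master or cluster-wide kubelet spec disables anonymous auth an instance group cannot re-enable it with `anonymousAuth: true` — the most specific spec does not win, which is the opposite of the usual override convention and should be stated above the first check, e.g. `// @note the secure kubelet client is used if ANY of the instance group, master or cluster kubelet specs disables anonymous auth; a more specific spec cannot re-enable it`. Old lines 215-217 fall between the two hunks and are not shown, so the cluster-wide check is inferred from the `return true` that opens the second hunk. The comparisons against boolean constants are flagged by staticcheck; `!*group.Kubelet.AnonymousAuth` reads better than `*group.Kubelet.AnonymousAuth == false`, and the same applies to the master and cluster checks. UseSecureKubelet's signature is outside the hunk.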


@ -72,7 +72,6 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
}
// @check if we are using secure client certificates for kubelet and grab the certificates
{
if b.UseSecureKubelet() {
name := "kubelet-api"
if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil {
@ -82,7 +81,6 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
return err
}
}
}
// Touch log file, so that docker doesn't create a directory instead
{
@ -167,7 +165,7 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
// @check if we are using secure kubelet client certificates
if b.UseSecureKubelet() {
// @note we are making assumption we are using the one's created by the pki model, not custom defined ones
// @note we are making assumption were using the ones created by the pki model, not custom defined ones
kubeAPIServer.KubeletClientCertificate = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.pem")
kubeAPIServer.KubeletClientKey = filepath.Join(b.PathSrvKubernetes(), "kubelet-api-key.pem")
}
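Review bot: The certificate file names on the last two lines, `kubelet-api.pem` and `kubelet-api-key.pem`, repeat the `kubelet-api` name that the first hunk passes to buildCertificateRequest as the literal `name := "kubelet-api"`; if either side is renamed the apiserver would be pointed at a client certificate that was never issued, and the mismatch would only surface as kubelet-API authentication failures at runtime. Define the name once, e.g. `const kubeletAPICertName = "kubelet-api"`, and derive both the request and the paths from it (`kubeletAPICertName+".pem"`, `kubeletAPICertName+"-key.pem"`). The rewritten comment in the last hunk reads `were` where `we're` is meant. Both Build and buildPod start outside their hunks.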