Merge pull request #12036 from johngmyers/provision-kubecfg

Use kubeconfig for authentication and authorization as well

nodeup/pkg/model/kube_controller_manager.go

@@ -123,8 +123,10 @@ func (b *KubeControllerManagerBuilder) buildPod() (*v1.Pod, error) {
 		flags = append(flags, "--cloud-config="+CloudConfigFilePath)
 	}
 
-	// Add kubeconfig flag
-	flags = append(flags, "--kubeconfig="+"/var/lib/kube-controller-manager/kubeconfig")
+	// Add kubeconfig flags
+	for _, flag := range []string{"", "authentication-", "authorization-"} {
+		flags = append(flags, "--"+flag+"kubeconfig="+"/var/lib/kube-controller-manager/kubeconfig")
+	}
 
 	// Configure CA certificate to be used to sign keys
 	flags = append(flags, []string{

nodeup/pkg/model/kube_scheduler.go

@@ -150,6 +150,11 @@ func (b *KubeSchedulerBuilder) buildPod() (*v1.Pod, error) {
 
 	flags = append(flags, "--config="+"/var/lib/kube-scheduler/config.yaml")
 
+	// Add kubeconfig flags
+	for _, flag := range []string{"authentication-", "authorization-"} {
+		flags = append(flags, "--"+flag+"kubeconfig="+defaultKubeConfig)
+	}
+
 	if c.UsePolicyConfigMap != nil {
 		flags = append(flags, "--policy-configmap=scheduler-policy", "--policy-configmap-namespace=kube-system")
 	}

nodeup/pkg/model/tests/golden/minimal/tasks-kube-controller-manager.yaml

@@ -14,6 +14,8 @@ contents: |
     - args:
       - --allocate-node-cidrs=true
       - --attach-detach-reconcile-sync-period=1m0s
+      - --authentication-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
+      - --authorization-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
       - --cloud-config=/etc/kubernetes/cloud.config
       - --cloud-provider=aws
       - --cluster-cidr=100.96.0.0/11

nodeup/pkg/model/tests/golden/minimal/tasks-kube-scheduler.yaml

@@ -12,6 +12,8 @@ contents: |
   spec:
     containers:
     - args:
+      - --authentication-kubeconfig=/var/lib/kube-scheduler/kubeconfig
+      - --authorization-kubeconfig=/var/lib/kube-scheduler/kubeconfig
       - --config=/var/lib/kube-scheduler/config.yaml
       - --leader-elect=true
       - --v=2

nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-amd64.yaml

@@ -14,6 +14,8 @@ contents: |
     - args:
       - --allocate-node-cidrs=true
       - --attach-detach-reconcile-sync-period=1m0s
+      - --authentication-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
+      - --authorization-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
       - --cloud-config=/etc/kubernetes/cloud.config
       - --cloud-provider=aws
       - --cluster-cidr=100.96.0.0/11

nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-arm64.yaml

@@ -14,6 +14,8 @@ contents: |
     - args:
       - --allocate-node-cidrs=true
       - --attach-detach-reconcile-sync-period=1m0s
+      - --authentication-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
+      - --authorization-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
       - --cloud-config=/etc/kubernetes/cloud.config
       - --cloud-provider=aws
       - --cluster-cidr=100.96.0.0/11

nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-amd64.yaml

@@ -12,6 +12,8 @@ contents: |
   spec:
     containers:
     - args:
+      - --authentication-kubeconfig=/var/lib/kube-scheduler/kubeconfig
+      - --authorization-kubeconfig=/var/lib/kube-scheduler/kubeconfig
       - --config=/var/lib/kube-scheduler/config.yaml
       - --leader-elect=true
       - --v=2

nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-arm64.yaml

@@ -12,6 +12,8 @@ contents: |
   spec:
     containers:
     - args:
+      - --authentication-kubeconfig=/var/lib/kube-scheduler/kubeconfig
+      - --authorization-kubeconfig=/var/lib/kube-scheduler/kubeconfig
       - --config=/var/lib/kube-scheduler/config.yaml
       - --leader-elect=true
       - --v=2