Adds metadata concealment addon for GCE node

cmd/kops/create_cluster.go

@@ -231,9 +231,9 @@ var (
 		--master-zones $ZONES \
 		--node-count 3 \
 		--yes
-		  
+
-	# Generate a cluster spec to apply later. 
+	# Generate a cluster spec to apply later.
-	# Run the following, then: kops create -f filename.yamlh 
+	# Run the following, then: kops create -f filename.yamlh
 	kops create cluster --name=kubernetes-cluster.example.com \
 		--state=s3://kops-state-1234 \
 		--zones=eu-west-1a \
@@ -1293,6 +1293,9 @@ func RunCreateCluster(f *util.Factory, out io.Writer, c *CreateClusterOptions) e
 			return err
 		}
 		fullGroup.AddInstanceGroupNodeLabel()
+		if api.CloudProviderID(cluster.Spec.CloudProvider) == api.CloudProviderGCE {
+			fullGroup.Spec.NodeLabels["cloud.google.com/metadata-proxy-ready"] = "true"
+		}
 		fullInstanceGroups = append(fullInstanceGroups, fullGroup)
 	}
 

cmd/kops/create_ig.go

@@ -163,6 +163,10 @@ func RunCreateInstanceGroup(f *util.Factory, cmd *cobra.Command, args []string,
 	}
 
 	ig.AddInstanceGroupNodeLabel()
+	if api.CloudProviderID(cluster.Spec.CloudProvider) == api.CloudProviderGCE {
+		fmt.Println("detected a GCE cluster; labeling nodes to receive metadata-proxy.")
+		ig.Spec.NodeLabels["cloud.google.com/metadata-proxy-ready"] = "true"
+	}
 
 	if options.DryRun {
 

upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/addon.yaml

@@ -1,10 +0,0 @@
-kind: Addons
-metadata:
-  name: metadata-concealment
-spec:
-  addons:
-  - version: 0.1
-    selector:
-      k8s-addon: metadata-concealment.addons.k8s.io
-    manifest: v0.1.yaml
-

upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/addon.yaml

@@ -0,0 +1,10 @@
+kind: Addons
+metadata:
+  name: metadata-proxy
+spec:
+  addons:
+  - version: 0.1.12
+    selector:
+      k8s-addon: metadata-proxy.addons.k8s.io
+    manifest: v0.1.yaml
+

upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml

@@ -1,3 +1,5 @@
+# Borrowed from https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/metadata-proxy
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -11,18 +13,18 @@ metadata:
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: metadata-proxy-v0.1
+  name: metadata-proxy-v0.12
   namespace: kube-system
   labels:
     k8s-app: metadata-proxy
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
-    version: v0.1
+    version: v0.12
 spec:
   selector:
     matchLabels:
       k8s-app: metadata-proxy
-      version: v0.1
+      version: v0.12
   updateStrategy:
     type: RollingUpdate
   template:
@@ -30,7 +32,7 @@ spec:
       labels:
         k8s-app: metadata-proxy
         kubernetes.io/cluster-service: "true"
-        version: v0.1
+        version: v0.12
     spec:
       priorityClassName: system-node-critical
       serviceAccountName: metadata-proxy
@@ -41,6 +43,22 @@ spec:
         effect: "NoExecute"
       - operator: "Exists"
         effect: "NoSchedule"
+      hostNetwork: true
+      initContainers:
+      - name: update-ipdtables
+        securityContext:
+          privileged: true
+        image: gcr.io/google_containers/k8s-custom-iptables:1.0
+        imagePullPolicy: Always
+        command: [ "/bin/sh", "-c", "/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -d 169.254.169.254 -j DNAT --to-destination 127.0.0.1:988" ]
+        volumeMounts:
+        - name: host
+          mountPath: /host
+      volumes:
+      - name: host
+        hostPath:
+          path: /
+          type: Directory
       containers:
       - name: metadata-proxy
         image: k8s.gcr.io/metadata-proxy:v0.1.12

upup/pkg/fi/cloudup/bootstrapchannelbuilder.go

@@ -520,24 +520,6 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 		}
 	}
 
-	if kops.CloudProviderID(b.cluster.Spec.CloudProvider) == kops.CloudProviderGCE {
-		key := "metadata-concealment.addons.k8s.io"
-		version := "0.1"
-
-		{
-			id := "v0.1"
-			location := key + "/" + id + ".yaml"
-
-			addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
-				Name:     fi.String(key),
-				Version:  fi.String(version),
-				Selector: map[string]string{"k8s-addon": key},
-				Manifest: fi.String(location),
-				Id:       id,
-			})
-		}
-	}
-
 	if featureflag.Spotinst.Enabled() {
 		key := "spotinst-kubernetes-cluster-controller.addons.k8s.io"
 
@@ -571,6 +553,26 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 		}
 	}
 
+	// The metadata-proxy daemonset conceals node metadata endpoints in GCE.
+	// It will land on nodes labeled cloud.google.com/metadata-proxy-ready=true
+	if kops.CloudProviderID(b.cluster.Spec.CloudProvider) == kops.CloudProviderGCE {
+		key := "metadata-proxy.addons.k8s.io"
+		version := "0.1.12"
+
+		{
+			id := "v0.1.12"
+			location := key + "/" + id + ".yaml"
+
+			addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
+				Name:     fi.String(key),
+				Version:  fi.String(version),
+				Selector: map[string]string{"k8s-addon": key},
+				Manifest: fi.String(location),
+				Id:       id,
+			})
+		}
+	}
+
 	// The role.kubernetes.io/networking is used to label anything related to a networking addin,
 	// so that if we switch networking plugins (e.g. calico -> weave or vice-versa), we'll replace the
 	// old networking plugin, and there won't be old pods "floating around".