diff --git a/cmd/kops-controller/pkg/server/server.go b/cmd/kops-controller/pkg/server/server.go
index afa264165d..0659d866ea 100644
--- a/cmd/kops-controller/pkg/server/server.go
+++ b/cmd/kops-controller/pkg/server/server.go
@@ -168,6 +168,10 @@ func (s *Server) issueCert(name string, pubKey string, id *fi.VerifyResult, vali
 		issueReq.Subject = pkix.Name{
 			CommonName: rbac.KubeProxy,
 		}
+	case "kube-router":
+		issueReq.Subject = pkix.Name{
+			CommonName: rbac.KubeRouter,
+		}
 	default:
 		return "", fmt.Errorf("unexpected key name")
 	}
diff --git a/nodeup/pkg/model/networking/BUILD.bazel b/nodeup/pkg/model/networking/BUILD.bazel
index df6fff01be..f5a0843b3d 100644
--- a/nodeup/pkg/model/networking/BUILD.bazel
+++ b/nodeup/pkg/model/networking/BUILD.bazel
@@ -14,6 +14,7 @@ go_library(
     deps = [
         "//nodeup/pkg/model:go_default_library",
         "//pkg/apis/kops:go_default_library",
+        "//pkg/rbac:go_default_library",
         "//upup/pkg/fi:go_default_library",
         "//upup/pkg/fi/nodeup/nodetasks:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws:go_default_library",
diff --git a/nodeup/pkg/model/networking/kube_router.go b/nodeup/pkg/model/networking/kube_router.go
index 388d335daf..2700808880 100644
--- a/nodeup/pkg/model/networking/kube_router.go
+++ b/nodeup/pkg/model/networking/kube_router.go
@@ -18,6 +18,7 @@ package networking
 
 import (
 	"k8s.io/kops/nodeup/pkg/model"
+	"k8s.io/kops/pkg/rbac"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
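Review bot: The new `case "kube-router":` issues a certificate whose CommonName is the cluster-wide `system:kube-router` identity regardless of which node the `id` argument identifies; like the `kube-proxy` case just above it, every node that completes bootstrap therefore ends up holding a credential for the whole kube-router RBAC role, and nothing in the hunk records that this sharing is intended. I would state it on the case: `// Shared identity: every bootstrapped node receives the same system:kube-router client cert (mirrors kube-proxy).` The enclosing switch and the signing that follows it lie outside the hunk, so whether `id` is consulted elsewhere in issueCert cannot be seen here.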
@@ -37,14 +38,21 @@ func (b *KuberouterBuilder) Build(c *fi.ModelBuilderContext) error {
 		return nil
 	}
 
-	kubeconfig, err := b.BuildPKIKubeconfig("kube-router")
-	if err != nil {
-		return err
+	var kubeconfig fi.Resource
+	var err error
+
+	if b.IsMaster {
+		kubeconfig = b.BuildIssuedKubeconfig("kube-router", nodetasks.PKIXName{CommonName: rbac.KubeRouter}, c)
+	} else {
+		kubeconfig, err = b.BuildBootstrapKubeconfig("kube-router", c)
+		if err != nil {
+			return err
+		}
 	}
 
 	c.AddTask(&nodetasks.File{
 		Path: "/var/lib/kube-router/kubeconfig",
-		Contents: fi.NewStringResource(kubeconfig),
+		Contents: kubeconfig,
 		Type: nodetasks.FileType_File,
 		Mode: fi.String("0400"),
 	})
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 855d1421c7..e8e2727b22 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -474,7 +474,7 @@ func ReadableStatePaths(cluster *kops.Cluster, role kops.InstanceGroupRole) ([]s
 
 	if networkingSpec != nil {
 		// @check if kuberoute is enabled and permit access to the private key
-		if networkingSpec.Kuberouter != nil {
+		if networkingSpec.Kuberouter != nil && !model.UseKopsControllerForNodeBootstrap(cluster) {
 			paths = append(paths, "/pki/private/kube-router/*")
 		}
 
diff --git a/pkg/model/pki.go b/pkg/model/pki.go
index 26b0c2e450..60aee7e3f2 100644
--- a/pkg/model/pki.go
+++ b/pkg/model/pki.go
@@ -140,10 +140,10 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 	}
 
-	if b.KopsModelContext.Cluster.Spec.Networking.Kuberouter != nil {
+	if b.KopsModelContext.Cluster.Spec.Networking.Kuberouter != nil && !b.UseKopsControllerForNodeBootstrap() {
 		t := &fitasks.Keypair{
 			Name: fi.String("kube-router"),
-			Subject: "cn=" + "system:kube-router",
+			Subject: "cn=" + rbac.KubeRouter,
 			Type: "client",
 			Signer: defaultCA,
 		}
diff --git a/pkg/rbac/wellknown.go b/pkg/rbac/wellknown.go
index 8cb0aba756..00591b0133 100644
--- a/pkg/rbac/wellknown.go
+++ b/pkg/rbac/wellknown.go
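Review bot: The split introduced at `if b.IsMaster {` is not explained, and the two branches obtain the kubeconfig through different trust paths (a locally issued certificate via `BuildIssuedKubeconfig` versus a kops-controller bootstrap via `BuildBootstrapKubeconfig`), so a one-line comment would spare the next reader the archaeology: `// Control-plane nodes sign their own kube-router credential; workers request one from kops-controller during bootstrap.` — presumably because only masters hold the CA locally, which should be confirmed before the comment says so. The `return err` in the else branch also propagates without saying which task failed; `return fmt.Errorf("building kube-router bootstrap kubeconfig: %w", err)` would, though `fmt` is not in the import block shown in the file's earlier hunk. Build begins before this hunk and continues after the `c.AddTask` call.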
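Review bot: The comment on the line above the changed condition, `// @check if kuberoute is enabled and permit access to the private key`, no longer describes it: access to `/pki/private/kube-router/*` is now also withheld whenever `model.UseKopsControllerForNodeBootstrap(cluster)` is true. Update it to something like `// kube-router: nodes read its private key from the state store only when they are not bootstrapped through kops-controller`. The enclosing `if networkingSpec != nil` block and ReadableStatePaths itself continue outside the hunk.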
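Review bot: The `!b.UseKopsControllerForNodeBootstrap()` gate added to the Kuberouter condition must agree with the gate added in iam_builder.go's ReadableStatePaths; if the state-store keypair task is skipped here while the IAM read path is still granted, or the reverse, nothing at this site would reveal the mismatch. A short cross-reference makes the coupling visible: `// Keep in sync with ReadableStatePaths (pkg/model/iam): the state-store keypair is only needed when nodes are not bootstrapped via kops-controller.` PKIModelBuilder.Build begins and ends outside the hunk.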
@@ -29,6 +29,7 @@ const (
 
 	// core kubernetes process identities
 	KubeProxy = "system:kube-proxy"
+	KubeRouter = "system:kube-router"
 	KubeControllerManager = "system:kube-controller-manager"
 	KubeScheduler = "system:kube-scheduler"
 )