Remove support for bootstrap tokens

2023-07-16 12:07:56 -07:00 · 2023-07-16 12:07:56 -07:00 · bbff6298e7
parent bb4dbdce90
commit bbff6298e7
6 changed files with 6 additions and 60 deletions
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@ -218,17 +218,6 @@ func (c *NodeupModelContext) PathSrvSshproxy() string {
 	}
 }

-// KubeletBootstrapKubeconfig is the path the bootstrap config file
-func (c *NodeupModelContext) KubeletBootstrapKubeconfig() string {
-	path := c.NodeupConfig.KubeletConfig.BootstrapKubeconfig
-
-	if path != "" {
-		return path
-	}
-
-	return "/var/lib/kubelet/bootstrap-kubeconfig"
-}
-
 // KubeletKubeConfig is the path of the kubelet kubeconfig file
 func (c *NodeupModelContext) KubeletKubeConfig() string {
 	return "/var/lib/kubelet/kubeconfig"
@ -354,15 +343,6 @@ func (c *NodeupModelContext) UsesSecondaryIP() bool {
 		c.BootConfig.CloudProvider == kops.CloudProviderHetzner
 }

-// UseBootstrapTokens checks if we are using bootstrap tokens
-func (c *NodeupModelContext) UseBootstrapTokens() bool {
-	if c.HasAPIServer {
-		return fi.ValueOf(c.NodeupConfig.APIServerConfig.KubeAPIServer.EnableBootstrapAuthToken)
-	}
-
-	return c.NodeupConfig.KubeletConfig.BootstrapKubeconfig != ""
-}
-
 // KubectlPath returns distro based path for kubectl
 func (c *NodeupModelContext) KubectlPath() string {
 	kubeletCommand := "/usr/local/bin"
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
@ -126,7 +126,7 @@ func (b *KubeletBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 			Mode: s("0755"),
 		})

-		if b.HasAPIServer || !b.UseBootstrapTokens() {
+		{
 			var kubeconfig fi.Resource
 			if b.HasAPIServer {
 				kubeconfig, err = b.buildControlPlaneKubeletKubeconfig(c)
@ -285,11 +285,6 @@ func (b *KubeletBuilder) buildManifestDirectory(kubeletConfig *kops.KubeletConfi

 // buildSystemdEnvironmentFile renders the environment file for the kubelet
 func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.KubeletConfigSpec) (*nodetasks.File, error) {
-	// @step: ensure the masters do not get a bootstrap configuration
-	if b.UseBootstrapTokens() && b.IsMaster {
-		kubeletConfig.BootstrapKubeconfig = ""
-	}
-
 	// TODO: Dump the separate file for flags - just complexity!
 	flags, err := flagbuilder.BuildFlags(kubeletConfig)
 	if err != nil {
@ -381,12 +376,6 @@ func (b *KubeletBuilder) buildSystemdService() *nodetasks.Service {

 	manifest.Set("Service", "EnvironmentFile", "/etc/sysconfig/kubelet")

-	// @check if we are using bootstrap tokens and file checker
-	if !b.IsMaster && b.UseBootstrapTokens() {
-		manifest.Set("Service", "ExecStartPre",
-			fmt.Sprintf("/bin/bash -c 'while [ ! -f %s ]; do sleep 5; done;'", b.KubeletBootstrapKubeconfig()))
-	}
-
 	manifest.Set("Service", "ExecStart", kubeletCommand+" \"$DAEMON_ARGS\"")
 	manifest.Set("Service", "Restart", "always")
 	manifest.Set("Service", "RestartSec", "2s")
@ -582,17 +571,11 @@ func (b *KubeletBuilder) addContainerizedMounter(c *fi.NodeupModelBuilderContext

 // buildKubeletConfigSpec returns the kubeletconfig for the specified instanceGroup
 func (b *KubeletBuilder) buildKubeletConfigSpec() (*kops.KubeletConfigSpec, error) {
-	isMaster := b.IsMaster
-
 	// Merge KubeletConfig for NodeLabels
 	c := b.NodeupConfig.KubeletConfig

 	c.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")

-	if isMaster {
-		c.BootstrapKubeconfig = ""
-	}
-
 	if b.NodeupConfig.Networking.AmazonVPC != nil {
 		sess := session.Must(session.NewSession())
 		metadata := ec2metadata.New(sess)
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@ -705,6 +705,10 @@ func validateExecContainerAction(v *kops.ExecContainerAction, fldPath *field.Pat
 func validateKubeAPIServer(v *kops.KubeAPIServerConfig, c *kops.Cluster, fldPath *field.Path, strict bool) field.ErrorList {
 	allErrs := field.ErrorList{}

+	if fi.ValueOf(v.EnableBootstrapAuthToken) {
+		allErrs = append(allErrs, field.Forbidden(fldPath.Child("enableBootstrapTokenAuth"), "bootstrap tokens are not supported"))
+	}
+
 	if len(v.AdmissionControl) > 0 {
 		if len(v.DisableAdmissionPlugins) > 0 {
 			allErrs = append(allErrs, field.Forbidden(fldPath.Child("admissionControl"),
@ -863,9 +867,7 @@ func validateKubelet(k *kops.KubeletConfigSpec, c *kops.Cluster, kubeletPath *fi
 		}

 		if k.BootstrapKubeconfig != "" {
-			if c.Spec.KubeAPIServer == nil {
-				allErrs = append(allErrs, field.Required(kubeletPath.Root().Child("spec").Child("kubeAPIServer"), "bootstrap token require the NodeRestriction admissions controller"))
-			}
+			allErrs = append(allErrs, field.Forbidden(kubeletPath.Child("bootstrapKubeconfig"), "bootstrap tokens are not supported"))
 		}

 		if k.TopologyManagerPolicy != "" {
--- a/pkg/model/bootstrapscript.go
+++ b/pkg/model/bootstrapscript.go
@ -354,12 +354,6 @@ func (b *BootstrapScript) Run(c *fi.CloudupContext) error {
 			spec["cloudConfig"] = cs.CloudConfig
 			spec["kubelet"] = cs.Kubelet

-			if cs.KubeAPIServer != nil && cs.KubeAPIServer.EnableBootstrapAuthToken != nil {
-				spec["kubeAPIServer"] = map[string]interface{}{
-					"enableBootstrapAuthToken": cs.KubeAPIServer.EnableBootstrapAuthToken,
-				}
-			}
-
 			if b.ig.IsControlPlane() {
 				spec["encryptionConfig"] = cs.EncryptionConfig
 				spec["etcdClusters"] = make(map[string]kops.EtcdClusterSpec)
--- a/pkg/model/components/kubecontrollermanager.go
+++ b/pkg/model/components/kubecontrollermanager.go
@ -173,11 +173,6 @@ func (b *KubeControllerManagerOptionsBuilder) BuildOptions(o interface{}) error

 	if len(kcm.Controllers) == 0 {
 		var changes []string
-		// @check if the node authorization is enabled and if so enable the tokencleaner controller (disabled by default)
-		// This is responsible for cleaning up bootstrap tokens which have expired
-		if fi.ValueOf(clusterSpec.KubeAPIServer.EnableBootstrapAuthToken) {
-			changes = append(changes, "tokencleaner")
-		}
 		if clusterSpec.IsKopsControllerIPAM() {
 			changes = append(changes, "-nodeipam")
 		}
--- a/pkg/model/components/kubelet.go
+++ b/pkg/model/components/kubelet.go
@ -47,14 +47,6 @@ func (b *KubeletOptionsBuilder) BuildOptions(o interface{}) error {
 		clusterSpec.ControlPlaneKubelet = &kops.KubeletConfigSpec{}
 	}

-	if clusterSpec.KubeAPIServer != nil && clusterSpec.KubeAPIServer.EnableBootstrapAuthToken != nil {
-		if *clusterSpec.KubeAPIServer.EnableBootstrapAuthToken {
-			if clusterSpec.Kubelet.BootstrapKubeconfig == "" {
-				clusterSpec.Kubelet.BootstrapKubeconfig = "/var/lib/kubelet/bootstrap-kubeconfig"
-			}
-		}
-	}
-
 	// Standard options
 	clusterSpec.Kubelet.EnableDebuggingHandlers = fi.PtrTo(true)
 	clusterSpec.Kubelet.PodManifestPath = "/etc/kubernetes/manifests"