From bd731ce9898ad8f6d33591081b67f83012d7dd16 Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Wed, 7 Apr 2021 08:45:05 +0200
Subject: [PATCH] Use secure kubelet auth

Without secure node auth enabled, commands like `kubectl logs` may fail with certain configurations. Previously, we checked if anonymousAuth was enabled on the kubelet before securing node communication, but this isn't really relevant. We can still authenticate even if anonymous access is allowed.
---
 nodeup/pkg/model/context.go | 5 ---
 nodeup/pkg/model/kube_apiserver.go | 32 ++++++++-----------
 nodeup/pkg/model/kubelet.go | 5 +--
 .../tests/kubelet/featuregates/tasks.yaml | 2 +-
 4 files changed, 15 insertions(+), 29 deletions(-)

diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
index 9c2417712a..84c2c4a916 100644
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@@ -397,11 +397,6 @@ func (c *NodeupModelContext) UseBootstrapTokens() bool {
 return c.Cluster.Spec.Kubelet != nil && c.Cluster.Spec.Kubelet.BootstrapKubeconfig != ""
 }
 
-// UseSecureKubelet checks if the kubelet api should be protected by a client certificate.
-func (c *NodeupModelContext) UseSecureKubelet() bool {
- return c.NodeupConfig.KubeletConfig.AnonymousAuth != nil && !*c.NodeupConfig.KubeletConfig.AnonymousAuth
-}
-
 // KubectlPath returns distro based path for kubectl
 func (c *NodeupModelContext) KubectlPath() string {
 kubeletCommand := "/usr/local/bin"
diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
index 5e847edc56..28f942ec77 100644
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@@ -107,19 +107,16 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 }
 }
 
- // @check if we are using secure client certificates for kubelet and grab the certificates
- if b.UseSecureKubelet() {
- issueCert := &nodetasks.IssueCert{
- Name: "kubelet-api",
- Signer: fi.CertificateIDCA,
- Type: "client",
- Subject: nodetasks.PKIXName{CommonName: "kubelet-api"},
- }
- c.AddTask(issueCert)
- err := issueCert.AddFileTasks(c, b.PathSrvKubernetes(), "kubelet-api", "", nil)
- if err != nil {
- return err
- }
+ issueCert := &nodetasks.IssueCert{
+ Name: "kubelet-api",
+ Signer: fi.CertificateIDCA,
+ Type: "client",
+ Subject: nodetasks.PKIXName{CommonName: "kubelet-api"},
+ }
+ c.AddTask(issueCert)
+ err := issueCert.AddFileTasks(c, b.PathSrvKubernetes(), "kubelet-api", "", nil)
+ if err != nil {
+ return err
 }
 
 c.AddTask(&nodetasks.File{
@@ -341,12 +338,9 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 kubeAPIServer.EtcdServersOverrides = []string{"/events#" + eventsEtcdCluster}
 }
 
- // @check if we are using secure kubelet client certificates
- if b.UseSecureKubelet() {
- // @note we are making assumption were using the ones created by the pki model, not custom defined ones
- kubeAPIServer.KubeletClientCertificate = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.crt")
- kubeAPIServer.KubeletClientKey = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.key")
- }
+ // @note we are making assumption were using the ones created by the pki model, not custom defined ones
+ kubeAPIServer.KubeletClientCertificate = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.crt")
+ kubeAPIServer.KubeletClientKey = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.key")
 
 {
 certPath := filepath.Join(b.PathSrvKubernetes(), "apiserver-aggregator.crt")
diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
index 5e356c2ff7..0a0224c4c0 100644
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
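Review bot: The `err := issueCert.AddFileTasks(...)` now lives at Build's function scope instead of inside the removed `if` block, so it either redeclares or shadows any `err` that Build declares outside this hunk (which we cannot see here); an `if`-initializer keeps the scope tight and sidesteps that: `if err := issueCert.AddFileTasks(c, b.PathSrvKubernetes(), "kubelet-api", "", nil); err != nil {` / `return err` / `}`. The certificate is now issued unconditionally, but nothing in the hunk says why, so a one-line comment above `issueCert := &nodetasks.IssueCert{` such as `// The apiserver always presents this client certificate to the kubelet API, so it is issued regardless of the kubelet's anonymousAuth setting.` would preserve the reasoning from the commit message. Build's body starts and ends outside the hunk.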
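Review bot: The `// @note` comment carried over onto the now-unconditional assignment in buildPod still reads as if it were inside a guard and has a typo (`were` for `we're`); since `KubeletClientCertificate` and `KubeletClientKey` are now always overwritten, the comment should state that directly, e.g. `// Always point the apiserver at the kubelet-api client certificate issued by the PKI model; a custom-defined kubelet client certificate is not honored here.` If an earlier part of buildPod (outside the hunk) can populate these two fields from the cluster spec, this assignment now silently overrides it, which is worth confirming before merge. buildPod continues outside the hunk.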
@@ -426,10 +426,7 @@ func (b *KubeletBuilder) buildKubeletConfigSpec() (*kops.KubeletConfigSpec, erro
 // Merge KubeletConfig for NodeLabels
 c := b.NodeupConfig.KubeletConfig
 
- // check if we are using secure kubelet <-> api settings
- if b.UseSecureKubelet() {
- c.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
- }
+ c.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
 
 if isMaster {
 c.BootstrapKubeconfig = ""
diff --git a/nodeup/pkg/model/tests/kubelet/featuregates/tasks.yaml b/nodeup/pkg/model/tests/kubelet/featuregates/tasks.yaml
index 58d85e41b4..11b79dba7f 100644
--- a/nodeup/pkg/model/tests/kubelet/featuregates/tasks.yaml
+++ b/nodeup/pkg/model/tests/kubelet/featuregates/tasks.yaml
@@ -3,7 +3,7 @@ path: /etc/kubernetes/manifests
 type: directory
 ---
 contents: |
- DAEMON_ARGS="--feature-gates=AllowExtTrafficLocalEndpoints=false,ExperimentalCriticalPodAnnotation=true --node-labels=kubernetes.io/role=node,node-role.kubernetes.io/node= --pod-manifest-path=/etc/kubernetes/manifests --register-schedulable=true --volume-plugin-dir=/usr/libexec/kubernetes/kubelet-plugins/volume/exec/ --cni-bin-dir=/opt/cni/bin/ --cni-conf-dir=/etc/cni/net.d/"
+ DAEMON_ARGS="--client-ca-file=/srv/kubernetes/ca.crt --feature-gates=AllowExtTrafficLocalEndpoints=false,ExperimentalCriticalPodAnnotation=true --node-labels=kubernetes.io/role=node,node-role.kubernetes.io/node= --pod-manifest-path=/etc/kubernetes/manifests --register-schedulable=true --volume-plugin-dir=/usr/libexec/kubernetes/kubelet-plugins/volume/exec/ --cni-bin-dir=/opt/cni/bin/ --cni-conf-dir=/etc/cni/net.d/"
 HOME="/root"
 path: /etc/sysconfig/kubelet
 type: file
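Review bot: Setting `c.ClientCAFile` unconditionally enables x509 client-certificate authentication on the kubelet, but on its own it changes neither `AnonymousAuth` nor the kubelet's authorization mode, so an unauthenticated caller is treated exactly as before this change; the commit message says that is intended, and the new line should carry a comment recording it so the next reader does not assume the CA file alone locks the kubelet API down, e.g. `// Always trust the cluster CA so the apiserver's kubelet-api client certificate is accepted; this does not restrict anonymous access, which AnonymousAuth still governs.` Since `c` is taken from `b.NodeupConfig.KubeletConfig` on the line above, it is worth confirming (outside this hunk) whether that is a copy or a pointer, as the assignment now runs on every node rather than only when anonymous auth was disabled. buildKubeletConfigSpec starts and ends outside the hunk.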