Remove node requirement to access private ca and master keys in S3

This commit is contained in:
Kashif Saadat 2017-08-09 09:44:47 +01:00
parent cd149414df
commit fd0ce236dc
3 changed files with 15 additions and 33 deletions


@ -314,8 +314,6 @@ func addS3Permissions(p *IAMPolicy, iamPrefix string, s3Path *vfs.S3Path, role a
strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/instancegroup/*"}, ""),
strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/issued/*"}, ""),
strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/ssh/*"}, ""),
strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/ca/*"}, ""),
strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/master/*"}, ""),
strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/kube-proxy/*"}, ""),
strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/pki/private/kubelet/*"}, ""),
strings.Join([]string{iamPrefix, ":s3:::", iamS3Path, "/secrets/*"}, ""),


@ -126,8 +126,6 @@ func TestS3PolicyGeneration(t *testing.T) {
"arn:aws:s3:::bucket-name/cluster-name.k8s.local/instancegroup/*",
"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/issued/*",
"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/ssh/*",
"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/private/ca/*",
"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/private/master/*",
"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/private/kube-proxy/*",
"arn:aws:s3:::bucket-name/cluster-name.k8s.local/pki/private/kubelet/*",
"arn:aws:s3:::bucket-name/cluster-name.k8s.local/secrets/*",


@ -24,14 +24,16 @@ import (
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"github.com/golang/glog"
"golang.org/x/crypto/ssh"
"k8s.io/kops/util/pkg/vfs"
"math/big"
"os"
"strings"
"sync"
"time"
"github.com/golang/glog"
"golang.org/x/crypto/ssh"
"k8s.io/kops/util/pkg/vfs"
)
type VFSCAStore struct {
@ -300,19 +302,11 @@ func (c *VFSCAStore) FindKeypair(id string) (*Certificate, *PrivateKey, error) {
func (c *VFSCAStore) FindCert(id string) (*Certificate, error) {
var certs *certificates
if id == CertificateId_CA {
caCertificates, _, err := c.readCAKeypairs()
if err != nil {
return nil, err
}
certs = caCertificates
} else {
var err error
p := c.buildCertificatePoolPath(id)
certs, err = c.loadCertificates(p)
if err != nil {
return nil, err
}
var err error
p := c.buildCertificatePoolPath(id)
certs, err = c.loadCertificates(p)
if err != nil {
return nil, fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", id, err)
}
var cert *Certificate
@ -326,19 +320,11 @@ func (c *VFSCAStore) FindCert(id string) (*Certificate, error) {
func (c *VFSCAStore) FindCertificatePool(id string) (*CertificatePool, error) {
var certs *certificates
if id == CertificateId_CA {
caCertificates, _, err := c.readCAKeypairs()
if err != nil {
return nil, err
}
certs = caCertificates
} else {
var err error
p := c.buildCertificatePoolPath(id)
certs, err = c.loadCertificates(p)
if err != nil {
return nil, err
}
var err error
p := c.buildCertificatePoolPath(id)
certs, err = c.loadCertificates(p)
if err != nil {
return nil, fmt.Errorf("error in 'FindCertificatePool' attempting to load cert %q: %v", id, err)
}
pool := &CertificatePool{}
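Review bot: FindCert no longer special-cases CertificateId_CA, so the CA is now resolved through buildCertificatePoolPath and loadCertificates only, and anything the removed readCAKeypairs() call did beyond reading (for example bootstrapping a missing CA keypair, if it did that) is silently gone for this path; that is consistent with nodes losing `/pki/private/ca/*`, but it deserves a sentence on the function, e.g. `// FindCert loads the issued-certificate pool for id; the CA is resolved like any other id, so callers never need access to the CA private key.` The same applies to FindCertificatePool in the next hunk. With the CA branch removed, the two functions now share their first five lines apart from the name in the error string, so a small private helper would keep the two error paths from drifting. Both enclosing functions continue past their hunks.
```go
// loadCertificatePool loads the issued-certificate pool stored for id.
func (c *VFSCAStore) loadCertificatePool(id string) (*certificates, error) {
	p := c.buildCertificatePoolPath(id)
	return c.loadCertificates(p)
}

func (c *VFSCAStore) FindCert(id string) (*Certificate, error) {
	certs, err := c.loadCertificatePool(id)
	if err != nil {
		return nil, fmt.Errorf("error in 'FindCert' attempting to load cert %q: %v", id, err)
	}
	// … unchanged: certificate selection …

func (c *VFSCAStore) FindCertificatePool(id string) (*CertificatePool, error) {
	certs, err := c.loadCertificatePool(id)
	if err != nil {
		return nil, fmt.Errorf("error in 'FindCertificatePool' attempting to load cert %q: %v", id, err)
	}
	// … unchanged: pool construction …
```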