Merge "k8s_fedora: Add kubelet authentication/authorization"

Zuul 2018-03-30 12:25:08 +00:00 committed by Gerrit Code Review
commit 8cdaa22a65
5 changed files with 62 additions and 3 deletions


@ -28,6 +28,9 @@ else
KUBE_API_ARGS="$KUBE_API_ARGS --authorization-mode=Node,RBAC --tls-cert-file=$CERT_DIR/server.crt"
KUBE_API_ARGS="$KUBE_API_ARGS --tls-private-key-file=$CERT_DIR/server.key"
KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=$CERT_DIR/ca.crt"
KUBE_API_ARGS="$KUBE_API_ARGS --tls-ca-file=${CERT_DIR}/ca.crt"
KUBE_API_ARGS="$KUBE_API_ARGS --service-account-key-file=${CERT_DIR}/server.key"
KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-certificate-authority=${CERT_DIR}/ca.crt --kubelet-client-certificate=${CERT_DIR}/server.crt --kubelet-client-key=${CERT_DIR}/server.key --kubelet-https=true"
fi
KUBE_ADMISSION_CONTROL=""
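Review bot: The same private key now backs three separate trust relationships in this hunk: `$CERT_DIR/server.key` is the apiserver's TLS key (`--tls-private-key-file` on the line above), the service-account token signing key (`--service-account-key-file=${CERT_DIR}/server.key`) and the client key the apiserver presents to every kubelet (`--kubelet-client-key`), so compromise of the serving key would also allow forging service-account tokens and impersonating the apiserver towards kubelets. A dedicated key pair for service-account tokens would narrow that blast radius; if the key material is provisioned elsewhere and cannot change here, a comment such as `# server.key doubles as SA signing key and kubelet client key; rotate all three uses together` would at least make the coupling visible. Since the kubelet will validate `server.crt` as a client certificate, that certificate needs the clientAuth extended key usage, which is the same reason this commit adds serverAuth to the kubelet certificate in make-cert.sh; the apiserver cert generation is not visible here, so worth confirming. Minor style point: the new lines write `${CERT_DIR}` while the surrounding lines write `$CERT_DIR`.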


@ -29,6 +29,9 @@ fi
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
if [ -z "${KUBE_NODE_IP}" ]; then
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi
HOSTNAME_OVERRIDE=$(hostname --short | sed 's/\.novalocal//')
cat << EOF >> ${KUBELET_KUBECONFIG}
apiVersion: v1
@ -98,7 +101,8 @@ sed -i '
# the option --hostname-override for kubelet uses the hostname to register the node.
# Using any other name will break the load balancer and cinder volume features.
mkdir -p /etc/kubernetes/manifests
KUBELET_ARGS="--pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=4194 --kubeconfig ${KUBELET_KUBECONFIG} --hostname-override=${HOSTNAME_OVERRIDE}"
KUBELET_ARGS="--pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=0 --kubeconfig ${KUBELET_KUBECONFIG} --hostname-override=${HOSTNAME_OVERRIDE}"
KUBELET_ARGS="${KUBELET_ARGS} --address=${KUBE_NODE_IP} --port=10250 --read-only-port=0 --anonymous-auth=false --authorization-mode=Webhook --authentication-token-webhook=true"
KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=${DNS_CLUSTER_DOMAIN}"
KUBELET_ARGS="${KUBELET_ARGS} ${KUBELET_OPTIONS}"
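Review bot: The metadata lookup `KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)` has no failure handling, so an unreachable metadata service or a non-200 response leaves `KUBE_NODE_IP` empty and the new line becomes `--address= --port=10250 ...`, which at best fails at kubelet start with an unrelated error and at worst falls back to binding on all interfaces, which is exactly what this change is meant to stop. Something like `KUBE_NODE_IP=$(curl -sf http://169.254.169.254/latest/meta-data/local-ipv4) || { echo "cannot determine node IP from metadata service" >&2; exit 1; }` makes the failure explicit; the same pattern is added in make-cert.sh in this commit, where an empty value ends up in the certificate's IP SAN, and should get the same guard. Separately, the kubelet now rejects anonymous requests and authenticates only through the token webhook, but no `--client-ca-file` appears in this hunk; unless it is supplied through `KUBELET_OPTIONS` or elsewhere in the file, the client certificate the apiserver presents (added in the kube-apiserver config in this commit) will not be verified and apiserver-to-kubelet calls such as logs and exec would be rejected as anonymous.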


@ -395,7 +395,7 @@ spec:
imagePullPolicy: IfNotPresent
command:
- /heapster
- --source=kubernetes:https://kubernetes.default
- --source=kubernetes:https://kubernetes.default?insecure=false&useServiceAccount=true&kubeletPort=10250&kubeletHttps=true
${INFLUX_SINK}
---
apiVersion: v1
@ -425,6 +425,40 @@ roleRef:
kind: ClusterRole
name: system:heapster
subjects:
- kind: ServiceAccount
name: heapster
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:heapster-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: system:heapter-kubelet
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:heapster-to-kubelet
subjects:
- kind: ServiceAccount
name: heapster
namespace: kube-system
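Review bot: The new ClusterRole `system:heapster-to-kubelet` grants `verbs: ["*"]` on `nodes/proxy`, `nodes/stats`, `nodes/log`, `nodes/spec` and `nodes/metrics`, which delegates the full kubelet API (including the exec and port-forward style endpoints reachable through `nodes/proxy`) to the heapster service account, while the new `--source` URL only needs heapster to read metrics over the kubelet port. Restricting the rule to `verbs:` `- get` and, unless heapster is known to need more, to `nodes/stats` and `nodes/metrics` keeps the binding at least-privilege; if the wider set is deliberate, a comment in the rule saying which endpoint requires it would help the next reviewer. The ClusterRoleBinding name `system:heapter-kubelet` misspells heapster and does not match the role name's pattern, and `metadata.namespace` on a cluster-scoped ClusterRoleBinding has no effect and can be dropped. The `kubernetes.io/bootstrapping: rbac-defaults` label and the autoupdate annotation are what the apiserver uses to mark its own reconciled default roles; on a driver-provided role they appear misleading, though I have not verified whether the reconciler would act on them.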


@ -30,6 +30,10 @@ else
VERIFY_CA="-k"
fi
if [ -z "${KUBE_NODE_IP}" ]; then
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi
cert_dir=/etc/kubernetes/certs
mkdir -p "$cert_dir"
@ -93,6 +97,7 @@ EOF
#Kubelet Certs
INSTANCE_NAME=$(hostname --short | sed 's/\.novalocal//')
HOSTNAME=$(hostname)
cat > ${cert_dir}/kubelet.conf <<EOF
[req]
@ -107,8 +112,9 @@ C=US
ST=TX
L=Austin
[req_ext]
subjectAltName = IP:${KUBE_NODE_IP},DNS:${INSTANCE_NAME},DNS:${HOSTNAME}
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
extendedKeyUsage=clientAuth,serverAuth
EOF
#kube-proxy Certs
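Review bot: The three SAN entries in `subjectAltName = IP:${KUBE_NODE_IP},DNS:${INSTANCE_NAME},DNS:${HOSTNAME}` carry no explanation of which consumer needs each one, and now that the apiserver verifies the kubelet's serving certificate through `--kubelet-certificate-authority` in this commit, a missing or wrong entry becomes a hard verification failure rather than a silently ignored field. A comment above the `[req_ext]` section such as `# SANs must cover every address the apiserver and heapster dial: the node IP, the short name (same value as --hostname-override in configure-kubernetes-minion.sh) and the full hostname` would make that contract explicit; which address type the apiserver actually prefers depends on its address-type ordering, which is not visible here. `HOSTNAME=$(hostname)` also overwrites a variable bash maintains itself; nothing in the hunk depends on the shell's value, but a name like `NODE_FQDN` would avoid the surprise. The node-IP lookup added at the top of this section has the same unchecked `curl -s` as the minion script and is covered by the note there.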


@ -0,0 +1,12 @@
---
fixes:
- |
Fix bug #1758672 [1] to protect kubelet in the k8s_fedora_atomic driver.
Before this patch kubelet was listening to 0.0.0.0 and for clusters with
floating IPs the kubelet was exposed. Also, even on clusters without fips
the kubelet was exposed inside the cluster. This patch allows access to
the kubelet only over https and with the appropriate roles. The apiserver
and heapster have the appropriate roles to access it. Finally, all
read-only ports have been closed to not expose any cluster data. The only
remaining open ports without authentication are for healthz.
[1] https://bugs.launchpad.net/magnum/+bug/1758672