Use separate CA for kubelet authorization
This increases isolation of actions against the node API. With the previous combined CA approach, each node would have a valid key to talk to each other node. With this separated approach, only the API servers will have keys with access to the node APIs. Change-Id: I2705016eb963ca9d2cc2a344047677f4b2cc3025
This commit is contained in:
Mark Burnett
parent
6a5295687a
commit
1399731096
|
|
@ -28,4 +28,6 @@ data:
|
||||||
etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
|
etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
|
||||||
etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
|
etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
|
||||||
service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
|
service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
|
||||||
|
kubelet-client-ca.pem: {{ .Values.secrets.kubelet.tls.ca | default .Values.secrets.tls.ca | quote }}
|
||||||
|
kubelet-client.pem: {{ .Values.secrets.kubelet.tls.cert | default .Values.secrets.tls.cert | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
||||||
|
|
@ -54,8 +54,8 @@ spec:
|
||||||
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
||||||
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
|
||||||
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
|
||||||
- --etcd-servers={{ .Values.apiserver.etcd.endpoints }}
|
- --etcd-servers={{ .Values.apiserver.etcd.endpoints }}
|
||||||
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
||||||
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
||||||
|
|
|
||||||
|
|
@ -25,4 +25,5 @@ type: Opaque
|
||||||
data:
|
data:
|
||||||
apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
|
apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
|
||||||
etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
|
etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
|
||||||
|
kubelet-client-key.pem: {{ .Values.secrets.kubelet.tls.key | default .Values.secrets.tls.key | b64enc }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
||||||
|
|
@ -33,6 +33,10 @@ anchor:
|
||||||
files_to_copy:
|
files_to_copy:
|
||||||
- source: /certs/apiserver.pem
|
- source: /certs/apiserver.pem
|
||||||
dest: /etc/kubernetes/apiserver/pki/apiserver.pem
|
dest: /etc/kubernetes/apiserver/pki/apiserver.pem
|
||||||
|
- source: /certs/kubelet-client.pem
|
||||||
|
dest: /etc/kubernetes/apiserver/pki/kubelet-client.pem
|
||||||
|
- source: /certs/kubelet-client-ca.pem
|
||||||
|
dest: /etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
|
||||||
- source: /certs/cluster-ca.pem
|
- source: /certs/cluster-ca.pem
|
||||||
dest: /etc/kubernetes/apiserver/pki/cluster-ca.pem
|
dest: /etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- source: /certs/etcd-client-ca.pem
|
- source: /certs/etcd-client-ca.pem
|
||||||
|
|
@ -43,6 +47,8 @@ anchor:
|
||||||
dest: /etc/kubernetes/apiserver/pki/service-account.pub
|
dest: /etc/kubernetes/apiserver/pki/service-account.pub
|
||||||
- source: /keys/apiserver-key.pem
|
- source: /keys/apiserver-key.pem
|
||||||
dest: /etc/kubernetes/apiserver/pki/apiserver-key.pem
|
dest: /etc/kubernetes/apiserver/pki/apiserver-key.pem
|
||||||
|
- source: /keys/kubelet-client-key.pem
|
||||||
|
dest: /etc/kubernetes/apiserver/pki/kubelet-client-key.pem
|
||||||
- source: /keys/etcd-client-key.pem
|
- source: /keys/etcd-client-key.pem
|
||||||
dest: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
dest: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
||||||
- source: /tmp/etc/kubernetes-apiserver.yaml
|
- source: /tmp/etc/kubernetes-apiserver.yaml
|
||||||
|
|
@ -97,6 +103,12 @@ secrets:
|
||||||
ca: placeholder
|
ca: placeholder
|
||||||
cert: placeholder
|
cert: placeholder
|
||||||
key: placeholder
|
key: placeholder
|
||||||
|
kubelet:
|
||||||
|
tls:
|
||||||
|
ca: null
|
||||||
|
cert: null
|
||||||
|
key: null
|
||||||
|
|
||||||
|
|
||||||
# typically overriden by environmental
|
# typically overriden by environmental
|
||||||
# values, but should include all endpoints
|
# values, but should include all endpoints
|
||||||
|
|
|
||||||
|
|
@ -63,6 +63,11 @@ data:
|
||||||
common_name: armada
|
common_name: armada
|
||||||
groups:
|
groups:
|
||||||
- system:masters
|
- system:masters
|
||||||
|
kubelet:
|
||||||
|
description: CA for Kubernetes node interactions
|
||||||
|
certificates:
|
||||||
|
- document_name: apiserver-kubelet-client
|
||||||
|
common_name: apiserver-kubelet-client
|
||||||
kubernetes-etcd:
|
kubernetes-etcd:
|
||||||
description: Certificates for Kubernetes's etcd servers
|
description: Certificates for Kubernetes's etcd servers
|
||||||
certificates:
|
certificates:
|
||||||
|
|
|
||||||
|
|
@ -664,7 +664,6 @@ metadata:
|
||||||
path: .
|
path: .
|
||||||
dest:
|
dest:
|
||||||
path: .values.secrets.tls.ca
|
path: .values.secrets.tls.ca
|
||||||
|
|
||||||
-
|
-
|
||||||
src:
|
src:
|
||||||
schema: deckhand/Certificate/v1
|
schema: deckhand/Certificate/v1
|
||||||
|
|
@ -679,6 +678,29 @@ metadata:
|
||||||
path: .
|
path: .
|
||||||
dest:
|
dest:
|
||||||
path: .values.secrets.tls.key
|
path: .values.secrets.tls.key
|
||||||
|
|
||||||
|
-
|
||||||
|
src:
|
||||||
|
schema: deckhand/CertificateAuthority/v1
|
||||||
|
name: kubelet
|
||||||
|
path: .
|
||||||
|
dest:
|
||||||
|
path: .values.secrets.kubelet.tls.ca
|
||||||
|
-
|
||||||
|
src:
|
||||||
|
schema: deckhand/Certificate/v1
|
||||||
|
name: apiserver-kubelet-client
|
||||||
|
path: .
|
||||||
|
dest:
|
||||||
|
path: .values.secrets.kubelet.tls.cert
|
||||||
|
-
|
||||||
|
src:
|
||||||
|
schema: deckhand/CertificateKey/v1
|
||||||
|
name: apiserver-kubelet-client
|
||||||
|
path: .
|
||||||
|
dest:
|
||||||
|
path: .values.secrets.kubelet.tls.key
|
||||||
|
|
||||||
-
|
-
|
||||||
src:
|
src:
|
||||||
schema: deckhand/CertificateAuthority/v1
|
schema: deckhand/CertificateAuthority/v1
|
||||||
|
|
@ -731,18 +753,6 @@ data:
|
||||||
tags:
|
tags:
|
||||||
anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
||||||
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.10.2
|
||||||
secrets:
|
|
||||||
service_account:
|
|
||||||
public_key: placeholder
|
|
||||||
tls:
|
|
||||||
ca: placeholder
|
|
||||||
cert: placeholder
|
|
||||||
key: placeholder
|
|
||||||
etcd:
|
|
||||||
tls:
|
|
||||||
ca: placeholder
|
|
||||||
cert: placeholder
|
|
||||||
key: placeholder
|
|
||||||
network:
|
network:
|
||||||
kubernetes_service_ip: 10.96.0.1
|
kubernetes_service_ip: 10.96.0.1
|
||||||
pod_cidr: 10.97.0.0/16
|
pod_cidr: 10.97.0.0/16
|
||||||
|
|
|
||||||
|
|
@ -70,6 +70,11 @@ data:
|
||||||
common_name: armada
|
common_name: armada
|
||||||
groups:
|
groups:
|
||||||
- system:masters
|
- system:masters
|
||||||
|
kubelet:
|
||||||
|
description: CA for Kubernetes node interactions
|
||||||
|
certificates:
|
||||||
|
- document_name: apiserver-kubelet-client
|
||||||
|
common_name: apiserver-kubelet-client
|
||||||
kubernetes-etcd:
|
kubernetes-etcd:
|
||||||
description: Certificates for Kubernetes's etcd servers
|
description: Certificates for Kubernetes's etcd servers
|
||||||
certificates:
|
certificates:
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(schema='deckhand/CertificateAuthority/v1', name='kubelet', default=config.get(schema='deckhand/CertificateAuthority/v1', name='kubernetes')) }}
|
||||||
|
|
@ -7,7 +7,7 @@ After=network-online.target
|
||||||
ExecStart=/opt/kubernetes/bin/kubelet \
|
ExecStart=/opt/kubernetes/bin/kubelet \
|
||||||
--allow-privileged=true \
|
--allow-privileged=true \
|
||||||
--anonymous-auth=false \
|
--anonymous-auth=false \
|
||||||
--client-ca-file=/etc/kubernetes/pki/cluster-ca.pem \
|
--client-ca-file=/etc/kubernetes/pki/kubelet-client-ca.pem \
|
||||||
--cluster-dns={{ config['KubernetesNetwork:dns.service_ip'] }} \
|
--cluster-dns={{ config['KubernetesNetwork:dns.service_ip'] }} \
|
||||||
--cluster-domain={{ config['KubernetesNetwork:dns.cluster_domain'] }} \
|
--cluster-domain={{ config['KubernetesNetwork:dns.cluster_domain'] }} \
|
||||||
--hostname-override={{ config.get_first('Genesis:hostname', 'KubernetesNode:hostname') }} \
|
--hostname-override={{ config.get_first('Genesis:hostname', 'KubernetesNode:hostname') }} \
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(schema='deckhand/CertificateAuthority/v1', name='kubelet', default=config.get(schema='deckhand/CertificateAuthority/v1', name='kubernetes')) }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(schema='deckhand/CertificateKey/v1', name='apiserver-kubelet-client', default=config.get(schema='deckhand/CertificateKey/v1', name='apiserver')) }}
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
{{ config.get(schema='deckhand/Certificate/v1', name='apiserver-kubelet-client', default=config.get(schema='deckhand/Certificate/v1', name='apiserver')) }}
|
||||||
|
|
@ -24,9 +24,9 @@ spec:
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
||||||
- --anonymous-auth=false
|
- --anonymous-auth=false
|
||||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
|
||||||
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
|
||||||
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
|
||||||
- --insecure-port=0
|
- --insecure-port=0
|
||||||
- --bind-address=0.0.0.0
|
- --bind-address=0.0.0.0
|
||||||
- --secure-port=6443
|
- --secure-port=6443
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue