
Merge "Use separate CA for kubelet authorization"

Zuul 7 months ago
parent
commit
f7b8f230f1

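--- a/charts/apiserver/templates/configmap-certs.yaml
+++ b/charts/apiserver/templates/configmap-certs.yaml
@@ -28,4 +28,6 @@ data:
   etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
   etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
   service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
+  kubelet-client-ca.pem: {{ .Values.secrets.kubelet.tls.ca | default .Values.secrets.tls.ca | quote }}
+  kubelet-client.pem: {{ .Values.secrets.kubelet.tls.cert | default .Values.secrets.tls.cert | quote }}
 {{- end }}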
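Review bot: The three kubelet values fall back independently — `kubelet-client-ca.pem` to `secrets.tls.ca` and `kubelet-client.pem` to `secrets.tls.cert` here, `kubelet-client-key.pem` to `secrets.tls.key` in secret-apiserver.yaml — so an override that supplies only `secrets.kubelet.tls.ca` yields an apiserver presenting its cluster-CA-issued serving certificate to kubelets that trust only the new CA, and the fallback to the shared CA happens silently. The promenade side has the same shape: each of the new one-line templates under roles/common and roles/genesis (`kubelet-client-ca.pem`, `kubelet-client.pem`, `kubelet-client-key.pem`) carries its own `default=` to the `kubernetes`/`apiserver` documents, so a `kubelet` CA document without a matching `apiserver-kubelet-client` certificate produces the same mismatch at genesis. Consider guarding the trio once at the top of this template, e.g. `{{- if and .Values.secrets.kubelet.tls.ca (not (and .Values.secrets.kubelet.tls.cert .Values.secrets.kubelet.tls.key)) }}{{ fail "secrets.kubelet.tls ca, cert and key must be set together" }}{{- end }}`, and mirroring an all-or-nothing check in the Jinja templates, or at minimum stating in values.yaml that the three are set together or not at all.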

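--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -54,8 +54,8 @@ spec:
         - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
         - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
         - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
-        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
+        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
         - --etcd-servers={{ .Values.apiserver.etcd.endpoints }}
         - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
         - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem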
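Review bot: `--kubelet-certificate-authority` stays on `cluster-ca.pem` at line 56 here, while the genesis manifest (promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml) switches the same flag to `kubelet-client-ca.pem`, so a genesis apiserver and a chart-managed apiserver verify the kubelet's serving certificate against different CAs as soon as a real kubelet CA is supplied. That flag validates the kubelet's serving certificate, not the client credential this commit introduces; the PKICatalog hunks only issue `apiserver-kubelet-client` under the new CA, so unless kubelet serving certificates are also moved under it (not visible in this commit) the genesis setting is the one that would stop verifying, and the two files should agree either way. Relatedly, values.yaml now copies `/certs/kubelet-client-ca.pem` into the pod but nothing in this template reads it. Either keep `cluster-ca.pem` in both places and drop that copy, or, if kubelet serving certificates are re-issued under the kubelet CA, change line 56 to `- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem` so the chart matches genesis.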

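--- a/charts/apiserver/templates/secret-apiserver.yaml
+++ b/charts/apiserver/templates/secret-apiserver.yaml
@@ -25,4 +25,5 @@ type: Opaque
 data:
   apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
   etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
+  kubelet-client-key.pem: {{ .Values.secrets.kubelet.tls.key | default .Values.secrets.tls.key | b64enc }}
 {{- end }}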

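--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -33,6 +33,10 @@ anchor:
   files_to_copy:
     - source: /certs/apiserver.pem
       dest: /etc/kubernetes/apiserver/pki/apiserver.pem
+    - source: /certs/kubelet-client.pem
+      dest: /etc/kubernetes/apiserver/pki/kubelet-client.pem
+    - source: /certs/kubelet-client-ca.pem
+      dest: /etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
     - source: /certs/cluster-ca.pem
       dest: /etc/kubernetes/apiserver/pki/cluster-ca.pem
     - source: /certs/etcd-client-ca.pem
@@ -43,6 +47,8 @@ anchor:
       dest: /etc/kubernetes/apiserver/pki/service-account.pub
     - source: /keys/apiserver-key.pem
       dest: /etc/kubernetes/apiserver/pki/apiserver-key.pem
+    - source: /keys/kubelet-client-key.pem
+      dest: /etc/kubernetes/apiserver/pki/kubelet-client-key.pem
     - source: /keys/etcd-client-key.pem
       dest: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
     - source: /tmp/etc/kubernetes-apiserver.yaml
@@ -97,6 +103,12 @@ secrets:
       ca: placeholder
       cert: placeholder
       key: placeholder
+  kubelet:
+    tls:
+      ca: null
+      cert: null
+      key: null
+
 
 # typically overriden by environmental
 # values, but should include all endpoints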
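Review bot: The new `secrets.kubelet.tls` stanza at lines 106-110 has no comment saying what `null` means — the templates `default` these to `secrets.tls.ca`/`cert`/`key`, so leaving them unset silently keeps the single-CA arrangement this commit is meant to replace, and a reader of values.yaml alone cannot tell that. Suggest a comment above `kubelet:`: `# Optional dedicated CA and client credential the apiserver presents to kubelets.` / `# Leave all three null to reuse secrets.tls.{ca,cert,key}; set all three together, never a subset.` The added empty line at new line 111 sits directly above the existing empty line 112, leaving two consecutive blank lines; dropping the `+` blank keeps the file at one.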

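--- a/examples/basic/PKICatalog.yaml
+++ b/examples/basic/PKICatalog.yaml
@@ -63,6 +63,11 @@ data:
           common_name: armada
           groups:
             - system:masters
+    kubelet:
+      description: CA for Kubernetes node interactions
+      certificates:
+        - document_name: apiserver-kubelet-client
+          common_name: apiserver-kubelet-client
     kubernetes-etcd:
       description: Certificates for Kubernetes's etcd servers
       certificates: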
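Review bot: The new `apiserver-kubelet-client` certificate carries no `groups`, so the identity the apiserver now presents to kubelets is a bare user named `apiserver-kubelet-client`; if the kubelets authorize requests with Webhook mode (the kubelet.service hunk shows `--anonymous-auth=false` but not the authorization mode), SubjectAccessReviews for that user are denied until an RBAC binding exists, and this commit adds none. The credential it replaces was the apiserver's own serving certificate, whose subject and groups are not shown here, so this may or may not be a regression — worth confirming with a `kubectl logs` or `kubectl exec` against a node after deploy. The least-privilege fix is a ClusterRoleBinding of the built-in `system:kubelet-api-admin` ClusterRole to user `apiserver-kubelet-client`, rather than granting `system:masters` via `groups` as the `armada` entry above does. examples/complete/PKICatalog.yaml carries the identical addition.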

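--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -664,7 +664,6 @@ metadata:
         path: .
       dest:
         path: .values.secrets.tls.ca
-
     -
       src:
         schema: deckhand/Certificate/v1
@@ -679,6 +678,29 @@ metadata:
         path: .
       dest:
         path: .values.secrets.tls.key
+
+    -
+      src:
+        schema: deckhand/CertificateAuthority/v1
+        name: kubelet
+        path: .
+      dest:
+        path: .values.secrets.kubelet.tls.ca
+    -
+      src:
+        schema: deckhand/Certificate/v1
+        name: apiserver-kubelet-client
+        path: .
+      dest:
+        path: .values.secrets.kubelet.tls.cert
+    -
+      src:
+        schema: deckhand/CertificateKey/v1
+        name: apiserver-kubelet-client
+        path: .
+      dest:
+        path: .values.secrets.kubelet.tls.key
+
     -
       src:
         schema: deckhand/CertificateAuthority/v1
@@ -731,18 +753,6 @@ data:
       tags:
         anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.2
         apiserver: gcr.io/google_containers/hyperkube-amd64:v1.10.2
-    secrets:
-      service_account:
-        public_key: placeholder
-      tls:
-        ca: placeholder
-        cert: placeholder
-        key: placeholder
-      etcd:
-        tls:
-          ca: placeholder
-          cert: placeholder
-          key: placeholder
     network:
       kubernetes_service_ip: 10.96.0.1
       pod_cidr: 10.97.0.0/16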

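--- a/examples/complete/PKICatalog.yaml
+++ b/examples/complete/PKICatalog.yaml
@@ -70,6 +70,11 @@ data:
           common_name: armada
           groups:
             - system:masters
+    kubelet:
+      description: CA for Kubernetes node interactions
+      certificates:
+        - document_name: apiserver-kubelet-client
+          common_name: apiserver-kubelet-client
     kubernetes-etcd:
       description: Certificates for Kubernetes's etcd servers
       certificates: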

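--- a/promenade/templates/roles/common/etc/kubernetes/pki/kubelet-client-ca.pem
+++ b/promenade/templates/roles/common/etc/kubernetes/pki/kubelet-client-ca.pem
@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/CertificateAuthority/v1', name='kubelet', default=config.get(schema='deckhand/CertificateAuthority/v1', name='kubernetes')) }}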

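--- a/promenade/templates/roles/common/etc/systemd/system/kubelet.service
+++ b/promenade/templates/roles/common/etc/systemd/system/kubelet.service
@@ -7,7 +7,7 @@ After=network-online.target
 ExecStart=/opt/kubernetes/bin/kubelet \
     --allow-privileged=true \
     --anonymous-auth=false \
-    --client-ca-file=/etc/kubernetes/pki/cluster-ca.pem \
+    --client-ca-file=/etc/kubernetes/pki/kubelet-client-ca.pem \
     --cluster-dns={{ config['KubernetesNetwork:dns.service_ip'] }} \
     --cluster-domain={{ config['KubernetesNetwork:dns.cluster_domain'] }} \
     --hostname-override={{ config.get_first('Genesis:hostname', 'KubernetesNode:hostname') }} \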
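Review bot: `--client-ca-file` selects which client certificates the kubelet authenticates, not authorization as the commit title says, so once a dedicated `kubelet` CA is in use any client other than the apiserver that presents a cluster-CA-issued certificate directly to the kubelet port stops authenticating; that is the intended tightening of the trust boundary, but it is the one operator-visible consequence of this commit and deserves a sentence in the commit message. In the default path the file referenced here is rendered by promenade/templates/roles/common/etc/kubernetes/pki/kubelet-client-ca.pem, which falls back to the `kubernetes` CA, so behaviour only changes when a `kubelet` CertificateAuthority document is supplied. The `ExecStart` argument list continues outside the hunk.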

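--- a/promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client-ca.pem
+++ b/promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client-ca.pem
@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/CertificateAuthority/v1', name='kubelet', default=config.get(schema='deckhand/CertificateAuthority/v1', name='kubernetes')) }}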

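--- a/promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client-key.pem
+++ b/promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client-key.pem
@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/CertificateKey/v1', name='apiserver-kubelet-client', default=config.get(schema='deckhand/CertificateKey/v1', name='apiserver')) }}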

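--- a/promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client.pem
+++ b/promenade/templates/roles/genesis/etc/genesis/apiserver/pki/kubelet-client.pem
@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/Certificate/v1', name='apiserver-kubelet-client', default=config.get(schema='deckhand/Certificate/v1', name='apiserver')) }}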

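--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/kubernetes-apiserver.yaml
@@ -24,9 +24,9 @@ spec:
         - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
         - --anonymous-auth=false
         - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-        - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
-        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+        - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem
+        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
+        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
         - --insecure-port=0
         - --bind-address=0.0.0.0
         - --secure-port=6443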
