k8s_fedora: Add kubelet authentication/authorization
* disable kubelet anonymous-auth * enable kubelet webhook-(token) authorization * disable kubelet cadvisor and read-only ports * listen kubelet only on internal ipv4 ip * update kubelet certs * Update heapster RBAC to access kubelets * update api config to access kubelet over https Closes-Bug: #1758672 Change-Id: I2c6046ce5921a63a2d56f51435433497b1ff30ba
parent
23bc667905
commit
dba9203f6a
|
@ -28,6 +28,9 @@ else
|
||||||
KUBE_API_ARGS="$KUBE_API_ARGS --authorization-mode=Node,RBAC --tls-cert-file=$CERT_DIR/server.crt"
|
KUBE_API_ARGS="$KUBE_API_ARGS --authorization-mode=Node,RBAC --tls-cert-file=$CERT_DIR/server.crt"
|
||||||
KUBE_API_ARGS="$KUBE_API_ARGS --tls-private-key-file=$CERT_DIR/server.key"
|
KUBE_API_ARGS="$KUBE_API_ARGS --tls-private-key-file=$CERT_DIR/server.key"
|
||||||
KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=$CERT_DIR/ca.crt"
|
KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=$CERT_DIR/ca.crt"
|
||||||
|
KUBE_API_ARGS="$KUBE_API_ARGS --tls-ca-file=${CERT_DIR}/ca.crt"
|
||||||
|
KUBE_API_ARGS="$KUBE_API_ARGS --service-account-key-file=${CERT_DIR}/server.key"
|
||||||
|
KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-certificate-authority=${CERT_DIR}/ca.crt --kubelet-client-certificate=${CERT_DIR}/server.crt --kubelet-client-key=${CERT_DIR}/server.key --kubelet-https=true"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
KUBE_ADMISSION_CONTROL=""
|
KUBE_ADMISSION_CONTROL=""
|
||||||
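Review bot: The kubelet now authorizes every request through the apiserver (the `--authorization-mode=Webhook` line in the kubelet hunk), so the identity the apiserver presents with `--kubelet-client-certificate=${CERT_DIR}/server.crt --kubelet-client-key=${CERT_DIR}/server.key` needs RBAC rules on `nodes/proxy`, `nodes/stats`, `nodes/log`, `nodes/spec` and `nodes/metrics`, or `kubectl logs`/`exec`/`port-forward` will come back 403; this commit only adds such a role for heapster, so either that certificate's subject is already in a privileged group or a binding is missing — worth confirming against the cert-generation script, which is not in this hunk. The same block reuses the TLS serving key as `--service-account-key-file=${CERT_DIR}/server.key`: token verification then shares key material with the TLS listener, and the controller-manager's `--service-account-private-key-file` must point at the very same key or the heapster tokens relied on by `useServiceAccount=true` will not validate. A comment on that line such as `# service-account tokens are verified with the apiserver TLS key; controller-manager must sign with the same key` would record the coupling, and a dedicated service-account key pair would be the cleaner fix. The enclosing if/else starts outside the hunk.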
|
|
|
@ -29,6 +29,9 @@ fi
|
||||||
|
|
||||||
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
|
KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
|
||||||
|
|
||||||
|
if [ -z "${KUBE_NODE_IP}" ]; then
|
||||||
|
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
|
||||||
|
fi
|
||||||
HOSTNAME_OVERRIDE=$(hostname --short | sed 's/\.novalocal//')
|
HOSTNAME_OVERRIDE=$(hostname --short | sed 's/\.novalocal//')
|
||||||
cat << EOF >> ${KUBELET_KUBECONFIG}
|
cat << EOF >> ${KUBELET_KUBECONFIG}
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
@ -98,7 +101,8 @@ sed -i '
|
||||||
# the option --hostname-override for kubelet uses the hostname to register the node.
|
# the option --hostname-override for kubelet uses the hostname to register the node.
|
||||||
# Using any other name will break the load balancer and cinder volume features.
|
# Using any other name will break the load balancer and cinder volume features.
|
||||||
mkdir -p /etc/kubernetes/manifests
|
mkdir -p /etc/kubernetes/manifests
|
||||||
KUBELET_ARGS="--pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=4194 --kubeconfig ${KUBELET_KUBECONFIG} --hostname-override=${HOSTNAME_OVERRIDE}"
|
KUBELET_ARGS="--pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=0 --kubeconfig ${KUBELET_KUBECONFIG} --hostname-override=${HOSTNAME_OVERRIDE}"
|
||||||
|
KUBELET_ARGS="${KUBELET_ARGS} --address=${KUBE_NODE_IP} --port=10250 --read-only-port=0 --anonymous-auth=false --authorization-mode=Webhook --authentication-token-webhook=true"
|
||||||
KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=${DNS_CLUSTER_DOMAIN}"
|
KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=${DNS_CLUSTER_DOMAIN}"
|
||||||
KUBELET_ARGS="${KUBELET_ARGS} ${KUBELET_OPTIONS}"
|
KUBELET_ARGS="${KUBELET_ARGS} ${KUBELET_OPTIONS}"
|
||||||
|
|
||||||
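Review bot: The metadata lookup `KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)` has no failure handling, so a timeout or a 404 leaves KUBE_NODE_IP empty (or holding an HTML error body, since `-f` is not passed) and that value goes straight into `--address=${KUBE_NODE_IP}`, where the kubelet either fails to start or no longer binds to the internal address this change is meant to enforce; the identical line appears in the cert script hunk at `@ -30,6 +30,10`, where it feeds the certificate SAN. Change it to `KUBE_NODE_IP=$(curl -sf --max-time 10 http://169.254.169.254/latest/meta-data/local-ipv4) || { echo "cannot determine node IP from metadata service" >&2; exit 1; }` and add `[ -n "${KUBE_NODE_IP}" ] || exit 1` after the fi. With `--anonymous-auth=false --authorization-mode=Webhook` the kubelet also needs `--client-ca-file` to authenticate the apiserver's client certificate; if KUBELET_OPTIONS does not supply it, the apiserver's calls are treated as anonymous and rejected, which I cannot verify from this hunk.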
|
|
|
@ -395,7 +395,7 @@ spec:
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
command:
|
command:
|
||||||
- /heapster
|
- /heapster
|
||||||
- --source=kubernetes:https://kubernetes.default
|
- --source=kubernetes:https://kubernetes.default?insecure=false&useServiceAccount=true&kubeletPort=10250&kubeletHttps=true
|
||||||
${INFLUX_SINK}
|
${INFLUX_SINK}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
@ -425,6 +425,40 @@ roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
name: system:heapster
|
name: system:heapster
|
||||||
subjects:
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: heapster
|
||||||
|
namespace: kube-system
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
rbac.authorization.kubernetes.io/autoupdate: "true"
|
||||||
|
labels:
|
||||||
|
kubernetes.io/bootstrapping: rbac-defaults
|
||||||
|
name: system:heapster-to-kubelet
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- nodes/proxy
|
||||||
|
- nodes/stats
|
||||||
|
- nodes/log
|
||||||
|
- nodes/spec
|
||||||
|
- nodes/metrics
|
||||||
|
verbs:
|
||||||
|
- "*"
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: system:heapter-kubelet
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:heapster-to-kubelet
|
||||||
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: heapster
|
name: heapster
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
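Review bot: The new `system:heapster-to-kubelet` ClusterRole grants `"*"` on `nodes/proxy`, `nodes/log`, `nodes/spec`, `nodes/stats` and `nodes/metrics`, which is far wider than a metrics collector needs: `nodes/proxy` with all verbs lets the heapster service account reach exec/attach/port-forward through every kubelet, and `nodes/log` exposes host logs, so a compromise of that pod becomes node-wide. Heapster only reads the kubelet stats endpoints, so the rules below restrict it to `nodes/stats` and `nodes/metrics` with `get` (plus `create`, which the kubelet webhook requires if heapster POSTs to `/stats/container/`; drop it if your heapster version only uses GET). Two smaller points in the same hunk: the binding name `system:heapter-kubelet` is misspelled and inconsistent with `system:heapster-to-kubelet`, and `namespace: kube-system` under a ClusterRoleBinding's metadata is meaningless for a cluster-scoped object and should be removed.
```yaml
rules:
- apiGroups:
  - ""
  resources:
  - nodes/stats
  - nodes/metrics
  verbs:
  - get
  - create
# … unchanged: ClusterRoleBinding, renamed to system:heapster-kubelet, without metadata.namespace …
```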
|
|
|
@ -30,6 +30,10 @@ else
|
||||||
VERIFY_CA="-k"
|
VERIFY_CA="-k"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -z "${KUBE_NODE_IP}" ]; then
|
||||||
|
KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
|
||||||
|
fi
|
||||||
|
|
||||||
cert_dir=/etc/kubernetes/certs
|
cert_dir=/etc/kubernetes/certs
|
||||||
|
|
||||||
mkdir -p "$cert_dir"
|
mkdir -p "$cert_dir"
|
||||||
|
@ -93,6 +97,7 @@ EOF
|
||||||
|
|
||||||
#Kubelet Certs
|
#Kubelet Certs
|
||||||
INSTANCE_NAME=$(hostname --short | sed 's/\.novalocal//')
|
INSTANCE_NAME=$(hostname --short | sed 's/\.novalocal//')
|
||||||
|
HOSTNAME=$(hostname)
|
||||||
|
|
||||||
cat > ${cert_dir}/kubelet.conf <<EOF
|
cat > ${cert_dir}/kubelet.conf <<EOF
|
||||||
[req]
|
[req]
|
||||||
|
@ -107,8 +112,9 @@ C=US
|
||||||
ST=TX
|
ST=TX
|
||||||
L=Austin
|
L=Austin
|
||||||
[req_ext]
|
[req_ext]
|
||||||
|
subjectAltName = IP:${KUBE_NODE_IP},DNS:${INSTANCE_NAME},DNS:${HOSTNAME}
|
||||||
keyUsage=critical,digitalSignature,keyEncipherment
|
keyUsage=critical,digitalSignature,keyEncipherment
|
||||||
extendedKeyUsage=clientAuth
|
extendedKeyUsage=clientAuth,serverAuth
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
#kube-proxy Certs
|
#kube-proxy Certs
|
||||||
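Review bot: The new SAN line `subjectAltName = IP:${KUBE_NODE_IP},DNS:${INSTANCE_NAME},DNS:${HOSTNAME}` is written unconditionally, so if the metadata lookup added in `@ -30,6 +30,10` returns nothing the request config becomes `IP:,DNS:...` and openssl fails much later with an unhelpful parse error instead of the script stopping at the lookup; guard it with `[ -n "${KUBE_NODE_IP}" ] || { echo "KUBE_NODE_IP is empty, cannot build kubelet SAN" >&2; exit 1; }` before the heredoc. The added `HOSTNAME=$(hostname)` assigns to bash's own HOSTNAME variable; a distinct name such as `NODE_FQDN=$(hostname)` avoids shadowing it for anything else the script sources. The change to `extendedKeyUsage=clientAuth,serverAuth` is what lets the apiserver verify this certificate with `--kubelet-certificate-authority`, so a comment such as `# serverAuth: kubelet serves https on 10250; clientAuth: same cert authenticates kubelet to apiserver` would explain why one certificate carries both usages.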
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fix bug #1758672 [1] to protect kubelet in the k8s_fedora_atomic driver.
|
||||||
|
Before this patch kubelet was listening to 0.0.0.0 and for clusters with
|
||||||
|
floating IPs the kubelet was exposed. Also, even on clusters without fips
|
||||||
|
the kubelet was exposed inside the cluster. This patch allows access to
|
||||||
|
the kubelet only over https and with the appropriate roles. The apiserver
|
||||||
|
and heapster have the appropriate roles to access it. Finally, all
|
||||||
|
read-only ports have been closed to not expose any cluster data. The only
|
||||||
|
remaining open ports without authentication are for healthz.
|
||||||
|
[1] https://bugs.launchpad.net/magnum/+bug/1758672
|