mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-11-03 19:58:17 +00:00
Merge pull request #38212 from mikedanese/kubeletauth
Automatic merge from submit-queue (batch tested with PRs 38212, 38792, 39641, 36390, 39005) Generate a kubelet CA and kube-apiserver cert-pair for kubelet auth. cc @cjcullen
This commit is contained in:
Kubernetes Submit Queue
@@ -555,6 +555,7 @@ function write-master-env {
|
||||
fi
|
||||
|
||||
build-kube-env true "${KUBE_TEMP}/master-kube-env.yaml"
|
||||
build-kube-master-certs "${KUBE_TEMP}/kube-master-certs.yaml"
|
||||
}
|
||||
|
||||
function write-node-env {
|
||||
@@ -565,6 +566,16 @@ function write-node-env {
|
||||
build-kube-env false "${KUBE_TEMP}/node-kube-env.yaml"
|
||||
}
|
||||
|
||||
function build-kube-master-certs {
|
||||
local file=$1
|
||||
rm -f ${file}
|
||||
cat >$file <<EOF
|
||||
KUBEAPISERVER_CERT: $(yaml-quote ${KUBEAPISERVER_CERT_BASE64:-})
|
||||
KUBEAPISERVER_KEY: $(yaml-quote ${KUBEAPISERVER_KEY_BASE64:-})
|
||||
KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
|
||||
EOF
|
||||
}
|
||||
|
||||
# $1: if 'true', we're building a master yaml, else a node
|
||||
function build-kube-env {
|
||||
local master=$1
|
||||
@@ -777,6 +788,7 @@ EOF
|
||||
KUBERNETES_MASTER: $(yaml-quote "false")
|
||||
ZONE: $(yaml-quote ${ZONE})
|
||||
EXTRA_DOCKER_OPTS: $(yaml-quote ${EXTRA_DOCKER_OPTS:-})
|
||||
KUBELET_AUTH_CA_CERT: $(yaml-quote ${KUBELET_AUTH_CA_CERT_BASE64:-})
|
||||
EOF
|
||||
if [ -n "${KUBEPROXY_TEST_ARGS:-}" ]; then
|
||||
cat >>$file <<EOF
|
||||
@@ -943,6 +955,9 @@ function create-certs {
|
||||
KUBELET_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubelet.key" | base64 | tr -d '\r\n')
|
||||
KUBECFG_CERT_BASE64=$(cat "${CERT_DIR}/pki/issued/kubecfg.crt" | base64 | tr -d '\r\n')
|
||||
KUBECFG_KEY_BASE64=$(cat "${CERT_DIR}/pki/private/kubecfg.key" | base64 | tr -d '\r\n')
|
||||
KUBELET_AUTH_CA_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/ca.crt" | base64 | tr -d '\r\n')
|
||||
KUBEAPISERVER_CERT_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/issued/kube-apiserver.crt" | base64 | tr -d '\r\n')
|
||||
KUBEAPISERVER_KEY_BASE64=$(cat "${KUBE_TEMP}/easy-rsa-master/kubelet/pki/private/kube-apiserver.key" | base64 | tr -d '\r\n')
|
||||
}
|
||||
|
||||
# Runs the easy RSA commands to generate certificate files.
|
||||
@@ -962,6 +977,8 @@ function generate-certs {
|
||||
cd "${KUBE_TEMP}"
|
||||
curl -L -O --connect-timeout 20 --retry 6 --retry-delay 2 https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
|
||||
tar xzf easy-rsa.tar.gz
|
||||
mkdir easy-rsa-master/kubelet
|
||||
cp -r easy-rsa-master/easyrsa3/* easy-rsa-master/kubelet
|
||||
cd easy-rsa-master/easyrsa3
|
||||
./easyrsa init-pki
|
||||
# this puts the cert into pki/ca.crt and the key into pki/private/ca.key
|
||||
@@ -978,7 +995,11 @@ function generate-certs {
|
||||
mv "kubelet.pem" "pki/issued/kubelet.crt"
|
||||
rm -f "kubelet.csr"
|
||||
|
||||
./easyrsa build-client-full kubecfg nopass) &>${cert_create_debug_output} || {
|
||||
./easyrsa build-client-full kubecfg nopass
|
||||
cd ../kubelet
|
||||
./easyrsa init-pki
|
||||
./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass
|
||||
./easyrsa build-client-full kube-apiserver nopass) &>${cert_create_debug_output} || {
|
||||
# If there was an error in the subshell, just die.
|
||||
# TODO(roberthbailey): add better error handling here
|
||||
cat "${cert_create_debug_output}" >&2
|
||||
|
||||
@@ -142,6 +142,23 @@ for k,v in yaml.load(sys.stdin).iteritems():
|
||||
' < """${kube_env_yaml}""")"
|
||||
}
|
||||
|
||||
function set-kube-master-certs() {
|
||||
local kube_master_certs_yaml="${INSTALL_DIR}/kube_master_certs.yaml"
|
||||
|
||||
until curl-metadata kube-master-certs > "${kube_master_certs_yaml}"; do
|
||||
echo 'Waiting for kube-master-certs...'
|
||||
sleep 3
|
||||
done
|
||||
|
||||
eval "$(python -c '
|
||||
import pipes,sys,yaml
|
||||
|
||||
for k,v in yaml.load(sys.stdin).iteritems():
|
||||
print("""readonly {var}={value}""".format(var = k, value = pipes.quote(str(v))))
|
||||
print("""export {var}""".format(var = k))
|
||||
' < """${kube_master_certs_yaml}""")"
|
||||
}
|
||||
|
||||
function remove-docker-artifacts() {
|
||||
echo "== Deleting docker0 =="
|
||||
apt-get-install bridge-utils
|
||||
@@ -613,6 +630,11 @@ EOF
|
||||
if [ -n "${SCHEDULING_ALGORITHM_PROVIDER:-}" ]; then
|
||||
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
|
||||
scheduling_algorithm_provider: '$(echo "${SCHEDULING_ALGORITHM_PROVIDER}" | sed -e "s/'/''/g")'
|
||||
EOF
|
||||
fi
|
||||
if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then
|
||||
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
|
||||
kubelet_auth_ca_cert: /var/lib/kubelet/kubelet_auth_ca.crt
|
||||
EOF
|
||||
fi
|
||||
}
|
||||
@@ -659,6 +681,13 @@ function create-salt-master-auth() {
|
||||
echo "${KUBECFG_KEY:-}" | base64 --decode > /srv/kubernetes/kubecfg.key)
|
||||
fi
|
||||
fi
|
||||
if [ ! -e /srv/kubernetes/kubeapiserver.cert ]; then
|
||||
if [[ ! -z "${KUBEAPISERVER_CERT:-}" ]] && [[ ! -z "${KUBEAPISERVER_KEY:-}" ]]; then
|
||||
(umask 077;
|
||||
echo "${KUBEAPISERVER_CERT}" | base64 --decode > /srv/kubernetes/kubeapiserver.cert;
|
||||
echo "${KUBEAPISERVER_KEY}" | base64 --decode > /srv/kubernetes/kubeapiserver.key)
|
||||
fi
|
||||
fi
|
||||
if [ ! -e "${BASIC_AUTH_FILE}" ]; then
|
||||
mkdir -p /srv/salt-overlay/salt/kube-apiserver
|
||||
(umask 077;
|
||||
@@ -726,6 +755,11 @@ current-context: service-account-context
|
||||
EOF
|
||||
)
|
||||
fi
|
||||
local -r kubelet_auth_ca_file="/srv/salt-overlay/salt/kubelet/kubelet_auth_ca.crt"
|
||||
if [ ! -e "${kubelet_auth_ca_file}" ] && [[ ! -z "${KUBELET_AUTH_CA_CERT:-}" ]]; then
|
||||
(umask 077;
|
||||
echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "${kubelet_auth_ca_file}")
|
||||
fi
|
||||
}
|
||||
|
||||
# This should happen both on cluster initialization and node upgrades.
|
||||
@@ -1099,6 +1133,7 @@ if [[ -z "${is_push}" ]]; then
|
||||
[[ "${KUBERNETES_MASTER}" == "true" ]] && mount-master-pd
|
||||
create-salt-pillar
|
||||
if [[ "${KUBERNETES_MASTER}" == "true" ]]; then
|
||||
set-kube-master-certs
|
||||
create-salt-master-auth
|
||||
create-salt-master-etcd-auth
|
||||
create-salt-master-kubelet-auth
|
||||
|
||||
@@ -87,7 +87,7 @@ function create-master-instance-internal() {
|
||||
--scopes "storage-ro,compute-rw,monitoring,logging-write" \
|
||||
--can-ip-forward \
|
||||
--metadata-from-file \
|
||||
"startup-script=${KUBE_TEMP}/configure-vm.sh,kube-env=${KUBE_TEMP}/master-kube-env.yaml,cluster-name=${KUBE_TEMP}/cluster-name.txt" \
|
||||
"startup-script=${KUBE_TEMP}/configure-vm.sh,kube-env=${KUBE_TEMP}/master-kube-env.yaml,cluster-name=${KUBE_TEMP}/cluster-name.txt,kube-master-certs=${KUBE_TEMP}/kube-master-certs.yaml" \
|
||||
--disk "name=${master_name}-pd,device-name=master-pd,mode=rw,boot=no,auto-delete=no" \
|
||||
--boot-disk-size "${MASTER_ROOT_DISK_SIZE:-10}" \
|
||||
${preemptible_master}
|
||||
|
||||
@@ -201,6 +201,10 @@ function create-master-auth {
|
||||
echo "${MASTER_CERT}" | base64 --decode > "${auth_dir}/server.cert"
|
||||
echo "${MASTER_KEY}" | base64 --decode > "${auth_dir}/server.key"
|
||||
fi
|
||||
if [ ! -e "${auth_dir}/kubeapiserver.cert" ] && [[ ! -z "${KUBEAPISERVER_CERT:-}" ]] && [[ ! -z "${KUBEAPISERVER_KEY:-}" ]]; then
|
||||
echo "${KUBEAPISERVER_CERT}" | base64 --decode > "${auth_dir}/kubeapiserver.cert"
|
||||
echo "${KUBEAPISERVER_KEY}" | base64 --decode > "${auth_dir}/kubeapiserver.key"
|
||||
fi
|
||||
local -r basic_auth_csv="${auth_dir}/basic_auth.csv"
|
||||
if [[ ! -e "${basic_auth_csv}" && -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
|
||||
echo "${KUBE_PASSWORD},${KUBE_USER},admin" > "${basic_auth_csv}"
|
||||
@@ -344,6 +348,12 @@ current-context: service-account-context
|
||||
EOF
|
||||
}
|
||||
|
||||
function create-kubelet-auth-ca {
|
||||
if [[ -n "${KUBELET_AUTH_CA_CERT:-}" ]]; then
|
||||
echo "${KUBELET_AUTH_CA_CERT}" | base64 --decode > "/var/lib/kubelet/kubelet_auth_ca.crt"
|
||||
fi
|
||||
}
|
||||
|
||||
# Uses KUBELET_CA_CERT (falling back to CA_CERT), KUBELET_CERT, and KUBELET_KEY
|
||||
# to generate a kubeconfig file for the kubelet to securely connect to the apiserver.
|
||||
# Set REGISTER_MASTER_KUBELET to true if kubelet on the master node
|
||||
@@ -549,6 +559,9 @@ function start-kubelet {
|
||||
[[ "${HAIRPIN_MODE:-}" == "none" ]]; then
|
||||
flags+=" --hairpin-mode=${HAIRPIN_MODE}"
|
||||
fi
|
||||
if [ -n "${KUBELET_AUTH_CA_CERT:-}" ]; then
|
||||
flags+=" --anonymous-auth=false --client-ca-file=/var/lib/kubelet/kubelet_auth_ca.crt"
|
||||
fi
|
||||
fi
|
||||
# Network plugin
|
||||
if [[ -n "${NETWORK_PROVIDER:-}" ]]; then
|
||||
@@ -793,6 +806,8 @@ function start-kube-apiserver {
|
||||
params+=" --secure-port=443"
|
||||
params+=" --tls-cert-file=/etc/srv/kubernetes/server.cert"
|
||||
params+=" --tls-private-key-file=/etc/srv/kubernetes/server.key"
|
||||
params+=" --kubelet-client-certificate=/etc/srv/kubernetes/kubeapiserver.cert"
|
||||
params+=" --kubelet-client-key=/etc/srv/kubernetes/kubeapiserver.key"
|
||||
params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv"
|
||||
if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
|
||||
params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv"
|
||||
@@ -1266,6 +1281,10 @@ fi
|
||||
|
||||
source "${KUBE_HOME}/kube-env"
|
||||
|
||||
if [[ -e "${KUBE_HOME}/kube-master-certs" ]]; then
|
||||
source "${KUBE_HOME}/kube-master-certs"
|
||||
fi
|
||||
|
||||
if [[ -n "${KUBE_USER:-}" ]]; then
|
||||
if ! [[ "${KUBE_USER}" =~ ^[-._@a-zA-Z0-9]+$ ]]; then
|
||||
echo "Bad KUBE_USER format."
|
||||
@@ -1289,6 +1308,7 @@ if [[ "${KUBERNETES_MASTER:-}" == "true" ]]; then
|
||||
create-master-etcd-auth
|
||||
else
|
||||
create-kubelet-kubeconfig
|
||||
create-kubelet-auth-ca
|
||||
create-kubeproxy-kubeconfig
|
||||
fi
|
||||
|
||||
|
||||
@@ -54,6 +54,22 @@ for k,v in yaml.load(sys.stdin).iteritems():
|
||||
rm -f "${tmp_kube_env}"
|
||||
}
|
||||
|
||||
function download-kube-master-certs {
|
||||
# Fetch kube-env from GCE metadata server.
|
||||
local -r tmp_kube_master_certs="/tmp/kube-master-certs.yaml"
|
||||
curl --fail --retry 5 --retry-delay 3 --silent --show-error \
|
||||
-H "X-Google-Metadata-Request: True" \
|
||||
-o "${tmp_kube_master_certs}" \
|
||||
http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-master-certs
|
||||
# Convert the yaml format file into a shell-style file.
|
||||
eval $(python -c '''
|
||||
import pipes,sys,yaml
|
||||
for k,v in yaml.load(sys.stdin).iteritems():
|
||||
print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v))))
|
||||
''' < "${tmp_kube_master_certs}" > "${KUBE_HOME}/kube-master-certs")
|
||||
rm -f "${tmp_kube_master_certs}"
|
||||
}
|
||||
|
||||
function validate-hash {
|
||||
local -r file="$1"
|
||||
local -r expected="$2"
|
||||
@@ -208,6 +224,9 @@ set-broken-motd
|
||||
KUBE_HOME="/home/kubernetes"
|
||||
download-kube-env
|
||||
source "${KUBE_HOME}/kube-env"
|
||||
if [[ "${KUBERNETES_MASTER:-}" == "true" ]]; then
|
||||
download-kube-master-certs
|
||||
fi
|
||||
install-kube-binary-config
|
||||
echo "Done for installing kubernetes files"
|
||||
|
||||
|
||||
@@ -38,14 +38,14 @@ function docker_monitoring {
|
||||
}
|
||||
|
||||
function kubelet_monitoring {
|
||||
echo "Wait for 2 minutes for kubelet to be fuctional"
|
||||
echo "Wait for 2 minutes for kubelet to be functional"
|
||||
# TODO(andyzheng0831): replace it with a more reliable method if possible.
|
||||
sleep 120
|
||||
local -r max_seconds=10
|
||||
while [ 1 ]; do
|
||||
if ! curl --insecure -m "${max_seconds}" -f -s https://127.0.0.1:${KUBELET_PORT:-10250}/healthz > /dev/null; then
|
||||
if ! curl -m "${max_seconds}" -f -s http://127.0.0.1:10255/healthz > /dev/null; then
|
||||
echo "Kubelet is unhealthy!"
|
||||
curl --insecure https://127.0.0.1:${KUBELET_PORT:-10250}/healthz
|
||||
curl http://127.0.0.1:10255/healthz
|
||||
pkill kubelet
|
||||
# Wait for a while, as we don't want to kill it again before it is really up.
|
||||
sleep 60
|
||||
|
||||
@@ -89,7 +89,7 @@ function create-master-instance-internal() {
|
||||
--scopes "storage-ro,compute-rw,monitoring,logging-write" \
|
||||
--can-ip-forward \
|
||||
--metadata-from-file \
|
||||
"kube-env=${KUBE_TEMP}/master-kube-env.yaml,user-data=${KUBE_ROOT}/cluster/gce/gci/master.yaml,configure-sh=${KUBE_ROOT}/cluster/gce/gci/configure.sh,cluster-name=${KUBE_TEMP}/cluster-name.txt,gci-update-strategy=${KUBE_TEMP}/gci-update.txt,gci-ensure-gke-docker=${KUBE_TEMP}/gci-ensure-gke-docker.txt,gci-docker-version=${KUBE_TEMP}/gci-docker-version.txt" \
|
||||
"kube-env=${KUBE_TEMP}/master-kube-env.yaml,user-data=${KUBE_ROOT}/cluster/gce/gci/master.yaml,configure-sh=${KUBE_ROOT}/cluster/gce/gci/configure.sh,cluster-name=${KUBE_TEMP}/cluster-name.txt,gci-update-strategy=${KUBE_TEMP}/gci-update.txt,gci-ensure-gke-docker=${KUBE_TEMP}/gci-ensure-gke-docker.txt,gci-docker-version=${KUBE_TEMP}/gci-docker-version.txt,kube-master-certs=${KUBE_TEMP}/kube-master-certs.yaml" \
|
||||
--disk "name=${master_name}-pd,device-name=master-pd,mode=rw,boot=no,auto-delete=no" \
|
||||
--boot-disk-size "${MASTER_ROOT_DISK_SIZE:-10}" \
|
||||
${preemptible_master}
|
||||
|
||||
@@ -233,6 +233,9 @@ function prepare-node-upgrade() {
|
||||
KUBELET_CERT_BASE64=$(get-env-val "${node_env}" "KUBELET_CERT")
|
||||
KUBELET_KEY_BASE64=$(get-env-val "${node_env}" "KUBELET_KEY")
|
||||
|
||||
local master_env=$(get-master-env)
|
||||
KUBELET_AUTH_CA_CERT_BASE64=$(get-env-val "${master_env}" "KUBELET_AUTH_CA_CERT")
|
||||
|
||||
# TODO(zmerlynn): How do we ensure kube-env is written in a ${version}-
|
||||
# compatible way?
|
||||
write-node-env
|
||||
|
||||
@@ -82,6 +82,8 @@
|
||||
|
||||
{% set cert_file = "--tls-cert-file=/srv/kubernetes/server.cert" -%}
|
||||
{% set key_file = "--tls-private-key-file=/srv/kubernetes/server.key" -%}
|
||||
{% set kubelet_cert_file = "--kubelet-client-certificate=/srv/kubernetes/kubeapiserver.cert" -%}
|
||||
{% set kubelet_key_file = "--kubelet-client-key=/srv/kubernetes/kubeapiserver.key" -%}
|
||||
{% set client_ca_file = "" -%}
|
||||
|
||||
{% set secure_port = "6443" -%}
|
||||
@@ -169,7 +171,7 @@
|
||||
{% endif -%}
|
||||
|
||||
{% set params = address + " " + storage_backend + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + feature_gates + " " + admission_control + " " + max_requests_inflight + " " + target_ram_mb + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout + " " + enable_garbage_collector + " " + etcd_quorum_read -%}
|
||||
{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authentication_config + webhook_authorization_config + image_review_config -%}
|
||||
{% set params = params + " " + cert_file + " " + key_file + " " + kubelet_cert_file + " " + kubelet_key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authentication_config + webhook_authorization_config + image_review_config -%}
|
||||
|
||||
# test_args has to be kept at the end, so they'll overwrite any prior configuration
|
||||
{% if pillar['apiserver_test_args'] is defined -%}
|
||||
|
||||
@@ -188,5 +188,10 @@
|
||||
{% set eviction_hard="--eviction-hard=" + pillar['eviction_hard'] %}
|
||||
{% endif -%}
|
||||
|
||||
{% set kubelet_auth_ca_cert = "" %}
|
||||
{% if pillar['kubelet_auth_ca_cert'] is defined -%}
|
||||
{% set kubelet_auth_ca_cert="--anonymous-auth=false --client-ca-file=" + pillar['kubelet_auth_ca_cert'] %}
|
||||
{% endif -%}
|
||||
|
||||
# test_args has to be kept at the end, so they'll overwrite any prior configuration
|
||||
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{feature_gates}} {{test_args}}"
|
||||
DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{babysit_daemons}} {{eviction_hard}} {{kubelet_auth_ca_cert}} {{feature_gates}} {{test_args}}"
|
||||
|
||||
@@ -31,6 +31,15 @@
|
||||
- mode: 400
|
||||
- makedirs: true
|
||||
|
||||
{% if pillar['kubelet_auth_ca_cert'] is defined %}
|
||||
/var/lib/kubelet/kubelet_auth_ca.crt:
|
||||
file.managed:
|
||||
- source: salt://kubelet/kubelet_auth_ca.crt
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 400
|
||||
- makedirs: true
|
||||
{% endif %}
|
||||
|
||||
{% if pillar.get('is_systemd') %}
|
||||
|
||||
@@ -52,6 +61,7 @@ fix-service-kubelet:
|
||||
- file: {{ pillar.get('systemd_system_path') }}/kubelet.service
|
||||
- file: {{ environment_file }}
|
||||
- file: /var/lib/kubelet/kubeconfig
|
||||
- file: /var/lib/kubelet/kubelet_auth_ca.crt
|
||||
|
||||
{% else %}
|
||||
|
||||
@@ -79,6 +89,9 @@ kubelet:
|
||||
{% endif %}
|
||||
- file: {{ environment_file }}
|
||||
- file: /var/lib/kubelet/kubeconfig
|
||||
{% if pillar['kubelet_auth_ca_cert'] is defined %}
|
||||
- file: /var/lib/kubelet/kubelet_auth_ca.crt
|
||||
{% endif %}
|
||||
{% if pillar.get('is_systemd') %}
|
||||
- provider:
|
||||
- service: systemd
|
||||
|
||||
@@ -18,11 +18,6 @@
|
||||
# it detects a failure. It then exits, and supervisord restarts it
|
||||
# which in turn restarts the kubelet.
|
||||
|
||||
{% set kubelet_port = "10250" -%}
|
||||
{% if pillar['kubelet_port'] is defined -%}
|
||||
{% set kubelet_port = pillar['kubelet_port'] -%}
|
||||
{% endif -%}
|
||||
|
||||
/etc/init.d/kubelet stop
|
||||
/etc/init.d/kubelet start
|
||||
|
||||
@@ -32,9 +27,9 @@ sleep 60
|
||||
max_seconds=10
|
||||
|
||||
while true; do
|
||||
if ! curl --insecure -m ${max_seconds} -f -s https://127.0.0.1:{{kubelet_port}}/healthz > /dev/null; then
|
||||
if ! curl -m ${max_seconds} -f -s http://127.0.0.1:10255/healthz > /dev/null; then
|
||||
echo "kubelet failed!"
|
||||
curl --insecure https://127.0.0.1:{{kubelet_port}}/healthz
|
||||
curl http://127.0.0.1:10255/healthz
|
||||
exit 2
|
||||
fi
|
||||
sleep 10
|
||||
|
||||
@@ -71,7 +71,8 @@ func NewServerRunOptions() *ServerRunOptions {
|
||||
EventTTL: 1 * time.Hour,
|
||||
MasterCount: 1,
|
||||
KubeletConfig: kubeletclient.KubeletClientConfig{
|
||||
Port: ports.KubeletPort,
|
||||
Port: ports.KubeletPort,
|
||||
ReadOnlyPort: ports.KubeletReadOnlyPort,
|
||||
PreferredAddressTypes: []string{
|
||||
string(api.NodeHostName),
|
||||
string(api.NodeInternalIP),
|
||||
@@ -154,6 +155,9 @@ func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
"DEPRECATED: kubelet port.")
|
||||
fs.MarkDeprecated("kubelet-port", "kubelet-port is deprecated and will be removed.")
|
||||
|
||||
fs.UintVar(&s.KubeletConfig.ReadOnlyPort, "kubelet-read-only-port", s.KubeletConfig.ReadOnlyPort,
|
||||
"DEPRECATED: kubelet port.")
|
||||
|
||||
fs.DurationVar(&s.KubeletConfig.HTTPTimeout, "kubelet-timeout", s.KubeletConfig.HTTPTimeout,
|
||||
"Timeout for kubelet operations.")
|
||||
|
||||
|
||||
@@ -141,12 +141,15 @@ func Run(s *options.ServerRunOptions) error {
|
||||
if s.KubeletConfig.Port == 0 {
|
||||
return fmt.Errorf("must enable kubelet port if proxy ssh-tunneling is specified")
|
||||
}
|
||||
if s.KubeletConfig.ReadOnlyPort == 0 {
|
||||
return fmt.Errorf("must enable kubelet readonly port if proxy ssh-tunneling is specified")
|
||||
}
|
||||
// Set up the tunneler
|
||||
// TODO(cjcullen): If we want this to handle per-kubelet ports or other
|
||||
// kubelet listen-addresses, we need to plumb through options.
|
||||
healthCheckPath := &url.URL{
|
||||
Scheme: "https",
|
||||
Host: net.JoinHostPort("127.0.0.1", strconv.FormatUint(uint64(s.KubeletConfig.Port), 10)),
|
||||
Scheme: "http",
|
||||
Host: net.JoinHostPort("127.0.0.1", strconv.FormatUint(uint64(s.KubeletConfig.ReadOnlyPort), 10)),
|
||||
Path: "healthz",
|
||||
}
|
||||
tunneler = genericapiserver.NewSSHTunneler(s.SSHUser, s.SSHKeyfile, healthCheckPath, installSSH)
|
||||
|
||||
@@ -32,8 +32,9 @@ import (
|
||||
|
||||
type KubeletClientConfig struct {
|
||||
// Default port - used if no information about Kubelet port can be found in Node.NodeStatus.DaemonEndpoints.
|
||||
Port uint
|
||||
EnableHttps bool
|
||||
Port uint
|
||||
ReadOnlyPort uint
|
||||
EnableHttps bool
|
||||
|
||||
// PreferredAddressTypes - used to select an address from Node.NodeStatus.Addresses
|
||||
PreferredAddressTypes []string
|
||||
|
||||
Reference in New Issue
Block a user