	Merge pull request #82103 from neolit123/1.16-kubeadm-fix-kubelet-rotate-certs-false
kubeadm: fix a bug where the kubelet cert rotation was turned off
		@@ -17,9 +17,10 @@ limitations under the License.
 | 
				
			|||||||
package componentconfigs
 | 
					package componentconfigs
 | 
				
			||||||
 | 
					
 | 
				
			||||||
import (
 | 
					import (
 | 
				
			||||||
	"k8s.io/klog"
 | 
					 | 
				
			||||||
	"path/filepath"
 | 
						"path/filepath"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						"k8s.io/klog"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	kubeproxyconfigv1alpha1 "k8s.io/kube-proxy/config/v1alpha1"
 | 
						kubeproxyconfigv1alpha1 "k8s.io/kube-proxy/config/v1alpha1"
 | 
				
			||||||
	kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1"
 | 
						kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1"
 | 
				
			||||||
	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 | 
						kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 | 
				
			||||||
@@ -58,6 +59,7 @@ const (
 | 
				
			|||||||
// DefaultKubeProxyConfiguration assigns default values for the kube-proxy ComponentConfig
 | 
					// DefaultKubeProxyConfiguration assigns default values for the kube-proxy ComponentConfig
 | 
				
			||||||
func DefaultKubeProxyConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 | 
					func DefaultKubeProxyConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 | 
				
			||||||
	externalproxycfg := &kubeproxyconfigv1alpha1.KubeProxyConfiguration{}
 | 
						externalproxycfg := &kubeproxyconfigv1alpha1.KubeProxyConfiguration{}
 | 
				
			||||||
 | 
						kind := "KubeProxyConfiguration"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// Do a roundtrip to the external version for defaulting
 | 
						// Do a roundtrip to the external version for defaulting
 | 
				
			||||||
	if internalcfg.ComponentConfigs.KubeProxy != nil {
 | 
						if internalcfg.ComponentConfigs.KubeProxy != nil {
 | 
				
			||||||
@@ -67,13 +69,13 @@ func DefaultKubeProxyConfiguration(internalcfg *kubeadmapi.ClusterConfiguration)
 | 
				
			|||||||
	if externalproxycfg.ClusterCIDR == "" && internalcfg.Networking.PodSubnet != "" {
 | 
						if externalproxycfg.ClusterCIDR == "" && internalcfg.Networking.PodSubnet != "" {
 | 
				
			||||||
		externalproxycfg.ClusterCIDR = internalcfg.Networking.PodSubnet
 | 
							externalproxycfg.ClusterCIDR = internalcfg.Networking.PodSubnet
 | 
				
			||||||
	} else if internalcfg.Networking.PodSubnet != "" && externalproxycfg.ClusterCIDR != internalcfg.Networking.PodSubnet {
 | 
						} else if internalcfg.Networking.PodSubnet != "" && externalproxycfg.ClusterCIDR != internalcfg.Networking.PodSubnet {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalproxycfg.Kind, "cluster-cidr", internalcfg.Networking.PodSubnet, externalproxycfg.ClusterCIDR)
 | 
							warnDefaultComponentConfigValue(kind, "clusterCIDR", internalcfg.Networking.PodSubnet, externalproxycfg.ClusterCIDR)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if externalproxycfg.ClientConnection.Kubeconfig == "" {
 | 
						if externalproxycfg.ClientConnection.Kubeconfig == "" {
 | 
				
			||||||
		externalproxycfg.ClientConnection.Kubeconfig = kubeproxyKubeConfigFileName
 | 
							externalproxycfg.ClientConnection.Kubeconfig = kubeproxyKubeConfigFileName
 | 
				
			||||||
	} else if externalproxycfg.ClientConnection.Kubeconfig != kubeproxyKubeConfigFileName {
 | 
						} else if externalproxycfg.ClientConnection.Kubeconfig != kubeproxyKubeConfigFileName {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalproxycfg.Kind, "kubeconfig", kubeproxyKubeConfigFileName, externalproxycfg.ClientConnection.Kubeconfig)
 | 
							warnDefaultComponentConfigValue(kind, "clientConnection.kubeconfig", kubeproxyKubeConfigFileName, externalproxycfg.ClientConnection.Kubeconfig)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// TODO: The following code should be remvoved after dual-stack is GA.
 | 
						// TODO: The following code should be remvoved after dual-stack is GA.
 | 
				
			||||||
@@ -97,6 +99,7 @@ func DefaultKubeProxyConfiguration(internalcfg *kubeadmapi.ClusterConfiguration)
 | 
				
			|||||||
// DefaultKubeletConfiguration assigns default values for the kubelet ComponentConfig
 | 
					// DefaultKubeletConfiguration assigns default values for the kubelet ComponentConfig
 | 
				
			||||||
func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 | 
					func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 | 
				
			||||||
	externalkubeletcfg := &kubeletconfigv1beta1.KubeletConfiguration{}
 | 
						externalkubeletcfg := &kubeletconfigv1beta1.KubeletConfiguration{}
 | 
				
			||||||
 | 
						kind := "KubeletConfiguration"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// Do a roundtrip to the external version for defaulting
 | 
						// Do a roundtrip to the external version for defaulting
 | 
				
			||||||
	if internalcfg.ComponentConfigs.Kubelet != nil {
 | 
						if internalcfg.ComponentConfigs.Kubelet != nil {
 | 
				
			||||||
@@ -106,7 +109,7 @@ func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 | 
				
			|||||||
	if externalkubeletcfg.StaticPodPath == "" {
 | 
						if externalkubeletcfg.StaticPodPath == "" {
 | 
				
			||||||
		externalkubeletcfg.StaticPodPath = kubeadmapiv1beta2.DefaultManifestsDir
 | 
							externalkubeletcfg.StaticPodPath = kubeadmapiv1beta2.DefaultManifestsDir
 | 
				
			||||||
	} else if externalkubeletcfg.StaticPodPath != kubeadmapiv1beta2.DefaultManifestsDir {
 | 
						} else if externalkubeletcfg.StaticPodPath != kubeadmapiv1beta2.DefaultManifestsDir {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "pod-manifest-path", kubeadmapiv1beta2.DefaultManifestsDir, externalkubeletcfg.StaticPodPath)
 | 
							warnDefaultComponentConfigValue(kind, "staticPodPath", kubeadmapiv1beta2.DefaultManifestsDir, externalkubeletcfg.StaticPodPath)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	clusterDNS := ""
 | 
						clusterDNS := ""
 | 
				
			||||||
@@ -120,13 +123,13 @@ func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 | 
				
			|||||||
	if externalkubeletcfg.ClusterDNS == nil {
 | 
						if externalkubeletcfg.ClusterDNS == nil {
 | 
				
			||||||
		externalkubeletcfg.ClusterDNS = []string{clusterDNS}
 | 
							externalkubeletcfg.ClusterDNS = []string{clusterDNS}
 | 
				
			||||||
	} else if len(externalkubeletcfg.ClusterDNS) != 1 || externalkubeletcfg.ClusterDNS[0] != clusterDNS {
 | 
						} else if len(externalkubeletcfg.ClusterDNS) != 1 || externalkubeletcfg.ClusterDNS[0] != clusterDNS {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "cluster-dns", []string{clusterDNS}, externalkubeletcfg.ClusterDNS)
 | 
							warnDefaultComponentConfigValue(kind, "clusterDNS", []string{clusterDNS}, externalkubeletcfg.ClusterDNS)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if externalkubeletcfg.ClusterDomain == "" {
 | 
						if externalkubeletcfg.ClusterDomain == "" {
 | 
				
			||||||
		externalkubeletcfg.ClusterDomain = internalcfg.Networking.DNSDomain
 | 
							externalkubeletcfg.ClusterDomain = internalcfg.Networking.DNSDomain
 | 
				
			||||||
	} else if internalcfg.Networking.DNSDomain != "" && externalkubeletcfg.ClusterDomain != internalcfg.Networking.DNSDomain {
 | 
						} else if internalcfg.Networking.DNSDomain != "" && externalkubeletcfg.ClusterDomain != internalcfg.Networking.DNSDomain {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "cluster-domain", internalcfg.Networking.DNSDomain, externalkubeletcfg.ClusterDomain)
 | 
							warnDefaultComponentConfigValue(kind, "clusterDomain", internalcfg.Networking.DNSDomain, externalkubeletcfg.ClusterDomain)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// Require all clients to the kubelet API to have client certs signed by the cluster CA
 | 
						// Require all clients to the kubelet API to have client certs signed by the cluster CA
 | 
				
			||||||
@@ -134,13 +137,13 @@ func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 | 
				
			|||||||
	if externalkubeletcfg.Authentication.X509.ClientCAFile == "" {
 | 
						if externalkubeletcfg.Authentication.X509.ClientCAFile == "" {
 | 
				
			||||||
		externalkubeletcfg.Authentication.X509.ClientCAFile = clientCAFile
 | 
							externalkubeletcfg.Authentication.X509.ClientCAFile = clientCAFile
 | 
				
			||||||
	} else if externalkubeletcfg.Authentication.X509.ClientCAFile != clientCAFile {
 | 
						} else if externalkubeletcfg.Authentication.X509.ClientCAFile != clientCAFile {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "client-ca-file", clientCAFile, externalkubeletcfg.Authentication.X509.ClientCAFile)
 | 
							warnDefaultComponentConfigValue(kind, "authentication.x509.clientCAFile", clientCAFile, externalkubeletcfg.Authentication.X509.ClientCAFile)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if externalkubeletcfg.Authentication.Anonymous.Enabled == nil {
 | 
						if externalkubeletcfg.Authentication.Anonymous.Enabled == nil {
 | 
				
			||||||
		externalkubeletcfg.Authentication.Anonymous.Enabled = utilpointer.BoolPtr(kubeletAuthenticationAnonymousEnabled)
 | 
							externalkubeletcfg.Authentication.Anonymous.Enabled = utilpointer.BoolPtr(kubeletAuthenticationAnonymousEnabled)
 | 
				
			||||||
	} else if *externalkubeletcfg.Authentication.Anonymous.Enabled != kubeletAuthenticationAnonymousEnabled {
 | 
						} else if *externalkubeletcfg.Authentication.Anonymous.Enabled != kubeletAuthenticationAnonymousEnabled {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "anonymous-auth", kubeletAuthenticationAnonymousEnabled, *externalkubeletcfg.Authentication.Anonymous.Enabled)
 | 
							warnDefaultComponentConfigValue(kind, "authentication.anonymous.enabled", kubeletAuthenticationAnonymousEnabled, *externalkubeletcfg.Authentication.Anonymous.Enabled)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// On every client request to the kubelet API, execute a webhook (SubjectAccessReview request) to the API server
 | 
						// On every client request to the kubelet API, execute a webhook (SubjectAccessReview request) to the API server
 | 
				
			||||||
@@ -148,36 +151,36 @@ func DefaultKubeletConfiguration(internalcfg *kubeadmapi.ClusterConfiguration) {
 | 
				
			|||||||
	if externalkubeletcfg.Authorization.Mode == "" {
 | 
						if externalkubeletcfg.Authorization.Mode == "" {
 | 
				
			||||||
		externalkubeletcfg.Authorization.Mode = kubeletAuthorizationMode
 | 
							externalkubeletcfg.Authorization.Mode = kubeletAuthorizationMode
 | 
				
			||||||
	} else if externalkubeletcfg.Authorization.Mode != kubeletAuthorizationMode {
 | 
						} else if externalkubeletcfg.Authorization.Mode != kubeletAuthorizationMode {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "authorization-mode", kubeletAuthorizationMode, externalkubeletcfg.Authorization.Mode)
 | 
							warnDefaultComponentConfigValue(kind, "authorization.mode", kubeletAuthorizationMode, externalkubeletcfg.Authorization.Mode)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// Let clients using other authentication methods like ServiceAccount tokens also access the kubelet API
 | 
						// Let clients using other authentication methods like ServiceAccount tokens also access the kubelet API
 | 
				
			||||||
	if externalkubeletcfg.Authentication.Webhook.Enabled == nil {
 | 
						if externalkubeletcfg.Authentication.Webhook.Enabled == nil {
 | 
				
			||||||
		externalkubeletcfg.Authentication.Webhook.Enabled = utilpointer.BoolPtr(kubeletAuthenticationWebhookEnabled)
 | 
							externalkubeletcfg.Authentication.Webhook.Enabled = utilpointer.BoolPtr(kubeletAuthenticationWebhookEnabled)
 | 
				
			||||||
	} else if *externalkubeletcfg.Authentication.Webhook.Enabled != kubeletAuthenticationWebhookEnabled {
 | 
						} else if *externalkubeletcfg.Authentication.Webhook.Enabled != kubeletAuthenticationWebhookEnabled {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "authentication-token-webhook", kubeletAuthenticationWebhookEnabled, *externalkubeletcfg.Authentication.Webhook.Enabled)
 | 
							warnDefaultComponentConfigValue(kind, "authentication.webhook.enabled", kubeletAuthenticationWebhookEnabled, *externalkubeletcfg.Authentication.Webhook.Enabled)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// Serve a /healthz webserver on localhost:10248 that kubeadm can talk to
 | 
						// Serve a /healthz webserver on localhost:10248 that kubeadm can talk to
 | 
				
			||||||
	if externalkubeletcfg.HealthzBindAddress == "" {
 | 
						if externalkubeletcfg.HealthzBindAddress == "" {
 | 
				
			||||||
		externalkubeletcfg.HealthzBindAddress = kubeletHealthzBindAddress
 | 
							externalkubeletcfg.HealthzBindAddress = kubeletHealthzBindAddress
 | 
				
			||||||
	} else if externalkubeletcfg.HealthzBindAddress != kubeletHealthzBindAddress {
 | 
						} else if externalkubeletcfg.HealthzBindAddress != kubeletHealthzBindAddress {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "healthz-bind-address", kubeletHealthzBindAddress, externalkubeletcfg.HealthzBindAddress)
 | 
							warnDefaultComponentConfigValue(kind, "healthzBindAddress", kubeletHealthzBindAddress, externalkubeletcfg.HealthzBindAddress)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if externalkubeletcfg.HealthzPort == nil {
 | 
						if externalkubeletcfg.HealthzPort == nil {
 | 
				
			||||||
		externalkubeletcfg.HealthzPort = utilpointer.Int32Ptr(constants.KubeletHealthzPort)
 | 
							externalkubeletcfg.HealthzPort = utilpointer.Int32Ptr(constants.KubeletHealthzPort)
 | 
				
			||||||
	} else if *externalkubeletcfg.HealthzPort != constants.KubeletHealthzPort {
 | 
						} else if *externalkubeletcfg.HealthzPort != constants.KubeletHealthzPort {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "healthz-port", constants.KubeletHealthzPort, *externalkubeletcfg.HealthzPort)
 | 
							warnDefaultComponentConfigValue(kind, "healthzPort", constants.KubeletHealthzPort, *externalkubeletcfg.HealthzPort)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if externalkubeletcfg.ReadOnlyPort != kubeletReadOnlyPort {
 | 
						if externalkubeletcfg.ReadOnlyPort != kubeletReadOnlyPort {
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "read-only-port", kubeletReadOnlyPort, externalkubeletcfg.ReadOnlyPort)
 | 
							warnDefaultComponentConfigValue(kind, "readOnlyPort", kubeletReadOnlyPort, externalkubeletcfg.ReadOnlyPort)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if externalkubeletcfg.RotateCertificates != kubeletRotateCertificates {
 | 
						// We cannot show a warning for RotateCertificates==false and we must hardcode it to true.
 | 
				
			||||||
		warnDefaultComponentConfigValue(externalkubeletcfg.Kind, "rotate-certificates", kubeletRotateCertificates, externalkubeletcfg.RotateCertificates)
 | 
						// There is no way to determine if the user has set this or not, given the field is a non-pointer.
 | 
				
			||||||
	}
 | 
						externalkubeletcfg.RotateCertificates = kubeletRotateCertificates
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	Scheme.Default(externalkubeletcfg)
 | 
						Scheme.Default(externalkubeletcfg)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 
 | 
				
			|||||||
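Review bot: The unconditional `externalkubeletcfg.RotateCertificates = kubeletRotateCertificates` in the last hunk is the only override in DefaultKubeletConfiguration that gives the user no signal at all — every other field either keeps the user's value or routes through warnDefaultComponentConfigValue — so an explicit `rotateCertificates: false` in a supplied KubeletConfiguration is discarded silently, and the new two-line comment explains only why a warning is impossible, not why the field must be forced. I would extend the comment with the rationale, e.g. `// kubeadm forces rotation on so that a node keeps its API access after the initial kubelet client certificate expires; the value is enforced, not defaulted.` (the motivation is inferred from kubeadm's certificate model rather than from these lines, so adjust the wording if the real reason differs). An unconditional `klog.V(1).Infof("enforcing rotateCertificates=%v in the kubelet configuration", kubeletRotateCertificates)` at the same spot would leave operators who deliberately disabled rotation a trace in the logs without being wrong when the field was simply unset. The enclosing function starts before this hunk and continues after the Scheme.Default call.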