Skip to content

Commit

Permalink
make kubeadm use new sar approver
Browse files Browse the repository at this point in the history
  • Loading branch information
@mikedanese
mikedanese committed May 30, 2017
1 parent 66b4b99 commit fb4c020
Show file tree
Hide file tree
Showing 5 changed files with 74 additions and 44 deletions.
2 changes: 1 addition & 1 deletion cmd/kube-controller-manager/app/options/options.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
var dummy string
fs.MarkDeprecated("insecure-experimental-approve-all-kubelet-csrs-for-group", "This flag does nothing.")
fs.StringVar(&dummy, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "This flag does nothing.")
fs.StringVar(&dummy, "insecure-experimental-approve-all-kubelet-csrs-for-group", "", "This flag does nothing.")
fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")
fs.StringVar(&s.ClusterName, "cluster-name", s.ClusterName, "The instance prefix for the cluster")
Expand Down
1 change: 0 additions & 1 deletion cmd/kubeadm/app/master/BUILD
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ go_library(
"//cmd/kubeadm/app/constants:go_default_library",
"//cmd/kubeadm/app/images:go_default_library",
"//cmd/kubeadm/app/util/kubeconfig:go_default_library",
"//pkg/bootstrap/api:go_default_library",
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
"//pkg/kubectl/cmd/util:go_default_library",
"//pkg/util/version:go_default_library",
Expand Down
20 changes: 9 additions & 11 deletions cmd/kubeadm/app/master/manifests.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@ import (
kubeadmapiext "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1"
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
"k8s.io/kubernetes/cmd/kubeadm/app/images"
bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
"k8s.io/kubernetes/pkg/util/version"
Expand Down Expand Up @@ -419,16 +418,15 @@ func getControllerManagerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted
}

defaultArguments := map[string]string{
"address": "127.0.0.1",
"leader-elect": "true",
"kubeconfig": filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName),
"root-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
"service-account-private-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPrivateKeyName),
"cluster-signing-cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
"cluster-signing-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName),
"insecure-experimental-approve-all-kubelet-csrs-for-group": bootstrapapi.BootstrapGroup,
"use-service-account-credentials": "true",
"controllers": "*,bootstrapsigner,tokencleaner",
"address": "127.0.0.1",
"leader-elect": "true",
"kubeconfig": filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName),
"root-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
"service-account-private-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPrivateKeyName),
"cluster-signing-cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
"cluster-signing-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName),
"use-service-account-credentials": "true",
"controllers": "*,bootstrapsigner,tokencleaner",
}

command = getComponentBaseCommand(controllerManager)
Expand Down
3 changes: 0 additions & 3 deletions cmd/kubeadm/app/master/manifests_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -676,7 +676,6 @@ func TestGetControllerManagerCommand(t *testing.T) {
"--service-account-private-key-file=" + testCertsDir + "/sa.key",
"--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
"--cluster-signing-key-file=" + testCertsDir + "/ca.key",
"--insecure-experimental-approve-all-kubelet-csrs-for-group=system:bootstrappers",
"--use-service-account-credentials=true",
"--controllers=*,bootstrapsigner,tokencleaner",
},
Expand All @@ -695,7 +694,6 @@ func TestGetControllerManagerCommand(t *testing.T) {
"--service-account-private-key-file=" + testCertsDir + "/sa.key",
"--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
"--cluster-signing-key-file=" + testCertsDir + "/ca.key",
"--insecure-experimental-approve-all-kubelet-csrs-for-group=system:bootstrappers",
"--use-service-account-credentials=true",
"--controllers=*,bootstrapsigner,tokencleaner",
"--cloud-provider=foo",
Expand All @@ -715,7 +713,6 @@ func TestGetControllerManagerCommand(t *testing.T) {
"--service-account-private-key-file=" + testCertsDir + "/sa.key",
"--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
"--cluster-signing-key-file=" + testCertsDir + "/ca.key",
"--insecure-experimental-approve-all-kubelet-csrs-for-group=system:bootstrappers",
"--use-service-account-credentials=true",
"--controllers=*,bootstrapsigner,tokencleaner",
"--allocate-node-cidrs=true",
Expand Down
92 changes: 64 additions & 28 deletions cmd/kubeadm/app/phases/apiconfig/clusterroles.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,32 +35,16 @@ const (
// BootstrapSignerClusterRoleName sets the name for the ClusterRole that allows access to ConfigMaps in the kube-public ns
BootstrapSignerClusterRoleName = "system:bootstrap-signer-clusterinfo"

// Constants
clusterRoleKind = "ClusterRole"
roleKind = "Role"
serviceAccountKind = "ServiceAccount"
rbacAPIGroup = "rbac.authorization.k8s.io"
anonymousUser = "system:anonymous"
clusterRoleKind = "ClusterRole"
roleKind = "Role"
serviceAccountKind = "ServiceAccount"
rbacAPIGroup = "rbac.authorization.k8s.io"
anonymousUser = "system:anonymous"
nodeAutoApproveBootstrap = "kubeadm:node-autoapprove-bootstrap"
)

// TODO: Are there any unit tests that could be made for this file other than duplicating all values and logic in a separate file?

// CreateRBACRules creates the essential RBAC rules for a minimally set-up cluster
func CreateRBACRules(clientset *clientset.Clientset) error {
if err := CreateRoles(clientset); err != nil {
return err
}
if err := CreateRoleBindings(clientset); err != nil {
return err
}
if err := CreateClusterRoleBindings(clientset); err != nil {
return err
}

fmt.Println("[apiconfig] Created RBAC rules")
return nil
}

// CreateServiceAccounts creates the necessary serviceaccounts that kubeadm uses/might use.
func CreateServiceAccounts(clientset *clientset.Clientset) error {
serviceAccounts := []v1.ServiceAccount{
Expand All @@ -86,8 +70,26 @@ func CreateServiceAccounts(clientset *clientset.Clientset) error {
return nil
}

// CreateRoles creates namespaces RBAC Roles
func CreateRoles(clientset *clientset.Clientset) error {
// CreateRBACRules creates the essential RBAC rules for a minimally set-up cluster
func CreateRBACRules(clientset *clientset.Clientset) error {
if err := createRoles(clientset); err != nil {
return err
}
if err := createRoleBindings(clientset); err != nil {
return err
}
if err := createClusterRoles(clientset); err != nil {
return err
}
if err := createClusterRoleBindings(clientset); err != nil {
return err
}

fmt.Println("[apiconfig] Created RBAC rules")
return nil
}

func createRoles(clientset *clientset.Clientset) error {
roles := []rbac.Role{
{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -107,8 +109,7 @@ func CreateRoles(clientset *clientset.Clientset) error {
return nil
}

// CreateRoleBindings creates all namespaced and necessary bindings between bootstrapped & kubeadm-created ClusterRoles and subjects kubeadm is using
func CreateRoleBindings(clientset *clientset.Clientset) error {
func createRoleBindings(clientset *clientset.Clientset) error {
roleBindings := []rbac.RoleBinding{
{
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -137,8 +138,27 @@ func CreateRoleBindings(clientset *clientset.Clientset) error {
return nil
}

// CreateClusterRoleBindings creates all necessary bindings between bootstrapped & kubeadm-created ClusterRoles and subjects kubeadm is using
func CreateClusterRoleBindings(clientset *clientset.Clientset) error {
func createClusterRoles(clientset *clientset.Clientset) error {
clusterRoles := []rbac.ClusterRole{
{
ObjectMeta: metav1.ObjectMeta{
Name: nodeAutoApproveBootstrap,
},
Rules: []rbac.PolicyRule{
rbac.NewRule("create").Groups("certificates.k8s.io").Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
},
},
}

for _, roleBinding := range clusterRoles {
if _, err := clientset.RbacV1beta1().ClusterRoles().Create(&roleBinding); err != nil {
return err
}
}
return nil
}

func createClusterRoleBindings(clientset *clientset.Clientset) error {
clusterRoleBindings := []rbac.ClusterRoleBinding{
{
ObjectMeta: metav1.ObjectMeta{
Expand All @@ -156,6 +176,22 @@ func CreateClusterRoleBindings(clientset *clientset.Clientset) error {
},
},
},
{
ObjectMeta: metav1.ObjectMeta{
Name: nodeAutoApproveBootstrap,
},
RoleRef: rbac.RoleRef{
APIGroup: rbacAPIGroup,
Kind: clusterRoleKind,
Name: nodeAutoApproveBootstrap,
},
Subjects: []rbac.Subject{
{
Kind: "Group",
Name: bootstrapapi.BootstrapGroup,
},
},
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "kubeadm:node-proxier",
Expand Down

0 comments on commit fb4c020

Please sign in to comment.