adding service account to libvirt #17848

Merged
6 changes: 5 additions & 1 deletion cluster/libvirt-coreos/user_data_master.yml
@@ -14,6 +14,9 @@ coreos:

[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \
--service-account-key-file=/opt/kubernetes/certs/kube-serviceaccount.key \
--service-account-lookup=${SERVICE_ACCOUNT_LOOKUP} \
--admission-control=${ADMISSION_CONTROL} \
--insecure-bind-address=0.0.0.0 \
--insecure-port=8080 \
--etcd-servers=http://127.0.0.1:2379 \
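Review bot: `--service-account-lookup=${SERVICE_ACCOUNT_LOOKUP}` picks up a default of `false` (see the util.sh change in this PR), so a token signed with kube-serviceaccount.key stays valid even after its Secret or ServiceAccount has been deleted; consider defaulting it to `true`, or add a comment in this unit stating that the relaxed setting is intentional for a dev cluster. It would also help to state how `${ADMISSION_CONTROL}` and `${SERVICE_ACCOUNT_LOOKUP}` get substituted into this cloud-config, since an unset variable would leave an empty `--admission-control=` in place of the intended plugin list.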
@@ -36,7 +39,8 @@ coreos:

[Service]
ExecStart=/opt/kubernetes/bin/kube-controller-manager \
--master=127.0.0.1:8080
--master=127.0.0.1:8080 \
--service-account-private-key-file=/opt/kubernetes/certs/kube-serviceaccount.key \
Restart=always
RestartSec=2
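Review bot: the trailing ` \` on the new `--service-account-private-key-file=/opt/kubernetes/certs/kube-serviceaccount.key \` line continues the ExecStart command onto the next line, so systemd will hand `Restart=always` to kube-controller-manager as an extra argument and the unit loses its restart policy; drop the backslash from the last argument line.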

17 changes: 16 additions & 1 deletion cluster/libvirt-coreos/util.sh
@@ -22,7 +22,8 @@ source "$ROOT/${KUBE_CONFIG_FILE:-"config-default.sh"}"
source "$KUBE_ROOT/cluster/common.sh"

export LIBVIRT_DEFAULT_URI=qemu:///system

export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota}
readonly POOL=kubernetes
readonly POOL_PATH="$(cd $ROOT && pwd)/libvirt_storage_pool"
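Review bot: `SERVICE_ACCOUNT_LOOKUP` is defaulted to `false` here, which turns off the apiserver's check that a token's Secret and ServiceAccount still exist; that is the knob users are most likely to flip, so consider placing both defaults in `config-default.sh` (sourced just above) next to the other cluster settings, with a one-line comment on what lookup does, rather than hard-coding them in util.sh.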

@@ -51,6 +52,19 @@ function detect-nodes {
KUBE_NODE_IP_ADDRESSES=("${NODE_IPS[@]}")
}

function set_service_accounts {
SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-"/tmp/kube-serviceaccount.key"}
Member

will /tmp be writable under normal circumstances?

Contributor Author

This env is a local dev environment. /tmp in general is writable (as in local cluster).

# Generate ServiceAccount key if needed
if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then
mkdir -p "$(dirname ${SERVICE_ACCOUNT_KEY})"
openssl genrsa -out "${SERVICE_ACCOUNT_KEY}" 2048 2>/dev/null
Member

will openssl be available under normal circumstances?


libvirt-coreos targets local development environments.
I think it is reasonable to request openssl as a pre-requisite. It should be easy for the developer to install it on their workstation.
But we could document this new dependency in: https://github.com/kubernetes/kubernetes/blob/master/docs/getting-started-guides/libvirt-coreos.md#prerequisites

Contributor Author

ok

fi

mkdir -p "$POOL_PATH/kubernetes/certs"
Member

I'm not familiar enough with this install to know if this path is reasonable

Contributor Author

$POOL_PATH is the shared directory mounted by different virtual hosts; data will be in kubernetes/cluster/libvirt-coreos/libvirt_storage_pool and mounted remotely in /opt/.


In libvirt-coreos setup, the $POOL_PATH/kubernetes directory of the host (machine where kube-up.sh is launched) is mounted on each VM in /opt/kubernetes.

It is the most efficient way to push things to the VMs.

I’m fine with that.

cp "${SERVICE_ACCOUNT_KEY}" "$POOL_PATH/kubernetes/certs"
}


# Verify prereqs on host machine
function verify-prereqs {
if ! which virsh >/dev/null; then
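Review bot: `cp "${SERVICE_ACCOUNT_KEY}" "$POOL_PATH/kubernetes/certs"` places the private signing key in the pool directory that, per the discussion above, is mounted at /opt/kubernetes on every VM, so the nodes receive a copy of a key only the apiserver and controller manager need; if the pool cannot be split per VM, at least say so in the docs and check the resulting file mode, since `openssl genrsa` does not necessarily restrict it. Two smaller points: the exit status of `openssl genrsa -out "${SERVICE_ACCOUNT_KEY}" 2048 2>/dev/null` is ignored, so a missing openssl binary only surfaces later as a failed `cp`, and `verify-prereqs` (visible at the bottom of this hunk) still only checks for `virsh` and should check for `openssl` as well now that the docs list it; also quote `$(dirname "${SERVICE_ACCOUNT_KEY}")`.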
@@ -185,6 +199,7 @@ function kube-up {
detect-nodes
load-or-gen-kube-bearertoken
initialize-pool keep_base_image
set_service_accounts
initialize-network

readonly ssh_keys="$(cat ~/.ssh/id_*.pub | sed 's/^/ - /')"
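Review bot: `set_service_accounts` uses an underscore name while every neighbouring function in this file (`detect-nodes`, `load-or-gen-kube-bearertoken`, `initialize-pool`, `initialize-network`) uses hyphens; rename it to `set-service-accounts` for consistency. Calling it after `initialize-pool` is the right order, since the function writes into `$POOL_PATH`.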
7 changes: 4 additions & 3 deletions docs/getting-started-guides/libvirt-coreos.md
@@ -83,11 +83,12 @@ On the other hand, `libvirt-coreos` might be useful for people investigating low
2. Install [ebtables](http://ebtables.netfilter.org/)
3. Install [qemu](http://wiki.qemu.org/Main_Page)
4. Install [libvirt](http://libvirt.org/)
5. Enable and start the libvirt daemon, e.g:
5. Install [openssl](http://openssl.org/)
6. Enable and start the libvirt daemon, e.g:
* ``systemctl enable libvirtd``
* ``systemctl start libvirtd``
6. [Grant libvirt access to your user¹](https://libvirt.org/aclpolkit.html)
7. Check that your $HOME is accessible to the qemu user²
7. [Grant libvirt access to your user¹](https://libvirt.org/aclpolkit.html)
8. Check that your $HOME is accessible to the qemu user²

#### ¹ Depending on your distribution, libvirt access may be denied by default or may require a password at each access.
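Review bot: the new prerequisite `5. Install [openssl](http://openssl.org/)` does not say what it is for; a short clause such as "used to generate the ServiceAccount signing key" would tell readers why a cluster bring-up script needs it, and mentioning that `SERVICE_ACCOUNT_KEY` can point at an existing key would let them skip generation.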
