From ea1c97c7173b526b29059c9be1f3000c82d64f38 Mon Sep 17 00:00:00 2001
From: Salvatore Dario Minonne
Date: Thu, 26 Nov 2015 22:16:07 +0100
Subject: [PATCH] adding service account to libvirt

---
 cluster/libvirt-coreos/user_data_master.yml | 6 +++++-
 cluster/libvirt-coreos/util.sh | 17 ++++++++++++++++-
 docs/getting-started-guides/libvirt-coreos.md | 7 ++++---
 3 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/cluster/libvirt-coreos/user_data_master.yml b/cluster/libvirt-coreos/user_data_master.yml
index b23ea561c1206..cf1dcfe9a10e8 100644
--- a/cluster/libvirt-coreos/user_data_master.yml
+++ b/cluster/libvirt-coreos/user_data_master.yml
@@ -14,6 +14,9 @@ coreos:
 [Service]
 ExecStart=/opt/kubernetes/bin/kube-apiserver \
+ --service-account-key-file=/opt/kubernetes/certs/kube-serviceaccount.key \
+ --service-account-lookup=${SERVICE_ACCOUNT_LOOKUP} \
+ --admission-control=${ADMISSION_CONTROL} \
 --insecure-bind-address=0.0.0.0 \
 --insecure-port=8080 \
 --etcd-servers=http://127.0.0.1:2379 \
@@ -36,7 +39,8 @@ coreos:
 [Service]
 ExecStart=/opt/kubernetes/bin/kube-controller-manager \
- --master=127.0.0.1:8080
+ --master=127.0.0.1:8080 \
+ --service-account-private-key-file=/opt/kubernetes/certs/kube-serviceaccount.key \
 Restart=always
 RestartSec=2
diff --git a/cluster/libvirt-coreos/util.sh b/cluster/libvirt-coreos/util.sh
index 76dea254afbeb..e591f5ac3d2af 100644
--- a/cluster/libvirt-coreos/util.sh
+++ b/cluster/libvirt-coreos/util.sh
@@ -22,7 +22,8 @@ source "$ROOT/${KUBE_CONFIG_FILE:-"config-default.sh"}"
 source "$KUBE_ROOT/cluster/common.sh"
 export LIBVIRT_DEFAULT_URI=qemu:///system
-
+export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
+export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota}
 readonly POOL=kubernetes
 readonly POOL_PATH="$(cd $ROOT && pwd)/libvirt_storage_pool"
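Review bot: The new `--service-account-lookup=${SERVICE_ACCOUNT_LOOKUP}` flag is fed a default of `false` by the util.sh hunk (`export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}`), so the API server will accept any token signed by kube-serviceaccount.key without checking that the ServiceAccount and its secret still exist; a deleted or rotated service account keeps working until the key itself is replaced. Unless the libvirt provider has a reason to disable the lookup, the safer default is `export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}`, and either way the choice deserves a comment next to the export saying what the flag trades off. The same point applies to the util.sh export hunk (`@@ -22,7 +22,8 @@`), which is where the default lives. How the `${...}` placeholders in this cloud-config are expanded is outside the hunk, so I am assuming the exported variables are what gets substituted.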
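Review bot: The last argument line of the kube-controller-manager `ExecStart` now ends in a trailing `\` with no further argument, so systemd will continue the command onto whatever line follows; that is harmless while a blank separator sits between it and `Restart=always`, but the collapsed rendering hides whether one is there, and removing it later would silently append `Restart=always` to the command line. Drop the continuation on the final line: `--service-account-private-key-file=/opt/kubernetes/certs/kube-serviceaccount.key`. The rest of the `[Service]` section is outside the hunk.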
@@ -51,6 +52,19 @@ function detect-nodes {
 KUBE_NODE_IP_ADDRESSES=("${NODE_IPS[@]}")
 }
+function set_service_accounts {
+ SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-"/tmp/kube-serviceaccount.key"}
+ # Generate ServiceAccount key if needed
+ if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then
+ mkdir -p "$(dirname ${SERVICE_ACCOUNT_KEY})"
+ openssl genrsa -out "${SERVICE_ACCOUNT_KEY}" 2048 2>/dev/null
+ fi
+
+ mkdir -p "$POOL_PATH/kubernetes/certs"
+ cp "${SERVICE_ACCOUNT_KEY}" "$POOL_PATH/kubernetes/certs"
+}
+
+
 # Verify prereqs on host machine
 function verify-prereqs {
 if ! which virsh >/dev/null; then
@@ -185,6 +199,7 @@ function kube-up {
 detect-nodes
 load-or-gen-kube-bearertoken
 initialize-pool keep_base_image
+ set_service_accounts
 initialize-network
 readonly ssh_keys="$(cat ~/.ssh/id_*.pub | sed 's/^/ - /')"
diff --git a/docs/getting-started-guides/libvirt-coreos.md b/docs/getting-started-guides/libvirt-coreos.md
index 2d3ec2ad050f2..5bba81c3b2d9b 100644
--- a/docs/getting-started-guides/libvirt-coreos.md
+++ b/docs/getting-started-guides/libvirt-coreos.md
@@ -83,11 +83,12 @@ On the other hand, `libvirt-coreos` might be useful for people investigating low
 2. Install [ebtables](http://ebtables.netfilter.org/)
 3. Install [qemu](http://wiki.qemu.org/Main_Page)
 4. Install [libvirt](http://libvirt.org/)
-5. Enable and start the libvirt daemon, e.g:
+5. Install [openssl](http://openssl.org/)
+6. Enable and start the libvirt daemon, e.g:
 * ``systemctl enable libvirtd``
 * ``systemctl start libvirtd``
-6. [Grant libvirt access to your user¹](https://libvirt.org/aclpolkit.html)
-7. Check that your $HOME is accessible to the qemu user²
+7. [Grant libvirt access to your user¹](https://libvirt.org/aclpolkit.html)
+8. Check that your $HOME is accessible to the qemu user²
 #### ¹ Depending on your distribution, libvirt access may be denied by default or may require a password at each access.
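Review bot: `set_service_accounts` generates the key that signs every service account token the cluster will issue, but `openssl genrsa -out` inherits the caller's umask, so the file under the default `/tmp/kube-serviceaccount.key` is typically created world-readable, and the `-f` test means any file already present at that predictable shared path is adopted as the signing key without checking who owns it or its mode. The `2>/dev/null` also hides an openssl failure (the docs hunk adds openssl as a prerequisite, but `verify-prereqs`, whose body is cut off below the hunk, still only checks `virsh`), after which `cp` fails with an unrelated message; and `$(dirname ${SERVICE_ACCOUNT_KEY})` is unquoted. I would generate under `umask 077`, fail loudly on error, check the existing file is readable, and add an `openssl` check beside the `virsh` one in `verify-prereqs`; whether the copy in `$POOL_PATH/kubernetes/certs` can also be tightened to `0600` depends on how the pool is exported to the guests, which is outside this hunk.
```shell
function set_service_accounts {
  SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-"/tmp/kube-serviceaccount.key"}
  # Generate the ServiceAccount signing key if needed. It signs every token the
  # cluster issues, so create it owner-only and do not carry on without it.
  if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then
    mkdir -p "$(dirname "${SERVICE_ACCOUNT_KEY}")"
    (umask 077 && openssl genrsa -out "${SERVICE_ACCOUNT_KEY}" 2048 2>/dev/null) \
      || { echo "Failed to generate ${SERVICE_ACCOUNT_KEY}" >&2; return 1; }
  fi
  [[ -r "${SERVICE_ACCOUNT_KEY}" ]] \
    || { echo "Cannot read ${SERVICE_ACCOUNT_KEY}" >&2; return 1; }

  # … unchanged: mkdir/cp into "$POOL_PATH/kubernetes/certs" …
}
```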