
Automatically create a secret in the default namespace that contains cluster access auth info #7979

Closed
satnam6502 opened this issue May 8, 2015 · 14 comments
Labels
priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Milestone

Comments

@satnam6502
Contributor

When a cluster is created, automatically make a kubernetes-auth secret that contains the basic auth, bearer token auth and certs to allow applications running inside pods to access the apiserver etc.

@satnam6502 satnam6502 self-assigned this May 8, 2015
@satnam6502 satnam6502 added this to the v1.0-candidate milestone May 8, 2015
@satnam6502 satnam6502 added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. team/cluster labels May 8, 2015
@roberthbailey
Contributor

Will #7101 do this for us automatically? @liggitt

@satnam6502
Contributor Author

I see that we already have:

```
$ kubectl get secrets
NAME                              TYPE      DATA
token-admin                       Opaque    1
token-kube-proxy                  Opaque    1
token-kubelet                     Opaque    1
token-system-controller-manager   Opaque    1
token-system-dns                  Opaque    1
token-system-logging              Opaque    1
token-system-monitoring           Opaque    1
token-system-scheduler            Opaque    1
```

@roberthbailey
Contributor

For GCE/GKE we do (@erictune added them to cluster/gce/configure-vm.sh).

@roberthbailey
Contributor

Note that these are all just bearer tokens and they don't contain the CA root cert which we need to distribute for #7964.

@liggitt
Member

liggitt commented May 8, 2015

#7101 will automatically get you bearer tokens for service accounts, but that's it. There was discussion about following that with adding a kubeconfig key to the secret which bundled the ca cert and the token together.

@erictune
Member

erictune commented May 8, 2015

Let's not use the admin account for pods. Secrets are for pods. So let's not put the admin secrets in secret resources.

On May 8, 2015 12:56 PM, "Jordan Liggitt" notifications@github.com wrote:

#7101 will automatically get you bearer tokens for service accounts, but that's it. There was discussion about following that with adding a kubeconfig key to the secret which bundled the ca cert and the token together.

@satnam6502
Contributor Author

@erictune: have I done the wrong thing in PR #7988?

@erictune
Member

I created token-system-logging with the hope that it would be used for elasticsearch. So I am a little sad that #7988 used token-admin. 😿

@satnam6502
Contributor Author

Let me look into this and see if I can switch to token-system-logging

@goltermann goltermann modified the milestones: v1.0, v1.0-candidate May 12, 2015
@goltermann goltermann assigned lavalamp and unassigned satnam6502 May 12, 2015
@goltermann goltermann modified the milestones: v1.0-candidate, v1.0 May 12, 2015
@roberthbailey roberthbailey modified the milestones: v1.0, v1.0-candidate May 19, 2015
@thockin
Member

thockin commented Jun 5, 2015

What's the status on this? It seems that tokens are a big issue for many people but I guess a lot of it has to do with doing upgrades. Do we think this issue is something we want to do? If not, let's close it out.

@satnam6502
Contributor Author

I can't help thinking that we will keep wanting to make system pods that want to make Kubernetes API calls, but perhaps we should wait until there is a clear demand for this scenario.

@thockin
Member

thockin commented Jun 5, 2015

Don't service accounts handle this?

On Fri, Jun 5, 2015 at 12:42 AM, Satnam Singh notifications@github.com wrote:

I can't help thinking that we will keep wanting to make system pods that want to make Kubernetes API calls, but perhaps we should wait until there is a clear demand for this scenario.

@liggitt
Member

liggitt commented Jun 5, 2015

Don't service accounts handle this?

Yes. Room for improvement (including the CA or a kubeconfig with the token as well), but yes... that's how pods get API credentials.
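One way to do the "room for improvement" liggitt describes here and earlier in the thread (bundle the CA cert and the token into a single kubeconfig, and check that a credential bundle actually carries the CA that the bearer-token-only secrets lack), as an added POSIX shell example that is not code from the issue or from Kubernetes; the in-pod mount path under /var/run/secrets/kubernetes.io/serviceaccount and the `local`/`pod` names are assumptions:

```shell
#!/bin/sh
# Added example, not code from the issue or Kubernetes: bundle a CA cert and
# bearer token into one kubeconfig (the improvement discussed above) and check
# that a bundle carries a CA, which token-only secrets lack.

# Assumption: conventional in-pod mount path of service-account files.
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}

# make_kubeconfig CA_FILE TOKEN SERVER [NAMESPACE] -> kubeconfig on stdout.
# "local" and "pod" are made-up cluster/context/user names.
make_kubeconfig() {
  ca_file=$1; token=$2; server=$3; ns=${4:-default}
  # certificate-authority-data must be one base64 line; strip newlines
  # with tr rather than the GNU-only `base64 -w0`.
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
contexts:
- name: local
  context:
    cluster: local
    user: pod
    namespace: ${ns}
current-context: local
users:
- name: pod
  user:
    token: ${token}
EOF
}

# check_kubeconfig < FILE: succeeds only if the config names a CA and a
# token, i.e. it can both authenticate and verify the server's identity.
check_kubeconfig() {
  cfg=$(cat)
  printf '%s\n' "$cfg" | grep -q 'certificate-authority' || return 1
  printf '%s\n' "$cfg" | grep -q '^ *token: ' || return 1
}

# Typical in-pod use (runs only where the credentials are mounted):
if [ -r "$SA_DIR/token" ] && [ -r "$SA_DIR/ca.crt" ]; then
  make_kubeconfig "$SA_DIR/ca.crt" "$(cat "$SA_DIR/token")" \
    "https://${KUBERNETES_SERVICE_HOST:-kubernetes}:443" | check_kubeconfig && echo "bundle ok"
fi
```

A token-only secret passes no CA, so a client built from it can authenticate but cannot verify that it is talking to the real apiserver; check_kubeconfig rejects such a bundle.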


7 participants