Use a generated password for kube user (#1624)

Removed unnecessary root user
Matthew Mosesohn 2017-09-06 20:20:25 +03:00 committed by GitHub
parent e26aec96b0
commit 7117614ee5
5 changed files with 29 additions and 14 deletions

.gitignore vendored
View file

@ -24,6 +24,7 @@ __pycache__/
.Python .Python
env/ env/
build/ build/
credentials/
develop-eggs/ develop-eggs/
dist/ dist/
downloads/ downloads/
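Review bot: Ignoring `credentials/` is the right call now that a cleartext password is generated there, but nothing in this change tells a contributor that the directory is created and populated by the `lookup('password', ...)` calls in group_vars and the test playbook. Consider a one-line comment next to the entry (or in the docs hunk below) stating that `credentials/kube_user` is the generated API password and must never be committed or shared, since a `.gitignore` entry alone does not explain why the directory exists.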

View file

@ -57,7 +57,7 @@ ansible-playbook -i my_inventory/inventory.cfg cluster.yml -b -v \
See more details in the [ansible guide](ansible.md). See more details in the [ansible guide](ansible.md).
Adding nodes Adding nodes
-------------------------- ------------
You may want to add worker nodes to your existing cluster. This can be done by re-running the `cluster.yml` playbook, or you can target the bare minimum needed to get kubelet installed on the worker and talking to your masters. This is especially helpful when doing something like autoscaling your clusters. You may want to add worker nodes to your existing cluster. This can be done by re-running the `cluster.yml` playbook, or you can target the bare minimum needed to get kubelet installed on the worker and talking to your masters. This is especially helpful when doing something like autoscaling your clusters.
@ -66,4 +66,26 @@ You may want to add worker nodes to your existing cluster. This can be done by r
``` ```
ansible-playbook -i my_inventory/inventory.cfg scale.yml -b -v \ ansible-playbook -i my_inventory/inventory.cfg scale.yml -b -v \
--private-key=~/.ssh/private_key --private-key=~/.ssh/private_key
``` ```
Connecting to Kubernetes
------------------------
By default, Kubespray configures kube-master hosts with insecure access to
kube-apiserver via port 8080. A kubeconfig file is not necessary in this case,
because kubectl will use http://localhost:8080 to connect. The kubeconfig files
generated will point to localhost (on kube-masters) and kube-node hosts will
connect either to a localhost nginx proxy or to a loadbalancer if configured.
More details on this process is in the [HA guide](ha.md).
Kubespray permits connecting to the cluster remotely on any IP of any
kube-master host on port 6443 by default. However, this requires
authentication. One could generate a kubeconfig based on one installed
kube-master hosts (needs improvement) or connect with a username and password.
By default, two users are created: `kube` and `admin` with the same password.
The password can be viewed after deployment by looking at the file
`PATH_TO_KUBESPRAY/credentials/kube_user`. This contains a randomly generated
password. If you wish to set your own password, just precreate/modify this
file yourself.
For more information on kubeconfig and accessing a Kubernetes cluster, refer to
the Kubernetes [documentation](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).
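Review bot: The sentence "By default, two users are created: `kube` and `admin` with the same password" does not match the rest of this change: after the `root` entry is removed, the `kube_users` map in both group_vars hunks defines only `kube`, and no `admin` user appears anywhere in the diff. Either the docs should list only `kube` or the vars should define `admin`; as written, a reader will try a username that does not exist. Two smaller points in the same paragraph: "More details on this process is in" should read "are in", and "generate a kubeconfig based on one installed kube-master hosts (needs improvement)" reads as an unfinished thought. Finally, the opening paragraph should state plainly that port 8080 is the unauthenticated insecure port and that it is only safe because it is bound to localhost; otherwise an operator may be tempted to expose it, and the whole point of generating a password for 6443 is lost.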

View file

@ -40,18 +40,11 @@ kube_log_level: 2
# Users to create for basic auth in Kubernetes API via HTTP # Users to create for basic auth in Kubernetes API via HTTP
# Optionally add groups for user # Optionally add groups for user
kube_api_pwd: "changeme" kube_api_pwd: "{{ lookup('password', 'credentials/kube_user length=15') }}"
kube_users: kube_users:
kube: kube:
pass: "{{kube_api_pwd}}" pass: "{{kube_api_pwd}}"
role: admin role: admin
root:
pass: "{{kube_api_pwd}}"
role: admin
# groups:
# - system:masters
## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth) ## It is possible to activate / deactivate selected authentication methods (basic auth, static token auth)
#kube_oidc_auth: false #kube_oidc_auth: false
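Review bot: The comment block above `kube_api_pwd` still reads as if the value were a static setting, but the new default is a lookup that generates a random 15-character secret on the control host and writes it to `credentials/kube_user` in cleartext. Add a comment line stating exactly that (where the file lands, that it is created on first run, and that pre-creating the file sets a custom password), since "changeme" was self-explanatory and the lookup is not. Also, removing the `root` entry took the only `# groups:` / `# - system:masters` example with it, so the "Optionally add groups for user" comment now refers to nothing; suggest moving that commented example under the remaining `kube` user. Dropping the duplicate `root` admin account is a good reduction in the number of static-password principals.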

View file

@ -66,9 +66,6 @@ kube_users:
kube: kube:
pass: "{{kube_api_pwd}}" pass: "{{kube_api_pwd}}"
role: admin role: admin
root:
pass: "{{kube_api_pwd}}"
role: admin
# Choose network plugin (calico, weave or flannel) # Choose network plugin (calico, weave or flannel)
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing # Can also be set to 'cloud', which lets the cloud provider setup appropriate routing

View file

@ -2,10 +2,12 @@
- hosts: kube-master - hosts: kube-master
tasks: tasks:
- debug:
msg: "kube pass: {{ lookup('password', '../../credentials/kube_user length=15') }}"
- name: Check the API servers are responding - name: Check the API servers are responding
uri: uri:
url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}/api/v1" url: "https://{{ access_ip | default(ansible_default_ipv4.address) }}:{{ kube_apiserver_port }}/api/v1"
user: kube user: kube
password: changeme password: "{{ lookup('password', '../../credentials/kube_user length=15') }}"
validate_certs: no validate_certs: no
status_code: 200 status_code: 200
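Review bot: The new `- debug:` task prints the generated API password into the test output, so every CI log for this playbook will now contain a valid admin credential for the cluster under test; drop the task or, if the value is needed for troubleshooting, put `no_log: true` on it and print only that the file exists. Second, the `password:` field repeats the full `lookup('password', '../../credentials/kube_user length=15')` rather than referencing `{{ kube_api_pwd }}`; with two independent lookups the file path and length are now maintained in two places, and because the test resolves the path as `../../credentials/kube_user` while group_vars uses `credentials/kube_user`, please confirm both resolve to the same file relative to their playbook directories, otherwise the test will silently generate a second password and fail the check with a 401 rather than reporting the real cause. `validate_certs: no` is unchanged here but is worth revisiting once the cluster CA is available to the test runner.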