From 9b96fd7f5f0b847a1d9fa21d7ff6fd19714490dd Mon Sep 17 00:00:00 2001
From: nhaveric
Date: Fri, 23 Jun 2017 17:26:22 +0200
Subject: [PATCH] kube-master: Use TLS for scheduler and controllers communications

This commit aims to enable the scheduler and controller-manager to access the proper {{ kube_api_endpoint }}, instead of the unauthenticated localhost port. Two aditionnal certs are generated on master nodes, and kubeconfig files are added for both pods.
---
roles/kubernetes/master/tasks/main.yml | 14 ++++++++++++++
.../controller-manager-kubeconfig.yaml.j2 | 18 ++++++++++++++++++
.../kube-controller-manager.manifest.j2 | 1 +
.../manifests/kube-scheduler.manifest.j2 | 1 +
.../templates/scheduler-kubeconfig.yaml.j2 | 18 ++++++++++++++++++
roles/kubernetes/secrets/files/make-ssl.sh | 8 ++++++++
.../secrets/tasks/gen_certs_script.yml | 8 ++++++++
7 files changed, 68 insertions(+)
create mode 100644 roles/kubernetes/master/templates/controller-manager-kubeconfig.yaml.j2
create mode 100644 roles/kubernetes/master/templates/scheduler-kubeconfig.yaml.j2

diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/master/tasks/main.yml
index dadef4bf5..ef4fa4a0a 100644
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@@ -60,6 +60,13 @@
when: kubesystem|failed and inventory_hostname == groups['kube-master'][0]
tags: apps

+- name: Write kube-controller-manager kubeconfig
+ template:
+ src: controller-manager-kubeconfig.yaml.j2
+ dest: "{{ kube_config_dir}}/controller-manager-kubeconfig.yaml"
+ notify: Master | wait for kube-controller-manager
+ tags: kube-controller-manager
+
- name: Write kube-controller-manager manifest
template:
src: manifests/kube-controller-manager.manifest.j2
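Review bot: The `Write kube-controller-manager kubeconfig` task sets no `owner`, `group` or `mode`, so the kubeconfig lands with whatever the remote umask gives it. The file only points at the CA, certificate and key paths under `kube_cert_dir` (see the new template later in this patch), so this is not a key exposure, but pinning `mode: "0640"` keeps a control-plane credential descriptor from being world-readable and makes the result the same on every master; the scheduler kubeconfig task in the next hunk has the same gap. Minor: `dest: "{{ kube_config_dir}}/controller-manager-kubeconfig.yaml"` drops the space before `}}` that the rest of the role uses (`{{ kube_config_dir }}` in the controller-manager manifest hunk); `dest: "{{ kube_config_dir }}/controller-manager-kubeconfig.yaml"` keeps the templates greppable.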
@@ -67,6 +74,13 @@
notify: Master | wait for kube-controller-manager
tags: kube-controller-manager

+- name: Write kube-scheduler kubeconfig
+ template:
+ src: scheduler-kubeconfig.yaml.j2
+ dest: "{{ kube_config_dir}}/scheduler-kubeconfig.yaml"
+ notify: Master | wait for kube-controller-manager
+ tags: kube-scheduler
+
- name: Write kube-scheduler manifest
template:
src: manifests/kube-scheduler.manifest.j2
diff --git a/roles/kubernetes/master/templates/controller-manager-kubeconfig.yaml.j2 b/roles/kubernetes/master/templates/controller-manager-kubeconfig.yaml.j2
new file mode 100644
index 000000000..c8048be99
--- /dev/null
+++ b/roles/kubernetes/master/templates/controller-manager-kubeconfig.yaml.j2
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: local
+ cluster:
+ certificate-authority: {{ kube_cert_dir }}/ca.pem
+ server: {{ kube_apiserver_endpoint }}
+users:
+- name: controller-manager
+ user:
+ client-certificate: {{ kube_cert_dir }}/controller-manager-{{ inventory_hostname }}.pem
+ client-key: {{ kube_cert_dir }}/controller-manager-{{ inventory_hostname }}-key.pem
+contexts:
+- context:
+ cluster: local
+ user: controller-manager
+ name: controller-manager-{{ cluster_name }}
+current-context: controller-manager-{{ cluster_name }}
diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
index d3f8a23a5..9c476d012 100644
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
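Review bot: `Write kube-scheduler kubeconfig` notifies `Master | wait for kube-controller-manager`, which reads as a copy of the controller-manager task above rather than the handler for the component whose config this task rewrites. The scheduler manifest task that follows keeps its own `notify` outside this hunk, so I cannot see the handler name it uses; if the role has a `Master | wait for kube-scheduler` handler, this line should be `notify: Master | wait for kube-scheduler`, otherwise a changed scheduler kubeconfig will wait on the wrong pod and the play can move on before the scheduler is back. The same `mode`/spacing remarks as for the controller-manager kubeconfig task apply here.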
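Review bot: Every templated scalar in this kubeconfig is unquoted — `server: {{ kube_apiserver_endpoint }}`, `certificate-authority: {{ kube_cert_dir }}/ca.pem` and the two client-certificate/client-key paths — so the rendered text is parsed as YAML rather than taken as a string; an empty or undefined-then-defaulted `kube_apiserver_endpoint` renders `server:` with no value, which YAML reads as null instead of failing loudly, and the component would then connect wherever its flags or defaults send it rather than to the TLS endpoint this commit intends. Quote the four values, e.g. `server: "{{ kube_apiserver_endpoint }}"` and `certificate-authority: "{{ kube_cert_dir }}/ca.pem"`; `scheduler-kubeconfig.yaml.j2` later in this patch has the identical shape and needs the same change. The client-certificate file name is built from `inventory_hostname` here while make-ssl.sh names the files from its `${host}` loop variable, so a one-line comment above `users:` stating that the two must agree would help the next reader; I cannot see from the patch whether `MASTERS` is fed the inventory names.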
@@ -35,6 +35,7 @@ spec:
- --node-monitor-period={{ kube_controller_node_monitor_period }}
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
- --v={{ kube_log_level }}
+ - --kubeconfig={{ kube_config_dir}}/controller-manager-kubeconfig.yaml
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
- --cloud-provider={{cloud_provider}}
- --cloud-config={{ kube_config_dir }}/cloud_config
diff --git a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
index 441f991eb..9fa235549 100644
--- a/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-scheduler.manifest.j2
@@ -27,6 +27,7 @@ spec:
- --leader-elect=true
- --master={{ kube_apiserver_endpoint }}
- --v={{ kube_log_level }}
+ - --kubeconfig={{ kube_config_dir}}/scheduler-kubeconfig.yaml
{% if scheduler_custom_flags is string %}
- {{ scheduler_custom_flags }}
{% else %}
diff --git a/roles/kubernetes/master/templates/scheduler-kubeconfig.yaml.j2 b/roles/kubernetes/master/templates/scheduler-kubeconfig.yaml.j2
new file mode 100644
index 000000000..e320261b4
--- /dev/null
+++ b/roles/kubernetes/master/templates/scheduler-kubeconfig.yaml.j2
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+clusters:
+- name: local
+ cluster:
+ certificate-authority: {{ kube_cert_dir }}/ca.pem
+ server: {{ kube_apiserver_endpoint }}
+users:
+- name: scheduler
+ user:
+ client-certificate: {{ kube_cert_dir }}/scheduler-{{ inventory_hostname }}.pem
+ client-key: {{ kube_cert_dir }}/scheduler-{{ inventory_hostname }}-key.pem
+contexts:
+- context:
+ cluster: local
+ user: scheduler
+ name: scheduler-{{ cluster_name }}
+current-context: scheduler-{{ cluster_name }}
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 363dfa94f..4baaafb3c 100755
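Review bot: The new `--kubeconfig` line only takes effect if the static pod can read the two directories it references, and only if no `--master` flag elsewhere in this manifest still names the localhost port — `--master` overrides the `server` from a kubeconfig for kube-controller-manager, so a leftover value would keep the unauthenticated path in use while the kubeconfig suggests otherwise. Neither the rest of the args list nor the `volumes`/`volumeMounts` section is inside this hunk, so please confirm that `{{ kube_config_dir }}` and `{{ kube_cert_dir }}` are mounted into the container and that no `--master=` remains. Spacing: `{{ kube_config_dir}}` here versus `{{ kube_config_dir }}` two lines below in the same file; `- --kubeconfig={{ kube_config_dir }}/controller-manager-kubeconfig.yaml` matches the surrounding style.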
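Review bot: The scheduler keeps `- --master={{ kube_apiserver_endpoint }}` directly above the added `--kubeconfig`; for kube-scheduler `--master` overrides the `server` in the kubeconfig, so the endpoint is now declared twice and the kubeconfig's `server` is dead configuration that will silently diverge the first time one of the two is edited. Since `scheduler-kubeconfig.yaml.j2` in this same patch already sets `server: {{ kube_apiserver_endpoint }}` together with the CA, drop the `- --master=...` line and let the kubeconfig be the single source of endpoint and trust anchor. The args list continues past the hunk, so check there is no second `--master` further down.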
--- a/roles/kubernetes/secrets/files/make-ssl.sh +++ b/roles/kubernetes/secrets/files/make-ssl.sh @@ -87,6 +87,14 @@ if [ -n "$MASTERS" ]; then openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1 openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}/O=system:masters" > /dev/null 2>&1 openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 3650 > /dev/null 2>&1 + # controller-manager key + openssl genrsa -out controller-manager-${host}-key.pem 2048 > /dev/null 2>&1 + openssl req -new -key controller-manager-${host}-key.pem -out controller-manager-${host}.csr -subj "/CN=kube-controller-manager-${cn}/O=system:kube-controller-manager" > /dev/null 2>&1 + openssl x509 -req -in controller-manager-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out controller-manager-${host}.pem -days 3650 > /dev/null 2>&1 + # scheduler + openssl genrsa -out scheduler-${host}-key.pem 2048 > /dev/null 2>&1 + openssl req -new -key scheduler-${host}-key.pem -out scheduler-${host}.csr -subj "/CN=kube-scheduler-${cn}/O=system:kube-scheduler" > /dev/null 2>&1 + openssl x509 -req -in scheduler-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out scheduler-${host}.pem -days 3650 > /dev/null 2>&1 done fi diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml index 8df2195bf..8f5cdfa2a 100644 --- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml +++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml 
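Review bot: The new certificates carry the component identity in the group (`O=system:kube-controller-manager`, `O=system:kube-scheduler`) and a per-host name in the CN (`kube-controller-manager-${cn}`, `kube-scheduler-${cn}`), but as far as I know the Kubernetes bootstrap RBAC policy binds the `system:kube-controller-manager` and `system:kube-scheduler` ClusterRoles to users of those names, not to groups; with RBAC authorization enabled these components would pass client-cert authentication and then be refused on every API call, showing up as forbidden errors in the apiserver log. Either issue the certs as `-subj "/CN=system:kube-controller-manager"` and `-subj "/CN=system:kube-scheduler"` (the per-host suffix can stay in the file name, as it already does) or ship a ClusterRoleBinding for the two groups alongside this change. Separately, all three `openssl` calls per component send output to `/dev/null 2>&1` like the admin block above, so a failed key generation leaves a missing `.pem` that only surfaces when the pod starts; a comment noting that the script relies on an `errexit` setting in its header (outside this hunk) — or an explicit check — would make the failure mode visible.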
@@ -59,12 +59,20 @@
{% for node in groups['kube-master'] %}
'admin-{{ node }}.pem',
'admin-{{ node }}-key.pem',
+ 'controller-manager-{{ node }}.pem',
+ 'controller-manager-{{ node }}-key.pem',
+ 'scheduler-{{ node }}.pem',
+ 'scheduler-{{ node }}-key.pem',
'apiserver.pem',
'apiserver-key.pem',
{% endfor %}]"
my_master_certs: ['ca-key.pem',
'admin-{{ inventory_hostname }}.pem',
'admin-{{ inventory_hostname }}-key.pem',
+ 'controller-manager-{{ inventory_hostname }}.pem',
+ 'controller-manager-{{ inventory_hostname }}-key.pem',
+ 'scheduler-{{ inventory_hostname }}.pem',
+ 'scheduler-{{ inventory_hostname }}-key.pem',
'apiserver.pem',
'apiserver-key.pem'
]
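Review bot: The per-node `controller-manager-{{ node }}-key.pem` and `scheduler-{{ node }}-key.pem` private keys are added to the list built over every member of `groups['kube-master']`, whereas `my_master_certs` is limited to this host's own pair; if the first list is what gets gathered and then pushed to each master (the tasks that consume these variables are outside the hunk), every master would end up holding the component private keys of every other master, which removes the per-host separation the file naming implies. Please confirm that only `my_master_certs` drives the copy to each master, or restrict the collected list to the node that actually needs the keys. A one-line comment above the `{% for %}` naming the host that consumes the collected list would make that intent checkable in review.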