kube-master: Use TLS for scheduler and controllers communications
This commit aims to enable the scheduler and controller-manager to access the proper {{ kube_api_endpoint }}, instead of the unauthenticated localhost port. Two additional certs are generated on master nodes, and kubeconfig files are added for both pods.
This commit is contained in:
parent
638b80d8de
commit
9b96fd7f5f
7 changed files with 68 additions and 0 deletions
|
@ -60,6 +60,13 @@
|
||||||
when: kubesystem|failed and inventory_hostname == groups['kube-master'][0]
|
when: kubesystem|failed and inventory_hostname == groups['kube-master'][0]
|
||||||
tags: apps
|
tags: apps
|
||||||
|
|
||||||
|
- name: Write kube-controller-manager kubeconfig
|
||||||
|
template:
|
||||||
|
src: controller-manager-kubeconfig.yaml.j2
|
||||||
|
dest: "{{ kube_config_dir}}/controller-manager-kubeconfig.yaml"
|
||||||
|
notify: Master | wait for kube-controller-manager
|
||||||
|
tags: kube-controller-manager
|
||||||
|
|
||||||
- name: Write kube-controller-manager manifest
|
- name: Write kube-controller-manager manifest
|
||||||
template:
|
template:
|
||||||
src: manifests/kube-controller-manager.manifest.j2
|
src: manifests/kube-controller-manager.manifest.j2
|
||||||
|
@ -67,6 +74,13 @@
|
||||||
notify: Master | wait for kube-controller-manager
|
notify: Master | wait for kube-controller-manager
|
||||||
tags: kube-controller-manager
|
tags: kube-controller-manager
|
||||||
|
|
||||||
|
- name: Write kube-scheduler kubeconfig
|
||||||
|
template:
|
||||||
|
src: scheduler-kubeconfig.yaml.j2
|
||||||
|
dest: "{{ kube_config_dir}}/scheduler-kubeconfig.yaml"
|
||||||
|
notify: Master | wait for kube-controller-manager
|
||||||
|
tags: kube-scheduler
|
||||||
|
|
||||||
- name: Write kube-scheduler manifest
|
- name: Write kube-scheduler manifest
|
||||||
template:
|
template:
|
||||||
src: manifests/kube-scheduler.manifest.j2
|
src: manifests/kube-scheduler.manifest.j2
|
||||||
|
|
|
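Review bot: The new "Write kube-scheduler kubeconfig" task notifies `Master | wait for kube-controller-manager` while it is tagged `kube-scheduler`, which looks like a copy of the controller-manager task above; a scheduler change would then only trigger the controller-manager wait, so the notify line should point at the scheduler handler (presumably the one the scheduler manifest task notifies, outside this hunk). Both new `dest:` lines drop the space before `}}` (`{{ kube_config_dir}}`), unlike the rest of the templates on this page; `dest: "{{ kube_config_dir }}/scheduler-kubeconfig.yaml"` matches the file's delimiter style, and the same slip is in the `--kubeconfig` flags of both manifests. The task list continues before and after both hunks.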
@ -0,0 +1,18 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Config
|
||||||
|
clusters:
|
||||||
|
- name: local
|
||||||
|
cluster:
|
||||||
|
certificate-authority: {{ kube_cert_dir }}/ca.pem
|
||||||
|
server: {{ kube_apiserver_endpoint }}
|
||||||
|
users:
|
||||||
|
- name: controller-manager
|
||||||
|
user:
|
||||||
|
client-certificate: {{ kube_cert_dir }}/controller-manager-{{ inventory_hostname }}.pem
|
||||||
|
client-key: {{ kube_cert_dir }}/controller-manager-{{ inventory_hostname }}-key.pem
|
||||||
|
contexts:
|
||||||
|
- context:
|
||||||
|
cluster: local
|
||||||
|
user: controller-manager
|
||||||
|
name: controller-manager-{{ cluster_name }}
|
||||||
|
current-context: controller-manager-{{ cluster_name }}
|
|
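Review bot: The templated scalars in this kubeconfig are unquoted (`server: {{ kube_apiserver_endpoint }}`, `certificate-authority: {{ kube_cert_dir }}/ca.pem`), so a value that renders empty or starts with a YAML indicator would silently change the parsed type instead of failing; quoting them, e.g. `server: "{{ kube_apiserver_endpoint }}"`, keeps them strings. The same applies to the scheduler kubeconfig template further down this page. The paths are host paths, so the pod reading this file must see kube_cert_dir at the same location; the manifest hunks on this page do not show the volume mounts, so I cannot confirm that from here.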
@ -35,6 +35,7 @@ spec:
|
||||||
- --node-monitor-period={{ kube_controller_node_monitor_period }}
|
- --node-monitor-period={{ kube_controller_node_monitor_period }}
|
||||||
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
|
- --pod-eviction-timeout={{ kube_controller_pod_eviction_timeout }}
|
||||||
- --v={{ kube_log_level }}
|
- --v={{ kube_log_level }}
|
||||||
|
- --kubeconfig={{ kube_config_dir}}/controller-manager-kubeconfig.yaml
|
||||||
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
|
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere"] %}
|
||||||
- --cloud-provider={{cloud_provider}}
|
- --cloud-provider={{cloud_provider}}
|
||||||
- --cloud-config={{ kube_config_dir }}/cloud_config
|
- --cloud-config={{ kube_config_dir }}/cloud_config
|
||||||
|
|
|
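Review bot: `--kubeconfig={{ kube_config_dir}}/controller-manager-kubeconfig.yaml` drops the space before `}}` while `--cloud-config={{ kube_config_dir }}/cloud_config` two lines below keeps it; Jinja accepts both, but the file otherwise uses spaced delimiters, so `- --kubeconfig={{ kube_config_dir }}/controller-manager-kubeconfig.yaml` would be consistent (same in the scheduler manifest hunk). Since the kubeconfig references the client key under kube_cert_dir, the pod spec (outside this hunk) needs that directory mounted, ideally read-only, for the flag to have any effect; worth checking the volumes section. The container args list starts and ends outside the hunk.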
@ -27,6 +27,7 @@ spec:
|
||||||
- --leader-elect=true
|
- --leader-elect=true
|
||||||
- --master={{ kube_apiserver_endpoint }}
|
- --master={{ kube_apiserver_endpoint }}
|
||||||
- --v={{ kube_log_level }}
|
- --v={{ kube_log_level }}
|
||||||
|
- --kubeconfig={{ kube_config_dir}}/scheduler-kubeconfig.yaml
|
||||||
{% if scheduler_custom_flags is string %}
|
{% if scheduler_custom_flags is string %}
|
||||||
- {{ scheduler_custom_flags }}
|
- {{ scheduler_custom_flags }}
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Config
|
||||||
|
clusters:
|
||||||
|
- name: local
|
||||||
|
cluster:
|
||||||
|
certificate-authority: {{ kube_cert_dir }}/ca.pem
|
||||||
|
server: {{ kube_apiserver_endpoint }}
|
||||||
|
users:
|
||||||
|
- name: scheduler
|
||||||
|
user:
|
||||||
|
client-certificate: {{ kube_cert_dir }}/scheduler-{{ inventory_hostname }}.pem
|
||||||
|
client-key: {{ kube_cert_dir }}/scheduler-{{ inventory_hostname }}-key.pem
|
||||||
|
contexts:
|
||||||
|
- context:
|
||||||
|
cluster: local
|
||||||
|
user: scheduler
|
||||||
|
name: scheduler-{{ cluster_name }}
|
||||||
|
current-context: scheduler-{{ cluster_name }}
|
|
@ -87,6 +87,14 @@ if [ -n "$MASTERS" ]; then
|
||||||
openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
|
openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
|
||||||
openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}/O=system:masters" > /dev/null 2>&1
|
openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}/O=system:masters" > /dev/null 2>&1
|
||||||
openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 3650 > /dev/null 2>&1
|
openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 3650 > /dev/null 2>&1
|
||||||
|
# controller-manager key
|
||||||
|
openssl genrsa -out controller-manager-${host}-key.pem 2048 > /dev/null 2>&1
|
||||||
|
openssl req -new -key controller-manager-${host}-key.pem -out controller-manager-${host}.csr -subj "/CN=kube-controller-manager-${cn}/O=system:kube-controller-manager" > /dev/null 2>&1
|
||||||
|
openssl x509 -req -in controller-manager-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out controller-manager-${host}.pem -days 3650 > /dev/null 2>&1
|
||||||
|
# scheduler
|
||||||
|
openssl genrsa -out scheduler-${host}-key.pem 2048 > /dev/null 2>&1
|
||||||
|
openssl req -new -key scheduler-${host}-key.pem -out scheduler-${host}.csr -subj "/CN=kube-scheduler-${cn}/O=system:kube-scheduler" > /dev/null 2>&1
|
||||||
|
openssl x509 -req -in scheduler-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out scheduler-${host}.pem -days 3650 > /dev/null 2>&1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
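Review bot: The new client certificates put a host-specific name in the CN (`kube-controller-manager-${cn}`) and the component identity in O; if the cluster runs RBAC, the built-in `system:kube-controller-manager` and `system:kube-scheduler` bindings match the user name taken from the CN rather than the group, so these identities would need their own bindings, and a comment next to `# controller-manager key` stating which authorizer the CN/O split is designed for would save the next reader that check. All six openssl calls redirect stderr to /dev/null like the admin block above, so a failed signing leaves the loop silently continuing unless the script runs with `set -e`, which is not visible here. The enclosing `for` loop and `if` block start before the hunk.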
@ -59,12 +59,20 @@
|
||||||
{% for node in groups['kube-master'] %}
|
{% for node in groups['kube-master'] %}
|
||||||
'admin-{{ node }}.pem',
|
'admin-{{ node }}.pem',
|
||||||
'admin-{{ node }}-key.pem',
|
'admin-{{ node }}-key.pem',
|
||||||
|
'controller-manager-{{ node }}.pem',
|
||||||
|
'controller-manager-{{ node }}-key.pem',
|
||||||
|
'scheduler-{{ node }}.pem',
|
||||||
|
'scheduler-{{ node }}-key.pem',
|
||||||
'apiserver.pem',
|
'apiserver.pem',
|
||||||
'apiserver-key.pem',
|
'apiserver-key.pem',
|
||||||
{% endfor %}]"
|
{% endfor %}]"
|
||||||
my_master_certs: ['ca-key.pem',
|
my_master_certs: ['ca-key.pem',
|
||||||
'admin-{{ inventory_hostname }}.pem',
|
'admin-{{ inventory_hostname }}.pem',
|
||||||
'admin-{{ inventory_hostname }}-key.pem',
|
'admin-{{ inventory_hostname }}-key.pem',
|
||||||
|
'controller-manager-{{ inventory_hostname }}.pem',
|
||||||
|
'controller-manager-{{ inventory_hostname }}-key.pem',
|
||||||
|
'scheduler-{{ inventory_hostname }}.pem',
|
||||||
|
'scheduler-{{ inventory_hostname }}-key.pem',
|
||||||
'apiserver.pem',
|
'apiserver.pem',
|
||||||
'apiserver-key.pem'
|
'apiserver-key.pem'
|
||||||
]
|
]
|
||||||
|
|
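Review bot: The per-node loop at the top of the hunk adds every master's controller-manager and scheduler private keys to the list, while each new kubeconfig only references the `inventory_hostname` pair; if this list is what gets distributed to all masters (its consumer is outside the hunk), every master ends up holding the other masters' component keys, which is more than the kubeconfigs need. It mirrors the existing admin-key entries, so it may be deliberate, but a comment on the `{% for node in groups['kube-master'] %}` line explaining why all masters' keys are replicated would make that explicit. The variable holding the first list is defined before the hunk.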