diff --git a/README.md b/README.md index bfbd1e52c36..8f388c0b4d6 100644 --- a/README.md +++ b/README.md @@ -303,8 +303,12 @@ The following settings can be optionally set to customize the node labels and ta The following settings are optional and allow you to further configure your cluster. * `settings.kubernetes.cluster-domain`: The DNS domain for this cluster, allowing all Kubernetes-run containers to search this domain before the host's search domains. Defaults to `cluster.local`. +* `settings.kubernetes.standalone-mode`: Whether to run the kubelet in standalone mode, without connecting to an API server. Defaults to `false`. +* `settings.kubernetes.authentication-mode`: Which authentication method the kubelet should use to connect to the API server, and for incoming requests. Defaults to `aws` for AWS variants, and `tls` for other variants. +* `settings.kubernetes.bootstrap-token`: The token to use for [TLS bootstrapping](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/). This is only used with the `tls` authentication mode, and is otherwise ignored. You can also optionally specify static pods for your node with the following settings. +Static pods can be particularly useful when running in standalone mode. * `settings.kubernetes.static-pods..manifest`: A base64-encoded pod manifest. * `settings.kubernetes.static-pods..enabled`: Whether the static pod is enabled. diff --git a/Release.toml b/Release.toml index 01e66888a45..c8be16a7617 100644 --- a/Release.toml +++ b/Release.toml @@ -20,5 +20,10 @@ version = "1.0.5" "migrate_v1.0.5_add-proxy-restart.lz4", "migrate_v1.0.5_add-proxy-services.lz4" ] -"(1.0.5, 1.0.6)" = ["migrate_v1.0.6_metricdog-init.lz4", "migrate_v1.0.6_add-static-pods.lz4"] +"(1.0.5, 1.0.6)" = [ + "migrate_v1.0.6_metricdog-init.lz4", + "migrate_v1.0.6_add-static-pods.lz4", + "migrate_v1.0.6_kubelet-standalone-tls-settings.lz4", + "migrate_v1.0.6_kubelet-standalone-tls-services.lz4", +] 
diff --git a/packages/kubernetes-1.15/kubelet-bootstrap-kubeconfig b/packages/kubernetes-1.15/kubelet-bootstrap-kubeconfig
new file mode 100644
index 00000000000..27bb33e95fc
--- /dev/null
+++ b/packages/kubernetes-1.15/kubelet-bootstrap-kubeconfig
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+{{~#if settings.kubernetes.api-server}}
+ certificate-authority: "/etc/kubernetes/pki/ca.crt"
+ server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
+ name: kubernetes
+contexts:
+- context:
+ cluster: kubernetes
+ user: kubelet
+ name: kubelet
+current-context: kubelet
+users:
+- name: kubelet
+{{~#if settings.kubernetes.bootstrap-token}}
+ user:
+ token: "{{settings.kubernetes.bootstrap-token}}"
+{{~/if}}
diff --git a/packages/kubernetes-1.15/kubelet-config b/packages/kubernetes-1.15/kubelet-config
index 709a766bd57..3ae6c21bec2 100644
--- a/packages/kubernetes-1.15/kubelet-config
+++ b/packages/kubernetes-1.15/kubelet-config
@@ -1,6 +1,16 @@
 ---
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
+{{~#if settings.kubernetes.standalone-mode}}
+address: 127.0.0.1
+authentication:
+ anonymous:
+ enabled: true
+ webhook:
+ enabled: false
+authorization:
+ mode: AlwaysAllow
+{{~else}}
 address: 0.0.0.0
 authentication:
 anonymous:
@@ -15,6 +25,7 @@ authorization:
 webhook:
 cacheAuthorizedTTL: 5m0s
 cacheUnauthorizedTTL: 30s
+{{~/if}}
 clusterDomain: {{settings.kubernetes.cluster-domain}}
 clusterDNS:
 - {{settings.kubernetes.cluster-dns-ip}}
diff --git a/packages/kubernetes-1.15/kubelet-exec-start-conf b/packages/kubernetes-1.15/kubelet-exec-start-conf
new file mode 100644
index 00000000000..1cc4d9cf246
--- /dev/null
+++ b/packages/kubernetes-1.15/kubelet-exec-start-conf
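Review bot: The rendered file carries the bootstrap token in cleartext in the `token:` line, and nothing in this change shows the mode the renderer gives `/etc/kubernetes/kubelet/bootstrap-kubeconfig` — the spec only installs the template itself with `-m 0644`. If the renderer does not already write it root-owned `0600`, it should, and a leading comment such as `# Contains the TLS bootstrap token; the rendered file must not be world-readable` makes the requirement visible in the template. Note also that with `api-server` unset the cluster entry has no `server:`, and with `bootstrap-token` unset the user has no credential, so a misconfigured `tls` node presumably fails only at first connect rather than at settings validation. The identical template is added for kubernetes-1.16, 1.17, 1.18 and 1.19.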
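Review bot: In the standalone branch `anonymous.enabled: true` together with `authorization.mode: AlwaysAllow` makes every request to the kubelet API unauthenticated and fully authorized, and the only thing bounding who can send one is `address: 127.0.0.1` — which still includes any local process and any pod running with host networking. That is a reasonable trade for a node with no API server, but it should be spelled out next to the bind address, e.g. `# No API server to authenticate against: the kubelet API is anonymous + AlwaysAllow, so it MUST stay bound to loopback`, so that a later change to `address` cannot silently widen it. The `else` branch's `authentication:` block continues past the end of the hunk. The same block is added to the kubelet-config for 1.16 through 1.19.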
@@ -0,0 +1,24 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/kubelet \
+{{~#unless settings.kubernetes.standalone-mode}}
+ --cloud-provider aws \
+ --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ --bootstrap-kubeconfig /etc/kubernetes/kubelet/bootstrap-kubeconfig \
+{{~/if}}
+{{~else}}
+ --cloud-provider "" \
+{{~/unless}}
+ --config /etc/kubernetes/kubelet/config \
+ --container-runtime=remote \
+ --container-runtime-endpoint=unix:///run/dockershim.sock \
+ --containerd=/run/dockershim.sock \
+ --network-plugin cni \
+ --root-dir /var/lib/kubelet \
+ --cert-dir /var/lib/kubelet/pki \
+ --volume-plugin-dir /var/lib/kubelet/plugins/volume/exec \
+ --node-ip ${NODE_IP} \
+ --node-labels "${NODE_LABELS}" \
+ --register-with-taints "${NODE_TAINTS}" \
+ --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE}
diff --git a/packages/kubernetes-1.15/kubelet-kubeconfig b/packages/kubernetes-1.15/kubelet-kubeconfig
index 775e7a576c7..e5309e732e4 100644
--- a/packages/kubernetes-1.15/kubelet-kubeconfig
+++ b/packages/kubernetes-1.15/kubelet-kubeconfig
@@ -3,8 +3,10 @@ apiVersion: v1
 kind: Config
 clusters:
 - cluster:
+{{~#if settings.kubernetes.api-server}}
 certificate-authority: "/etc/kubernetes/pki/ca.crt"
 server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
 name: kubernetes
 contexts:
 - context:
@@ -14,6 +16,8 @@ contexts:
 current-context: kubelet
 users:
 - name: kubelet
+{{~#if (eq settings.kubernetes.authentication-mode "aws")}}
+{{~#if settings.kubernetes.cluster-name}}
 user:
 exec:
 apiVersion: client.authentication.k8s.io/v1alpha1
@@ -22,3 +26,10 @@ users:
 - token
 - "-i"
 - "{{settings.kubernetes.cluster-name}}"
+{{~/if}}
+{{~/if}}
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ user:
+ client-certificate: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+ client-key: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+{{~/if}}
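Review bot: The non-standalone branch still hard-codes `--cloud-provider aws`, while the README text in this same change says `authentication-mode` defaults to `tls` "for other variants", which suggests non-AWS variants will render this drop-in too; if so the cloud provider needs to be templated alongside it, and if not, a comment stating that the drop-in is AWS-only for now would prevent the mismatch from being copied further. Separately, `--kubeconfig /etc/kubernetes/kubelet/kubeconfig` is passed in `tls` mode before a client certificate exists, which the bootstrap flow is meant to handle, but a line like `# In tls mode the kubeconfig only becomes usable once TLS bootstrap has written kubelet-client-current.pem` saves the reader a trip to the kubeconfig template. The same drop-in is added for 1.16 through 1.19.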
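Review bot: The `users:` section has no fallback branch: `authentication-mode` set to `aws` without `cluster-name`, or to any value other than `aws`/`tls`, renders the `kubelet` user with no credential, so the kubelet would then talk to the API server anonymously instead of failing loudly. Unless the settings model rejects those combinations (not visible here), the template should at least state the assumption, e.g. `# authentication-mode must be "aws" (with cluster-name set) or "tls"; anything else leaves this user without credentials`. The `{{~#if settings.kubernetes.api-server}}` guard in the first hunk has the same shape, dropping both `server:` and `certificate-authority:` when the setting is absent. This applies equally to the 1.16–1.19 copies.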
diff --git a/packages/kubernetes-1.15/kubelet.service b/packages/kubernetes-1.15/kubelet.service index fc9bcad9b46..087323d037d 100644 --- a/packages/kubernetes-1.15/kubelet.service +++ b/packages/kubernetes-1.15/kubelet.service @@ -16,21 +16,8 @@ ExecStartPre=/usr/bin/host-ctr \ --namespace=k8s.io \ pull-image \ --source=${POD_INFRA_CONTAINER_IMAGE} -ExecStart=/usr/bin/kubelet \ - --cloud-provider aws \ - --config /etc/kubernetes/kubelet/config \ - --kubeconfig /etc/kubernetes/kubelet/kubeconfig \ - --container-runtime=remote \ - --container-runtime-endpoint=unix:///run/dockershim.sock \ - --containerd=/run/dockershim.sock \ - --network-plugin cni \ - --root-dir /var/lib/kubelet \ - --cert-dir /var/lib/kubelet/pki \ - --volume-plugin-dir /var/lib/kubelet/plugins/volume/exec \ - --node-ip ${NODE_IP} \ - --node-labels "${NODE_LABELS}" \ - --register-with-taints "${NODE_TAINTS}" \ - --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE} +# Must be overridden by a drop-in file or `kubelet` won't start +ExecStart=/usr/bin/false Restart=on-failure RestartForceExitStatus=SIGPIPE diff --git a/packages/kubernetes-1.15/kubernetes-1.15.spec b/packages/kubernetes-1.15/kubernetes-1.15.spec index 2157954632a..49ed94d3302 100644 --- a/packages/kubernetes-1.15/kubernetes-1.15.spec +++ b/packages/kubernetes-1.15/kubernetes-1.15.spec @@ -20,7 +20,9 @@ Source2: kubelet-env Source3: kubelet-config Source4: kubelet-kubeconfig Source5: kubernetes-ca-crt -Source6: kubernetes-tmpfiles.conf +Source6: kubelet-exec-start-conf +Source7: kubelet-bootstrap-kubeconfig +Source8: kubernetes-tmpfiles.conf Source1000: clarify.toml Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch 
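Review bot: `ExecStart=/usr/bin/false` under the unchanged `Restart=on-failure` means a node missing the drop-in will cycle the unit until systemd's start rate limit trips, and the journal shows only a generic non-zero exit; the comment should name what is expected to replace it so the failure is diagnosable, e.g. `# ExecStart is overridden by the drop-in rendered from the kubelet-exec-start-conf template; without it the unit fails by design`. The same placeholder is introduced in the 1.16–1.19 unit files.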
@@ -79,9 +81,11 @@ install -m 0644 %{S:2} %{buildroot}%{_cross_templatedir}/kubelet-env install -m 0644 %{S:3} %{buildroot}%{_cross_templatedir}/kubelet-config install -m 0644 %{S:4} %{buildroot}%{_cross_templatedir}/kubelet-kubeconfig install -m 0644 %{S:5} %{buildroot}%{_cross_templatedir}/kubernetes-ca-crt +install -m 0644 %{S:6} %{buildroot}%{_cross_templatedir}/kubelet-exec-start-conf +install -m 0644 %{S:7} %{buildroot}%{_cross_templatedir}/kubelet-bootstrap-kubeconfig install -d %{buildroot}%{_cross_tmpfilesdir} -install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf +install -p -m 0644 %{S:8} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf %cross_scan_attribution --clarify %{S:1000} go-vendor vendor @@ -95,6 +99,8 @@ install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf %{_cross_templatedir}/kubelet-env %{_cross_templatedir}/kubelet-config %{_cross_templatedir}/kubelet-kubeconfig +%{_cross_templatedir}/kubelet-bootstrap-kubeconfig +%{_cross_templatedir}/kubelet-exec-start-conf %{_cross_templatedir}/kubernetes-ca-crt %{_cross_tmpfilesdir}/kubernetes.conf diff --git a/packages/kubernetes-1.15/kubernetes-ca-crt b/packages/kubernetes-1.15/kubernetes-ca-crt index 0a726ad63df..ab82c485f56 100644 --- a/packages/kubernetes-1.15/kubernetes-ca-crt +++ b/packages/kubernetes-1.15/kubernetes-ca-crt @@ -1 +1,3 @@ +{{~#if settings.kubernetes.cluster-certificate~}} {{base64_decode settings.kubernetes.cluster-certificate}} +{{~/if~}} diff --git a/packages/kubernetes-1.16/kubelet-bootstrap-kubeconfig b/packages/kubernetes-1.16/kubelet-bootstrap-kubeconfig new file mode 100644 index 00000000000..27bb33e95fc --- /dev/null +++ b/packages/kubernetes-1.16/kubelet-bootstrap-kubeconfig 
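Review bot: The kubeconfig templates reference `certificate-authority: "/etc/kubernetes/pki/ca.crt"` whenever `api-server` is set, but this file's content is now gated on `cluster-certificate`, so `api-server` set without `cluster-certificate` yields an empty CA file that is still referenced. As far as I can tell client-go treats empty CA data as "use the system roots" rather than as an error, in which case the API-server connection would silently be verified against the public trust store instead of the cluster CA — worth confirming against the kubelet version shipped here. Gating the `certificate-authority:` line on `cluster-certificate` as well, or having the settings model require the two settings together, closes the gap; at minimum add a comment here tying the two conditions. The same change is made to the 1.16–1.19 copies of this file.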
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+{{~#if settings.kubernetes.api-server}}
+ certificate-authority: "/etc/kubernetes/pki/ca.crt"
+ server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
+ name: kubernetes
+contexts:
+- context:
+ cluster: kubernetes
+ user: kubelet
+ name: kubelet
+current-context: kubelet
+users:
+- name: kubelet
+{{~#if settings.kubernetes.bootstrap-token}}
+ user:
+ token: "{{settings.kubernetes.bootstrap-token}}"
+{{~/if}}
diff --git a/packages/kubernetes-1.16/kubelet-config b/packages/kubernetes-1.16/kubelet-config
index 709a766bd57..3ae6c21bec2 100644
--- a/packages/kubernetes-1.16/kubelet-config
+++ b/packages/kubernetes-1.16/kubelet-config
@@ -1,6 +1,16 @@
 ---
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
+{{~#if settings.kubernetes.standalone-mode}}
+address: 127.0.0.1
+authentication:
+ anonymous:
+ enabled: true
+ webhook:
+ enabled: false
+authorization:
+ mode: AlwaysAllow
+{{~else}}
 address: 0.0.0.0
 authentication:
 anonymous:
@@ -15,6 +25,7 @@ authorization:
 webhook:
 cacheAuthorizedTTL: 5m0s
 cacheUnauthorizedTTL: 30s
+{{~/if}}
 clusterDomain: {{settings.kubernetes.cluster-domain}}
 clusterDNS:
 - {{settings.kubernetes.cluster-dns-ip}}
diff --git a/packages/kubernetes-1.16/kubelet-exec-start-conf b/packages/kubernetes-1.16/kubelet-exec-start-conf
new file mode 100644
index 00000000000..1cc4d9cf246
--- /dev/null
+++ b/packages/kubernetes-1.16/kubelet-exec-start-conf
@@ -0,0 +1,24 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/kubelet \
+{{~#unless settings.kubernetes.standalone-mode}}
+ --cloud-provider aws \
+ --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ --bootstrap-kubeconfig /etc/kubernetes/kubelet/bootstrap-kubeconfig \
+{{~/if}}
+{{~else}}
+ --cloud-provider "" \
+{{~/unless}}
+ --config /etc/kubernetes/kubelet/config \
+ --container-runtime=remote \
+ --container-runtime-endpoint=unix:///run/dockershim.sock \
+ --containerd=/run/dockershim.sock \
+ --network-plugin cni \
+ --root-dir /var/lib/kubelet \
+ --cert-dir /var/lib/kubelet/pki \
+ --volume-plugin-dir /var/lib/kubelet/plugins/volume/exec \
+ --node-ip ${NODE_IP} \
+ --node-labels "${NODE_LABELS}" \
+ --register-with-taints "${NODE_TAINTS}" \
+ --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE}
diff --git a/packages/kubernetes-1.16/kubelet-kubeconfig b/packages/kubernetes-1.16/kubelet-kubeconfig
index 775e7a576c7..e5309e732e4 100644
--- a/packages/kubernetes-1.16/kubelet-kubeconfig
+++ b/packages/kubernetes-1.16/kubelet-kubeconfig
@@ -3,8 +3,10 @@ apiVersion: v1
 kind: Config
 clusters:
 - cluster:
+{{~#if settings.kubernetes.api-server}}
 certificate-authority: "/etc/kubernetes/pki/ca.crt"
 server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
 name: kubernetes
 contexts:
 - context:
@@ -14,6 +16,8 @@ contexts:
 current-context: kubelet
 users:
 - name: kubelet
+{{~#if (eq settings.kubernetes.authentication-mode "aws")}}
+{{~#if settings.kubernetes.cluster-name}}
 user:
 exec:
 apiVersion: client.authentication.k8s.io/v1alpha1
@@ -22,3 +26,10 @@ users:
 - token
 - "-i"
 - "{{settings.kubernetes.cluster-name}}"
+{{~/if}}
+{{~/if}}
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ user:
+ client-certificate: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+ client-key: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+{{~/if}}
diff --git a/packages/kubernetes-1.16/kubelet.service b/packages/kubernetes-1.16/kubelet.service index fc9bcad9b46..087323d037d 100644 --- a/packages/kubernetes-1.16/kubelet.service +++ b/packages/kubernetes-1.16/kubelet.service @@ -16,21 +16,8 @@ ExecStartPre=/usr/bin/host-ctr \ --namespace=k8s.io \ pull-image \ --source=${POD_INFRA_CONTAINER_IMAGE} -ExecStart=/usr/bin/kubelet \ - --cloud-provider aws \ - --config /etc/kubernetes/kubelet/config \ - --kubeconfig /etc/kubernetes/kubelet/kubeconfig \ - --container-runtime=remote \ - --container-runtime-endpoint=unix:///run/dockershim.sock \ - --containerd=/run/dockershim.sock \ - --network-plugin cni \ - --root-dir /var/lib/kubelet \ - --cert-dir /var/lib/kubelet/pki \ - --volume-plugin-dir /var/lib/kubelet/plugins/volume/exec \ - --node-ip ${NODE_IP} \ - --node-labels "${NODE_LABELS}" \ - --register-with-taints "${NODE_TAINTS}" \ - --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE} +# Must be overridden by a drop-in file or `kubelet` won't start +ExecStart=/usr/bin/false Restart=on-failure RestartForceExitStatus=SIGPIPE diff --git a/packages/kubernetes-1.16/kubernetes-1.16.spec b/packages/kubernetes-1.16/kubernetes-1.16.spec index 768b99d05a4..c7df694260a 100644 --- a/packages/kubernetes-1.16/kubernetes-1.16.spec +++ b/packages/kubernetes-1.16/kubernetes-1.16.spec @@ -20,7 +20,9 @@ Source2: kubelet-env Source3: kubelet-config Source4: kubelet-kubeconfig Source5: kubernetes-ca-crt -Source6: kubernetes-tmpfiles.conf +Source6: kubelet-exec-start-conf +Source7: kubelet-bootstrap-kubeconfig +Source8: kubernetes-tmpfiles.conf Source1000: clarify.toml Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch 
@@ -75,9 +77,11 @@ install -m 0644 %{S:2} %{buildroot}%{_cross_templatedir}/kubelet-env install -m 0644 %{S:3} %{buildroot}%{_cross_templatedir}/kubelet-config install -m 0644 %{S:4} %{buildroot}%{_cross_templatedir}/kubelet-kubeconfig install -m 0644 %{S:5} %{buildroot}%{_cross_templatedir}/kubernetes-ca-crt +install -m 0644 %{S:6} %{buildroot}%{_cross_templatedir}/kubelet-exec-start-conf +install -m 0644 %{S:7} %{buildroot}%{_cross_templatedir}/kubelet-bootstrap-kubeconfig install -d %{buildroot}%{_cross_tmpfilesdir} -install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf +install -p -m 0644 %{S:8} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf %cross_scan_attribution --clarify %{S:1000} go-vendor vendor @@ -91,6 +95,8 @@ install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf %{_cross_templatedir}/kubelet-env %{_cross_templatedir}/kubelet-config %{_cross_templatedir}/kubelet-kubeconfig +%{_cross_templatedir}/kubelet-bootstrap-kubeconfig +%{_cross_templatedir}/kubelet-exec-start-conf %{_cross_templatedir}/kubernetes-ca-crt %{_cross_tmpfilesdir}/kubernetes.conf diff --git a/packages/kubernetes-1.16/kubernetes-ca-crt b/packages/kubernetes-1.16/kubernetes-ca-crt index 0a726ad63df..ab82c485f56 100644 --- a/packages/kubernetes-1.16/kubernetes-ca-crt +++ b/packages/kubernetes-1.16/kubernetes-ca-crt @@ -1 +1,3 @@ +{{~#if settings.kubernetes.cluster-certificate~}} {{base64_decode settings.kubernetes.cluster-certificate}} +{{~/if~}} diff --git a/packages/kubernetes-1.17/kubelet-bootstrap-kubeconfig b/packages/kubernetes-1.17/kubelet-bootstrap-kubeconfig new file mode 100644 index 00000000000..27bb33e95fc --- /dev/null +++ b/packages/kubernetes-1.17/kubelet-bootstrap-kubeconfig 
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+{{~#if settings.kubernetes.api-server}}
+ certificate-authority: "/etc/kubernetes/pki/ca.crt"
+ server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
+ name: kubernetes
+contexts:
+- context:
+ cluster: kubernetes
+ user: kubelet
+ name: kubelet
+current-context: kubelet
+users:
+- name: kubelet
+{{~#if settings.kubernetes.bootstrap-token}}
+ user:
+ token: "{{settings.kubernetes.bootstrap-token}}"
+{{~/if}}
diff --git a/packages/kubernetes-1.17/kubelet-config b/packages/kubernetes-1.17/kubelet-config
index 81b8fa5c041..1a4007dba8d 100644
--- a/packages/kubernetes-1.17/kubelet-config
+++ b/packages/kubernetes-1.17/kubelet-config
@@ -1,6 +1,16 @@
 ---
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
+{{~#if settings.kubernetes.standalone-mode}}
+address: 127.0.0.1
+authentication:
+ anonymous:
+ enabled: true
+ webhook:
+ enabled: false
+authorization:
+ mode: AlwaysAllow
+{{~else}}
 address: 0.0.0.0
 authentication:
 anonymous:
@@ -15,6 +25,7 @@ authorization:
 webhook:
 cacheAuthorizedTTL: 5m0s
 cacheUnauthorizedTTL: 30s
+{{~/if}}
 clusterDomain: {{settings.kubernetes.cluster-domain}}
 clusterDNS:
 - {{settings.kubernetes.cluster-dns-ip}}
diff --git a/packages/kubernetes-1.17/kubelet-exec-start-conf b/packages/kubernetes-1.17/kubelet-exec-start-conf
new file mode 100644
index 00000000000..1cc4d9cf246
--- /dev/null
+++ b/packages/kubernetes-1.17/kubelet-exec-start-conf
@@ -0,0 +1,24 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/kubelet \
+{{~#unless settings.kubernetes.standalone-mode}}
+ --cloud-provider aws \
+ --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ --bootstrap-kubeconfig /etc/kubernetes/kubelet/bootstrap-kubeconfig \
+{{~/if}}
+{{~else}}
+ --cloud-provider "" \
+{{~/unless}}
+ --config /etc/kubernetes/kubelet/config \
+ --container-runtime=remote \
+ --container-runtime-endpoint=unix:///run/dockershim.sock \
+ --containerd=/run/dockershim.sock \
+ --network-plugin cni \
+ --root-dir /var/lib/kubelet \
+ --cert-dir /var/lib/kubelet/pki \
+ --volume-plugin-dir /var/lib/kubelet/plugins/volume/exec \
+ --node-ip ${NODE_IP} \
+ --node-labels "${NODE_LABELS}" \
+ --register-with-taints "${NODE_TAINTS}" \
+ --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE}
diff --git a/packages/kubernetes-1.17/kubelet-kubeconfig b/packages/kubernetes-1.17/kubelet-kubeconfig
index 775e7a576c7..e5309e732e4 100644
--- a/packages/kubernetes-1.17/kubelet-kubeconfig
+++ b/packages/kubernetes-1.17/kubelet-kubeconfig
@@ -3,8 +3,10 @@ apiVersion: v1
 kind: Config
 clusters:
 - cluster:
+{{~#if settings.kubernetes.api-server}}
 certificate-authority: "/etc/kubernetes/pki/ca.crt"
 server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
 name: kubernetes
 contexts:
 - context:
@@ -14,6 +16,8 @@ contexts:
 current-context: kubelet
 users:
 - name: kubelet
+{{~#if (eq settings.kubernetes.authentication-mode "aws")}}
+{{~#if settings.kubernetes.cluster-name}}
 user:
 exec:
 apiVersion: client.authentication.k8s.io/v1alpha1
@@ -22,3 +26,10 @@ users:
 - token
 - "-i"
 - "{{settings.kubernetes.cluster-name}}"
+{{~/if}}
+{{~/if}}
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ user:
+ client-certificate: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+ client-key: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+{{~/if}}
diff --git a/packages/kubernetes-1.17/kubelet.service b/packages/kubernetes-1.17/kubelet.service index fc9bcad9b46..087323d037d 100644 --- a/packages/kubernetes-1.17/kubelet.service +++ b/packages/kubernetes-1.17/kubelet.service @@ -16,21 +16,8 @@ ExecStartPre=/usr/bin/host-ctr \ --namespace=k8s.io \ pull-image \ --source=${POD_INFRA_CONTAINER_IMAGE} -ExecStart=/usr/bin/kubelet \ - --cloud-provider aws \ - --config /etc/kubernetes/kubelet/config \ - --kubeconfig /etc/kubernetes/kubelet/kubeconfig \ - --container-runtime=remote \ - --container-runtime-endpoint=unix:///run/dockershim.sock \ - --containerd=/run/dockershim.sock \ - --network-plugin cni \ - --root-dir /var/lib/kubelet \ - --cert-dir /var/lib/kubelet/pki \ - --volume-plugin-dir /var/lib/kubelet/plugins/volume/exec \ - --node-ip ${NODE_IP} \ - --node-labels "${NODE_LABELS}" \ - --register-with-taints "${NODE_TAINTS}" \ - --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE} +# Must be overridden by a drop-in file or `kubelet` won't start +ExecStart=/usr/bin/false Restart=on-failure RestartForceExitStatus=SIGPIPE diff --git a/packages/kubernetes-1.17/kubernetes-1.17.spec b/packages/kubernetes-1.17/kubernetes-1.17.spec index a943a5eaf11..7ede51ab876 100644 --- a/packages/kubernetes-1.17/kubernetes-1.17.spec +++ b/packages/kubernetes-1.17/kubernetes-1.17.spec @@ -20,7 +20,9 @@ Source2: kubelet-env Source3: kubelet-config Source4: kubelet-kubeconfig Source5: kubernetes-ca-crt -Source6: kubernetes-tmpfiles.conf +Source6: kubelet-exec-start-conf +Source7: kubelet-bootstrap-kubeconfig +Source8: kubernetes-tmpfiles.conf Source1000: clarify.toml Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch 
@@ -75,9 +77,11 @@ install -m 0644 %{S:2} %{buildroot}%{_cross_templatedir}/kubelet-env install -m 0644 %{S:3} %{buildroot}%{_cross_templatedir}/kubelet-config install -m 0644 %{S:4} %{buildroot}%{_cross_templatedir}/kubelet-kubeconfig install -m 0644 %{S:5} %{buildroot}%{_cross_templatedir}/kubernetes-ca-crt +install -m 0644 %{S:6} %{buildroot}%{_cross_templatedir}/kubelet-exec-start-conf +install -m 0644 %{S:7} %{buildroot}%{_cross_templatedir}/kubelet-bootstrap-kubeconfig install -d %{buildroot}%{_cross_tmpfilesdir} -install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf +install -p -m 0644 %{S:8} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf %cross_scan_attribution --clarify %{S:1000} go-vendor vendor @@ -91,6 +95,8 @@ install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf %{_cross_templatedir}/kubelet-env %{_cross_templatedir}/kubelet-config %{_cross_templatedir}/kubelet-kubeconfig +%{_cross_templatedir}/kubelet-bootstrap-kubeconfig +%{_cross_templatedir}/kubelet-exec-start-conf %{_cross_templatedir}/kubernetes-ca-crt %{_cross_tmpfilesdir}/kubernetes.conf diff --git a/packages/kubernetes-1.17/kubernetes-ca-crt b/packages/kubernetes-1.17/kubernetes-ca-crt index 0a726ad63df..ab82c485f56 100644 --- a/packages/kubernetes-1.17/kubernetes-ca-crt +++ b/packages/kubernetes-1.17/kubernetes-ca-crt @@ -1 +1,3 @@ +{{~#if settings.kubernetes.cluster-certificate~}} {{base64_decode settings.kubernetes.cluster-certificate}} +{{~/if~}} diff --git a/packages/kubernetes-1.18/kubelet-bootstrap-kubeconfig b/packages/kubernetes-1.18/kubelet-bootstrap-kubeconfig new file mode 100644 index 00000000000..27bb33e95fc --- /dev/null +++ b/packages/kubernetes-1.18/kubelet-bootstrap-kubeconfig 
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+{{~#if settings.kubernetes.api-server}}
+ certificate-authority: "/etc/kubernetes/pki/ca.crt"
+ server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
+ name: kubernetes
+contexts:
+- context:
+ cluster: kubernetes
+ user: kubelet
+ name: kubelet
+current-context: kubelet
+users:
+- name: kubelet
+{{~#if settings.kubernetes.bootstrap-token}}
+ user:
+ token: "{{settings.kubernetes.bootstrap-token}}"
+{{~/if}}
diff --git a/packages/kubernetes-1.18/kubelet-config b/packages/kubernetes-1.18/kubelet-config
index 81b8fa5c041..1a4007dba8d 100644
--- a/packages/kubernetes-1.18/kubelet-config
+++ b/packages/kubernetes-1.18/kubelet-config
@@ -1,6 +1,16 @@
 ---
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
+{{~#if settings.kubernetes.standalone-mode}}
+address: 127.0.0.1
+authentication:
+ anonymous:
+ enabled: true
+ webhook:
+ enabled: false
+authorization:
+ mode: AlwaysAllow
+{{~else}}
 address: 0.0.0.0
 authentication:
 anonymous:
@@ -15,6 +25,7 @@ authorization:
 webhook:
 cacheAuthorizedTTL: 5m0s
 cacheUnauthorizedTTL: 30s
+{{~/if}}
 clusterDomain: {{settings.kubernetes.cluster-domain}}
 clusterDNS:
 - {{settings.kubernetes.cluster-dns-ip}}
diff --git a/packages/kubernetes-1.18/kubelet-exec-start-conf b/packages/kubernetes-1.18/kubelet-exec-start-conf
new file mode 100644
index 00000000000..1cc4d9cf246
--- /dev/null
+++ b/packages/kubernetes-1.18/kubelet-exec-start-conf
@@ -0,0 +1,24 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/kubelet \
+{{~#unless settings.kubernetes.standalone-mode}}
+ --cloud-provider aws \
+ --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ --bootstrap-kubeconfig /etc/kubernetes/kubelet/bootstrap-kubeconfig \
+{{~/if}}
+{{~else}}
+ --cloud-provider "" \
+{{~/unless}}
+ --config /etc/kubernetes/kubelet/config \
+ --container-runtime=remote \
+ --container-runtime-endpoint=unix:///run/dockershim.sock \
+ --containerd=/run/dockershim.sock \
+ --network-plugin cni \
+ --root-dir /var/lib/kubelet \
+ --cert-dir /var/lib/kubelet/pki \
+ --volume-plugin-dir /var/lib/kubelet/plugins/volume/exec \
+ --node-ip ${NODE_IP} \
+ --node-labels "${NODE_LABELS}" \
+ --register-with-taints "${NODE_TAINTS}" \
+ --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE}
diff --git a/packages/kubernetes-1.18/kubelet-kubeconfig b/packages/kubernetes-1.18/kubelet-kubeconfig
index 775e7a576c7..e5309e732e4 100644
--- a/packages/kubernetes-1.18/kubelet-kubeconfig
+++ b/packages/kubernetes-1.18/kubelet-kubeconfig
@@ -3,8 +3,10 @@ apiVersion: v1
 kind: Config
 clusters:
 - cluster:
+{{~#if settings.kubernetes.api-server}}
 certificate-authority: "/etc/kubernetes/pki/ca.crt"
 server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
 name: kubernetes
 contexts:
 - context:
@@ -14,6 +16,8 @@ contexts:
 current-context: kubelet
 users:
 - name: kubelet
+{{~#if (eq settings.kubernetes.authentication-mode "aws")}}
+{{~#if settings.kubernetes.cluster-name}}
 user:
 exec:
 apiVersion: client.authentication.k8s.io/v1alpha1
@@ -22,3 +26,10 @@ users:
 - token
 - "-i"
 - "{{settings.kubernetes.cluster-name}}"
+{{~/if}}
+{{~/if}}
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ user:
+ client-certificate: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+ client-key: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+{{~/if}}
diff --git a/packages/kubernetes-1.18/kubelet.service b/packages/kubernetes-1.18/kubelet.service index fc9bcad9b46..087323d037d 100644 --- a/packages/kubernetes-1.18/kubelet.service +++ b/packages/kubernetes-1.18/kubelet.service @@ -16,21 +16,8 @@ ExecStartPre=/usr/bin/host-ctr \ --namespace=k8s.io \ pull-image \ --source=${POD_INFRA_CONTAINER_IMAGE} -ExecStart=/usr/bin/kubelet \ - --cloud-provider aws \ - --config /etc/kubernetes/kubelet/config \ - --kubeconfig /etc/kubernetes/kubelet/kubeconfig \ - --container-runtime=remote \ - --container-runtime-endpoint=unix:///run/dockershim.sock \ - --containerd=/run/dockershim.sock \ - --network-plugin cni \ - --root-dir /var/lib/kubelet \ - --cert-dir /var/lib/kubelet/pki \ - --volume-plugin-dir /var/lib/kubelet/plugins/volume/exec \ - --node-ip ${NODE_IP} \ - --node-labels "${NODE_LABELS}" \ - --register-with-taints "${NODE_TAINTS}" \ - --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE} +# Must be overridden by a drop-in file or `kubelet` won't start +ExecStart=/usr/bin/false Restart=on-failure RestartForceExitStatus=SIGPIPE diff --git a/packages/kubernetes-1.18/kubernetes-1.18.spec b/packages/kubernetes-1.18/kubernetes-1.18.spec index 250ef7ba306..fe85b9b473e 100644 --- a/packages/kubernetes-1.18/kubernetes-1.18.spec +++ b/packages/kubernetes-1.18/kubernetes-1.18.spec @@ -20,7 +20,9 @@ Source2: kubelet-env Source3: kubelet-config Source4: kubelet-kubeconfig Source5: kubernetes-ca-crt -Source6: kubernetes-tmpfiles.conf +Source6: kubelet-exec-start-conf +Source7: kubelet-bootstrap-kubeconfig +Source8: kubernetes-tmpfiles.conf Source1000: clarify.toml Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch 
@@ -72,9 +74,11 @@ install -m 0644 %{S:2} %{buildroot}%{_cross_templatedir}/kubelet-env install -m 0644 %{S:3} %{buildroot}%{_cross_templatedir}/kubelet-config install -m 0644 %{S:4} %{buildroot}%{_cross_templatedir}/kubelet-kubeconfig install -m 0644 %{S:5} %{buildroot}%{_cross_templatedir}/kubernetes-ca-crt +install -m 0644 %{S:6} %{buildroot}%{_cross_templatedir}/kubelet-exec-start-conf +install -m 0644 %{S:7} %{buildroot}%{_cross_templatedir}/kubelet-bootstrap-kubeconfig install -d %{buildroot}%{_cross_tmpfilesdir} -install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf +install -p -m 0644 %{S:8} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf %cross_scan_attribution --clarify %{S:1000} go-vendor vendor @@ -88,6 +92,8 @@ install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf %{_cross_templatedir}/kubelet-env %{_cross_templatedir}/kubelet-config %{_cross_templatedir}/kubelet-kubeconfig +%{_cross_templatedir}/kubelet-bootstrap-kubeconfig +%{_cross_templatedir}/kubelet-exec-start-conf %{_cross_templatedir}/kubernetes-ca-crt %{_cross_tmpfilesdir}/kubernetes.conf diff --git a/packages/kubernetes-1.18/kubernetes-ca-crt b/packages/kubernetes-1.18/kubernetes-ca-crt index 0a726ad63df..ab82c485f56 100644 --- a/packages/kubernetes-1.18/kubernetes-ca-crt +++ b/packages/kubernetes-1.18/kubernetes-ca-crt @@ -1 +1,3 @@ +{{~#if settings.kubernetes.cluster-certificate~}} {{base64_decode settings.kubernetes.cluster-certificate}} +{{~/if~}} diff --git a/packages/kubernetes-1.19/kubelet-bootstrap-kubeconfig b/packages/kubernetes-1.19/kubelet-bootstrap-kubeconfig new file mode 100644 index 00000000000..27bb33e95fc --- /dev/null +++ b/packages/kubernetes-1.19/kubelet-bootstrap-kubeconfig 
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+{{~#if settings.kubernetes.api-server}}
+ certificate-authority: "/etc/kubernetes/pki/ca.crt"
+ server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
+ name: kubernetes
+contexts:
+- context:
+ cluster: kubernetes
+ user: kubelet
+ name: kubelet
+current-context: kubelet
+users:
+- name: kubelet
+{{~#if settings.kubernetes.bootstrap-token}}
+ user:
+ token: "{{settings.kubernetes.bootstrap-token}}"
+{{~/if}}
diff --git a/packages/kubernetes-1.19/kubelet-config b/packages/kubernetes-1.19/kubelet-config
index 5112b9e6bc2..13aeb88f1f8 100644
--- a/packages/kubernetes-1.19/kubelet-config
+++ b/packages/kubernetes-1.19/kubelet-config
@@ -1,6 +1,16 @@
 ---
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
+{{~#if settings.kubernetes.standalone-mode}}
+address: 127.0.0.1
+authentication:
+ anonymous:
+ enabled: true
+ webhook:
+ enabled: false
+authorization:
+ mode: AlwaysAllow
+{{~else}}
 address: 0.0.0.0
 authentication:
 anonymous:
@@ -15,6 +25,7 @@ authorization:
 webhook:
 cacheAuthorizedTTL: 5m0s
 cacheUnauthorizedTTL: 30s
+{{~/if}}
 clusterDomain: {{settings.kubernetes.cluster-domain}}
 clusterDNS:
 - {{settings.kubernetes.cluster-dns-ip}}
diff --git a/packages/kubernetes-1.19/kubelet-exec-start-conf b/packages/kubernetes-1.19/kubelet-exec-start-conf
new file mode 100644
index 00000000000..65a693cb49b
--- /dev/null
+++ b/packages/kubernetes-1.19/kubelet-exec-start-conf
@@ -0,0 +1,23 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/kubelet \
+{{~#unless settings.kubernetes.standalone-mode}}
+ --cloud-provider aws \
+ --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ --bootstrap-kubeconfig /etc/kubernetes/kubelet/bootstrap-kubeconfig \
+{{~/if}}
+{{~else}}
+ --cloud-provider "" \
+{{~/unless}}
+ --config /etc/kubernetes/kubelet/config \
+ --container-runtime=remote \
+ --container-runtime-endpoint=unix:///run/dockershim.sock \
+ --containerd=/run/dockershim.sock \
+ --network-plugin cni \
+ --root-dir /var/lib/kubelet \
+ --cert-dir /var/lib/kubelet/pki \
+ --node-ip ${NODE_IP} \
+ --node-labels "${NODE_LABELS}" \
+ --register-with-taints "${NODE_TAINTS}" \
+ --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE}
diff --git a/packages/kubernetes-1.19/kubelet-kubeconfig b/packages/kubernetes-1.19/kubelet-kubeconfig
index 775e7a576c7..e5309e732e4 100644
--- a/packages/kubernetes-1.19/kubelet-kubeconfig
+++ b/packages/kubernetes-1.19/kubelet-kubeconfig
@@ -3,8 +3,10 @@ apiVersion: v1
 kind: Config
 clusters:
 - cluster:
+{{~#if settings.kubernetes.api-server}}
 certificate-authority: "/etc/kubernetes/pki/ca.crt"
 server: "{{settings.kubernetes.api-server}}"
+{{~/if}}
 name: kubernetes
 contexts:
 - context:
@@ -14,6 +16,8 @@ contexts:
 current-context: kubelet
 users:
 - name: kubelet
+{{~#if (eq settings.kubernetes.authentication-mode "aws")}}
+{{~#if settings.kubernetes.cluster-name}}
 user:
 exec:
 apiVersion: client.authentication.k8s.io/v1alpha1
@@ -22,3 +26,10 @@ users:
 - token
 - "-i"
 - "{{settings.kubernetes.cluster-name}}"
+{{~/if}}
+{{~/if}}
+{{~#if (eq settings.kubernetes.authentication-mode "tls")}}
+ user:
+ client-certificate: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+ client-key: "/var/lib/kubelet/pki/kubelet-client-current.pem"
+{{~/if}}
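Review bot: The `tls` branch of kubelet-kubeconfig points both `client-certificate` and `client-key` at `/var/lib/kubelet/pki/kubelet-client-current.pem`; as far as I recall that is the symlink maintained by the kubelet's certificate manager, and it is only renewed when client certificate rotation is enabled (`rotateCertificates: true` in the KubeletConfiguration), which nothing in this change sets. Without rotation the certificate issued at bootstrap eventually expires and the node silently loses API access, so the tls case should either enable rotation in kubelet-config or document the expiry for operators. Separately, the exec-start drop-in passes `--bootstrap-kubeconfig` whenever the mode is `tls`, even when `settings.kubernetes.bootstrap-token` is unset and the bootstrap kubeconfig was rendered with a credential-less `user`, so a missing token shows up as an opaque kubelet bootstrap failure instead of a settings error; nesting the flag under `{{~#if settings.kubernetes.bootstrap-token}}` inside the tls branch, or checking the pair in the model, would make that failure explicit.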
diff --git a/packages/kubernetes-1.19/kubelet.service b/packages/kubernetes-1.19/kubelet.service
index 42c109a67e0..5941466ea5b 100644
--- a/packages/kubernetes-1.19/kubelet.service
+++ b/packages/kubernetes-1.19/kubelet.service
@@ -15,20 +15,8 @@ ExecStartPre=/usr/bin/host-ctr \
 --namespace=k8s.io \
 pull-image \
 --source=${POD_INFRA_CONTAINER_IMAGE}
-ExecStart=/usr/bin/kubelet \
- --cloud-provider aws \
- --config /etc/kubernetes/kubelet/config \
- --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
- --container-runtime=remote \
- --container-runtime-endpoint=unix:///run/dockershim.sock \
- --containerd=/run/dockershim.sock \
- --network-plugin cni \
- --root-dir /var/lib/kubelet \
- --cert-dir /var/lib/kubelet/pki \
- --node-ip ${NODE_IP} \
- --node-labels "${NODE_LABELS}" \
- --register-with-taints "${NODE_TAINTS}" \
- --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE}
+# Must be overridden by a drop-in file or `kubelet` won't start
+ExecStart=/usr/bin/false
 Restart=on-failure
 RestartForceExitStatus=SIGPIPE
diff --git a/packages/kubernetes-1.19/kubernetes-1.19.spec b/packages/kubernetes-1.19/kubernetes-1.19.spec
index 212fcda2d41..9e31587c04e 100644
--- a/packages/kubernetes-1.19/kubernetes-1.19.spec
+++ b/packages/kubernetes-1.19/kubernetes-1.19.spec
@@ -20,7 +20,9 @@ Source2: kubelet-env
 Source3: kubelet-config
 Source4: kubelet-kubeconfig
 Source5: kubernetes-ca-crt
-Source6: kubernetes-tmpfiles.conf
+Source6: kubelet-exec-start-conf
+Source7: kubelet-bootstrap-kubeconfig
+Source8: kubernetes-tmpfiles.conf
 Source1000: clarify.toml
 Patch1: 0001-always-set-relevant-variables-for-cross-compiling.patch
@@ -69,9 +71,11 @@ install -m 0644 %{S:2} %{buildroot}%{_cross_templatedir}/kubelet-env
 install -m 0644 %{S:3} %{buildroot}%{_cross_templatedir}/kubelet-config
 install -m 0644 %{S:4} %{buildroot}%{_cross_templatedir}/kubelet-kubeconfig
 install -m 0644 %{S:5} %{buildroot}%{_cross_templatedir}/kubernetes-ca-crt
+install -m 0644 %{S:6} %{buildroot}%{_cross_templatedir}/kubelet-exec-start-conf
+install -m 0644 %{S:7} %{buildroot}%{_cross_templatedir}/kubelet-bootstrap-kubeconfig
 install -d %{buildroot}%{_cross_tmpfilesdir}
-install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf
+install -p -m 0644 %{S:8} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf
 %cross_scan_attribution --clarify %{S:1000} go-vendor vendor
@@ -85,6 +89,8 @@ install -p -m 0644 %{S:6} %{buildroot}%{_cross_tmpfilesdir}/kubernetes.conf
 %{_cross_templatedir}/kubelet-env
 %{_cross_templatedir}/kubelet-config
 %{_cross_templatedir}/kubelet-kubeconfig
+%{_cross_templatedir}/kubelet-bootstrap-kubeconfig
+%{_cross_templatedir}/kubelet-exec-start-conf
 %{_cross_templatedir}/kubernetes-ca-crt
 %{_cross_tmpfilesdir}/kubernetes.conf
diff --git a/packages/kubernetes-1.19/kubernetes-ca-crt b/packages/kubernetes-1.19/kubernetes-ca-crt
index 0a726ad63df..ab82c485f56 100644
--- a/packages/kubernetes-1.19/kubernetes-ca-crt
+++ b/packages/kubernetes-1.19/kubernetes-ca-crt
@@ -1 +1,3 @@
+{{~#if settings.kubernetes.cluster-certificate~}}
 {{base64_decode settings.kubernetes.cluster-certificate}}
+{{~/if~}}
diff --git a/sources/Cargo.lock b/sources/Cargo.lock
index 9a65c175413..85c4c071fc9 100644
--- a/sources/Cargo.lock
+++ b/sources/Cargo.lock
@@ -1621,6 +1621,20 @@ dependencies = [
 "winapi-build",
 ]
+[[package]]
+name = "kubelet-standalone-tls-services"
+version = "0.1.0"
+dependencies = [
+ "migration-helpers",
+]
+
+[[package]]
+name = "kubelet-standalone-tls-settings"
+version = "0.1.0"
+dependencies = [
+ "migration-helpers",
+]
+
 [[package]]
 name = "language-tags"
 version = "0.2.2"
diff --git a/sources/Cargo.toml b/sources/Cargo.toml
index f9219de9028..d4e28a773bb 100644
--- a/sources/Cargo.toml
+++ b/sources/Cargo.toml
@@ -40,6 +40,8 @@ members = [
 "api/migration/migrations/v1.0.5/add-proxy-services",
 "api/migration/migrations/v1.0.6/metricdog-init",
 "api/migration/migrations/v1.0.6/add-static-pods",
+ "api/migration/migrations/v1.0.6/kubelet-standalone-tls-settings",
+ "api/migration/migrations/v1.0.6/kubelet-standalone-tls-services",
 "bottlerocket-release",
diff --git a/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-services/Cargo.toml b/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-services/Cargo.toml
new file mode 100644
index 00000000000..82e96ae9b7c
--- /dev/null
+++ b/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-services/Cargo.toml
@@ -0,0 +1,12 @@
+[package]
+name = "kubelet-standalone-tls-services"
+version = "0.1.0"
+authors = ["Ben Cressey "]
+license = "Apache-2.0 OR MIT"
+edition = "2018"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers" }
diff --git a/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-services/src/main.rs b/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-services/src/main.rs
new file mode 100644
index 00000000000..d926a0ab98f
--- /dev/null
+++ b/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-services/src/main.rs
@@ -0,0 +1,50 @@
+#![deny(rust_2018_idioms)]
+
+use migration_helpers::common_migrations::{ListReplacement, ReplaceListsMigration};
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We updated the configuration files and restart commands to support running kubelet in
+/// standalone mode, and for configuring it to use TLS auth. They need to be restored to
+/// the prior values on downgrade.
+fn run() -> Result<()> {
+ migrate(ReplaceListsMigration(vec![
+ ListReplacement {
+ setting: "services.kubernetes.configuration-files",
+ old_vals: &[
+ "kubelet-env",
+ "kubelet-config",
+ "kubelet-kubeconfig",
+ "kubernetes-ca-crt",
+ "proxy-env",
+ ],
+ new_vals: &[
+ "kubelet-env",
+ "kubelet-config",
+ "kubelet-kubeconfig",
+ "kubelet-bootstrap-kubeconfig",
+ "kubelet-exec-start-conf",
+ "kubernetes-ca-crt",
+ "proxy-env",
+ ],
+ },
+ ListReplacement {
+ setting: "services.kubernetes.restart-commands",
+ old_vals: &["/bin/systemctl try-restart kubelet.service"],
+ new_vals: &[
+ "/usr/bin/systemctl daemon-reload",
+ "/bin/systemctl try-restart kubelet.service",
+ ],
+ },
+ ]))
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+ if let Err(e) = run() {
+ eprintln!("{}", e);
+ process::exit(1);
+ }
+}
diff --git a/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-settings/Cargo.toml b/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-settings/Cargo.toml
new file mode 100644
index 00000000000..1d286a6ccc7
--- /dev/null
+++ b/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-settings/Cargo.toml
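Review bot: The restart-commands replacement writes `"/bin/systemctl try-restart kubelet.service"` as the new value, while the 1.0.6 defaults added in this same change use `"/usr/bin/systemctl try-restart kubelet.service"` after `"/usr/bin/systemctl daemon-reload"`, so an upgraded node and a freshly installed one end up with different lists. Both paths presumably resolve on the image so the restart itself works, but a later downgrade from a fresh 1.0.6 install compares against `new_vals` exactly and will not match the `/usr/bin` form; whether ReplaceListsMigration then leaves the list untouched or fails is not visible here. Changing the second entry to `"/usr/bin/systemctl try-restart kubelet.service",` keeps the migration and the defaults in lockstep.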
@@ -0,0 +1,12 @@
+[package]
+name = "kubelet-standalone-tls-settings"
+version = "0.1.0"
+authors = ["Ben Cressey "]
+license = "Apache-2.0 OR MIT"
+edition = "2018"
+publish = false
+# Don't rebuild crate just because of changes to README.
+exclude = ["README.md"]
+
+[dependencies]
+migration-helpers = { path = "../../../migration-helpers" }
diff --git a/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-settings/src/main.rs b/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-settings/src/main.rs
new file mode 100644
index 00000000000..f43e670bff8
--- /dev/null
+++ b/sources/api/migration/migrations/v1.0.6/kubelet-standalone-tls-settings/src/main.rs
@@ -0,0 +1,28 @@
+#![deny(rust_2018_idioms)]
+
+use migration_helpers::common_migrations::AddPrefixesMigration;
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We added new settings for running kubelet in standalone mode, and for using TLS auth.
+/// We also added new configuration files to apply these settings. They need to be removed
+/// when we downgrade.
+fn run() -> Result<()> {
+ migrate(AddPrefixesMigration(vec![
+ "settings.kubernetes.bootstrap-token",
+ "settings.kubernetes.authentication-mode",
+ "settings.kubernetes.standalone-mode",
+ "configuration-files.kubelet-bootstrap-kubeconfig",
+ "configuration-files.kubelet-exec-start-conf",
+ ]))
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+ if let Err(e) = run() {
+ eprintln!("{}", e);
+ process::exit(1);
+ }
+}
diff --git a/sources/models/src/aws-k8s-1.15/defaults.d/50-aws-k8s.toml b/sources/models/src/aws-k8s-1.15/defaults.d/50-aws-k8s.toml
index a24885efbb0..5366962aeb8 100644
--- a/sources/models/src/aws-k8s-1.15/defaults.d/50-aws-k8s.toml
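Review bot: The downgrade direction of this migration drops `settings.kubernetes.bootstrap-token` and the two `configuration-files.*` entries from the datastore, but the files those entries rendered are not touched by anything visible here: `/etc/kubernetes/kubelet/bootstrap-kubeconfig` keeps holding the token in clear text, and `kubelet.service.d/exec-start.conf` keeps overriding `ExecStart` for a unit that, on the older image, still carries its own kubelet command line. Whether the downgraded image's boot-time rendering removes stale files it no longer has entries for is not shown in this diff; if it does not, the doc comment on `run` should say so, e.g. `/// Files already rendered from these entries (including the bootstrap kubeconfig, which contains the token) are not removed here.`, so the gap is at least visible to whoever handles downgrades.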
+++ b/sources/models/src/aws-k8s-1.15/defaults.d/50-aws-k8s.toml
@@ -5,8 +5,20 @@ template-path = "/usr/share/templates/containerd-config-toml_aws-k8s"
 # Kubernetes.
 [services.kubernetes]
-configuration-files = ["kubelet-env", "kubelet-config", "kubelet-kubeconfig", "kubernetes-ca-crt", "proxy-env"]
-restart-commands = ["/bin/systemctl try-restart kubelet.service"]
+configuration-files = [
+ "kubelet-env",
+ "kubelet-config",
+ "kubelet-kubeconfig",
+ "kubelet-bootstrap-kubeconfig",
+ "kubelet-exec-start-conf",
+ "kubernetes-ca-crt",
+ "proxy-env",
+]
+
+restart-commands = [
+ "/usr/bin/systemctl daemon-reload",
+ "/usr/bin/systemctl try-restart kubelet.service"
+]
 [configuration-files.kubelet-env]
 path = "/etc/kubernetes/kubelet/env"
@@ -20,10 +32,18 @@ template-path = "/usr/share/templates/kubelet-config"
 path = "/etc/kubernetes/kubelet/kubeconfig"
 template-path = "/usr/share/templates/kubelet-kubeconfig"
+[configuration-files.kubelet-bootstrap-kubeconfig]
+path = "/etc/kubernetes/kubelet/bootstrap-kubeconfig"
+template-path = "/usr/share/templates/kubelet-bootstrap-kubeconfig"
+
 [configuration-files.kubernetes-ca-crt]
 path = "/etc/kubernetes/pki/ca.crt"
 template-path = "/usr/share/templates/kubernetes-ca-crt"
+[configuration-files.kubelet-exec-start-conf]
+path = "/etc/systemd/system/kubelet.service.d/exec-start.conf"
+template-path = "/usr/share/templates/kubelet-exec-start-conf"
+
 [metadata.settings.kubernetes]
 max-pods.setting-generator = "pluto max-pods"
 cluster-dns-ip.setting-generator = "pluto cluster-dns-ip"
@@ -36,6 +56,8 @@ affected-services = ["kubernetes", "containerd"]
 [settings.kubernetes]
 cluster-domain = "cluster.local"
+standalone-mode = false
+authentication-mode = "aws"
 # Metrics
 [settings.metrics]
diff --git a/sources/models/src/lib.rs b/sources/models/src/lib.rs
index 76272060a89..9e221d59e45 100644
--- a/sources/models/src/lib.rs
+++ b/sources/models/src/lib.rs
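Review bot: The new `[configuration-files.kubelet-bootstrap-kubeconfig]` entry renders `/etc/kubernetes/kubelet/bootstrap-kubeconfig`, which carries the bootstrap token in clear text, yet the entry only gives `path` and `template-path`, so the rendered file gets whatever mode and owner the renderer applies by default. The sibling entries all hold non-secret configuration, so that default has presumably never mattered before; if it is a world-readable mode, any unprivileged process on the host, or any container that gets `/etc/kubernetes` bind-mounted, can read a credential that is valid for the token's TTL. Worth confirming how the renderer creates files and, if it supports a per-file mode, pinning this one to owner-only (something like `mode = "0600"`); if it does not, the README entry for `bootstrap-token` should say the file is readable on the host so operators keep the token short-lived.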
@@ -99,7 +99,8 @@ use std::net::Ipv4Addr;
 use crate::modeled_types::{
 DNSDomain, ECSAgentLogLevel, ECSAttributeKey, ECSAttributeValue, FriendlyVersion, Identifier,
- KubernetesClusterName, KubernetesLabelKey, KubernetesLabelValue, KubernetesTaintValue,
+ KubernetesAuthenticationMode, KubernetesBootstrapToken, KubernetesClusterName,
+ KubernetesLabelKey, KubernetesLabelValue, KubernetesTaintValue,
 Lockdown, SingleLineString, SysctlKey, Url, ValidBase64,
 };
@@ -114,15 +115,21 @@ struct StaticPod {
 // IMDS via Sundog's child "Pluto".
 #[model]
 struct KubernetesSettings {
- // Settings we require the user to specify, likely via user data.
+ // Settings that must be specified via user data or through API requests. Not all settings are
+ // useful for all modes. For example, in standalone mode the user does not need to specify any
+ // cluster information, and the bootstrap token is only needed for TLS authentication mode.
 cluster_name: KubernetesClusterName,
 cluster_certificate: ValidBase64,
 api_server: Url,
 node_labels: HashMap,
 node_taints: HashMap,
 static_pods: HashMap,
+ authentication_mode: KubernetesAuthenticationMode,
+ bootstrap_token: KubernetesBootstrapToken,
+ standalone_mode: bool,
- // Dynamic settings.
+ // Settings where we generate a value based on the runtime environment. The user can specify a
+ // value to override the generated one, but typically would not.
 max_pods: u32,
 cluster_dns_ip: Ipv4Addr,
 cluster_domain: DNSDomain,
diff --git a/sources/models/src/modeled_types/kubernetes.rs b/sources/models/src/modeled_types/kubernetes.rs
index 8bda0d8586b..e6c0d098a60 100644
--- a/sources/models/src/modeled_types/kubernetes.rs
+++ b/sources/models/src/modeled_types/kubernetes.rs
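Review bot: The rewritten comment over the "must be specified" group lists `bootstrap_token` alongside ordinary cluster parameters without saying it is a credential: it is rendered verbatim into the kubelet's bootstrap kubeconfig, and the model gives no hint that readers of `settings.kubernetes` (the settings API, logs that dump the struct) should treat it differently from `cluster_name`. A one-line note on the field would help the next person adding a setting, e.g. `// Secret: rendered verbatim into the bootstrap kubeconfig; anything that can read settings can read it.` Also, `standalone_mode` and `authentication_mode` are placed in the "must be specified" group, but the defaults.d file in this same change sets both (`standalone-mode = false`, `authentication-mode = "aws"`), so they read more naturally under the defaulted group below, or the comment should say they carry variant defaults.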
@@ -337,3 +337,103 @@ mod test_kubernetes_cluster_name {
 }
 }
 }
+
+// =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
+
+/// KubernetesAuthenticationMode represents a string that is a valid authentication mode for the
+/// kubelet. It stores the original string and makes it accessible through standard traits.
+#[derive(Debug, Clone, Eq, PartialEq, Hash)]
+pub struct KubernetesAuthenticationMode {
+ inner: String,
+}
+
+impl TryFrom<&str> for KubernetesAuthenticationMode {
+ type Error = error::Error;
+
+ fn try_from(input: &str) -> Result {
+ ensure!(
+ matches!(input, "aws" | "tls" ),
+ error::InvalidAuthenticationMode { input }
+ );
+ Ok(KubernetesAuthenticationMode {
+ inner: input.to_string(),
+ })
+ }
+}
+
+string_impls_for!(KubernetesAuthenticationMode, "KubernetesAuthenticationMode");
+
+#[cfg(test)]
+mod test_kubernetes_authentication_mode {
+ use super::KubernetesAuthenticationMode;
+ use std::convert::TryFrom;
+
+ #[test]
+ fn good_modes() {
+ for ok in &["aws", "tls"] {
+ KubernetesAuthenticationMode::try_from(*ok).unwrap();
+ }
+ }
+
+ #[test]
+ fn bad_modes() {
+ for err in &["", "anonymous"] {
+ KubernetesAuthenticationMode::try_from(*err).unwrap_err();
+ }
+ }
+}
+
+// =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
+
+/// KubernetesBootstrapToken represents a string that is a valid bootstrap token for Kubernetes.
+/// It stores the original string and makes it accessible through standard traits.
+// https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/
+#[derive(Debug, Clone, Eq, PartialEq, Hash)]
+pub struct KubernetesBootstrapToken {
+ inner: String,
+}
+
+lazy_static! 
{
+ pub(crate) static ref KUBERNETES_BOOTSTRAP_TOKEN: Regex = Regex::new(
+ r"^[a-z0-9]{6}\.[a-z0-9]{16}$").unwrap();
+}
+
+impl TryFrom<&str> for KubernetesBootstrapToken {
+ type Error = error::Error;
+
+ fn try_from(input: &str) -> Result {
+ ensure!(
+ KUBERNETES_BOOTSTRAP_TOKEN.is_match(input),
+ error::Pattern {
+ thing: "Kubernetes bootstrap token",
+ pattern: KUBERNETES_BOOTSTRAP_TOKEN.clone(),
+ input
+ }
+ );
+ Ok(KubernetesBootstrapToken {
+ inner: input.to_string(),
+ })
+ }
+}
+
+string_impls_for!(KubernetesBootstrapToken, "KubernetesBootstrapToken");
+
+#[cfg(test)]
+mod test_kubernetes_bootstrap_token {
+ use super::KubernetesBootstrapToken;
+ use std::convert::TryFrom;
+
+ #[test]
+ fn good_tokens() {
+ for ok in &["abcdef.0123456789abcdef", "07401b.f395accd246ae52d"] {
+ KubernetesBootstrapToken::try_from(*ok).unwrap();
+ }
+ }
+
+ #[test]
+ fn bad_names() {
+ for err in &["", "ABCDEF.0123456789ABCDEF", "secret", &"a".repeat(23)] {
+ KubernetesBootstrapToken::try_from(*err).unwrap_err();
+ }
+ }
+}
diff --git a/sources/models/src/modeled_types/mod.rs b/sources/models/src/modeled_types/mod.rs
index 3a632183ae9..421b76135e4 100644
--- a/sources/models/src/modeled_types/mod.rs
+++ b/sources/models/src/modeled_types/mod.rs
@@ -42,6 +42,9 @@ pub mod error {
 #[snafu(display("{} given invalid input: {}", thing, input))]
 BigPattern { thing: String, input: String },
+ #[snafu(display("Invalid Kubernetes authentication mode '{}'", input))]
+ InvalidAuthenticationMode { input: String },
+
 #[snafu(display("Given invalid cluster name '{}': {}", name, msg))]
 InvalidClusterName { name: String, msg: String },
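Review bot: `#[derive(Debug, ...)]` on `KubernetesBootstrapToken` prints the whole token, so any `{:?}` of a settings struct, error context or log line that carries it leaks a live bootstrap credential, and the `error::Pattern { .. input }` path in `try_from` echoes a rejected value (often a token with one character wrong) straight into the error message. `Display` has to stay faithful because the template renders the real value through it, but `Debug` can be a hand-written impl that keeps only the token ID (the part before the dot, which is public by design) and redacts the secret half, assuming `string_impls_for!` does not itself depend on the derived `Debug`; the doc comment on the struct should also state that the value is a secret. The `Pattern` error could likewise report just the ID prefix, or the thing name alone, rather than the full input.

```rust
/// KubernetesBootstrapToken represents a string that is a valid bootstrap token for Kubernetes.
/// The secret half of the token must not appear in logs or error output.
#[derive(Clone, Eq, PartialEq, Hash)]
pub struct KubernetesBootstrapToken {
    inner: String,
}

// Redact the secret half so `{:?}` on settings or errors cannot leak a live token.
impl std::fmt::Debug for KubernetesBootstrapToken {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let id = self.inner.split('.').next().unwrap_or("");
        write!(f, "KubernetesBootstrapToken({}.<redacted>)", id)
    }
}
// … unchanged: lazy_static regex, TryFrom impl, string_impls_for!, tests …
```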