kube-proxy shouldn't reuse kubelet's credentials

kubernetes-retired · Nov 7, 2017 · d0106e4 · d0106e4
1 parent f617c9d
commit d0106e4
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 5 deletions.
diff --git a/pkg/asset/asset.go b/pkg/asset/asset.go
@@ -39,6 +39,7 @@ const (
 	AssetPathManifests                   = "manifests"
 	AssetPathKubelet                     = "manifests/kubelet.yaml"
 	AssetPathProxy                       = "manifests/kube-proxy.yaml"
+	AssetPathProxyKubeConfig             = "manifests/kube-proxy-kubeconfig.yaml"
 	AssetPathKubeFlannel                 = "manifests/kube-flannel.yaml"
 	AssetPathKubeFlannelCfg              = "manifests/kube-flannel-cfg.yaml"
 	AssetPathCalico                      = "manifests/calico.yaml"

diff --git a/pkg/asset/internal/templates.go b/pkg/asset/internal/templates.go
@@ -772,7 +772,7 @@ spec:
         - mountPath: /etc/ssl/certs
           name: ssl-certs-host
           readOnly: true
-        - name: etc-kubernetes
+        - name: kubeconfig
           mountPath: /etc/kubernetes
           readOnly: true
       hostNetwork: true
@@ -786,15 +786,41 @@ spec:
       - hostPath:
           path: /usr/share/ca-certificates
         name: ssl-certs-host
-      - name: etc-kubernetes
-        hostPath:
-          path: /etc/kubernetes
+      - name: kubeconfig
+        secret:
+          secretName: kube-proxy-kubeconfig
   updateStrategy:
     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
 `)
 
+var ProxyKubeConfigTemplate = []byte(`apiVersion: v1
+kind: Secret
+metadata:
+  name: kube-proxy-kubeconfig
+  namespace: kube-system
+stringData:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+    - name: local
+      cluster:
+        # Must use actual external API server address. Internal IP is setup by
+        # kube-proxy itself.
+        server: {{ .Server }}
+        certificate-authority-data: {{ .CACert }}
+    users:
+    - name: service-account
+      user:
+        # Use service account token
+        tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+    contexts:
+    - context:
+        cluster: local
+        user: service-account
+`)
+
 var DNSDeploymentTemplate = []byte(`apiVersion: apps/v1beta2
 kind: Deployment
 metadata:

diff --git a/pkg/asset/k8s.go b/pkg/asset/k8s.go
@@ -162,7 +162,11 @@ func newKubeletKubeConfigAssets(assets Assets, conf Config) ([]Asset, error) {
 	if err != nil {
 		return nil, err
 	}
-	return []Asset{assetTokenFile, assetKubeConfig}, nil
+	assetProxyKubeConfig, err := assetFromTemplate(AssetPathProxyKubeConfig, internal.ProxyKubeConfigTemplate, cfg)
+	if err != nil {
+		return nil, err
+	}
+	return []Asset{assetTokenFile, assetKubeConfig, assetProxyKubeConfig}, nil
 }
 
 func newSelfHostedEtcdSecretAssets(assets Assets) (Assets, error) {