From 88ea55df49c0d7309536fce300a4df6fff2c25dc Mon Sep 17 00:00:00 2001 From: Josh Woodcock Date: Sun, 13 Oct 2019 18:04:06 -0500 Subject: [PATCH] Performance and security enhancment for ingress-dns addon --- .../ingress-dns/ingress-dns-configmap.yaml | 51 ---- .../ingress-dns-nginx-pod.yaml.tmpl | 229 ------------------ ...s-server-pod.yaml => ingress-dns-pod.yaml} | 31 +-- .../addons/ingress-dns/ingress-dns-svc.yaml | 37 --- pkg/minikube/assets/addons.go | 22 +- 5 files changed, 13 insertions(+), 357 deletions(-) delete mode 100644 deploy/addons/ingress-dns/ingress-dns-configmap.yaml delete mode 100644 deploy/addons/ingress-dns/ingress-dns-nginx-pod.yaml.tmpl rename deploy/addons/ingress-dns/{ingress-dns-dns-server-pod.yaml => ingress-dns-pod.yaml} (81%) delete mode 100644 deploy/addons/ingress-dns/ingress-dns-svc.yaml diff --git a/deploy/addons/ingress-dns/ingress-dns-configmap.yaml b/deploy/addons/ingress-dns/ingress-dns-configmap.yaml deleted file mode 100644 index 4e2fb5a6e17d..000000000000 --- a/deploy/addons/ingress-dns/ingress-dns-configmap.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright 2016 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -data: - map-hash-bucket-size: "128" - hsts: "false" -kind: ConfigMap -metadata: - name: minikube-ingress-dns-nginx-load-balancer-conf - namespace: kube-system - labels: - app: minikube-ingress-dns - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: EnsureExists ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: minikube-ingress-dns-tcp-services - namespace: kube-system - labels: - app: minikube-ingress-dns - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: EnsureExists -data: - 53: "kube-system/kube-ingress-dns-minikube:5353" ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: minikube-ingress-dns-udp-services - namespace: kube-system - labels: - app: minikube-ingress-dns - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: EnsureExists -data: - 53: "kube-system/kube-ingress-dns-minikube:5353" \ No newline at end of file diff --git a/deploy/addons/ingress-dns/ingress-dns-nginx-pod.yaml.tmpl b/deploy/addons/ingress-dns/ingress-dns-nginx-pod.yaml.tmpl deleted file mode 100644 index 33900b619838..000000000000 --- a/deploy/addons/ingress-dns/ingress-dns-nginx-pod.yaml.tmpl +++ /dev/null 
@@ -1,229 +0,0 @@ -# Copyright 2016 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: minikube-ingress-dns-nginx-ingress - namespace: kube-system - labels: - kubernetes.io/bootstrapping: rbac-defaults - app: minikube-ingress-dns-nginx-ingress-controller - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: Reconcile ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: system:minikube-ingress-dns-nginx-ingress - labels: - kubernetes.io/bootstrapping: rbac-defaults - app: minikube-ingress-dns-nginx-ingress-controller - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: Reconcile -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - verbs: - - update ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: system::minikube-ingress-dns-nginx-ingress-role - 
namespace: kube-system - labels: - kubernetes.io/bootstrapping: rbac-defaults - app: minikube-ingress-dns-nginx-ingress-controller - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: Reconcile -rules: - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - namespaces - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - # Defaults to "-" - # Here: "-" - # This has to be adapted if you change either parameter - # when launching the nginx-ingress-controller. - - ingress-controller-leader-nginx - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: system::minikube-ingress-dns-nginx-ingress-role-binding - namespace: kube-system - labels: - kubernetes.io/bootstrapping: rbac-defaults - app: minikube-ingress-dns-nginx-ingress-controller - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: EnsureExists -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: system::minikube-ingress-dns-nginx-ingress-role -subjects: - - kind: ServiceAccount - name: minikube-ingress-dns-nginx-ingress - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: system:minikube-ingress-dns-nginx-ingress - labels: - kubernetes.io/bootstrapping: rbac-defaults - app: minikube-ingress-dns-nginx-ingress-controller - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: EnsureExists -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:minikube-ingress-dns-nginx-ingress -subjects: - - kind: ServiceAccount - name: minikube-ingress-dns-nginx-ingress - namespace: kube-system ---- -apiVersion: v1 -kind: Pod -metadata: - name: minikube-ingress-dns-nginx-ingress-controller - namespace: 
kube-system - labels: - app: minikube-ingress-dns-nginx-ingress-controller - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: EnsureExists -spec: - serviceAccountName: minikube-ingress-dns-nginx-ingress - terminationGracePeriodSeconds: 60 - hostNetwork: true - containers: - - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller{{.ExoticArch}}:0.26.1 - name: nginx-ingress-controller - imagePullPolicy: IfNotPresent - readinessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - livenessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - timeoutSeconds: 1 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - containerPort: 53 - hostPort: 53 - - containerPort: 8008 - - containerPort: 4333 - args: - - /nginx-ingress-controller - - --configmap=$(POD_NAMESPACE)/minikube-ingress-dns-nginx-load-balancer-conf - - --tcp-services-configmap=$(POD_NAMESPACE)/minikube-ingress-dns-tcp-services - - --udp-services-configmap=$(POD_NAMESPACE)/minikube-ingress-dns-udp-services - - --annotations-prefix=nginx.ingress.kubernetes.io - - --http-port=8008 - - --https-port=4333 - # use minikube IP address in ingress status field - - --report-node-internal-ip-address - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - # www-data -> 33 - runAsUser: 33 \ No newline at end of file diff --git a/deploy/addons/ingress-dns/ingress-dns-dns-server-pod.yaml b/deploy/addons/ingress-dns/ingress-dns-pod.yaml similarity index 81% rename from deploy/addons/ingress-dns/ingress-dns-dns-server-pod.yaml rename to deploy/addons/ingress-dns/ingress-dns-pod.yaml index aaaea7425b61..5c16e12c0136 100644 --- a/deploy/addons/ingress-dns/ingress-dns-dns-server-pod.yaml +++ b/deploy/addons/ingress-dns/ingress-dns-pod.yaml 
@@ -35,16 +35,6 @@ metadata: app.kubernetes.io/part-of: kube-system addonmanager.kubernetes.io/mode: Reconcile rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - patch - resourceNames: - - tcp-services - - udp-services - apiGroups: - "" - "extensions" @@ -65,11 +55,11 @@ metadata: app: minikube-ingress-dns kubernetes.io/bootstrapping: rbac-defaults app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: EnsureExists + addonmanager.kubernetes.io/mode: Reconcile roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: cluster-admin + name: minikube-ingress-dns subjects: - kind: ServiceAccount name: minikube-ingress-dns @@ -83,20 +73,21 @@ metadata: labels: app: minikube-ingress-dns app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: EnsureExists + addonmanager.kubernetes.io/mode: Reconcile spec: serviceAccountName: minikube-ingress-dns + hostNetwork: true containers: - name: minikube-ingress-dns - image: "cryptexlabs/minikube-ingress-dns:0.1.1" + image: "cryptexlabs/minikube-ingress-dns:0.2.0" imagePullPolicy: IfNotPresent ports: - - containerPort: 5353 - hostPort: 5353 - protocol: TCP - - containerPort: 5353 - hostPort: 5353 + - containerPort: 53 protocol: UDP env: - name: DNS_PORT - value: "5353" \ No newline at end of file + value: "53" + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP \ No newline at end of file diff --git a/deploy/addons/ingress-dns/ingress-dns-svc.yaml b/deploy/addons/ingress-dns/ingress-dns-svc.yaml deleted file mode 100644 index 41187d95d8f5..000000000000 --- a/deploy/addons/ingress-dns/ingress-dns-svc.yaml +++ /dev/null 
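Review bot: Changing `roleRef` from `cluster-admin` to `minikube-ingress-dns` on a ClusterRoleBinding that already exists will not take effect through an update: the API server treats `roleRef` on RoleBindings and ClusterRoleBindings as immutable and rejects the change, so a cluster where this addon was enabled under the old manifest keeps the cluster-admin grant. Switching the label to `addonmanager.kubernetes.io/mode: Reconcile` makes the addon manager re-apply the object, but as far as this hunk shows nothing deletes and recreates it; giving the binding a new name, or an explicit delete-and-recreate on upgrade, avoids the silent failure. The binding's `name` and the start of the object are outside the hunk, as is the name of the ClusterRole now referenced — the hunk above shows a `Reconcile` ClusterRole but not its name, so confirm it is `minikube-ingress-dns`.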
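Review bot: The pod gains `hostNetwork: true` and listens on UDP/53 inside the node's network namespace, yet the new spec sets no `securityContext`, whereas the nginx pod this commit deletes dropped all capabilities, added only `NET_BIND_SERVICE` and ran as uid 33. A container that joins the host network and binds a privileged port should carry at least `securityContext:` / `  capabilities: {drop: ["ALL"], add: ["NET_BIND_SERVICE"]}` under the container, plus a `runAsUser`/`runAsNonRoot` setting once the user the `cryptexlabs/minikube-ingress-dns:0.2.0` image runs as is confirmed, which is not visible here. Because of host networking the listener sits on the node's own addresses, so a one-line comment on `hostNetwork: true` saying that 53/udp on the minikube node is intentional would help the next reader. The image is a third-party tag with no digest and `imagePullPolicy: IfNotPresent`; pinning it as `image: "cryptexlabs/minikube-ingress-dns:0.2.0@sha256:…"` would make what the addon runs reproducible.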
@@ -1,37 +0,0 @@ -# Copyright 2016 The Kubernetes Authors All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -kind: Service -metadata: - name: kube-ingress-dns-minikube - namespace: kube-system - labels: - app: minikube-ingress-dns - app.kubernetes.io/part-of: kube-system - addonmanager.kubernetes.io/mode: EnsureExists -spec: - selector: - app: minikube-ingress-dns - clusterIP: None - ports: - - name: tcp-port - port: 5353 - targetPort: 5353 - protocol: TCP - - name: udp-port - port: 5353 - targetPort: 5353 - protocol: UDP \ No newline at end of file diff --git a/pkg/minikube/assets/addons.go b/pkg/minikube/assets/addons.go index f2c73b981316..18cfd22251fb 100644 --- a/pkg/minikube/assets/addons.go +++ b/pkg/minikube/assets/addons.go 
@@ -350,27 +350,9 @@ var Addons = map[string]*Addon{
 	}, false, "helm-tiller"),
 	"ingress-dns": NewAddon([]*BinAsset{
 		MustBinAsset(
-			"deploy/addons/ingress-dns/ingress-dns-configmap.yaml",
+			"deploy/addons/ingress-dns/ingress-dns-pod.yaml",
 			vmpath.GuestAddonsDir,
-			"ingress-dns-configmap.yaml",
-			"0640",
-			false),
-		MustBinAsset(
-			"deploy/addons/ingress-dns/ingress-dns-dns-server-pod.yaml",
-			vmpath.GuestAddonsDir,
-			"ingress-dns-dns-server-pod.yaml",
-			"0640",
-			false),
-		MustBinAsset(
-			"deploy/addons/ingress-dns/ingress-dns-nginx-pod.yaml.tmpl",
-			vmpath.GuestAddonsDir,
-			"ingress-dns-nginx-pod.yaml",
-			"0640",
-			true),
-		MustBinAsset(
-			"deploy/addons/ingress-dns/ingress-dns-svc.yaml",
-			vmpath.GuestAddonsDir,
-			"ingress-dns-svc.yaml",
+			"ingress-dns-pod.yaml",
 			"0640",
 			false),
 	}, false, "ingress-dns"),
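Review bot: The asset list now ships only `ingress-dns-pod.yaml`, but nothing in this hunk removes the objects the dropped manifests created on clusters where the addon was already enabled: the nginx controller pod with `hostNetwork: true`, its ServiceAccount and role bindings, the headless Service and the three ConfigMaps. The pod, both bindings, the Service and the ConfigMaps carried `addonmanager.kubernetes.io/mode: EnsureExists`, and whether minikube's addon manager prunes objects of that mode once their manifest disappears is not visible here; if it does not, they keep running after an upgrade. A comment on the `"ingress-dns"` entry such as `// older versions also installed an nginx controller, a Service and tcp/udp ConfigMaps; they are not removed automatically on upgrade`, or a cleanup step where the addon is enabled, would close that gap. The `Addons` map literal begins and ends outside the hunk.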