Kubernetes Proxy Service Account
Use service account token to manage certs Change-Id: Ibfdef1bcea13f87fc52ef03c59021ed31a0df3e0
parent
b0c879995a
commit
e9f8035c60
@ -1,46 +0,0 @@
{{/*
|
||||
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: kubernetes-proxy-etc
|
||||
data:
|
||||
kubeconfig.yaml: |-
|
||||
---
|
||||
apiVersion: v1
|
||||
clusters:
|
||||
- cluster:
|
||||
server: https://{{ .Values.network.kubernetes_netloc }}
|
||||
certificate-authority: pki/cluster-ca.pem
|
||||
name: kubernetes
|
||||
contexts:
|
||||
- context:
|
||||
cluster: kubernetes
|
||||
user: proxy
|
||||
name: proxy@kubernetes
|
||||
current-context: proxy@kubernetes
|
||||
kind: Config
|
||||
preferences: {}
|
||||
users:
|
||||
- name: proxy
|
||||
user:
|
||||
client-certificate: pki/proxy.pem
|
||||
client-key: pki/proxy-key.pem
|
||||
|
||||
cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
|
||||
proxy.pem: {{ .Values.secrets.tls.cert | quote }}
@ -30,7 +30,6 @@ spec:
{{ tuple $envAll "kubernetes" "proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
hostNetwork: true
|
||||
dnsPolicy: Default
|
||||
|
@ -47,23 +46,22 @@ spec:
{{- range .Values.command_prefix }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
- --hostname-override=$(NODE_NAME)
|
||||
- --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml
|
||||
- --hostname-override=$(NODE_NAME)
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
env:
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
securityContext:
|
||||
privileged: true
|
||||
# livenessProbe:
|
||||
# httpGet:
|
||||
# path: /healthz
|
||||
# port: 10249
|
||||
# initialDelaySeconds: 15
|
||||
# periodSeconds: 15
|
||||
# failureThreshold: 3
|
||||
# volumeMounts:
|
||||
# - mountPath: /run/xtables.lock
|
||||
# name: xtables-lock
|
||||
# readOnly: false
|
||||
# - mountPath: /lib/modules
|
||||
# name: lib-modules
|
||||
# readOnly: true
|
||||
env:
|
||||
- name: KUBERNETES_SERVICE_HOST
|
||||
value: {{ .Values.kube_service.host }}
|
||||
- name: KUBERNETES_SERVICE_PORT
|
||||
value: {{ .Values.kube_service.port | quote }}
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
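Review bot: The new `KUBERNETES_SERVICE_HOST` entry passes `{{ .Values.kube_service.host }}` unquoted while the port entry right below it uses `| quote`; an env `value` must be a string, so `value: {{ .Values.kube_service.host | quote }}` keeps the two consistent and protects the rendered manifest from a value YAML would retype. The removal of `--kubeconfig` means kube-proxy presumably falls back to the in-cluster config (service-account token and ca.crt from the projected volume), which only works if the API server certificate is valid for the address given in `kube_service.host`; a comment above the `env:` block stating that expectation would save the next operator a debugging session. The commented-out `livenessProbe` and `volumeMounts` blocks appear to be dead code; either delete them or add a one-line comment saying why they are kept. The container block starts before this hunk, and the `env:` key appears twice in this hunk, so I cannot tell from the rendered page which copy survives on the new side.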
|
||||
|
@ -71,29 +69,8 @@ spec:
- -c
|
||||
- |-
|
||||
set -ex
|
||||
|
||||
iptables-save | grep 'default/kubernetes:https'
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 15
|
||||
volumeMounts:
|
||||
- name: kubernetes-proxy-etc
|
||||
mountPath: /etc/kubernetes/proxy/kubeconfig.yaml
|
||||
subPath: kubeconfig.yaml
|
||||
- name: kubernetes-proxy-etc
|
||||
mountPath: /etc/kubernetes/proxy/pki/proxy.pem
|
||||
subPath: proxy.pem
|
||||
- name: kubernetes-proxy-etc
|
||||
mountPath: /etc/kubernetes/proxy/pki/cluster-ca.pem
|
||||
subPath: cluster-ca.pem
|
||||
- name: proxy-secret
|
||||
mountPath: /etc/kubernetes/proxy/pki/proxy-key.pem
|
||||
subPath: proxy-key.pem
|
||||
volumes:
|
||||
- name: kubernetes-proxy-etc
|
||||
configMap:
|
||||
name: kubernetes-proxy-etc
|
||||
defaultMode: 0444
|
||||
- name: proxy-secret
|
||||
secret:
|
||||
secretName: kubernetes-proxy
|
||||
serviceAccountName: kube-proxy
|
||||
{{- end }}
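Review bot: `serviceAccountName: kube-proxy` binds this DaemonSet to a ServiceAccount that the new rbac template creates with a hard-coded `namespace: kube-system`; if the chart is ever released into another namespace the pod will fail scheduling with a missing-ServiceAccount error, so either derive the namespace from the release in the ServiceAccount or document the kube-system requirement next to this line, e.g. `serviceAccountName: kube-proxy  # created by templates/rbac.yaml in kube-system`. With the configMap and secret volumes gone, the pod relies entirely on the auto-mounted token, so `automountServiceAccountToken` must not be disabled on the pod or the ServiceAccount; worth a comment since nothing in the template makes the dependency visible. The spec block begins outside this hunk.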
|
||||
@ -0,0 +1,37 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
# limitations under the License.
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kube-proxy
|
||||
namespace: kube-system
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: system:kube-proxy
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: Reconcile
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kube-proxy
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: system:node-proxier
|
||||
apiGroup: rbac.authorization.k8s.io
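Review bot: The license header in this new file repeats `# limitations under the License.` on two consecutive lines; drop one. The values change in this commit adds a `manifests.rbac: true` toggle, but this file carries no `{{- if .Values.manifests.rbac }}` / `{{- end }}` guard like the other templates in the chart appear to, so the toggle is not honoured if this file lives under templates/. `rbac.authorization.k8s.io/v1beta1` is the beta API; the GA `rbac.authorization.k8s.io/v1` has been available since Kubernetes 1.8, which the pinned hyperkube image already targets, so prefer `apiVersion: rbac.authorization.k8s.io/v1` to avoid a later breakage. Binding to the built-in `system:node-proxier` ClusterRole rather than a custom role is the right least-privilege choice and deserves a short comment saying so.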
@ -1,20 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: kubernetes-proxy
|
||||
type: Opaque
|
||||
data:
|
||||
proxy-key.pem: {{ .Values.secrets.tls.key | b64enc }}
@ -15,8 +15,7 @@
|
||||
manifests:
|
||||
daemonset_proxy: true
|
||||
configmap_etc: true
|
||||
secret: true
|
||||
rbac: true
|
||||
|
||||
pod:
|
||||
lifecycle:
|
||||
|
@ -45,12 +44,6 @@ images:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.6
|
||||
pull_policy: "IfNotPresent"
|
||||
|
||||
secrets:
|
||||
tls:
|
||||
ca: placeholder
|
||||
cert: placeholder
|
||||
key: placeholder
|
||||
|
||||
command_prefix:
|
||||
- /proxy
|
||||
- --proxy-mode=iptables
|
||||
|
@ -58,3 +51,7 @@ command_prefix:
|
||||
network:
|
||||
kubernetes_netloc: 10.96.0.1
|
||||
|
||||
kube_service:
|
||||
host: 127.0.0.1
|
||||
port: 6553
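Review bot: `port: 6553` under `kube_service` is undocumented and looks like it may be a transposition of the API server default 6443; if a local forwarder really does listen on 6553 at 127.0.0.1, say so, e.g. `port: 6553  # local API proxy; must present a cert valid for kube_service.host`. These two values are consumed as `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` in the DaemonSet, which is the in-cluster client's only way to find the API server once `--kubeconfig` is gone, so a wrong value here makes kube-proxy silently fail its readiness probe rather than error at render time. Note also that the default `kubernetes_netloc: 10.96.0.1` a few lines up is no longer referenced by any template visible in this commit; if it is now unused, remove it.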
|
||||
@ -153,11 +153,6 @@ data:
upgrade:
|
||||
no_hooks: true
|
||||
values:
|
||||
secrets:
|
||||
tls:
|
||||
ca: placeholder
|
||||
cert: placeholder
|
||||
key: placeholder
|
||||
images:
|
||||
tags:
|
||||
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.6
|
||||
@ -196,11 +196,6 @@ data:
upgrade:
|
||||
no_hooks: true
|
||||
values:
|
||||
secrets:
|
||||
tls:
|
||||
ca: placeholder
|
||||
cert: placeholder
|
||||
key: placeholder
|
||||
images:
|
||||
tags:
|
||||
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.6
|
||||
@ -56,9 +56,6 @@ class Generator:
|
||||
self.gen_kubelet_certificates()
|
||||
|
||||
self.gen(
|
||||
'certificate', 'proxy', ca='kubernetes', cn='system:kube-proxy')
|
||||
|
||||
# Certificates for kubectl admin
|
||||
self.gen(
|
||||
'certificate',
|
||||