From e9f8035c60e40ac941c3e64ef771bca87abfd9e8 Mon Sep 17 00:00:00 2001
From: Hassan Kaous
Date: Fri, 1 Dec 2017 14:36:07 -0600
Subject: [PATCH] Kubernetes Proxy Service Account
Use service account token to manage certs
Change-Id: Ibfdef1bcea13f87fc52ef03c59021ed31a0df3e0
---
charts/proxy/templates/configmap-etc.yaml | 46 --------------------
charts/proxy/templates/daemonset.yaml | 51 +++++++----------------
charts/proxy/templates/rbac.yaml | 37 ++++++++++++++++
charts/proxy/templates/secret.yaml | 20 ---------
charts/proxy/values.yaml | 13 +++---
examples/basic/armada-resources.yaml | 5 ---
examples/complete/armada-resources.yaml | 5 ---
promenade/generator.py | 3 --
8 files changed, 56 insertions(+), 124 deletions(-)
delete mode 100644 charts/proxy/templates/configmap-etc.yaml
create mode 100644 charts/proxy/templates/rbac.yaml
delete mode 100644 charts/proxy/templates/secret.yaml
diff --git a/charts/proxy/templates/configmap-etc.yaml b/charts/proxy/templates/configmap-etc.yaml
deleted file mode 100644
index 335d72be..00000000
--- a/charts/proxy/templates/configmap-etc.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{/*
-Copyright 2017 AT&T Intellectual Property. All other rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: kubernetes-proxy-etc
-data:
- kubeconfig.yaml: |-
- ---
- apiVersion: v1
- clusters:
- - cluster:
- server: https://{{ .Values.network.kubernetes_netloc }}
- certificate-authority: pki/cluster-ca.pem
- name: kubernetes
- contexts:
- - context:
- cluster: kubernetes
- user: proxy
- name: proxy@kubernetes
- current-context: proxy@kubernetes
- kind: Config
- preferences: {}
- users:
- - name: proxy
- user:
- client-certificate: pki/proxy.pem
- client-key: pki/proxy-key.pem
-
- cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
- proxy.pem: {{ .Values.secrets.tls.cert | quote }}
diff --git a/charts/proxy/templates/daemonset.yaml b/charts/proxy/templates/daemonset.yaml
index 0b6faac9..88978090 100644
--- a/charts/proxy/templates/daemonset.yaml
+++ b/charts/proxy/templates/daemonset.yaml
@@ -30,7 +30,6 @@ spec:
 {{ tuple $envAll "kubernetes" "proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
 scheduler.alpha.kubernetes.io/critical-pod: ''
- configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
 hostNetwork: true
 dnsPolicy: Default
@@ -47,23 +46,22 @@ spec:
 {{- range .Values.command_prefix }}
 - {{ . }}
 {{- end }}
- - --hostname-override=$(NODE_NAME)
- - --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml
+ - --hostname-override=$(NODE_NAME)
 {{ tuple $envAll $envAll.Values.pod.resources.proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
- env:
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
 securityContext:
 privileged: true
-# livenessProbe:
-# httpGet:
-# path: /healthz
-# port: 10249
-# initialDelaySeconds: 15
-# periodSeconds: 15
-# failureThreshold: 3
+ # volumeMounts:
+ # - mountPath: /run/xtables.lock
+ # name: xtables-lock
+ # readOnly: false
+ # - mountPath: /lib/modules
+ # name: lib-modules
+ # readOnly: true
+ env:
+ - name: KUBERNETES_SERVICE_HOST
+ value: {{ .Values.kube_service.host }}
+ - name: KUBERNETES_SERVICE_PORT
+ value: {{ .Values.kube_service.port | quote }}
 readinessProbe:
 exec:
 command:
@@ -71,29 +69,8 @@ spec:
 - -c
 - |-
 set -ex
- iptables-save | grep 'default/kubernetes:https'
 initialDelaySeconds: 15
 periodSeconds: 15
- volumeMounts:
- - name: kubernetes-proxy-etc
- mountPath: /etc/kubernetes/proxy/kubeconfig.yaml
- subPath: kubeconfig.yaml
- - name: kubernetes-proxy-etc
- mountPath: /etc/kubernetes/proxy/pki/proxy.pem
- subPath: proxy.pem
- - name: kubernetes-proxy-etc
- mountPath: /etc/kubernetes/proxy/pki/cluster-ca.pem
- subPath: cluster-ca.pem
- - name: proxy-secret
- mountPath: /etc/kubernetes/proxy/pki/proxy-key.pem
- subPath: proxy-key.pem
- volumes:
- - name: kubernetes-proxy-etc
- configMap:
- name: kubernetes-proxy-etc
- defaultMode: 0444
- - name: proxy-secret
- secret:
- secretName: kubernetes-proxy
+ serviceAccountName: kube-proxy
 {{- end }}
diff --git a/charts/proxy/templates/rbac.yaml b/charts/proxy/templates/rbac.yaml
new file mode 100644
index 00000000..38790797
--- /dev/null
+++ b/charts/proxy/templates/rbac.yaml
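Review bot: The new side keeps `- --hostname-override=$(NODE_NAME)` but drops the `env` entry that defined NODE_NAME from `spec.nodeName`, and the replacement `env` block only sets KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT. Kubernetes only expands `$(VAR)` in container args for variables present in that container's env, so kube-proxy will now receive the literal string `$(NODE_NAME)` as its hostname override; restore the downward-API entry next to the two new variables (quoting the host value the same way the port is quoted would also guard against a value the YAML parser retypes). The commented-out `volumeMounts` block that replaces the commented-out livenessProbe is dead configuration carried in a template; either wire it up with matching `volumes` or leave it out. The container spec continues past this hunk.
```yaml
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: KUBERNETES_SERVICE_HOST
              value: {{ .Values.kube_service.host | quote }}
            - name: KUBERNETES_SERVICE_PORT
              value: {{ .Values.kube_service.port | quote }}
          # … unchanged: readinessProbe …
```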
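Review bot: With `iptables-save | grep 'default/kubernetes:https'` removed, the readiness probe script is reduced to `set -ex`, which always exits 0, so every pod reports Ready whether or not kube-proxy has programmed any rules or can even reach the API server with its token. Either replace the grep with a condition the new setup actually satisfies, or drop the probe instead of keeping one that can never fail; an HTTP check against kube-proxy's health endpoint, as the commented-out livenessProbe deleted in the previous hunk sketched, would cover both. `serviceAccountName: kube-proxy` resolves in the release namespace, so the ServiceAccount must be created in that same namespace for the pods to start. The hunk ends at the template's closing `{{- end }}`; the matching `if` lies outside it.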
@@ -0,0 +1,37 @@
+# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# limitations under the License.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-proxy
+ namespace: kube-system
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: system:kube-proxy
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+ - kind: ServiceAccount
+ name: kube-proxy
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: system:node-proxier
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/charts/proxy/templates/secret.yaml b/charts/proxy/templates/secret.yaml
deleted file mode 100644
index bd826384..00000000
--- a/charts/proxy/templates/secret.yaml
+++ /dev/null
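Review bot: Both the ServiceAccount and the binding subject hardcode `namespace: kube-system`, while the daemonset's `serviceAccountName: kube-proxy` resolves in the release namespace; installing the chart anywhere else leaves the pods unable to start for lack of the service account, so both lines should read `namespace: {{ .Release.Namespace }}`. values.yaml gains a `manifests.rbac: true` toggle in this same commit, but unlike daemonset.yaml (which closes with `{{- end }}`) this template has no `{{- if .Values.manifests.rbac }}` / `{{- end }}` guard, so the toggle is inert. The `addonmanager.kubernetes.io/mode: Reconcile` labels look copied from the upstream addon manifest; if a kube-addon-manager runs in the cluster it reconciles (and can prune) objects carrying that label against its own addon directory, which would fight with Helm-managed objects, so drop the labels unless that manager is intended to own them. Minor: `# limitations under the License.` is repeated, the file lacks a trailing newline, and the `system:` name prefix is conventionally reserved for cluster-created objects, so a chart-specific binding name would be clearer.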
@@ -1,20 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: kubernetes-proxy
-type: Opaque
-data:
- proxy-key.pem: {{ .Values.secrets.tls.key | b64enc }}
diff --git a/charts/proxy/values.yaml b/charts/proxy/values.yaml
index 3b687aa7..569c9762 100644
--- a/charts/proxy/values.yaml
+++ b/charts/proxy/values.yaml
@@ -15,8 +15,7 @@ manifests:
 daemonset_proxy: true
- configmap_etc: true
- secret: true
+ rbac: true
 pod:
 lifecycle:
@@ -45,12 +44,6 @@ images:
 proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.6
 pull_policy: "IfNotPresent"
-secrets:
- tls:
- ca: placeholder
- cert: placeholder
- key: placeholder
-
 command_prefix:
 - /proxy
 - --proxy-mode=iptables
@@ -58,3 +51,7 @@ command_prefix:
 network:
 kubernetes_netloc: 10.96.0.1
+
+kube_service:
+ host: 127.0.0.1
+ port: 6553
diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml
index 35cef7f6..a6134682 100644
--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -153,11 +153,6 @@ data:
 upgrade:
 no_hooks: true
 values:
- secrets:
- tls:
- ca: placeholder
- cert: placeholder
- key: placeholder
 images:
 tags:
 proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.6
diff --git a/examples/complete/armada-resources.yaml b/examples/complete/armada-resources.yaml
index bfe2dceb..ca94b9b6 100644
--- a/examples/complete/armada-resources.yaml
+++ b/examples/complete/armada-resources.yaml
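Review bot: `kube_service` is introduced in the last values.yaml hunk without a comment, yet its two values become the KUBERNETES_SERVICE_HOST/PORT environment of the proxy container and therefore decide which endpoint the service-account token is presented to; a default of 127.0.0.1:6553 presumably relies on a node-local API server proxy on every host, which the file should say. Suggested comment above the key: `# API server endpoint injected as KUBERNETES_SERVICE_HOST/PORT; the default assumes a node-local apiserver proxy on each host`. With configmap-etc.yaml deleted, the only reference to `network.kubernetes_netloc` visible in this diff is gone; if nothing else in the chart reads it, it is now a dead value and should go with this change. The `secrets.tls` block is removed from values.yaml and both example armada-resources files, which is consistent with the deleted secret and configmap templates.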
@@ -196,11 +196,6 @@ data:
 upgrade:
 no_hooks: true
 values:
- secrets:
- tls:
- ca: placeholder
- cert: placeholder
- key: placeholder
 images:
 tags:
 proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.6
diff --git a/promenade/generator.py b/promenade/generator.py
index e00c4d1f..5d21c4be 100644
--- a/promenade/generator.py
+++ b/promenade/generator.py
@@ -56,9 +56,6 @@ class Generator:
 self.gen_kubelet_certificates()
- self.gen(
- 'certificate', 'proxy', ca='kubernetes', cn='system:kube-proxy')
-
 # Certificates for kubectl admin
 self.gen(
 'certificate',