set kubelet authentication/authorization webhook

2018-10-06 10:21:04 +08:00 · 2018-10-06 10:21:04 +08:00 · aa869e17ff
parent 64e38717dd
commit aa869e17ff
5 changed files with 10 additions and 8 deletions
--- a/manifests/metrics-server/metrics-server-deployment.yaml
+++ b/manifests/metrics-server/metrics-server-deployment.yaml
@ -35,9 +35,7 @@ spec:
        command:
        - /metrics-server
        - --metric-resolution=30s
-        - --kubelet-port=10255
-        - --deprecated-kubelet-completely-insecure=true
+        - --kubelet-insecure-tls
        volumeMounts:
        - name: tmp-dir
          mountPath: /tmp
-
--- a/roles/kube-master/templates/kube-apiserver-v1.8.service.j2
+++ b/roles/kube-master/templates/kube-apiserver-v1.8.service.j2
@ -10,8 +10,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --kubelet-https=true \
-  --kubelet-client-certificate={{ ca_dir }}/kubernetes.pem \
-  --kubelet-client-key={{ ca_dir }}/kubernetes-key.pem \
+  --kubelet-client-certificate={{ ca_dir }}/admin.pem \
+  --kubelet-client-key={{ ca_dir }}/admin-key.pem \
  --anonymous-auth=false \
  --basic-auth-file={{ ca_dir }}/basic-auth.csv \
  --service-cluster-ip-range={{ SERVICE_CIDR }} \
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@ -10,8 +10,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --kubelet-https=true \
-  --kubelet-client-certificate={{ ca_dir }}/kubernetes.pem \
-  --kubelet-client-key={{ ca_dir }}/kubernetes-key.pem \
+  --kubelet-client-certificate={{ ca_dir }}/admin.pem \
+  --kubelet-client-key={{ ca_dir }}/admin-key.pem \
  --anonymous-auth=false \
  --basic-auth-file={{ ca_dir }}/basic-auth.csv \
  --service-cluster-ip-range={{ SERVICE_CIDR }} \
--- a/roles/kube-node/templates/kubelet.service.j2
+++ b/roles/kube-node/templates/kubelet.service.j2
@ -11,6 +11,8 @@ ExecStart={{ bin_dir }}/kubelet \
  --address={{ inventory_hostname }} \
  --allow-privileged=true \
  --anonymous-auth=false \
+  --authentication-token-webhook \
+  --authorization-mode=Webhook \
  --client-ca-file={{ ca_dir }}/ca.pem \
  --cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
  --cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
--- a/roles/prepare/tasks/main.yml
+++ b/roles/prepare/tasks/main.yml
@ -25,9 +25,11 @@
  synchronize: src=/root/.kube/config dest=/root/.kube/config
  delegate_to: "{{ groups.deploy[0] }}"

- name: 分发 CA 证书
+- name: 分发证书相关
  synchronize: src={{ ca_dir }}/{{ item }} dest={{ ca_dir }}/{{ item }}
  with_items:
+  - admin.pem
+  - admin-key.pem
  - ca.pem
  - ca-key.pem
  - ca.csr