From aa869e17ffd6353158464496aa36a3542681e9ad Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Sat, 6 Oct 2018 10:21:04 +0800
Subject: [PATCH] set kubelet authentication/authorization webhook

---
 manifests/metrics-server/metrics-server-deployment.yaml | 4 +---
 roles/kube-master/templates/kube-apiserver-v1.8.service.j2 | 4 ++--
 roles/kube-master/templates/kube-apiserver.service.j2 | 4 ++--
 roles/kube-node/templates/kubelet.service.j2 | 2 ++
 roles/prepare/tasks/main.yml | 4 +++-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/manifests/metrics-server/metrics-server-deployment.yaml b/manifests/metrics-server/metrics-server-deployment.yaml
index 7457a41..e2bfa67 100644
--- a/manifests/metrics-server/metrics-server-deployment.yaml
+++ b/manifests/metrics-server/metrics-server-deployment.yaml
@@ -35,9 +35,7 @@ spec:
         command:
         - /metrics-server
         - --metric-resolution=30s
-        - --kubelet-port=10255
-        - --deprecated-kubelet-completely-insecure=true
+        - --kubelet-insecure-tls
         volumeMounts:
         - name: tmp-dir
           mountPath: /tmp
-
diff --git a/roles/kube-master/templates/kube-apiserver-v1.8.service.j2 b/roles/kube-master/templates/kube-apiserver-v1.8.service.j2
index ecb7993..c1357d7 100644
--- a/roles/kube-master/templates/kube-apiserver-v1.8.service.j2
+++ b/roles/kube-master/templates/kube-apiserver-v1.8.service.j2
@@ -10,8 +10,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
   --insecure-bind-address=127.0.0.1 \
   --authorization-mode=Node,RBAC \
   --kubelet-https=true \
-  --kubelet-client-certificate={{ ca_dir }}/kubernetes.pem \
-  --kubelet-client-key={{ ca_dir }}/kubernetes-key.pem \
+  --kubelet-client-certificate={{ ca_dir }}/admin.pem \
+  --kubelet-client-key={{ ca_dir }}/admin-key.pem \
   --anonymous-auth=false \
   --basic-auth-file={{ ca_dir }}/basic-auth.csv \
   --service-cluster-ip-range={{ SERVICE_CIDR }} \
diff --git a/roles/kube-master/templates/kube-apiserver.service.j2 b/roles/kube-master/templates/kube-apiserver.service.j2
index 57378a9..bc22bc0 100644
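Review bot: `--kubelet-insecure-tls` makes metrics-server skip verification of each kubelet's serving certificate, so the scrape moves from plaintext on 10255 to TLS whose peer is never checked; a spoofed kubelet endpoint would be accepted, so the hunk trades one weakness for another rather than closing it. The robust form is to have kubelets serve certificates signed by the cluster CA and point metrics-server at that CA (`--kubelet-certificate-authority`, where the metrics-server release in use supports it), then drop the flag. Until then the trade-off should be recorded in the manifest, e.g. `# TODO: skips kubelet serving-cert verification; remove once kubelets serve CA-signed certs` above the flag. The container spec continues outside the hunk, so I cannot tell whether a `--kubelet-preferred-address-types` setting already exists there.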
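Review bot: Reusing `admin.pem`/`admin-key.pem` as the apiserver's kubelet client credential gives the apiserver→kubelet path whatever identity that certificate carries (presumably a cluster-admin one, though its subject is not visible here), which is more than the kubelet API needs and ties the node-facing credential to a key that roles/prepare now copies to other hosts. Kubernetes' documented pattern for kubelet `--authorization-mode=Webhook` is a dedicated client certificate whose identity is bound to the `system:kubelet-api-admin` ClusterRole, and the two `--kubelet-client-*` lines would reference that certificate instead. If `kubernetes.pem` was swapped out because its subject had no RBAC binding for the kubelet API, a ClusterRoleBinding for that subject is the smaller change. The same two lines change identically in roles/kube-master/templates/kube-apiserver.service.j2, and ExecStart continues outside the hunk in both templates.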
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@@ -10,8 +10,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
   --insecure-bind-address=127.0.0.1 \
   --authorization-mode=Node,RBAC \
   --kubelet-https=true \
-  --kubelet-client-certificate={{ ca_dir }}/kubernetes.pem \
-  --kubelet-client-key={{ ca_dir }}/kubernetes-key.pem \
+  --kubelet-client-certificate={{ ca_dir }}/admin.pem \
+  --kubelet-client-key={{ ca_dir }}/admin-key.pem \
   --anonymous-auth=false \
   --basic-auth-file={{ ca_dir }}/basic-auth.csv \
   --service-cluster-ip-range={{ SERVICE_CIDR }} \
diff --git a/roles/kube-node/templates/kubelet.service.j2 b/roles/kube-node/templates/kubelet.service.j2
index aa43e6a..6d77ff7 100644
--- a/roles/kube-node/templates/kubelet.service.j2
+++ b/roles/kube-node/templates/kubelet.service.j2
@@ -11,6 +11,8 @@ ExecStart={{ bin_dir }}/kubelet \
   --address={{ inventory_hostname }} \
   --allow-privileged=true \
   --anonymous-auth=false \
+  --authentication-token-webhook \
+  --authorization-mode=Webhook \
   --client-ca-file={{ ca_dir }}/ca.pem \
   --cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
   --cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
diff --git a/roles/prepare/tasks/main.yml b/roles/prepare/tasks/main.yml
index b56e9d6..fe7a3fa 100644
--- a/roles/prepare/tasks/main.yml
+++ b/roles/prepare/tasks/main.yml
@@ -25,9 +25,11 @@
   synchronize: src=/root/.kube/config dest=/root/.kube/config
   delegate_to: "{{ groups.deploy[0] }}"
 
-- name: 分发 CA 证书
+- name: 分发证书相关
   synchronize: src={{ ca_dir }}/{{ item }} dest={{ ca_dir }}/{{ item }}
   with_items:
+  - admin.pem
+  - admin-key.pem
   - ca.pem
   - ca-key.pem
   - ca.csr
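Review bot: Turning on `--authorization-mode=Webhook` leaves the kubelet read-only port untouched in this hunk; unless `--read-only-port=0` is set elsewhere in the unit (ExecStart continues outside the hunk), the unauthenticated 10255 endpoint that metrics-server just stopped using stays open, so the hardening this commit aims for is incomplete. I would add `--read-only-port=0 \` beside the two new flags, and for consistency with the surrounding `--flag=value` form write `--authentication-token-webhook=true \`. Webhook authentication also requires the kubelet's own client identity to be allowed to create TokenReview and SubjectAccessReview objects; the apiserver's `Node,RBAC` mode covers that through the Node authorizer only if the kubelet's certificate is in the system:nodes group, which is not visible here.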
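Review bot: The task now pushes `admin-key.pem` to every host the prepare role targets; if that role runs on worker nodes as well as masters (the play's host pattern is not in this hunk), the private key of a presumably cluster-admin credential lands on each node, where a node compromise would yield it. Only kube-apiserver consumes these two files (the `--kubelet-client-*` flags in the master templates), so the new items belong in a master-only distribution task, or this task needs a `when:` restricting them to the master group. The item list now mixes CA material with a client keypair; a comment such as `# admin.pem/admin-key.pem: kube-apiserver's kubelet client credential` above the new items would record why they are here.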