bootstrap 2

Author: smarterclayton

pkg/cmd/server/bootstrappolicy/infra_sa_policy.go

@@ -7,6 +7,7 @@ import (
 	"k8s.io/kubernetes/pkg/apis/apps"
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
 	"k8s.io/kubernetes/pkg/apis/batch"
+	"k8s.io/kubernetes/pkg/apis/certificates"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/apis/storage"
@@ -67,6 +68,9 @@ const (
 	InfraPetSetControllerServiceAccountName = "pet-set-controller"
 	PetSetControllerRoleName                = "system:pet-set-controller"
 
+	InfraCertificateSigningControllerServiceAccountName = "certificate-signing-controller"
+	CertificateSigningControllerRoleName                = "system:certificate-signing-controller"
+
 	InfraUnidlingControllerServiceAccountName = "unidling-controller"
 	UnidlingControllerRoleName                = "system:unidling-controller"
 
@@ -78,6 +82,9 @@ const (
 
 	InfraServiceIngressIPControllerServiceAccountName = "service-ingress-ip-controller"
 	ServiceIngressIPControllerRoleName                = "system:service-ingress-ip-controller"
+
+	InfraNodeBootstrapServiceAccountName = "node-bootstrap"
+	NodeBootstrapRoleName                = "system:node-bootstrap"
 )
 
 type InfraServiceAccounts struct {
@@ -981,6 +988,30 @@ func init() {
 		panic(err)
 	}
 
+	err = InfraSAs.addServiceAccount(
+		InfraCertificateSigningControllerServiceAccountName,
+		authorizationapi.ClusterRole{
+			ObjectMeta: kapi.ObjectMeta{
+				Name: CertificateSigningControllerRoleName,
+			},
+			Rules: []authorizationapi.PolicyRule{
+				{
+					APIGroups: []string{certificates.GroupName},
+					Verbs:     sets.NewString("list", "watch"),
+					Resources: sets.NewString("certificatesigningrequests"),
+				},
+				{
+					APIGroups: []string{certificates.GroupName},
+					Verbs:     sets.NewString("update"),
+					Resources: sets.NewString("certificatesigningrequests/status", "certificatesigningrequests/approval"),
+				},
+			},
+		},
+	)
+	if err != nil {
+		panic(err)
+	}
+
 	err = InfraSAs.addServiceAccount(
 		InfraEndpointControllerServiceAccountName,
 		authorizationapi.ClusterRole{
@@ -1050,4 +1081,22 @@ func init() {
 		panic(err)
 	}
 
+	err = InfraSAs.addServiceAccount(
+		InfraNodeBootstrapServiceAccountName,
+		authorizationapi.ClusterRole{
+			ObjectMeta: kapi.ObjectMeta{
+				Name: NodeBootstrapRoleName,
+			},
+			Rules: []authorizationapi.PolicyRule{
+				{
+					APIGroups: []string{certificates.GroupName},
+					Verbs:     sets.NewString("create", "get"),
+					Resources: sets.NewString("certificatesigningrequests"),
+				},
+			},
+		},
+	)
+	if err != nil {
+		panic(err)
+	}
 }

pkg/cmd/server/bootstrappolicy/policy.go

@@ -635,6 +635,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 				// TODO: change glusterfs to use DNS lookup so this isn't needed?
 				// Needed for glusterfs volumes
 				authorizationapi.NewRule("get").Groups(kapiGroup).Resources("endpoints").RuleOrDie(),
+				// Nodes are allowed to request CSRs (specifically, request serving certs)
+				authorizationapi.NewRule("get", "create").Groups(certificates.GroupName).Resources("certificatesigningrequests").RuleOrDie(),
 			},
 		},
 

pkg/cmd/server/kubernetes/master.go

@@ -30,6 +30,7 @@ import (
 	"k8s.io/kubernetes/pkg/client/typed/dynamic"
 	kclient "k8s.io/kubernetes/pkg/client/unversioned"
 	clientadapter "k8s.io/kubernetes/pkg/client/unversioned/adapters/internalclientset"
+	certcontroller "k8s.io/kubernetes/pkg/controller/certificates"
 	"k8s.io/kubernetes/pkg/controller/deployment"
 	"k8s.io/kubernetes/pkg/controller/garbagecollector/metaonly"
 	"k8s.io/kubernetes/pkg/master"
@@ -484,3 +485,23 @@ func (c *MasterConfig) createSchedulerConfig() (*scheduler.Config, error) {
 	// if the config file isn't provided, use the default provider
 	return configFactory.CreateFromProvider(factory.DefaultProvider)
 }
+
+func (c *MasterConfig) RunCertificateSigningController(client *client.Client) {
+	if len(c.ControllerManager.ApproveAllKubeletCSRsForGroup) == 0 {
+		return
+	}
+	resyncPeriod := kctrlmgr.ResyncPeriod(c.ControllerManager)()
+	clientset := clientadapter.FromUnversionedClient(client)
+	approver := certcontroller.NewGroupApprover(clientset.Certificates().CertificateSigningRequests(), c.ControllerManager.ApproveAllKubeletCSRsForGroup, "system:nodes")
+	certController, err := certcontroller.NewCertificateController(
+		clientset,
+		resyncPeriod,
+		c.ControllerManager.ClusterSigningCertFile,
+		c.ControllerManager.ClusterSigningKeyFile,
+		approver,
+	)
+	if err != nil {
+		glog.Fatalf("Failed to start certificate controller: %v", err)
+	}
+	go certController.Run(1, utilwait.NeverStop)
+}

pkg/cmd/server/kubernetes/master_config.go

@@ -178,6 +178,8 @@ func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextM
 	// Defaults are tested in TestCMServerDefaults
 	cmserver := cmapp.NewCMServer()
 	// Adjust defaults
+	cmserver.ClusterSigningCertFile = ""
+	cmserver.ClusterSigningKeyFile = ""
 	cmserver.Address = ""                   // no healthz endpoint
 	cmserver.Port = 0                       // no healthz endpoint
 	cmserver.EnableGarbageCollector = false // disabled until we add the controller

pkg/cmd/server/start/start_master.go

@@ -120,6 +120,18 @@ func NewCommandStartMaster(basename string, out, errout io.Writer) (*cobra.Comma
 				config.KubernetesMasterConfig.MasterIP = ip.String()
 			}
 		}
+		if config.KubernetesMasterConfig != nil {
+			args := config.KubernetesMasterConfig.ControllerArguments
+			if args == nil {
+				args = make(configapi.ExtendedArguments)
+				config.KubernetesMasterConfig.ControllerArguments = args
+			}
+			if len(args["cluster-signing-cert-file"]) == 0 && len(args["cluster-signing-key-file"]) == 0 && len(args["insecure-experimental-approve-all-kubelet-csrs-for-group"]) == 0 {
+				args["cluster-signing-cert-file"] = []string{admin.DefaultCertFilename(options.MasterArgs.ConfigDir.Value(), admin.CAFilePrefix)}
+				args["cluster-signing-key-file"] = []string{admin.DefaultKeyFilename(options.MasterArgs.ConfigDir.Value(), admin.CAFilePrefix)}
+				args["insecure-experimental-approve-all-kubelet-csrs-for-group"] = []string{"system:serviceaccounts:openshift-infra"}
+			}
+		}
 		return nil
 	}
 
@@ -645,6 +657,11 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro
 			glog.Fatalf("Could not get client for pet set controller: %v", err)
 		}
 
+		_, _, certificateSigningClient, err := oc.GetServiceAccountClients(bootstrappolicy.InfraCertificateSigningControllerServiceAccountName)
+		if err != nil {
+			glog.Fatalf("Could not get client for disruption budget controller: %v", err)
+		}
+
 		namespaceControllerClientConfig, _, namespaceControllerKubeClient, err := oc.GetServiceAccountClients(bootstrappolicy.InfraNamespaceControllerServiceAccountName)
 		if err != nil {
 			glog.Fatalf("Could not get client for namespace controller: %v", err)
@@ -695,6 +712,8 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro
 
 		kc.RunServiceLoadBalancerController(serviceLoadBalancerClient)
 
+		kc.RunCertificateSigningController(certificateSigningClient)
+
 		appsEnabled := len(configapi.GetEnabledAPIVersionsForGroup(kc.Options, apps.GroupName)) > 0
 		if appsEnabled {
 			kc.RunPetSetController(petSetClient)