
Merge pull request #2019 from chadswen/disable-api-insecure-port

Support for disabling apiserver insecure port (the sequel)
pull/2191/head
Brad Beam 6 years ago
committed by GitHub
parent
commit
0c8bed21ee
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 44 additions and 8 deletions
  1. 4
      inventory/group_vars/k8s-cluster.yml
  2. 5
      roles/kubernetes-apps/ansible/tasks/main.yml
  3. 5
      roles/kubernetes-apps/cluster_roles/tasks/main.yml
  4. 5
      roles/kubernetes/master/handlers/main.yml
  5. 2
      roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
  6. 12
      roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
  7. 7
      roles/kubernetes/preinstall/tasks/verify-settings.yml
  8. 12
      roles/kubespray-defaults/defaults/main.yaml

4
inventory/group_vars/k8s-cluster.yml

@ -20,7 +20,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
# This is where to save basic auth file # This is where to save basic auth file
kube_users_dir: "{{ kube_config_dir }}/users" kube_users_dir: "{{ kube_config_dir }}/users"
kube_api_anonymous_auth: false
kube_api_anonymous_auth: true
## Change this to use another Kubernetes version, e.g. a current beta release ## Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.9.0 kube_version: v1.9.0
@ -106,6 +106,8 @@ kube_network_node_prefix: 24
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
kube_apiserver_port: 6443 # (https) kube_apiserver_port: 6443 # (https)
kube_apiserver_insecure_port: 8080 # (http) kube_apiserver_insecure_port: 8080 # (http)
# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
#kube_apiserver_insecure_port: 0 # (disabled)
# DNS configuration. # DNS configuration.
# Kubernetes cluster name, also will be used as DNS domain # Kubernetes cluster name, also will be used as DNS domain
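Review bot: The new comment `# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true` states the requirement without its reason, and the rendered hunk does not mark which of the two `kube_api_anonymous_auth` lines is the new default; if the default is now `true`, that is a security-relevant change that deserves a line of explanation here. Judging from the manifest hunk, the reason appears to be that once the insecure port is gone the kube-apiserver liveness probe hits `/healthz` over HTTPS without client credentials, so an unauthenticated request has to be accepted and RBAC has to limit what `system:anonymous` can reach. Suggest extending the comment: `# the kubelet liveness probe hits /healthz over HTTPS unauthenticated, so anonymous auth must stay enabled; RBAC limits what anonymous can reach`.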

5
roles/kubernetes-apps/ansible/tasks/main.yml

@ -1,7 +1,10 @@
--- ---
- name: Kubernetes Apps | Wait for kube-apiserver - name: Kubernetes Apps | Wait for kube-apiserver
uri: uri:
url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
url: "{{ kube_apiserver_endpoint }}/healthz"
validate_certs: no
client_cert: "{{ kube_apiserver_client_cert }}"
client_key: "{{ kube_apiserver_client_key }}"
register: result register: result
until: result.status == 200 until: result.status == 200
retries: 10 retries: 10
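Review bot: `validate_certs: no` turns off server-certificate verification for the new HTTPS wait on `{{ kube_apiserver_endpoint }}/healthz` while still presenting a client certificate; the same three lines are added in roles/kubernetes-apps/cluster_roles/tasks/main.yml and roles/kubernetes/master/handlers/main.yml. The likely motive (the serving certificate may not cover whatever address `kube_apiserver_endpoint` resolves to) should be recorded next to the line so it is not copied unthinkingly into tasks that talk to remote endpoints, and `no` is a YAML 1.1 truthy that yamllint flags, `false` being the unambiguous form. Suggest `validate_certs: false  # serving cert may not list this endpoint address; the client cert below still authenticates the check`. Which of the two `url:` lines is the new one is not marked in the rendered hunk; I read the `kube_apiserver_endpoint` one as new.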

5
roles/kubernetes-apps/cluster_roles/tasks/main.yml

@ -1,7 +1,10 @@
--- ---
- name: Kubernetes Apps | Wait for kube-apiserver - name: Kubernetes Apps | Wait for kube-apiserver
uri: uri:
url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
url: "{{ kube_apiserver_endpoint }}/healthz"
validate_certs: no
client_cert: "{{ kube_apiserver_client_cert }}"
client_key: "{{ kube_apiserver_client_key }}"
register: result register: result
until: result.status == 200 until: result.status == 200
retries: 10 retries: 10

5
roles/kubernetes/master/handlers/main.yml

@ -78,7 +78,10 @@
- name: Master | wait for the apiserver to be running - name: Master | wait for the apiserver to be running
uri: uri:
url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
url: "{{ kube_apiserver_endpoint }}/healthz"
validate_certs: no
client_cert: "{{ kube_apiserver_client_cert }}"
client_key: "{{ kube_apiserver_client_key }}"
register: result register: result
until: result.status == 200 until: result.status == 200
retries: 20 retries: 20

2
roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml

@ -6,7 +6,7 @@
remote_src: yes remote_src: yes
with_items: with_items:
- {src: apiserver.pem, dest: apiserver.crt} - {src: apiserver.pem, dest: apiserver.crt}
- {src: apiserver.pem, dest: apiserver.key}
- {src: apiserver-key.pem, dest: apiserver.key}
- {src: ca.pem, dest: ca.crt} - {src: ca.pem, dest: ca.crt}
- {src: ca-key.pem, dest: ca.key} - {src: ca-key.pem, dest: ca.key}
register: kubeadm_copy_old_certs register: kubeadm_copy_old_certs
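Review bot: The corrected entry `- {src: apiserver-key.pem, dest: apiserver.key}` copies a private key alongside `ca-key.pem`, but nothing in the hunk shows the permissions the copies receive; the task's header (apparently the `copy` module, given `remote_src: yes`) starts above the hunk, so confirm that `mode`/`owner` keep the destination keys from being world-readable. A one-line comment above the list, `# private keys (apiserver.key, ca.key) land here - keep the copy mode restrictive`, would make that expectation explicit. The old/new side of the two `apiserver.key` lines is not marked in the rendered view; I read the `apiserver-key.pem` line as the new one.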

12
roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2

@ -111,9 +111,17 @@ spec:
httpGet: httpGet:
host: 127.0.0.1 host: 127.0.0.1
path: /healthz path: /healthz
{% if kube_apiserver_insecure_port == 0 %}
port: {{ kube_apiserver_port }}
scheme: HTTPS
{% else %}
port: {{ kube_apiserver_insecure_port }} port: {{ kube_apiserver_insecure_port }}
initialDelaySeconds: 30
timeoutSeconds: 10
{% endif %}
failureThreshold: 8
initialDelaySeconds: 15
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 15
volumeMounts: volumeMounts:
- mountPath: {{ kube_config_dir }} - mountPath: {{ kube_config_dir }}
name: kubernetes-config name: kubernetes-config
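Review bot: The HTTPS branch of the liveness probe (`scheme: HTTPS` on `port: {{ kube_apiserver_port }}`) is issued by the kubelet without client credentials, which is presumably why the preinstall assert now demands `kube_api_anonymous_auth`; that coupling is invisible in the template itself. Suggest a Jinja comment above the `{% if kube_apiserver_insecure_port == 0 %}` line: `{# HTTPS /healthz is probed unauthenticated: needs kube_api_anonymous_auth (asserted in preinstall/tasks/verify-settings.yml) #}`. The probe also keeps `host: 127.0.0.1`, so it only works if the secure port is reachable on loopback, which the hunk does not show. The rendered hunk does not mark which timing lines were removed; I take `initialDelaySeconds: 15` and `timeoutSeconds: 15` as the new values and the 30/10 pair as the old ones.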

7
roles/kubernetes/preinstall/tasks/verify-settings.yml

@ -78,9 +78,14 @@
when: kubelet_fail_swap_on|default(true) when: kubelet_fail_swap_on|default(true)
ignore_errors: "{{ ignore_assert_errors }}" ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if RBAC is not enabled when dashboard is enabled - name: Stop if RBAC is not enabled when dashboard is enabled
assert: assert:
that: rbac_enabled that: rbac_enabled
when: dashboard_enabled when: dashboard_enabled
ignore_errors: "{{ ignore_assert_errors }}"
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
assert:
that: rbac_enabled and kube_api_anonymous_auth
when: kube_apiserver_insecure_port == 0
ignore_errors: "{{ ignore_assert_errors }}" ignore_errors: "{{ ignore_assert_errors }}"
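Review bot: The new assert `that: rbac_enabled and kube_api_anonymous_auth` fails with only the generic assertion text, so an operator who set `kube_apiserver_insecure_port: 0` is not told which setting is missing or why it matters. Ansible's `assert` accepts `msg:`; suggest adding `msg: "kube_apiserver_insecure_port=0 moves the apiserver health checks to HTTPS; both rbac_enabled and kube_api_anonymous_auth must be true"`. The hunk header's counts (-9/+14) do not match the seven changes listed for this file, so I could not tell from the rendered view whether the dashboard assert above is context or also new.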

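--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -229,6 +229,18 @@ kube_apiserver_endpoint: |-
 {%- endif %}
 kube_apiserver_insecure_endpoint: >-
 http://{{ kube_apiserver_insecure_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_insecure_port }}
+kube_apiserver_client_cert: |-
+{% if kubeadm_enabled -%}
+{{ kube_cert_dir }}/ca.crt
+{%- else -%}
+{{ kube_cert_dir }}/apiserver.pem
+{%- endif %}
+kube_apiserver_client_key: |-
+{% if kubeadm_enabled -%}
+{{ kube_cert_dir }}/ca.key
+{%- else -%}
+{{ kube_cert_dir }}/apiserver-key.pem
+{%- endif %}
 # Vars for pointing to etcd endpoints
 is_etcd_master: "{{ inventory_hostname in groups['etcd'] }}"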
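Review bot: In the `kubeadm_enabled` branch `kube_apiserver_client_cert` and `kube_apiserver_client_key` resolve to `{{ kube_cert_dir }}/ca.crt` and `{{ kube_cert_dir }}/ca.key`, so the cluster CA's own certificate and private key become a routine client credential for health checks. That presumably works because the CA certificate validates against itself, but it means the CA private key is read on every wait-for-apiserver task and by whatever runs those plays; a dedicated least-privilege client certificate (kubeadm's admin credentials, for instance) would be the safer default. In the non-kubeadm branch the serving certificate `apiserver.pem` is presented as a client certificate, which depends on that certificate carrying the clientAuth usage and being issued by the client CA, something the page does not show. A comment at `kube_apiserver_client_cert: |-` saying which credential this is and why the apiserver accepts it would keep the next maintainer from widening its use.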
