From baf0a331c91691cb2197178b774eca681e059a4c Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Mon, 23 Sep 2024 16:38:21 +0200
Subject: [PATCH 1/2] Don't generate static tokens for nodes and control planes

Nodes to api-server relies by default certificates, and bootstrap tokens, and there should be no need to generate tokens for every nodes, even when enabling static token auth.
---
 docs/ansible/ansible.md | 2 -
 docs/operations/upgrades.md | 2 +-
 roles/kubernetes/control-plane/meta/main.yml | 4 --
 .../tasks/0050-create_directories.yml | 2 -
 .../kubernetes/tokens/files/kube-gen-token.sh | 34 ----------
 .../kubernetes/tokens/tasks/check-tokens.yml | 41 ------------
 roles/kubernetes/tokens/tasks/gen_tokens.yml | 63 -------------------
 roles/kubernetes/tokens/tasks/main.yml | 21 -------
 8 files changed, 1 insertion(+), 168 deletions(-)
 delete mode 100644 roles/kubernetes/tokens/files/kube-gen-token.sh
 delete mode 100644 roles/kubernetes/tokens/tasks/check-tokens.yml
 delete mode 100644 roles/kubernetes/tokens/tasks/gen_tokens.yml
 delete mode 100644 roles/kubernetes/tokens/tasks/main.yml

diff --git a/docs/ansible/ansible.md b/docs/ansible/ansible.md
index 5e79d966d..3297e1080 100644
--- a/docs/ansible/ansible.md
+++ b/docs/ansible/ansible.md
@@ -174,8 +174,6 @@ The following tags are defined in playbooks:
 | init | Windows kubernetes init nodes |
 | iptables | Flush and clear iptable when resetting |
 | k8s-pre-upgrade | Upgrading K8s cluster |
-| k8s-secrets | Configuring K8s certs/keys |
-| k8s-gen-tokens | Configuring K8s tokens |
 | kata-containers | Configuring kata-containers runtime |
 | krew | Install and manage krew |
 | kubeadm | Roles linked to kubeadm tasks |
diff --git a/docs/operations/upgrades.md b/docs/operations/upgrades.md
index 6c915c765..ff768ebdc 100644
--- a/docs/operations/upgrades.md
+++ b/docs/operations/upgrades.md
@@ -392,7 +392,7 @@ ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd --limi
 Upgrade kubelet:
 
 ```ShellSession
-ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs
 ```
 
 Upgrade Kubernetes master components:
diff --git a/roles/kubernetes/control-plane/meta/main.yml b/roles/kubernetes/control-plane/meta/main.yml
index 7b2cfe365..9e5d86e0f 100644
--- a/roles/kubernetes/control-plane/meta/main.yml
+++ b/roles/kubernetes/control-plane/meta/main.yml
@@ -1,10 +1,6 @@
 ---
 dependencies:
   - role: kubernetes/kubeadm_common
-  - role: kubernetes/tokens
-    when: kube_token_auth
-    tags:
-      - k8s-secrets
   - role: adduser
     user: "{{ addusers.etcd }}"
     when:
diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
index 7c4072c95..7f1cdb5d3 100644
--- a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
+++ b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -9,7 +9,6 @@
   become: true
   tags:
     - kubelet
-    - k8s-secrets
     - kube-controller-manager
     - kube-apiserver
     - bootstrap-os
@@ -34,7 +33,6 @@
   become: true
   tags:
     - kubelet
-    - k8s-secrets
     - kube-controller-manager
     - kube-apiserver
     - bootstrap-os
diff --git a/roles/kubernetes/tokens/files/kube-gen-token.sh b/roles/kubernetes/tokens/files/kube-gen-token.sh
deleted file mode 100644
index 121b52263..000000000
--- a/roles/kubernetes/tokens/files/kube-gen-token.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-
-# Copyright 2015 The Kubernetes Authors All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-token_dir=${TOKEN_DIR:-/var/srv/kubernetes}
-token_file="${token_dir}/known_tokens.csv"
-
-create_accounts=($@)
-
-if [ ! -e "${token_file}" ]; then
-  touch "${token_file}"
-fi
-
-for account in "${create_accounts[@]}"; do
-  if grep ",${account}," "${token_file}" ; then
-    continue
-  fi
-  token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
-  echo "${token},${account},${account}" >> "${token_file}"
-  echo "${token}" > "${token_dir}/${account}.token"
-  echo "Added ${account}"
-done
diff --git a/roles/kubernetes/tokens/tasks/check-tokens.yml b/roles/kubernetes/tokens/tasks/check-tokens.yml
deleted file mode 100644
index baa0c9f03..000000000
--- a/roles/kubernetes/tokens/tasks/check-tokens.yml
+++ /dev/null
@@ -1,41 +0,0 @@
----
-- name: "Check_tokens | check if the tokens have already been generated on first control plane node"
-  stat:
-    path: "{{ kube_token_dir }}/known_tokens.csv"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  register: known_tokens_control_plane
-  run_once: true
-
-- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
-  set_fact:
-    sync_tokens: false
-    gen_tokens: false
-
-- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
-  set_fact:
-    gen_tokens: true
-  when: not known_tokens_control_plane.stat.exists and kube_token_auth | default(true)
-  run_once: true
-
-- name: "Check tokens | check if a cert already exists"
-  stat:
-    path: "{{ kube_token_dir }}/known_tokens.csv"
-    get_attributes: false
-    get_checksum: true
-    get_mime: false
-  register: known_tokens
-
-- name: "Check_tokens | Set 'sync_tokens' to true"
-  set_fact:
-    sync_tokens: >-
-      {%- set tokens = {'sync': False} -%}
-      {%- for server in groups['kube_control_plane'] | intersect(ansible_play_batch)
-        if (not hostvars[server].known_tokens.stat.exists) or
-        (hostvars[server].known_tokens.stat.checksum | default('') != known_tokens_control_plane.stat.checksum | default('')) -%}
-        {%- set _ = tokens.update({'sync': True}) -%}
-      {%- endfor -%}
-      {{ tokens.sync }}
-  run_once: true
diff --git a/roles/kubernetes/tokens/tasks/gen_tokens.yml b/roles/kubernetes/tokens/tasks/gen_tokens.yml
deleted file mode 100644
index 67b45f9ae..000000000
--- a/roles/kubernetes/tokens/tasks/gen_tokens.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-- name: Gen_tokens | copy tokens generation script
-  copy:
-    src: "kube-gen-token.sh"
-    dest: "{{ kube_script_dir }}/kube-gen-token.sh"
-    mode: "0700"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  when: gen_tokens | default(false)
-
-- name: Gen_tokens | generate tokens for control plane components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ "system:kubectl" ]
-    - "{{ groups['kube_control_plane'] }}"
-  register: gentoken_control_plane
-  changed_when: "'Added' in gentoken_control_plane.stdout"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  when: gen_tokens | default(false)
-
-- name: Gen_tokens | generate tokens for node components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ 'system:kubelet' ]
-    - "{{ groups['kube_node'] }}"
-  register: gentoken_node
-  changed_when: "'Added' in gentoken_node.stdout"
-  run_once: true
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  when: gen_tokens | default(false)
-
-- name: Gen_tokens | Get list of tokens from first control plane node
-  command: "find {{ kube_token_dir }} -maxdepth 1 -type f"
-  register: tokens_list
-  check_mode: false
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  when: sync_tokens | default(false)
-
-- name: Gen_tokens | Gather tokens
-  shell: "set -o pipefail && tar cfz - {{ tokens_list.stdout_lines | join(' ') }} | base64 --wrap=0"
-  args:
-    executable: /bin/bash
-  register: tokens_data
-  check_mode: false
-  delegate_to: "{{ groups['kube_control_plane'][0] }}"
-  run_once: true
-  when: sync_tokens | default(false)
-
-- name: Gen_tokens | Copy tokens on control plane nodes
-  shell: "set -o pipefail && echo '{{ tokens_data.stdout | quote }}' | base64 -d | tar xz -C /"
-  args:
-    executable: /bin/bash
-  when:
-    - ('kube_control_plane' in group_names)
-    - sync_tokens | default(false)
-    - inventory_hostname != groups['kube_control_plane'][0]
-    - tokens_data.stdout
diff --git a/roles/kubernetes/tokens/tasks/main.yml b/roles/kubernetes/tokens/tasks/main.yml
deleted file mode 100644
index cab5a06bd..000000000
--- a/roles/kubernetes/tokens/tasks/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-
-- name: Check tokens
-  import_tasks: check-tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens
-    - facts
-
-- name: Make sure the tokens directory exits
-  file:
-    path: "{{ kube_token_dir }}"
-    state: directory
-    mode: "0644"
-    group: "{{ kube_cert_group }}"
-
-- name: Generate tokens
-  import_tasks: gen_tokens.yml
-  tags:
-    - k8s-secrets
-    - k8s-gen-tokens

From a2a2dfa4196c0667c8dc7be7d7abfd92bb2f5000 Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Mon, 23 Sep 2024 20:37:56 +0200
Subject: [PATCH 2/2] k8s/control-plane: cleanup excessive defaulting

---
 .../control-plane/templates/kubeadm-config.v1beta3.yaml.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
index 9dd5e4376..4e5530315 100644
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
@@ -148,7 +148,7 @@ apiServer:
     profiling: "{{ kube_profiling }}"
     request-timeout: "{{ kube_apiserver_request_timeout }}"
     enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
-{% if kube_token_auth | default(true) %}
+{% if kube_token_auth %}
     token-auth-file: {{ kube_token_dir }}/known_tokens.csv
 {% endif %}
 {% if kube_apiserver_service_account_lookup %}
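Review bot: Dropping `| default(true)` on `kube_token_auth` here (and on `kube_token_auth` / `kube_webhook_token_auth` in the @@ -230 hunk) turns an unset variable from silently enabling static token auth into a templating error, which is the safer failure mode for an authentication knob, but only if the role's defaults actually define both variables — those defaults are not visible on this page, so that is worth confirming before merge. Separately, `token-auth-file: {{ kube_token_dir }}/known_tokens.csv` is still emitted whenever `kube_token_auth` is true, yet the first patch of this series deletes the tasks that created `kube_token_dir` and `known_tokens.csv`; unless some other task still provisions that file, enabling the option now produces an apiserver manifest that points at a file nothing creates, and as far as I recall kube-apiserver refuses to start when its token file cannot be read. A template comment above the branch would make the new contract explicit, e.g. `{# known_tokens.csv is operator-supplied; nothing in this role generates it #}`, ideally mirrored in the documentation of `kube_token_auth`. The `apiServer:` block continues outside the hunk.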
@@ -230,14 +230,14 @@ apiServer:
 {% if kube_apiserver_tracing %}
     tracing-config-file: {{ kube_config_dir }}/tracing/apiserver-tracing.yaml
 {% endif %}
-{% if kubernetes_audit or kube_token_auth | default(true) or kube_webhook_token_auth | default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] ) or apiserver_extra_volumes or ssl_ca_dirs | length %}
+{% if kubernetes_audit or kube_token_auth or kube_webhook_token_auth or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] ) or apiserver_extra_volumes or ssl_ca_dirs | length %}
   extraVolumes:
 {% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] %}
   - name: cloud-config
     hostPath: {{ kube_config_dir }}/cloud_config
     mountPath: {{ kube_config_dir }}/cloud_config
 {% endif %}
-{% if kube_token_auth | default(true) %}
+{% if kube_token_auth %}
   - name: token-auth-config
     hostPath: {{ kube_token_dir }}
     mountPath: {{ kube_token_dir }}