Skip to content

Commit

Permalink
mv TokenRequest and TokenRequestProjection to GA
Browse files Browse the repository at this point in the history
  • Loading branch information
@zshihang
zshihang committed Oct 30, 2020
1 parent f99ad43 commit ff641f6
Show file tree
Hide file tree
Showing 26 changed files with 254 additions and 327 deletions.
52 changes: 52 additions & 0 deletions api/openapi-spec/swagger.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion cmd/kube-apiserver/app/options/options.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -270,7 +270,7 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
"Turns on aggregator routing requests to endpoints IP rather than cluster IP.")

fs.StringVar(&s.ServiceAccountSigningKeyFile, "service-account-signing-key-file", s.ServiceAccountSigningKeyFile, ""+
"Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. (Requires the 'TokenRequest' feature gate.)")
"Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.")

return fss
}
8 changes: 0 additions & 8 deletions cmd/kube-apiserver/app/options/validation.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,14 +120,6 @@ func validateTokenRequest(options *ServerRunOptions) []error {

enableSucceeded := options.ServiceAccountIssuer != nil

if enableAttempted && !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
errs = append(errs, errors.New("the TokenRequest feature is not enabled but --service-account-signing-key-file, --service-account-issuer and/or --api-audiences flags were passed"))
}

if utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) && !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
errs = append(errs, errors.New("the BoundServiceAccountTokenVolume feature depends on the TokenRequest feature, but the TokenRequest features is not enabled"))
}

if !enableAttempted && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
errs = append(errs, errors.New("--service-account-signing-key-file and --service-account-issuer are required flags"))
}
Expand Down
5 changes: 0 additions & 5 deletions cmd/kube-controller-manager/app/controllermanager.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,6 @@ import (
"k8s.io/apiserver/pkg/server"
"k8s.io/apiserver/pkg/server/healthz"
"k8s.io/apiserver/pkg/server/mux"
utilfeature "k8s.io/apiserver/pkg/util/feature"
cacheddiscovery "k8s.io/client-go/discovery/cached"
"k8s.io/client-go/informers"
clientset "k8s.io/client-go/kubernetes"
Expand All @@ -66,7 +65,6 @@ import (
"k8s.io/kubernetes/pkg/controller"
kubectrlmgrconfig "k8s.io/kubernetes/pkg/controller/apis/config"
serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/serviceaccount"
)

Expand Down Expand Up @@ -620,9 +618,6 @@ func readCA(file string) ([]byte, error) {
}

func shouldTurnOnDynamicClient(client clientset.Interface) bool {
if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
return false
}
apiResourceList, err := client.Discovery().ServerResourcesForGroupVersion(v1.SchemeGroupVersion.String())
if err != nil {
klog.Warningf("fetch api resource lists failed, use legacy client builder: %v", err)
Expand Down
30 changes: 16 additions & 14 deletions cmd/kubeadm/app/phases/controlplane/manifests.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -132,20 +132,22 @@ func CreateStaticPodFiles(manifestDir, patchesDir string, cfg *kubeadmapi.Cluste
// getAPIServerCommand builds the right API server command from the given config object and version
func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint *kubeadmapi.APIEndpoint) []string {
defaultArguments := map[string]string{
"advertise-address": localAPIEndpoint.AdvertiseAddress,
"insecure-port": "0",
"enable-admission-plugins": "NodeRestriction",
"service-cluster-ip-range": cfg.Networking.ServiceSubnet,
"service-account-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPublicKeyName),
"client-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
"tls-cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerCertName),
"tls-private-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerKeyName),
"kubelet-client-certificate": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerKubeletClientCertName),
"kubelet-client-key": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerKubeletClientKeyName),
"enable-bootstrap-token-auth": "true",
"secure-port": fmt.Sprintf("%d", localAPIEndpoint.BindPort),
"allow-privileged": "true",
"kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname",
"advertise-address": localAPIEndpoint.AdvertiseAddress,
"insecure-port": "0",
"enable-admission-plugins": "NodeRestriction",
"service-cluster-ip-range": cfg.Networking.ServiceSubnet,
"service-account-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPublicKeyName),
"service-account-signing-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPrivateKeyName),
"service-account-issuer": fmt.Sprintf("https://kubernetes.default.svc.%s", cfg.Networking.DNSDomain),
"client-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
"tls-cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerCertName),
"tls-private-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerKeyName),
"kubelet-client-certificate": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerKubeletClientCertName),
"kubelet-client-key": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerKubeletClientKeyName),
"enable-bootstrap-token-auth": "true",
"secure-port": fmt.Sprintf("%d", localAPIEndpoint.BindPort),
"allow-privileged": "true",
"kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname",
// add options to configure the front proxy. Without the generated client cert, this will never be useable
// so add it unconditionally with recommended values
"requestheader-username-headers": "X-Remote-User",
Expand Down
48 changes: 36 additions & 12 deletions cmd/kubeadm/app/phases/controlplane/manifests_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ func TestGetAPIServerCommand(t *testing.T) {
{
name: "testing defaults",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
CertificatesDir: testCertsDir,
},
endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
Expand All @@ -207,6 +207,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + testCertsDir + "/sa.pub",
"--service-account-signing-key-file=" + testCertsDir + "/sa.key",
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + testCertsDir + "/ca.crt",
"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
Expand Down Expand Up @@ -234,7 +236,7 @@ func TestGetAPIServerCommand(t *testing.T) {
{
name: "ipv6 advertise address",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
CertificatesDir: testCertsDir,
},
endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"},
Expand All @@ -244,6 +246,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + testCertsDir + "/sa.pub",
"--service-account-signing-key-file=" + testCertsDir + "/sa.key",
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + testCertsDir + "/ca.crt",
"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
Expand Down Expand Up @@ -271,7 +275,7 @@ func TestGetAPIServerCommand(t *testing.T) {
{
name: "an external etcd with custom ca, certs and keys",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
Etcd: kubeadmapi.Etcd{
External: &kubeadmapi.ExternalEtcd{
Endpoints: []string{"https://[2001:abcd:bcda::1]:2379", "https://[2001:abcd:bcda::2]:2379"},
Expand All @@ -289,6 +293,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + testCertsDir + "/sa.pub",
"--service-account-signing-key-file=" + testCertsDir + "/sa.key",
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + testCertsDir + "/ca.crt",
"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
Expand Down Expand Up @@ -316,7 +322,7 @@ func TestGetAPIServerCommand(t *testing.T) {
{
name: "an insecure etcd",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
Etcd: kubeadmapi.Etcd{
External: &kubeadmapi.ExternalEtcd{
Endpoints: []string{"http://[::1]:2379", "http://[::1]:2380"},
Expand All @@ -331,6 +337,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + testCertsDir + "/sa.pub",
"--service-account-signing-key-file=" + testCertsDir + "/sa.key",
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + testCertsDir + "/ca.crt",
"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
Expand All @@ -355,7 +363,7 @@ func TestGetAPIServerCommand(t *testing.T) {
{
name: "test APIServer.ExtraArgs works as expected",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
CertificatesDir: testCertsDir,
APIServer: kubeadmapi.APIServer{
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
Expand All @@ -375,6 +383,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=baz",
"--service-account-key-file=" + testCertsDir + "/sa.pub",
"--service-account-signing-key-file=" + testCertsDir + "/sa.key",
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + testCertsDir + "/ca.crt",
"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
Expand Down Expand Up @@ -404,7 +414,7 @@ func TestGetAPIServerCommand(t *testing.T) {
{
name: "authorization-mode extra-args ABAC",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
CertificatesDir: testCertsDir,
APIServer: kubeadmapi.APIServer{
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
Expand All @@ -421,6 +431,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + testCertsDir + "/sa.pub",
"--service-account-signing-key-file=" + testCertsDir + "/sa.key",
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + testCertsDir + "/ca.crt",
"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
Expand Down Expand Up @@ -448,7 +460,7 @@ func TestGetAPIServerCommand(t *testing.T) {
{
name: "insecure-port extra-args",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
CertificatesDir: testCertsDir,
APIServer: kubeadmapi.APIServer{
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
Expand All @@ -465,6 +477,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + testCertsDir + "/sa.pub",
"--service-account-signing-key-file=" + testCertsDir + "/sa.key",
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + testCertsDir + "/ca.crt",
"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
Expand Down Expand Up @@ -492,7 +506,7 @@ func TestGetAPIServerCommand(t *testing.T) {
{
name: "authorization-mode extra-args Webhook",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
CertificatesDir: testCertsDir,
APIServer: kubeadmapi.APIServer{
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
Expand All @@ -513,6 +527,8 @@ func TestGetAPIServerCommand(t *testing.T) {
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + testCertsDir + "/sa.pub",
"--service-account-signing-key-file=" + testCertsDir + "/sa.key",
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + testCertsDir + "/ca.crt",
"--tls-cert-file=" + testCertsDir + "/apiserver.crt",
"--tls-private-key-file=" + testCertsDir + "/apiserver.key",
Expand Down Expand Up @@ -628,7 +644,7 @@ func TestGetControllerManagerCommand(t *testing.T) {
{
name: "custom cluster-cidr for " + cpVersion,
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{PodSubnet: "10.0.1.15/16"},
Networking: kubeadmapi.Networking{PodSubnet: "10.0.1.15/16", DNSDomain: "cluster.local"},
CertificatesDir: testCertsDir,
KubernetesVersion: cpVersion,
},
Expand Down Expand Up @@ -657,7 +673,9 @@ func TestGetControllerManagerCommand(t *testing.T) {
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{
PodSubnet: "10.0.1.15/16",
ServiceSubnet: "172.20.0.0/24"},
ServiceSubnet: "172.20.0.0/24",
DNSDomain: "cluster.local",
},
CertificatesDir: testCertsDir,
KubernetesVersion: cpVersion,
},
Expand Down Expand Up @@ -685,7 +703,7 @@ func TestGetControllerManagerCommand(t *testing.T) {
{
name: "custom extra-args for " + cpVersion,
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{PodSubnet: "10.0.1.15/16"},
Networking: kubeadmapi.Networking{PodSubnet: "10.0.1.15/16", DNSDomain: "cluster.local"},
ControllerManager: kubeadmapi.ControlPlaneComponent{
ExtraArgs: map[string]string{"node-cidr-mask-size": "20"},
},
Expand Down Expand Up @@ -719,7 +737,9 @@ func TestGetControllerManagerCommand(t *testing.T) {
Networking: kubeadmapi.Networking{
PodSubnet: "2001:db8::/64",
ServiceSubnet: "fd03::/112",
DNSDomain: "cluster.local",
},

CertificatesDir: testCertsDir,
KubernetesVersion: cpVersion,
},
Expand Down Expand Up @@ -750,6 +770,7 @@ func TestGetControllerManagerCommand(t *testing.T) {
Networking: kubeadmapi.Networking{
PodSubnet: "2001:db8::/64,10.1.0.0/16",
ServiceSubnet: "fd03::/112,192.168.0.0/16",
DNSDomain: "cluster.local",
},
CertificatesDir: testCertsDir,
KubernetesVersion: cpVersion,
Expand Down Expand Up @@ -780,7 +801,10 @@ func TestGetControllerManagerCommand(t *testing.T) {
{
name: "dual-stack networking custom extra-args for " + cpVersion,
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{PodSubnet: "10.0.1.15/16,2001:db8::/64"},
Networking: kubeadmapi.Networking{
PodSubnet: "10.0.1.15/16,2001:db8::/64",
DNSDomain: "cluster.local",
},
ControllerManager: kubeadmapi.ControlPlaneComponent{
ExtraArgs: map[string]string{"node-cidr-mask-size-ipv4": "20", "node-cidr-mask-size-ipv6": "80"},
},
Expand Down
13 changes: 13 additions & 0 deletions hack/make-rules/test-cmd.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,15 @@ source "${KUBE_ROOT}/hack/lib/init.sh"
source "${KUBE_ROOT}/hack/lib/test.sh"
source "${KUBE_ROOT}/test/cmd/legacy-script.sh"

# setup envs for TokenRequest required flags
SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}
SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-/tmp/kube-serviceaccount.key}
# Generate ServiceAccount key if needed
if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then
mkdir -p "$(dirname "${SERVICE_ACCOUNT_KEY}")"
openssl genrsa -out "${SERVICE_ACCOUNT_KEY}" 2048 2>/dev/null
fi

# Runs kube-apiserver
#
# Exports:
Expand Down Expand Up @@ -64,6 +73,10 @@ function run_kube_apiserver() {
--disable-admission-plugins="${DISABLE_ADMISSION_PLUGINS}" \
--etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
--runtime-config=api/v1 \
--service-account-key-file="${SERVICE_ACCOUNT_KEY}" \
--service-account-lookup="${SERVICE_ACCOUNT_LOOKUP}" \
--service-account-issuer="https://kubernetes.default.svc" \
--service-account-signing-key-file="${SERVICE_ACCOUNT_KEY}" \
--storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \
--cert-dir="${TMPDIR:-/tmp/}" \
--service-cluster-ip-range="10.0.0.0/24" \
Expand Down
Loading

0 comments on commit ff641f6

Please sign in to comment.