Bind kubelet to all interfaces and use webhook auth

Erik Wilson 2019-04-26 15:02:30 -07:00
parent 305b596745
commit c9941895d6
3 changed files with 5 additions and 3 deletions


@ -301,7 +301,7 @@ func get(envInfo *cmds.Agent) (*config.Node, error) {
nodeConfig.AgentConfig.ClusterDomain = controlConfig.ClusterDomain
nodeConfig.AgentConfig.ResolvConf = locateOrGenerateResolvConf(envInfo)
nodeConfig.AgentConfig.CACertPath = clientCA
nodeConfig.AgentConfig.ListenAddress = "127.0.0.1"
nodeConfig.AgentConfig.ListenAddress = "0.0.0.0"
nodeConfig.AgentConfig.KubeConfig = kubeConfig
nodeConfig.AgentConfig.RootDir = filepath.Join(envInfo.DataDir, "kubelet")
nodeConfig.CACerts = info.CACerts
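Review bot: The listen address is now hard-coded to `"0.0.0.0"`, so the kubelet API becomes reachable on every interface of the node, including any public one, and an operator has no way to narrow it. Whether that is safe depends entirely on the webhook authentication and authorization flags set in the kubelet arguments in another file, which nothing at this line records. I would either take the address from configuration (for example the node's IP) with this value as the fallback, or at least add a comment such as `// all interfaces: requires kubelet webhook authn/authz (see kubelet args)`. The body of `get` starts and ends outside the hunk, so how `ListenAddress` is consumed is not visible here.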


@ -16,6 +16,7 @@ import (
"k8s.io/component-base/logs"
app2 "k8s.io/kubernetes/cmd/kube-proxy/app"
"k8s.io/kubernetes/cmd/kubelet/app"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
_ "k8s.io/kubernetes/pkg/client/metrics/prometheus" // for client metric registration
_ "k8s.io/kubernetes/pkg/version/prometheus" // for version metric registration
@ -64,6 +65,7 @@ func kubelet(cfg *config.Agent) {
//"cgroup-root": "/k3s",
"cgroup-driver": "cgroupfs",
"authentication-token-webhook": "true",
"authorization-mode": modes.ModeWebhook,
}
if cfg.RootDir != "" {
argsMap["root-dir"] = cfg.RootDir
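Review bot: In the second hunk, `argsMap` enables webhook authorization, but the visible entries neither disable anonymous authentication nor close the read-only port, and both matter more now that the kubelet listens on all interfaces. Unless they are already set in the part of the map above the hunk, I would add `"anonymous-auth": "false",` and `"read-only-port": "0",` next to the new line, so unauthenticated requests are rejected outright instead of being handed to the authorizer as `system:anonymous`. The `modes.ModeWebhook` constant pulls a kube-apiserver package into the agent for a single string; a short comment saying why the constant is preferred over the literal would help. `kubelet` continues outside the hunk.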


@ -455,8 +455,8 @@ func genTokenCerts(config *config.Control, runtime *config.ControlRuntime) error
return err
}
if err := createClientCertKey(regen, "kubernetes",
nil, &certutil.AltNames{
if err := createClientCertKey(regen, "kubernetes", []string{"system:masters"},
&certutil.AltNames{
DNSNames: []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"},
IPs: []net.IP{apiServerServiceIP, localhostIP},
}, x509KeyClientUsage,
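Review bot: Issuing the `kubernetes` client certificate with the organization `system:masters` makes its holder a member of the group the API server treats as unrestricted, and that membership cannot be narrowed or revoked through RBAC. If the purpose is only to let the API server pass the kubelet's new webhook authorization (inferred from the commit title; the caller is not visible), a dedicated identity bound to the `system:kubelet-api-admin` ClusterRole would grant just the kubelet API. It is also worth confirming that `regen` is true on upgrade, because a certificate issued before this change carries no organization and would presumably be refused by the kubelet. The call continues past the end of the hunk.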