From 0ee6a4efb4eb1b9ef60503489e2586d100342c75 Mon Sep 17 00:00:00 2001
From: Ilya Dmitrichenko
Date: Tue, 18 Dec 2018 09:39:03 +0000
Subject: [PATCH] Switch to kubelet config file and enable server TLS bootstrap

This is what official bootstrap script uses also. This moves most of the flags to the config files, add adds one new parameter `serverTLSBootstrap`, which is not availables as a flag.
---
 pkg/nodebootstrap/assets/10-eksclt.al2.conf | 9 +-----
 pkg/nodebootstrap/assets/kubelet-config.json | 30 ++++++++++++++++++++
 pkg/nodebootstrap/userdata_al2.go | 5 ++--
 3 files changed, 34 insertions(+), 10 deletions(-)
 create mode 100644 pkg/nodebootstrap/assets/kubelet-config.json

diff --git a/pkg/nodebootstrap/assets/10-eksclt.al2.conf b/pkg/nodebootstrap/assets/10-eksclt.al2.conf
index 5cd6bfd4d6..4f26428a69 100644
--- a/pkg/nodebootstrap/assets/10-eksclt.al2.conf
+++ b/pkg/nodebootstrap/assets/10-eksclt.al2.conf
@@ -10,23 +10,16 @@ EnvironmentFile=/etc/eksctl/kubelet.local.env
 ExecStart=
 ExecStart=/usr/bin/kubelet \
-  --address=0.0.0.0 \
   --node-ip=${NODE_IP} \
   --cluster-dns=${CLUSTER_DNS} \
   --max-pods=${MAX_PODS} \
-  --authentication-token-webhook \
-  --authorization-mode=Webhook \
   --allow-privileged=true \
   --pod-infra-container-image=602401143452.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/eks/pause-amd64:3.1 \
   --cloud-provider=aws \
-  --cluster-domain=cluster.local \
   --cni-bin-dir=/opt/cni/bin \
   --cni-conf-dir=/etc/cni/net.d \
   --container-runtime=docker \
   --network-plugin=cni \
-  --cgroup-driver=cgroupfs \
   --register-node=true \
   --kubeconfig=/etc/eksctl/kubeconfig.yaml \
-  --feature-gates=RotateKubeletServerCertificate=true \
-  --anonymous-auth=false \
-  --client-ca-file=/etc/eksctl/ca.crt
+  --config=/etc/eksctl/kubelet-config.json
diff --git a/pkg/nodebootstrap/assets/kubelet-config.json b/pkg/nodebootstrap/assets/kubelet-config.json
new file mode 100644
index 0000000000..d8f7b62602
--- /dev/null
+++ b/pkg/nodebootstrap/assets/kubelet-config.json
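Review bot: Any kubelet flag left in this `ExecStart` list overrides the same setting in the new `--config=/etc/eksctl/kubelet-config.json`, so a later flag added here could silently undo the `anonymous`, `x509` or `authorization` choices that just moved into the JSON file, and nothing in the unit records that rule. I would add a comment above `ExecStart=/usr/bin/kubelet \` such as `# Auth/TLS settings live in kubelet-config.json; flags here take precedence over the file, so keep auth settings out of this list.` Flag-over-file precedence is kubelet's documented behaviour rather than something visible in the hunk, so confirm it against the kubelet version shipped in the AMI. It is also worth noting in the same comment that kubelet now refuses to start if the JSON file is missing or unparsable, so the file must be written before this unit is started.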
@@ -0,0 +1,30 @@
+{
+  "kind": "KubeletConfiguration",
+  "apiVersion": "kubelet.config.k8s.io/v1beta1",
+  "address": "0.0.0.0",
+  "authentication": {
+    "anonymous": {
+      "enabled": false
+    },
+    "webhook": {
+      "cacheTTL": "2m0s",
+      "enabled": true
+    },
+    "x509": {
+      "clientCAFile": "/etc/eksctl/ca.crt"
+    }
+  },
+  "authorization": {
+    "mode": "Webhook",
+    "webhook": {
+      "cacheAuthorizedTTL": "5m0s",
+      "cacheUnauthorizedTTL": "30s"
+    }
+  },
+  "clusterDomain": "cluster.local",
+  "cgroupDriver": "cgroupfs",
+  "featureGates": {
+    "RotateKubeletServerCertificate": true
+  },
+  "serverTLSBootstrap": true
+}
\ No newline at end of file
diff --git a/pkg/nodebootstrap/userdata_al2.go b/pkg/nodebootstrap/userdata_al2.go
index b04da4c5c6..0c7ee2bd09 100644
--- a/pkg/nodebootstrap/userdata_al2.go
+++ b/pkg/nodebootstrap/userdata_al2.go
@@ -23,8 +23,9 @@ func makeAmazonLinux2Config(spec *api.ClusterConfig, nodeGroupID int) (configFil
 			"metadata.env": {content: strings.Join(makeMetadata(spec), "\n")},
 			"kubelet.env":  {content: strings.Join(makeKubeletParams(spec, nodeGroupID), "\n")},
 			// TODO: https://github.com/weaveworks/eksctl/issues/161
-			"ca.crt":          {content: string(spec.CertificateAuthorityData)},
-			"kubeconfig.yaml": {content: string(clientConfigData)},
+			"kubelet-config.json": {isAsset: true},
+			"ca.crt":              {content: string(spec.CertificateAuthorityData)},
+			"kubeconfig.yaml":     {content: string(clientConfigData)},
 		},
 	}
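Review bot: `"serverTLSBootstrap": true` makes the kubelet request its serving certificate through a CSR instead of generating a self-signed one, but neither the file nor the commit message says who approves those CSRs; as far as I know the controller-manager's built-in approver only handles kubelet client certificates, so without an approver the kubelet keeps serving on a self-signed certificate and the API server cannot verify it — worth confirming how the EKS control plane handles serving CSRs before relying on this. Related: the file leaves `readOnlyPort` to the config-file default rather than stating it, and I believe that default differs from the legacy `--read-only-port` flag default the old unit was implicitly using, so I would pin `"readOnlyPort": 0,` explicitly next to `"address"` so the unauthenticated-port posture is written down rather than inherited (assuming nothing on the node reads that port). Minor: the file is missing its trailing newline (`\ No newline at end of file`).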