Add a doc about the kubeadm design and phases implementation

[luxas]

This document describes the functions of kubeadm and how the phases should be splitted up

@lukemarsden @roberthbailey @mikedanese @errordeveloper @pires @dmmcquay @jbeda

[dmmcquay]

Edits to make the doc more readable.

[dmmcquay]

Suggested edit:

kubeadm init does a lot. In order to make kubeadm the common building block for Kubernetes, each logical phase kubeadm does during init should be invokable separately. Here's an explanation what kubeadm does in these different phases:

[luxas]

Thanks for the grammatical nits, I was in a hurry when writing this so I didn't really pay attention to my wording in this doc, will fix 👍

[dmmcquay]

Suggested edit:

We have to draw the line somewhere about what should be configurable, what shouldn't, and what should be hard-coded in the binary.

[dmmcquay]

Suggested edit:

and the most intuitive location. Having that path configurable would confuse readers of an on-top-of-kubeadm-implemented deployment solution.

[dmmcquay]

Suggested edit:

We've decided to make the Kubernetes directory /etc/kubernetes a constant in the application, since it is clearly the given path in a majority of cases,

[justinsb]

(I'm not even sure you need to justify the choice of /etc/kubernetes)

[dmmcquay]

This doesn't make sense to me.

[mattymo]

yeah, this is just an incomplete thought

[dmmcquay]

Suggested edit:

This means the user can, for example, give his own CA, which then will be used for signing the rest of the certs.

[dmmcquay]

Suggested edit:

First, see that there is an etcd cluster somewhere:

[v1k0d3n]

Suggested edit (nit-picky, only because it's been called out already):

going just a bit further: "First, determine if there is an etcd cluster available:"

[dmmcquay]

Suggested edit:

spin up one locally if external etcd is not be enabled. It should:

[dmmcquay]

Suggested edit:

The master node is patched, the master label is added, and the master is tainted.

[dmmcquay]

Suggested edit:

In the future the base layer of configuration for all kubelets in the cluster will be set in this phase.

[mattymo]

substitute ; for ,

[luxas]

cc @mattymo @v1k0d3n @justinsb @chrislovecnm
You're building tools on top of kubeadm; please comment here what you think about the planned, separately-invokable phases listed here

[luxas]

cc @alexbrand for Kismatic as well :)

[luxas]

cc @andrewrynhard

[philips]

who is the admin?

[pires]

It's a kubeconfig file for the cluster operator to copy to any machine where he wants to control the cluster from.

[rothgar]

Does kubectl read that file by default for system wide settings? I must have missed that and thought the config had to be in ~/.kube/

[philips]

gah, how did we end up with a CSV?

[luxas]

I know, I don't like this at all either, but this is what we've got for bootstrapping :/

[v1k0d3n]

i'm with @philips on this one; why not json?

[luxas]

@v1k0d3n the apiserver doesn't support reading tokens from json, so that's impossible for the time being

What we all want though, and what we're gonna implement is a dynamic way of managing these tokens so we can ditch this file totally (no one likes handling files on disk)

[luxas]

See https://kubernetes.io/docs/admin/kube-apiserver/

--token-auth-file string                                  If set, the file that will be used to secure the secure port of the API server via token authentication.

The new stuff is here: kubernetes/kubernetes#41281

[luxas]

The usage of this file is gonna be replaced by the kubernetes/kubernetes#36101 and kubernetes/kubernetes#41281

[pires]

@luxas you should add your last comment to the document.

[mattymo]

why gateway IP? for snat tricks?

[mattymo]

Can we include localhost and 127.0.0.1 in this list?

[roberthbailey]

I don't think we want to have a cert signed for localhost. That seems like a security issue.

[mattymo]

one cert or one per client?

[roberthbailey]

There's only one client (the apiserver).

[justinsb]

(I'm not even sure you need to justify the choice of /etc/kubernetes)

[justinsb]

Do you mean 100.96.0.1 ? Or is it actually 10.96...?

[luxas]

10.96.0.1/12 is the default service subnet for kubeadm

[pires]

I know it's the default but do we really need a /12 (10.96.0.0 - 10.111.255.255) for this?

[justinsb]

Presumably we aren't changing how kubeadm works here, so this is not the venue, but any notion of "hostname" is a huge red-flag for AWS compatibility

[roberthbailey]

I think this should be optional and not included as a SAN by default.

[justinsb]

This precludes/complicates use with an existing CA infrastructure I believe. On the assumption though that doc is about the phases, and this is the existing kubeadm behaviour we are document, I'm going to stop calling out these issues. If that's not right, and we are actually decided what the keys should look like, let me know and I will review with that mindset.

[roberthbailey]

That is an excellent point. We can't be too prescriptive about fields of the certs, since we need to allow certs generated by organizations to work smoothly with kubeadm.

[justinsb]

This looks cool. kops could probably use the RBAC generation phase today (although we would want to be sure that it was HA safe, and that it did not reapply if users deleted the RBAC policies). The RBAC layer feels almost like it could be a manifest - perhaps this meshes into the add-on-manager-v2 discussion (where I need to produce some form of strawman design doc based on the existing works).

[luxas]

Thanks for the comments everyone, I'll look at this tomorrow or so and update it with your suggestion and more detail 👍

[roberthbailey]

Remove the "First off" part of the sentence.

[roberthbailey]

I think this should be optional and not included as a SAN by default.

[roberthbailey]

I don't think we want to have a cert signed for localhost. That seems like a security issue.

[roberthbailey]

That is an excellent point. We can't be too prescriptive about fields of the certs, since we need to allow certs generated by organizations to work smoothly with kubeadm.

[roberthbailey]

There's only one client (the apiserver).

[roberthbailey]

@mikedanese

I think it needs to have the usage for signing certs (KeyUsageCertSign) and shouldn't have any other key usages set.

[roberthbailey]

I guess a client cert is ok here for bootstrapping, but once you have the cluster configured you should really throw it away in favor of configuring users so that things like audit logging can track who did what when.

[roberthbailey]

If this kubelet is going to connect to the apiserver, shouldn't we use TLS bootstrapping to get it a client cert and give it a temporary token instead?

[roberthbailey]

This will need to change once we support HA. In particular, we'll need to generate another set of certificates (possibly in a different cert universe) for the etcd instances to form a quorum.

[luxas]

@davidopp does this sound good to you?

[luxas]

cc @philips @jbeda

[davidopp]

What is this taint supposed to signify? If it is for the master node(s) only, then use the same key and value (if any) as you use for the label on the master. (e.g. node-role.kubenetes.io/master with no value)

Also keep in mind that if you add a taint, then all pods that are supposed to run on the node will need a toleration for that taint.

[pires]

So far this LGTM.

@luxas this is a good job, particularly knowing you're the most active code contributor to kubeadm. Hat off to you!

[pires]

I know it's the default but do we really need a /12 (10.96.0.0 - 10.111.255.255) for this?

[pires]

What is this exactly, the apiserver pod IP?

[luxas]

This is what's returned from 0.0.0.0, the IP address from the default (main) net interface

[pires]

I haven't seen this in the form of flags or configuration (haven't updated on the configuration API WIP PR). Are we planning ahead?

[luxas]

This has been possible from the beginning by using --api-external-dns-names, but it will probably be exposed in an other shape in the future (via the API Group)

[pires]

Is DNS integrated with RBAC in any way? I don't think so.

[pires]

Is DNS integrated with RBAC in any way? I don't think so.

[luxas]

This isn't related to DNS, but RBAC. Being in the system:master Organization (maps to Group in RBAC), basically makes you use sudo while talking to the cluster.

[pires]

Can you provide a link or a little explanation why?

[luxas]

done

[pires]

I should help here. When does this doc need to be merged?

[luxas]

When the design is fully settled and agreed on :)

[pires]

Can you please provide a link, even if to just the PR, to what the BootstrapSigner is?

[pires]

Please add, make sure CNI plug-in supports the new RBAC mode if RBAC is enabled.

[pires]

We also need the pod network or is this gone now?

[deads2k]

There should also be a CA keypair and client certificate for the Authenticating Proxy described here: https://kubernetes.io/docs/admin/authentication/#authenticating-proxy. It's near zero cost in the kube-apiserver to have it, there's no exposure unless actual machine access is had, and future extension stories (https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/kubernetes-sig-api-machinery/o2v-HjAHk0k/Rg4lNeEACQAJ) rely upon it.

[davidopp]

Having a value of "true" is probably not useful. Why not just have the key (node-role.kubernetes.io/master) and no value?

[pires]

It makes so much sense to me that I now feel dumb because I didn't think about it first.

[luxas]

Updated this now with a lot more detail about what should be done in kubeadm.
Also includes proposal for kubeadm phase

[jbeda]

Missing a "`" here.

[jbeda]

This looks pretty darn good to me.

One question on UX and please correct me if I'm wrong. Here are my assumptions:

• There will be a limited number of flags for kubeadm init and kubeadm join. This is to keep this surface area simple.
• There will be extra options exposed as flags on individual phases.
• If users want access to those options they have 2 choices:
  • Run the phases individually
  • Create a config file (different ones for join and init) and pass that to the top level command.

[jbeda]

Not 100% necessary for v1 of this but it would be awesome if there were a kubeadm init --plan that would just output this for the options that are passed in. In this case users can understand what kubeadm is planning on doing in terms of the phases and make it clear that kubeadm is really just a bundle command.

[fabriziopandini]

+1

[timothysc]

should describe how. Ideally not just a massive command line arg list, but also a config file.

[luxas]

Everything described here will be available to config via the configfile which is going to expose a nice (the nicest) way of actually setting a kubeadm cluster up.
I should point that out much better...

[timothysc]

We need to be certain we don't resource starve CPU on etcd + we need to make certain we open up ulimit caps ~ 65536 as a sane default.

[luxas]

@timothysc Could you send a quick PR on the ulimit thing for etcd?

[timothysc]

So I dug on this and found out that we still don't support ulimit on pods, but we can override dockers startup defaults.. :-/

[fabriziopandini]

Nice to have: Additional aliases for each phase with a numbered prefix. e.g.

• kubeadm phase 1-certs ... (where 1-certs is alias for certscertificates`)
• kubeadm phase 2-kubeconfig ... (where 2-kubeconfig is alias for kubeconfig)

Those aliases could help users in understanding/using the right sequence of phases, and also in having a better experience with autocompletion.

[fabriziopandini]

I suggest to provide a more consistent approach for outputs across the entire kubeadm phase UX, harmonising current approaches:

• kubeadm phase certs selfsign use --cert-dir=
• kubeadm phase kubeconfig clientcert writes to stdout
• kubeadm phase controlplane * writes to /etc/kubernetes/manifests/*
• kubeadm phase addons cluster-info apply directly to the apiserver
• eg

A first draft for possible alternative solution is:

• by default all kubeadm phase commands should provide the same experience of kubeadm init:
  • kubeadm phase certs and kubeadm phase token writes to --cert-dir, which defaults to /etc/kubernetes/pki
  • kubeadm phase kubeconfig clientcert writes to /etc/kubernetes/; to be defined a rule for deriving filename from --client-name=(this is easier to implement if we will specialize kubeconfig phase)
  • kubeadm phase controlplane * writes to /etc/kubernetes/manifests/*.yaml
  • kubeadm phase addons * apply directly to the apiserver
• if invoked with a --stdoutflag, all kubeadm phase commands should write to stdout; the output for the most of the commands is a yaml string or a sequence of kubectl commands; to be defined a format for kubeadm phase certs (alternative support --stdout only where it make sense)

[fabriziopandini]

might be that considering self-hosted as an addons can be confusing for users.
I suggest to treat self-hosted phase separately from addons

[fabriziopandini]

Not sure if offering a generic kubeconfig clientcert/token phase can offer the simplest choice for users, because it requires to call this phase 4 times (kubelet,scheduler,controller-manager,admin), each one with very specific parameters.

A draft alternative proposal, might be specializing kubeconfig phase with dedicate sub-commands:

• kubeconfig kubelet (Inputs: --api-server, --cert-dir)
• kubeconfig scheduler (Inputs: --api-server, --cert-dir)
• kubeconfig controller-manager (Inputs: --api-server, --cert-dir)
• kubeconfig admin (Inputs: --api-server, --cert-dir)
  All commands should produce a clientCert (default mode) expet if if --token flag is provided)

Additionally

• it could be useful to support a kubeconfig all (or simply kubeconfig without subcommands) allowing to generate all 4 default config files in a single action
• it could be useful to support a kubeconfig user (Inputs: --api-server, --cert-dir, --name, --organization), allowing to create kubeconfig files fore other admins/other cluster users
• for kubeconfig admin and kubeconfig user it could be useful to to generate also an alternative output format, providing kubectl config set-cluster, kubectl config set credentials commands linking to separated certificates files (e.g. useful for admin managing more that one cluster... > with a kubeconfig containing many clusters/credentitals)

[fabriziopandini]

it could be useful to support a controlplane all (or simply controlplane without subcommands) allowing to generate all control plane components in a single action

[fabriziopandini]

I suggest to keep an approach more consistent with kubeadm init, providing flags --image-repository=gcr.io/google_containersand --use-kubernetes-version=${STABLE_VERSION}instead of--image=...`

[fabriziopandini]

By extending etcd flags, it is possible to provide with a minimal effort an early support for creating HA clusters, e.g.:

1. With kubeadmin init, create the first master with
   • --apiserver-advertise-address and --cert-altnames properly set
   • an etcd.yaml that contains instructions for spinning up an etcd instance that should be member of an etcd cluster
2. Manually copy /etcd/kubernetes folder to a second and third masters (probably also necessary to replace kubelet.conf with a new one containing new credentials, created with kubeconfig user)
3. Manually setup a LB/DNS in front of all api-servers (matching with --apiserver-advertise-address and --cert-altnames)
4. Join nodes

In order to support this a possibile solution is:

• add --name flag to etcd command, and assign to it a unique name (e.g. the nodename value retrived from Downward API)
• add a --etcd-cluster-discovery flag supporting a dynamic approach for setting up an etcd cluster (no need of knowing the name/ip of nodes in advance, but access to internet/to another etcd instance required)
• add a `--etcd-cluster-members' flag supporting a static approach for setting up an etcd cluster (required knowing the name/ip of nodes in advance, no need of access to internet/to another etcd instance)
• add other flag to etcd command required in a cluster configuration (--initial-advertise-peer-urls and
  --listen-peer-urls)

[fabriziopandini]

Using kubectlin the middle of a kubeadmsequence of phasessounds a little bit strange. With low priority (but also low effort), it might make sense to implement a phase also for this step.

[fabriziopandini]

Looking at kubeadm init code, it seems there are also two additional steps here: CreateServiceAccounts and CreateRBACRules.
In order to make kubeadm init a full "bundle command", also those steps should be implemented as phases.

[timothysc]

I'm of the opinion we should merge this and move along with updates as 1.8 progresses.

[mtaufen]

suggest: "This document strives to explain the phases of work that happen under the hood."

[mtaufen]

Are you relying on the componentconfig API group? Be careful with this, that group will be deleted soon (as soon as every component's config has been moved out of it).

[luxas]

No, it's what I think the new ComponentConfiguration stuff looks like: https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/apis/kubeadm/v1alpha1/types.go

in it's own API group and everything. Not coupled to anything else, just reusing the API machinery

[mtaufen]

Ah, ok nice!

[mtaufen]

Is this versioned?

[luxas]

yes, see the code above

[mtaufen]

This is really cool!

[luxas]

Thank you @mtaufen!

@timothysc Totally agree -- will merge now and follow up as we go.