Added support for service-account and tokens.

pires · Jun 3, 2015 · 3bc7b3d · 3bc7b3d
1 parent bc1d7ab
commit 3bc7b3d
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -173,6 +173,14 @@ you which to mount the allowed syntax is...
   disabled: false
 ```
 
+### Kubernetes Service-Account key file
+
+`kube-serviceaccount.key` file has been generated for the sake of simplicity of deployment. If you want to generate your own, run:
+
+```
+openssl genrsa -out kube-serviceaccount.key 2048 2>/dev/null
+```
+
 ## TL;DR
 
 ```

diff --git a/Vagrantfile b/Vagrantfile
@@ -58,6 +58,7 @@ Vagrant.require_version ">= 1.6.0"
 
 MASTER_YAML = File.join(File.dirname(__FILE__), "master.yaml")
 NODE_YAML = File.join(File.dirname(__FILE__), "node.yaml")
+SSL_FILE = File.join(File.dirname(__FILE__), "kube-serviceaccount.key")
 
 USE_DOCKERCFG = ENV['USE_DOCKERCFG'] || false
 DOCKERCFG = File.expand_path(ENV['DOCKERCFG'] || "~/.dockercfg")
@@ -394,6 +395,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
         end
       end
 
+      if File.exist?(SSL_FILE)
+        kHost.vm.provision :file, :source => "#{SSL_FILE}", :destination => "/tmp/kube-serviceaccount.key"
+      end
+
       if File.exist?(cfg)
         kHost.vm.provision :file, :source => "#{cfg}", :destination => "/tmp/vagrantfile-user-data"
         if enable_proxy

diff --git a/kube-serviceaccount.key b/kube-serviceaccount.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAwF7aKaNQvpXro18UWwma8teGhxYF6fjJRT7W/tRv7S7i8KmV
+EKqxz9e4i2ds33KSyLtNdmZKTOEOpQ7idcUog6O82Et87wcptFL2azxY0HvJ+tuc
+Ftlmzg04DRuR2Xon9l/kuvrPc3wM5JYHmsfReZazLzGd5SotSNmRO+0l60sUl6zu
+BlNckTOvffB++/L1xKKBzcrFXIn2tLtd/gVNzL01JcxT8g7p40fXKa6Py1+Lz5FT
+LAIpwC5LvLU/2UxqhZfYAPfSNtFAJNxhdhC2QYjHuOxoYMdwYVkA4BiZPRQpfOYx
+M7DHZ4n+zB3G1A05tthsPSTsFAC5Gr2eYaKuWQIDAQABAoIBABd7fKYYiYK6Skln
+EdULFx8NsB5NUet9sxQA173DsOYDEzDNgqTGMW5tptldhqzAD6rxMkOBuRApaOA9
+MOevaYKoOiUtEdMbzLt2ZR4x/6VzdvRoWmVvpF0CwBTZiLRDdR1eF0270BcIzYoZ
+xlPekHOHMdhQ9jVDMMPzywbFrBtMmHqkxUdMk2v5ZrOMrOnbO83reWfj6dxRmqtj
+cLyxghUadOnIMgyskUpp0ztmRYlJcZOP3XsfqJWeyA2RyMKI8ro9FOG2KnwfxZPQ
+G9D2TojyyEhLFc+ZE53XGdtp2lqw2xWIbhNmZUv1aIl1OTd346XsaTp16yYHStnu
+QD5VNAECgYEA9tExA/0X+paJwDKsRZR3pcOuMN5uZKz8iGaz79YUFQb6CYe4/e4C
+zQ0eg52B8x3y+q1js7DNj7Lagjh1OkZYMDQmfa9pSETHDxMZMIdt3SNwQ04YRNsB
+Xx7CHVqRoKBclm/d0XXdGlZFLCx0aSHzCHNhJSi67wApgL6N5m0zDQUCgYEAx4cV
+hEYZwnk6vsBoDKa1f9a8ySW3+Dr2KtEpWKXSinsfAoWXkL1vgXooYLE/A5qDQmGe
+vdmBSHmitapV1dHgF2Zw3nQE7rx2rmUJWNV67Z8T3q/XRXwU0APITnL5/JASA3yJ
+SFKs/2yTA8/cevxOkp0QZI5MHPOBsCED33z3PEUCgYASLNFpM8gCQfee2Zxp+0bc
+RA6dtqN2cm6eNMHnVWJhMgRTk1UCDfbS1rZ6hqy9FGWCJCaFYu2gOVFx6WpogimY
+Ux7KfpJIKhhmecePFUn30NZBfoy29VGiiYdN1g+HPofS5CX3eLBxcgzh9dwUqdVV
+t/ldXSR22RI1UtLsNvpdaQKBgDek9541ApgWwQhTlnD4ySNG2s1qBH1ozCAyxsof
+LLFMFuDYKuXFvuQoEjytEbrKi5KmsOOXVhPFQFhTka6Y4lsESbPwPTPrQVnveYTZ
+vHeqZpszBOEu8or0kxc1v3vtHej1AUA3NmHhgLqObJmr5anDvb+dY6KrUl6xRmg8
+bKLVAoGAaRR76SJcjPD5lwWbUm9UQ23O1s8fur9q6tVOGxPcM1O/kGgouMuywBl4
+I5fFnBY+1IIvcLxcPyFPlVSz0u0B+8JqYmPk2/nGeYHXNEvbN4InL8fjP96aMyrG
+2hcLrMGktQicFbTX1QR9Yush7XaVmHyt/TS6RUkdl0LroFOSUWE=
+-----END RSA PRIVATE KEY-----
diff --git a/master.yaml b/master.yaml
@@ -141,12 +141,15 @@ coreos:
         ExecStartPre=/usr/bin/chmod +x /opt/bin/kube-apiserver
         ExecStartPre=/opt/bin/wupiao $private_ipv4:2379/v2/machines
         ExecStart=/opt/bin/kube-apiserver \
+          --service_account_key_file=/tmp/kube-serviceaccount.key \
+          --service_account_lookup=false \
+          --admission_control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
           --allow_privileged=true \
           --insecure_bind_address=0.0.0.0 \
           --insecure_port=8080 \
           --kubelet_https=true \
           --secure_port=6443 \
-          --portal_net=10.100.0.0/16 \
+          --service-cluster-ip-range=10.100.0.0/16 \
           --etcd_servers=http://$private_ipv4:2379 \
           --public_address_override=$public_ipv4 \
           --cloud_provider=__CLOUDPROVIDER__ \
@@ -167,6 +170,7 @@ coreos:
         ExecStartPre=/usr/bin/chmod +x /opt/bin/kube-controller-manager
         ExecStartPre=/opt/bin/wupiao $private_ipv4:8080
         ExecStart=/opt/bin/kube-controller-manager \
+          --service_account_private_key_file=/tmp/kube-serviceaccount.key \
           --master=$private_ipv4:8080 \
           --cloud_provider=__CLOUDPROVIDER__ \
           --pod_eviction_timeout=30s \