Use a lower-privilege Kubelet kubeconfig in system:nodes

* Kubelets can use a lower-privilege TLS client certificate with
Org system:nodes and a binding to the system:node ClusterRole
* Admin kubeconfigs continue to belong to Org system:masters to
provide cluster-admin (available in assets/auth/kubeconfig or as
a Terraform output kubeconfig-admin)
* Remove bare-metal output variable kubeconfig
This commit is contained in:
Dalton Hubble 2019-01-02 23:30:42 -08:00
parent 1c6a0392ad
commit 812a1adb49
31 changed files with 46 additions and 48 deletions


@ -4,13 +4,19 @@ Notable changes between versions.
## Latest ## Latest
* Add ServiceAccounts for `kube-apiserver` and `kube-scheduler` * Add ServiceAccounts for `kube-apiserver` and `kube-scheduler` ([#370](https://github.com/poseidon/typhoon/pull/370))
* Use a lower-privilege TLS client certificate with org `system:nodes` for Kubelets ([#372](https://github.com/poseidon/typhoon/pull/372))
* Bind the `system:nodes` group to the `system:node` ClusterRole
#### AWS #### AWS
* Change `controller_type` and `worker_type` default from t2.small to t3.small * Change `controller_type` and `worker_type` default from t2.small to t3.small
* t3.small is cheaper, provides 2 vCPU (instead of 1), and 5 Gbps of pod-to-pod bandwidth! * t3.small is cheaper, provides 2 vCPU (instead of 1), and 5 Gbps of pod-to-pod bandwidth!
#### Bare-Metal
* Remove the `kubeconfig` output variable
#### Addons #### Addons
* Update Prometheus from v2.5.0 to v2.6.0 * Update Prometheus from v2.5.0 to v2.6.0


@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]


@ -68,7 +68,7 @@ data "template_file" "controller-configs" {
# etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,...
etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}"
kubeconfig = "${indent(10, module.bootkube.kubeconfig)}" kubeconfig = "${indent(10, module.bootkube.kubeconfig-kubelet)}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"


@ -1,5 +1,5 @@
output "kubeconfig-admin" { output "kubeconfig-admin" {
value = "${module.bootkube.user-kubeconfig}" value = "${module.bootkube.kubeconfig-admin-context}"
} }
# Outputs for Kubernetes Ingress # Outputs for Kubernetes Ingress
@ -27,7 +27,7 @@ output "worker_security_groups" {
} }
output "kubeconfig" { output "kubeconfig" {
value = "${module.bootkube.kubeconfig}" value = "${module.bootkube.kubeconfig-kubelet}"
} }
# Outputs for custom load balancing # Outputs for custom load balancing
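Review bot: The `kubeconfig` output at the end of this section now returns `module.bootkube.kubeconfig-kubelet`, a TLS client credential, yet neither it nor the `kubeconfig-admin` output at the top of the section is marked sensitive, so both kubeconfigs are printed in full by `terraform apply` and `terraform output` and tend to land in CI logs. Add `sensitive = true` inside both output blocks; note this only redacts CLI output, the values remain in state. A short `description` saying this output is the kubelet kubeconfig (org `system:nodes`) rather than the admin one would also help, because the bare name `kubeconfig` no longer distinguishes the two credentials this module exports. The same point applies to the matching outputs sections for the other cloud platforms further down and to the bare-metal `kubeconfig-admin` outputs.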


@ -13,7 +13,7 @@ module "workers" {
spot_price = "${var.worker_price}" spot_price = "${var.worker_price}"
# configuration # configuration
kubeconfig = "${module.bootkube.kubeconfig}" kubeconfig = "${module.bootkube.kubeconfig-kubelet}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
service_cidr = "${var.service_cidr}" service_cidr = "${var.service_cidr}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"


@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]


@ -60,7 +60,7 @@ data "template_file" "controller-cloudinit" {
# etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,...
etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}"
kubeconfig = "${indent(6, module.bootkube.kubeconfig)}" kubeconfig = "${indent(6, module.bootkube.kubeconfig-kubelet)}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"


@ -1,5 +1,5 @@
output "kubeconfig-admin" { output "kubeconfig-admin" {
value = "${module.bootkube.user-kubeconfig}" value = "${module.bootkube.kubeconfig-admin-context}"
} }
# Outputs for Kubernetes Ingress # Outputs for Kubernetes Ingress
@ -27,7 +27,7 @@ output "worker_security_groups" {
} }
output "kubeconfig" { output "kubeconfig" {
value = "${module.bootkube.kubeconfig}" value = "${module.bootkube.kubeconfig-kubelet}"
} }
# Outputs for custom load balancing # Outputs for custom load balancing


@ -12,7 +12,7 @@ module "workers" {
spot_price = "${var.worker_price}" spot_price = "${var.worker_price}"
# configuration # configuration
kubeconfig = "${module.bootkube.kubeconfig}" kubeconfig = "${module.bootkube.kubeconfig-kubelet}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
service_cidr = "${var.service_cidr}" service_cidr = "${var.service_cidr}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"


@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]


@ -149,7 +149,7 @@ data "template_file" "controller-configs" {
# etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,...
etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}"
kubeconfig = "${indent(10, module.bootkube.kubeconfig)}" kubeconfig = "${indent(10, module.bootkube.kubeconfig-kubelet)}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"


@ -1,5 +1,5 @@
output "kubeconfig-admin" { output "kubeconfig-admin" {
value = "${module.bootkube.user-kubeconfig}" value = "${module.bootkube.kubeconfig-admin-context}"
} }
# Outputs for Kubernetes Ingress # Outputs for Kubernetes Ingress
@ -32,5 +32,5 @@ output "backend_address_pool_id" {
} }
output "kubeconfig" { output "kubeconfig" {
value = "${module.bootkube.kubeconfig}" value = "${module.bootkube.kubeconfig-kubelet}"
} }


@ -15,7 +15,7 @@ module "workers" {
priority = "${var.worker_priority}" priority = "${var.worker_priority}"
# configuration # configuration
kubeconfig = "${module.bootkube.kubeconfig}" kubeconfig = "${module.bootkube.kubeconfig-kubelet}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
service_cidr = "${var.service_cidr}" service_cidr = "${var.service_cidr}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"


@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${var.k8s_domain_name}"] api_servers = ["${var.k8s_domain_name}"]


@ -1,7 +1,3 @@
output "kubeconfig" {
value = "${module.bootkube.kubeconfig}"
}
output "kubeconfig-admin" { output "kubeconfig-admin" {
value = "${module.bootkube.user-kubeconfig}" value = "${module.bootkube.kubeconfig-admin-context}"
} }


@ -18,7 +18,7 @@ resource "null_resource" "copy-controller-secrets" {
} }
provisioner "file" { provisioner "file" {
content = "${module.bootkube.kubeconfig}" content = "${module.bootkube.kubeconfig-kubelet}"
destination = "$HOME/kubeconfig" destination = "$HOME/kubeconfig"
} }
@ -94,7 +94,7 @@ resource "null_resource" "copy-worker-secrets" {
} }
provisioner "file" { provisioner "file" {
content = "${module.bootkube.kubeconfig}" content = "${module.bootkube.kubeconfig-kubelet}"
destination = "$HOME/kubeconfig" destination = "$HOME/kubeconfig"
} }


@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${var.k8s_domain_name}"] api_servers = ["${var.k8s_domain_name}"]


@ -1,8 +1,4 @@
output "kubeconfig" {
value = "${module.bootkube.kubeconfig}"
}
output "kubeconfig-admin" { output "kubeconfig-admin" {
value = "${module.bootkube.user-kubeconfig}" value = "${module.bootkube.kubeconfig-admin-context}"
} }


@ -18,7 +18,7 @@ resource "null_resource" "copy-controller-secrets" {
} }
provisioner "file" { provisioner "file" {
content = "${module.bootkube.kubeconfig}" content = "${module.bootkube.kubeconfig-kubelet}"
destination = "$HOME/kubeconfig" destination = "$HOME/kubeconfig"
} }
@ -92,7 +92,7 @@ resource "null_resource" "copy-worker-secrets" {
} }
provisioner "file" { provisioner "file" {
content = "${module.bootkube.kubeconfig}" content = "${module.bootkube.kubeconfig-kubelet}"
destination = "$HOME/kubeconfig" destination = "$HOME/kubeconfig"
} }


@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]


@ -10,7 +10,7 @@ resource "null_resource" "copy-controller-secrets" {
} }
provisioner "file" { provisioner "file" {
content = "${module.bootkube.kubeconfig}" content = "${module.bootkube.kubeconfig-kubelet}"
destination = "$HOME/kubeconfig" destination = "$HOME/kubeconfig"
} }
@ -78,7 +78,7 @@ resource "null_resource" "copy-worker-secrets" {
} }
provisioner "file" { provisioner "file" {
content = "${module.bootkube.kubeconfig}" content = "${module.bootkube.kubeconfig-kubelet}"
destination = "$HOME/kubeconfig" destination = "$HOME/kubeconfig"
} }


@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]


@ -10,7 +10,7 @@ resource "null_resource" "copy-controller-secrets" {
} }
provisioner "file" { provisioner "file" {
content = "${module.bootkube.kubeconfig}" content = "${module.bootkube.kubeconfig-kubelet}"
destination = "$HOME/kubeconfig" destination = "$HOME/kubeconfig"
} }
@ -76,7 +76,7 @@ resource "null_resource" "copy-worker-secrets" {
} }
provisioner "file" { provisioner "file" {
content = "${module.bootkube.kubeconfig}" content = "${module.bootkube.kubeconfig-kubelet}"
destination = "$HOME/kubeconfig" destination = "$HOME/kubeconfig"
} }


@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]


@ -87,7 +87,7 @@ data "template_file" "controller-configs" {
# etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,...
etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}"
kubeconfig = "${indent(10, module.bootkube.kubeconfig)}" kubeconfig = "${indent(10, module.bootkube.kubeconfig-kubelet)}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"


@ -1,5 +1,5 @@
output "kubeconfig-admin" { output "kubeconfig-admin" {
value = "${module.bootkube.user-kubeconfig}" value = "${module.bootkube.kubeconfig-admin-context}"
} }
# Outputs for Kubernetes Ingress # Outputs for Kubernetes Ingress
@ -21,7 +21,7 @@ output "network_name" {
} }
output "kubeconfig" { output "kubeconfig" {
value = "${module.bootkube.kubeconfig}" value = "${module.bootkube.kubeconfig-kubelet}"
} }
# Outputs for custom firewalling # Outputs for custom firewalling


@ -13,7 +13,7 @@ module "workers" {
preemptible = "${var.worker_preemptible}" preemptible = "${var.worker_preemptible}"
# configuration # configuration
kubeconfig = "${module.bootkube.kubeconfig}" kubeconfig = "${module.bootkube.kubeconfig-kubelet}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
service_cidr = "${var.service_cidr}" service_cidr = "${var.service_cidr}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"


@ -1,6 +1,6 @@
# Self-hosted Kubernetes assets (kubeconfig, manifests) # Self-hosted Kubernetes assets (kubeconfig, manifests)
module "bootkube" { module "bootkube" {
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270" source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"
cluster_name = "${var.cluster_name}" cluster_name = "${var.cluster_name}"
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"] api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]


@ -79,7 +79,7 @@ data "template_file" "controller-cloudinit" {
# etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,... # etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,...
etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}" etcd_initial_cluster = "${join(",", data.template_file.etcds.*.rendered)}"
kubeconfig = "${indent(6, module.bootkube.kubeconfig)}" kubeconfig = "${indent(6, module.bootkube.kubeconfig-kubelet)}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}" k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"


@ -1,5 +1,5 @@
output "kubeconfig-admin" { output "kubeconfig-admin" {
value = "${module.bootkube.user-kubeconfig}" value = "${module.bootkube.kubeconfig-admin-context}"
} }
# Outputs for Kubernetes Ingress # Outputs for Kubernetes Ingress
@ -21,7 +21,7 @@ output "network_name" {
} }
output "kubeconfig" { output "kubeconfig" {
value = "${module.bootkube.kubeconfig}" value = "${module.bootkube.kubeconfig-kubelet}"
} }
# Outputs for custom firewalling # Outputs for custom firewalling


@ -13,7 +13,7 @@ module "workers" {
preemptible = "${var.worker_preemptible}" preemptible = "${var.worker_preemptible}"
# configuration # configuration
kubeconfig = "${module.bootkube.kubeconfig}" kubeconfig = "${module.bootkube.kubeconfig-kubelet}"
ssh_authorized_key = "${var.ssh_authorized_key}" ssh_authorized_key = "${var.ssh_authorized_key}"
service_cidr = "${var.service_cidr}" service_cidr = "${var.service_cidr}"
cluster_domain_suffix = "${var.cluster_domain_suffix}" cluster_domain_suffix = "${var.cluster_domain_suffix}"