Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
3b53ea5e
Unverified
Commit
3b53ea5e
authored
Dec 04, 2018
by
Kubernetes Prow Robot
Committed by
GitHub
Dec 04, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #71690 from liggitt/secured-kubelet
enable secured kubelet in hack/local-up-cluster.sh
parents
33a37702
67849e6a
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
10 additions
and
2 deletions
+10
-2
local-up-cluster.sh
hack/local-up-cluster.sh
+10
-2
No files found.
hack/local-up-cluster.sh
View file @
3b53ea5e
...
...
@@ -483,6 +483,7 @@ function generate_certs {
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' controller system:kube-controller-manager
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' scheduler system:kube-scheduler
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' admin system:admin system:masters
kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" '
client
-ca
' kube-apiserver kube-apiserver
# Create matching certificates for kube-aggregator
kube::util::create_serving_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" "server-ca" kube-aggregator api.kube-public.svc "localhost" ${API_HOST_IP}
...
...
@@ -573,6 +574,8 @@ function start_apiserver {
--vmodule="${LOG_SPEC}" \
--cert-dir="${CERT_DIR}" \
--client-ca-file="${CERT_DIR}/client-ca.crt" \
--kubelet-client-certificate="${CERT_DIR}/client-kube-apiserver.crt" \
--kubelet-client-key="${CERT_DIR}/client-kube-apiserver.key" \
--service-account-key-file="${SERVICE_ACCOUNT_KEY}" \
--service-account-lookup="${SERVICE_ACCOUNT_LOOKUP}" \
--enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \
...
...
@@ -616,6 +619,9 @@ function start_apiserver {
AUTH_ARGS="--client-key=${CERT_DIR}/client-admin.key --client-certificate=${CERT_DIR}/client-admin.crt"
fi
# Grant apiserver permission to speak to the kubelet
kubectl --kubeconfig "${CERT_DIR}/admin.kubeconfig" create clusterrolebinding kube-apiserver-kubelet-admin --clusterrole=system:kubelet-api-admin --user=kube-apiserver
${CONTROLPLANE_SUDO} cp "${CERT_DIR}/admin.kubeconfig" "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
${CONTROLPLANE_SUDO} chown $(whoami) "${CERT_DIR}/admin-kube-aggregator.kubeconfig"
${KUBECTL} config set-cluster local-up-cluster --kubeconfig="${CERT_DIR}/admin-kube-aggregator.kubeconfig" --server="https://${API_HOST_IP}:31090"
...
...
@@ -723,14 +729,16 @@ function start_kubelet {
fi
auth_args=""
if [[
-n "
${
KUBELET_AUTHORIZATION_WEBHOOK
:-}
" ]]; then
if [[
"
${
KUBELET_AUTHORIZATION_WEBHOOK
:-}
" != "
false
" ]]; then
auth_args="
${
auth_args
}
--authorization-mode=Webhook
"
fi
if [[
-n "
${
KUBELET_AUTHENTICATION_WEBHOOK
:-}
" ]]; then
if [[
"
${
KUBELET_AUTHENTICATION_WEBHOOK
:-}
" != "
false
" ]]; then
auth_args="
${
auth_args
}
--authentication-token-webhook
"
fi
if [[ -n "
${
CLIENT_CA_FILE
:-}
" ]]; then
auth_args="
${
auth_args
}
--client-ca-file=
${
CLIENT_CA_FILE
}
"
else
auth_args="
${
auth_args
}
--client-ca-file=
${
CERT_DIR
}
/client-ca.crt
"
fi
cni_conf_dir_args=""
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment