Requested Changes

- fixed the various issues highlighted in #3125
- changed the docuementation to make more sense
- changed the logic of the UseSecureKubelet to return early

docs/security.md

@@ -42,7 +42,7 @@ Kubernetes has a number of authentication mechanisms:
 
 ## Kubelet API
 
-By default AnonymousAuth on the kubelet is off and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication;
+By default AnonymousAuth on the kubelet is 'on' and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication;
 
 ```YAML
 # In the cluster spec
@@ -51,7 +51,7 @@ spec:
     anonymousAuth: false
 ```
 
-**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the pools. 
+**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the node instance groups.
 
 ### API Bearer Token
 

nodeup/pkg/model/context.go

@@ -206,9 +206,14 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
 	cluster := &c.Cluster.Spec // just to shorten the typing
 	group := &c.InstanceGroup.Spec
 
+	// @check on the InstanceGroup itself
+	if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
+		return true
+	}
+
 	// @check if we have anything specific to master kubelet
 	if c.IsMaster {
-		if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == true {
+		if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == false {
 			return true
 		}
 	}
@@ -218,10 +223,5 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
 		return true
 	}
 
-	// @check on the InstanceGroup itself
-	if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
-		return true
-	}
-
 	return false
 }

nodeup/pkg/model/kubeapiserver.go

@@ -72,15 +72,13 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 
 	// @check if we are using secure client certificates for kubelet and grab the certificates
-	{
-		if b.UseSecureKubelet() {
-			name := "kubelet-api"
-			if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil {
-				return err
-			}
-			if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil {
-				return err
-			}
+	if b.UseSecureKubelet() {
+		name := "kubelet-api"
+		if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil {
+			return err
+		}
+		if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil {
+			return err
 		}
 	}
 
@@ -164,10 +162,10 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 		kubeAPIServer.EtcdServers = []string{"https://127.0.0.1:4001"}
 		kubeAPIServer.EtcdServersOverrides = []string{"/events#https://127.0.0.1:4002"}
 	}
-   
-        // @check if we are using secure kubelet client certificates
+
+	// @check if we are using secure kubelet client certificates
 	if b.UseSecureKubelet() {
-		// @note we are making assumption we are using the one's created by the pki model, not custom defined ones
+		// @note we are making assumption were using the ones created by the pki model, not custom defined ones
 		kubeAPIServer.KubeletClientCertificate = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.pem")
 		kubeAPIServer.KubeletClientKey = filepath.Join(b.PathSrvKubernetes(), "kubelet-api-key.pem")
 	}