diff --git a/docs/security.md b/docs/security.md index a1a244c419c97..9d6d3b4947e48 100644 --- a/docs/security.md +++ b/docs/security.md @@ -42,7 +42,7 @@ Kubernetes has a number of authentication mechanisms: ## Kubelet API -By default AnonymousAuth on the kubelet is off and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication; +By default AnonymousAuth on the kubelet is 'on' and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication; ```YAML # In the cluster spec @@ -51,7 +51,7 @@ spec: anonymousAuth: false ``` -**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the pools. +**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the node instance groups. ### API Bearer Token diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go index 1d4f0982d7586..fd749af7601ac 100644 --- a/nodeup/pkg/model/context.go +++ b/nodeup/pkg/model/context.go @@ -206,9 +206,14 @@ func (c *NodeupModelContext) UseSecureKubelet() bool { cluster := &c.Cluster.Spec // just to shorten the typing group := &c.InstanceGroup.Spec + // @check on the InstanceGroup itself + if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false { + return true + } + // @check if we have anything specific to master kubelet if c.IsMaster { - if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == true { + if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == false { return true } } 
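Review bot: The two comparisons `*group.Kubelet.AnonymousAuth == false` and `*cluster.MasterKubelet.AnonymousAuth == false` read like the inverted guard this commit is fixing; the idiomatic form `!*group.Kubelet.AnonymousAuth` (and likewise for the master check) makes the "an explicit false means secure" intent visible at a glance. Note that every branch returns true on an explicit false and none returns false on an explicit true, so an instance-group `anonymousAuth: true` cannot re-enable anonymous kubelet access when the cluster or master spec disables it; the stricter setting wins, which is the safe direction, but nothing in the function says so. UseSecureKubelet's signature sits in the hunk header above the hunk and its remaining check (presumably the cluster-wide kubelet spec) falls between this hunk and the next, so the doc comment belongs outside the visible lines; suggest `// UseSecureKubelet reports whether any kubelet spec that applies to this node (instance group, master, or cluster) explicitly sets AnonymousAuth to false. The most restrictive setting wins.`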
@@ -218,10 +223,5 @@ func (c *NodeupModelContext) UseSecureKubelet() bool { return true } - // @check on the InstanceGroup itself - if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false { - return true - } - return false } diff --git a/nodeup/pkg/model/kubeapiserver.go b/nodeup/pkg/model/kubeapiserver.go index 273a23d3f161e..211dedc385f1c 100644 --- a/nodeup/pkg/model/kubeapiserver.go +++ b/nodeup/pkg/model/kubeapiserver.go @@ -72,15 +72,13 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error { } // @check if we are using secure client certificates for kubelet and grab the certificates - { - if b.UseSecureKubelet() { - name := "kubelet-api" - if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil { - return err - } - if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil { - return err - } + if b.UseSecureKubelet() { + name := "kubelet-api" + if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil { + return err + } + if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil { + return err } } @@ -164,10 +162,10 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) { kubeAPIServer.EtcdServers = []string{"https://127.0.0.1:4001"} kubeAPIServer.EtcdServersOverrides = []string{"/events#https://127.0.0.1:4002"} } - - // @check if we are using secure kubelet client certificates + + // @check if we are using secure kubelet client certificates if b.UseSecureKubelet() { - // @note we are making assumption we are using the one's created by the pki model, not custom defined ones + // @note we are making assumption were using the ones created by the pki model, not custom defined ones kubeAPIServer.KubeletClientCertificate = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.pem") kubeAPIServer.KubeletClientKey = filepath.Join(b.PathSrvKubernetes(), "kubelet-api-key.pem") }
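Review bot: The reworded comment now reads `were using the ones created by the pki model` where "we're" is meant; suggest `// @note we assume the kubelet-api certificate and key issued by the pki model, not custom-defined ones`. The file names `kubelet-api.pem` and `kubelet-api-key.pem` here have to stay in step with the `name := "kubelet-api"` used when the certificate and key are requested in Build (the earlier hunk in this file); a shared package constant such as `const kubeletAPICertName = "kubelet-api"` used at both sites would keep a rename in one place from leaving kube-apiserver configured with a client certificate path the pki model never writes, so that the kubelet client connection silently cannot authenticate. buildPod's body continues outside the hunk on both sides.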