Requested Changes

- fixed the various issues highlighted in #3125 - changed the docuementation to make more sense - changed the logic of the UseSecureKubelet to return early
kubernetes · Aug 8, 2017 · 9873fc1 · 9873fc1
1 parent 2fb60b9
commit 9873fc1
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 22 deletions.
diff --git a/docs/security.md b/docs/security.md
@@ -42,7 +42,7 @@ Kubernetes has a number of authentication mechanisms:
 
 ## Kubelet API
 
-By default AnonymousAuth on the kubelet is off and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication;
+By default AnonymousAuth on the kubelet is 'on' and so communication between kube-apiserver and kubelet api is not authenticated. In order to switch on authentication;
 
 ```YAML
 # In the cluster spec
@@ -51,7 +51,7 @@ spec:
     anonymousAuth: false
 ```
 
-**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the pools. 
+**Note** on a existing cluster with 'anonymousAuth' unset you would need to first roll out the masters and then update the node instance groups.
 
 ### API Bearer Token
 

diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
@@ -206,9 +206,14 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
 	cluster := &c.Cluster.Spec // just to shorten the typing
 	group := &c.InstanceGroup.Spec
 
+	// @check on the InstanceGroup itself
+	if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
+		return true
+	}
+
 	// @check if we have anything specific to master kubelet
 	if c.IsMaster {
-		if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == true {
+		if cluster.MasterKubelet != nil && cluster.MasterKubelet.AnonymousAuth != nil && *cluster.MasterKubelet.AnonymousAuth == false {
 			return true
 		}
 	}
@@ -218,10 +223,5 @@ func (c *NodeupModelContext) UseSecureKubelet() bool {
 		return true
 	}
 
-	// @check on the InstanceGroup itself
-	if group.Kubelet != nil && group.Kubelet.AnonymousAuth != nil && *group.Kubelet.AnonymousAuth == false {
-		return true
-	}
-
 	return false
 }
diff --git a/nodeup/pkg/model/convenience.go b/nodeup/pkg/model/convenience.go
@@ -26,7 +26,7 @@ import (
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 
-        "github.com/golang/glog"
+	"github.com/golang/glog"
 )
 
 // s is a helper that builds a *string from a string value

diff --git a/nodeup/pkg/model/kubeapiserver.go b/nodeup/pkg/model/kubeapiserver.go
@@ -72,15 +72,13 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 
 	// @check if we are using secure client certificates for kubelet and grab the certificates
-	{
-		if b.UseSecureKubelet() {
-			name := "kubelet-api"
-			if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil {
-				return err
-			}
-			if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil {
-				return err
-			}
+	if b.UseSecureKubelet() {
+		name := "kubelet-api"
+		if err := buildCertificateRequest(c, b.NodeupModelContext, name, ""); err != nil {
+			return err
+		}
+		if err := buildPrivateKeyRequest(c, b.NodeupModelContext, name, ""); err != nil {
+			return err
 		}
 	}
 
@@ -164,10 +162,10 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 		kubeAPIServer.EtcdServers = []string{"https://127.0.0.1:4001"}
 		kubeAPIServer.EtcdServersOverrides = []string{"/events#https://127.0.0.1:4002"}
 	}
-   
-        // @check if we are using secure kubelet client certificates
+
+	// @check if we are using secure kubelet client certificates
 	if b.UseSecureKubelet() {
-		// @note we are making assumption we are using the one's created by the pki model, not custom defined ones
+		// @note we are making assumption were using the ones created by the pki model, not custom defined ones
 		kubeAPIServer.KubeletClientCertificate = filepath.Join(b.PathSrvKubernetes(), "kubelet-api.pem")
 		kubeAPIServer.KubeletClientKey = filepath.Join(b.PathSrvKubernetes(), "kubelet-api-key.pem")
 	}

diff --git a/pkg/model/pki.go b/pkg/model/pki.go
@@ -44,7 +44,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 		c.AddTask(t)
 	}
-        {
+	{
 		// Generate a kubelet client certificate for api to speak securely to kubelets. This change was first
 		// introduced in https://github.com/kubernetes/kops/pull/2831 where server.cert/key were used. With kubernetes >= 1.7
 		// the certificate usage is being checked (obviously the above was server not client certificate) and so now fails