Add authentication-token-webhook-cache-ttl flag to kubelet config

[ihoegen]

Also moves AuthenticationTokenWebhook flag from api to kubelet

[mikesplain]

Thanks @ihoegen for the quick fix.

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ihoegen, mikesplain

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mikesplain]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[markine]

@ihoegen Could you please cherry pick this into 1.9 and cut 1.9.3? Thank you!

[ihoegen]

@markine Just opened a PR for the cherry-pick, #5562

[badgerspoke]

Are we sure this is working? I built from master (because neither 1.9 nor 1.10 appeared to include this) and set my kubelet config like so (per https://github.com/coreos/prometheus-operator/tree/master/contrib/kube-prometheus#prerequisites):

kubelet:
    anonymousAuth: false
    authenticationTokenWebhook: true
    authorizationMode: Webhook

.. and used the kops add-on to get prometheus:

spec:
  addons:
    - manifest: kubernetes-dashboard
    - manifest: prometheus-operator

.. then created a new cluster. Once it was up i checked kubelet on the master, but the flag wasn't honoured:

admin@ip-10-28-39-225:~$ journalctl -u kubelet|grep -i webho
Aug 09 05:44:20 ip-10-28-39-225 kubelet[1219]: I0809 05:44:20.110976    1219 flags.go:52] FLAG: --authentication-token-webhook="false"
Aug 09 05:44:20 ip-10-28-39-225 kubelet[1219]: I0809 05:44:20.111284    1219 flags.go:52] FLAG: --authentication-token-webhook-cache-ttl="2m0s"
Aug 09 05:44:20 ip-10-28-39-225 kubelet[1219]: I0809 05:44:20.111572    1219 flags.go:52] FLAG: --authorization-mode="Webhook"
Aug 09 05:44:20 ip-10-28-39-225 kubelet[1219]: I0809 05:44:20.111861    1219 flags.go:52] FLAG: --authorization-webhook-cache-authorized-ttl="5m0s"
Aug 09 05:44:20 ip-10-28-39-225 kubelet[1219]: I0809 05:44:20.112148    1219 flags.go:52] FLAG: --authorization-webhook-cache-unauthorized-ttl="30s"

Result:

admin@ip-10-28-49-150:~$ kubectl  get po|grep prom
prometheus-operator-784bcf6d6-zfgxk   1/1       Running   0          3h
admin@ip-10-28-49-150:~$ kubectl logs prometheus-operator-784bcf6d6-zfgxk
Error from server (Forbidden): Forbidden (user=kubelet-api, verb=get, resource=nodes, subresource=proxy) ( pods/log prometheus-operator-784bcf6d6-zfgxk)
admin@ip-10-28-49-150:~$ 

Versions:

$ ./src/bin/kops version
Version 1.10.0-beta.1 (git-b213de6c2)

admin@ip-10-28-49-150:~$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.8", GitCommit:"c138b85178156011dc934c2c9f4837476876fb07", GitTreeState:"clean", BuildDate:"2018-05-21T19:01:12Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.8", GitCommit:"c138b85178156011dc934c2c9f4837476876fb07", GitTreeState:"clean", BuildDate:"2018-05-21T18:53:18Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

What have I done wrong? Even if I manually tweak the kubelet flags and restart it on my master and (single) node this persists.