diff --git a/CHANGES.md b/CHANGES.md
index 72099b8dc..3298e9e54 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,9 @@ Notable changes between versions.
 * Update etcd from v3.3.4 to v3.3.5 ([#213](https://github.com/poseidon/typhoon/pull/213))
 * Require Terraform v0.11.x and drop support for v0.10.x ([migration guide](https://typhoon.psdn.io/topics/maintenance/#terraform-v011x))
+* Allow bearer token authentication to the Kubelet ([#216](https://github.com/poseidon/typhoon/issues/215))
+ * Require Webhook authorization to the Kubelet
+ * Switch apiserver X509 client cert org to satisfy new authorization requirement
 #### AWS
diff --git a/aws/container-linux/kubernetes/bootkube.tf b/aws/container-linux/kubernetes/bootkube.tf
index 10ed242ce..fd1297511 100644
--- a/aws/container-linux/kubernetes/bootkube.tf
+++ b/aws/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=911f4115088b7511f29221f64bf8e93bfa9ee567"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=28f68db28e06e9fe3422ed49c98986375783a862"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/aws/container-linux/kubernetes/cl/controller.yaml.tmpl b/aws/container-linux/kubernetes/cl/controller.yaml.tmpl
index 111f09b9a..bb0872432 100644
--- a/aws/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/aws/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -76,6 +76,8 @@ systemd:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
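Review bot: The two added kubelet flags make every non-cached request to the kubelet API depend on the apiserver answering the kubelet's TokenReview and SubjectAccessReview calls, and nothing in the template records that coupling or that it only works together with the apiserver client cert org change pulled in by the bootkube ref bump in this same commit. Add a comment above the kubelet unit, e.g. `# Kubelet API requires X509 or bearer-token auth and Webhook (SubjectAccessReview) authorization; the apiserver client cert org must be allowed by it, see bootkube ref`. The webhook caches stay at kubelet defaults (`--authentication-token-webhook-cache-ttl`, `--authorization-webhook-cache-authorized-ttl`, `--authorization-webhook-cache-unauthorized-ttl`), so a revoked token or RoleBinding is still honoured until the cached decision expires; pin them if a shorter window is wanted. The same two lines are added to the worker and to every bare-metal, digital-ocean and google-cloud template in the later hunks, so one comment per template is enough. The kubelet argument list continues outside the hunk, so it cannot be confirmed here whether `--read-only-port=0` is also set; if it is not, the unauthenticated read-only port is unaffected by either of these flags.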
diff --git a/aws/container-linux/kubernetes/workers/cl/worker.yaml.tmpl b/aws/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
index 62c2e59be..25e3c3cc2 100644
--- a/aws/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
+++ b/aws/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
@@ -49,6 +49,8 @@ systemd:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/aws/fedora-atomic/kubernetes/bootkube.tf b/aws/fedora-atomic/kubernetes/bootkube.tf
index 263f74e35..5be8d1789 100644
--- a/aws/fedora-atomic/kubernetes/bootkube.tf
+++ b/aws/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=911f4115088b7511f29221f64bf8e93bfa9ee567"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=28f68db28e06e9fe3422ed49c98986375783a862"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/aws/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl b/aws/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
index 97ece46a1..216e05a1a 100644
--- a/aws/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
+++ b/aws/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
@@ -53,6 +53,8 @@ write_files:
 content: |
 ARGS="--allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/aws/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl b/aws/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
index 62148b765..1f17a5713 100644
--- a/aws/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
+++ b/aws/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
@@ -32,6 +32,8 @@ write_files:
 content: |
 ARGS="--allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/bare-metal/container-linux/kubernetes/bootkube.tf b/bare-metal/container-linux/kubernetes/bootkube.tf
index e608972b5..3c2aeaca7 100644
--- a/bare-metal/container-linux/kubernetes/bootkube.tf
+++ b/bare-metal/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=911f4115088b7511f29221f64bf8e93bfa9ee567"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=28f68db28e06e9fe3422ed49c98986375783a862"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl b/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl
index 631f288d6..5ff8ecceb 100644
--- a/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -84,6 +84,8 @@ systemd:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/bare-metal/container-linux/kubernetes/cl/worker.yaml.tmpl b/bare-metal/container-linux/kubernetes/cl/worker.yaml.tmpl
index dcaf726eb..827e5fc12 100644
--- a/bare-metal/container-linux/kubernetes/cl/worker.yaml.tmpl
+++ b/bare-metal/container-linux/kubernetes/cl/worker.yaml.tmpl
@@ -57,6 +57,8 @@ systemd:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/bare-metal/fedora-atomic/kubernetes/bootkube.tf b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
index b2a336e8c..096771af0 100644
--- a/bare-metal/fedora-atomic/kubernetes/bootkube.tf
+++ b/bare-metal/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=911f4115088b7511f29221f64bf8e93bfa9ee567"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=28f68db28e06e9fe3422ed49c98986375783a862"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${var.k8s_domain_name}"]
diff --git a/bare-metal/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl b/bare-metal/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
index 3d96e1309..990ea89e4 100644
--- a/bare-metal/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
+++ b/bare-metal/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
@@ -38,6 +38,8 @@ write_files:
 content: |
 ARGS="--allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/bare-metal/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl b/bare-metal/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
index d242b605c..05a2200d0 100644
--- a/bare-metal/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
+++ b/bare-metal/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
@@ -17,6 +17,8 @@ write_files:
 content: |
 ARGS="--allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/digital-ocean/container-linux/kubernetes/bootkube.tf b/digital-ocean/container-linux/kubernetes/bootkube.tf
index 5572ec649..be02e103f 100644
--- a/digital-ocean/container-linux/kubernetes/bootkube.tf
+++ b/digital-ocean/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=911f4115088b7511f29221f64bf8e93bfa9ee567"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=28f68db28e06e9fe3422ed49c98986375783a862"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl b/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl
index 4589f8f66..82386b500 100644
--- a/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -87,6 +87,8 @@ systemd:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/digital-ocean/container-linux/kubernetes/cl/worker.yaml.tmpl b/digital-ocean/container-linux/kubernetes/cl/worker.yaml.tmpl
index cb80329ee..0407a1922 100644
--- a/digital-ocean/container-linux/kubernetes/cl/worker.yaml.tmpl
+++ b/digital-ocean/container-linux/kubernetes/cl/worker.yaml.tmpl
@@ -60,6 +60,8 @@ systemd:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
index 2c307153e..62af210e8 100644
--- a/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
+++ b/digital-ocean/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=911f4115088b7511f29221f64bf8e93bfa9ee567"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=28f68db28e06e9fe3422ed49c98986375783a862"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/digital-ocean/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl b/digital-ocean/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
index 350cb8cac..72ab5b25f 100644
--- a/digital-ocean/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
+++ b/digital-ocean/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
@@ -53,6 +53,8 @@ write_files:
 content: |
 ARGS="--allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/digital-ocean/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl b/digital-ocean/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
index d333d7b7d..4c2e567be 100644
--- a/digital-ocean/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
+++ b/digital-ocean/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
@@ -32,6 +32,8 @@ write_files:
 content: |
 ARGS="--allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/google-cloud/container-linux/kubernetes/bootkube.tf b/google-cloud/container-linux/kubernetes/bootkube.tf
index 2c440b49a..45310ade8 100644
--- a/google-cloud/container-linux/kubernetes/bootkube.tf
+++ b/google-cloud/container-linux/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=911f4115088b7511f29221f64bf8e93bfa9ee567"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=28f68db28e06e9fe3422ed49c98986375783a862"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl b/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
index bed7d4bac..054d56b63 100644
--- a/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -77,6 +77,8 @@ systemd:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml.tmpl b/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
index 636d754d9..89533e381 100644
--- a/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
+++ b/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
@@ -50,6 +50,8 @@ systemd:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/google-cloud/fedora-atomic/kubernetes/bootkube.tf b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
index 8571edb3f..b094a8f7c 100644
--- a/google-cloud/fedora-atomic/kubernetes/bootkube.tf
+++ b/google-cloud/fedora-atomic/kubernetes/bootkube.tf
@@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
- source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=911f4115088b7511f29221f64bf8e93bfa9ee567"
+ source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=28f68db28e06e9fe3422ed49c98986375783a862"
 cluster_name = "${var.cluster_name}"
 api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
diff --git a/google-cloud/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl b/google-cloud/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
index 1d4cbacef..64918366a 100644
--- a/google-cloud/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
+++ b/google-cloud/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
@@ -54,6 +54,8 @@ write_files:
 content: |
 ARGS="--allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \
diff --git a/google-cloud/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl b/google-cloud/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
index 980a71b8a..6da98b5fb 100644
--- a/google-cloud/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
+++ b/google-cloud/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
@@ -33,6 +33,8 @@ write_files:
 content: |
 ARGS="--allow-privileged \
 --anonymous-auth=false \
+ --authentication-token-webhook \
+ --authorization-mode=Webhook \
 --client-ca-file=/etc/kubernetes/ca.crt \
 --cluster_dns=${k8s_dns_service_ip} \
 --cluster_domain=${cluster_domain_suffix} \