From f97b6af095b040f6d0cb4bdba818025f68b085c4 Mon Sep 17 00:00:00 2001
From: Frederic Branczyk <fbranczyk@gmail.com>
Date: Tue, 9 Jan 2018 22:32:21 +0100
Subject: [PATCH] *: Adapt documentation and scripts to use minikube kubelet authN/authZ
---
 README.md | 12 ++++++++
 hack/cluster-monitoring/minikube-deploy | 13 +++++++-
 .../k8s/minikube/kube-controller-manager.yaml | 30 -------------------
 manifests/k8s/minikube/kube-scheduler.yaml | 30 -------------------
 4 files changed, 24 insertions(+), 61 deletions(-)
 delete mode 100644 manifests/k8s/minikube/kube-controller-manager.yaml
 delete mode 100644 manifests/k8s/minikube/kube-scheduler.yaml
diff --git a/README.md b/README.md
index 804dc942..4ada050d 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,18 @@ CoreOS' Tectonic technology. Otherwise, you can simply make use of
 repository are adapted to work with a [multi-node setup](https://github.com/kubernetes-incubator/bootkube/tree/master/hack/multi-node)
 using [bootkube](https://github.com/kubernetes-incubator/bootkube).
+
+> We assume that the kubelet uses token authN and authZ, as otherwise
+> Prometheus needs a client certificate, which gives it full access to the
+> kubelet, rather than just the metrics. Token authN and authZ allows more fine
+> grained and easier access control. Simply start minikube with the following
+> command (you can of course adapt the version and memory to your needs):
+>
+> $ minikube delete && minikube start --kubernetes-version=v1.9.1 --memory=4096 --bootstrapper=kubeadm --extra-config=kubelet.authentication-token-webhook=true --extra-config=kubelet.authorization-mode=Webhook --extra-config=scheduler.address=0.0.0.0 --extra-config=controller-manager.address=0.0.0.0
+>
+> In future versions of minikube and kubeadm this will be the default, but for
+> the time being, we will have to configure it ourselves.
+
 ## Monitoring Kubernetes
 The manifests here use the [Prometheus Operator](https://github.com/coreos/prometheus-operator),
diff --git a/hack/cluster-monitoring/minikube-deploy b/hack/cluster-monitoring/minikube-deploy
index ab7e72e4..64cb86be 100755
--- a/hack/cluster-monitoring/minikube-deploy
+++ b/hack/cluster-monitoring/minikube-deploy
@@ -1,6 +1,17 @@
 #!/usr/bin/env bash
+# We assume that the kubelet uses token authN and authZ, as otherwise
+# Prometheus needs a client certificate, which gives it full access to the
+# kubelet, rather than just the metrics. Token authN and authZ allows more fine
+# grained and easier access control. Simply start minikube with the following
+# command (you can of course adapt the version and memory to your needs):
+#
+# $ minikube delete && minikube start --kubernetes-version=v1.9.1 --memory=4096 --bootstrapper=kubeadm --extra-config=kubelet.authentication-token-webhook=true --extra-config=kubelet.authorization-mode=Webhook --extra-config=scheduler.address=0.0.0.0 --extra-config=controller-manager.address=0.0.0.0
+#
+# In future versions of minikube and kubeadm this will be the default, but for
+# the time being, we will have to configure it ourselves.
+
 hack/cluster-monitoring/deploy
-awk 'FNR==1{print "---"}1' manifests/k8s/minikube/*.yaml | sed s/MINIKUBE_IP/`minikube ip`/g | kubectl --namespace=kube-system apply -f -
+kubectl --namespace=kube-system apply -f manifests/k8s/kubeadm/
diff --git a/manifests/k8s/minikube/kube-controller-manager.yaml b/manifests/k8s/minikube/kube-controller-manager.yaml
deleted file mode 100644
index d33015aa..00000000
--- a/manifests/k8s/minikube/kube-controller-manager.yaml
+++ /dev/null
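Review bot: The script still has no `set -euo pipefail` after the shebang, so if `hack/cluster-monitoring/deploy` fails the new `kubectl --namespace=kube-system apply -f manifests/k8s/kubeadm/` line runs anyway against a half-deployed stack; add `set -euo pipefail` as the first line after `#!/usr/bin/env bash`. The new comment block should also caveat that `--extra-config=scheduler.address=0.0.0.0` and `--extra-config=controller-manager.address=0.0.0.0` bind those components' plain-HTTP metrics ports (10251/10252 in the removed minikube manifests) on every interface of the minikube VM, which is acceptable for a throwaway local cluster but should not be copied to a shared one. It would also help to note that the quoted command starts with `minikube delete`, so it destroys any existing minikube cluster before re-creating it. The script may continue past the end of the hunk.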
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  namespace: kube-system
-  name: kube-controller-manager-prometheus-discovery
-  labels:
-    k8s-app: kube-controller-manager
-spec:
-  type: ClusterIP
-  clusterIP: None
-  ports:
-  - name: http-metrics
-    port: 10252
-    targetPort: 10252
-    protocol: TCP
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  namespace: kube-system
-  name: kube-controller-manager-prometheus-discovery
-  labels:
-    k8s-app: kube-controller-manager
-subsets:
-- addresses:
-  - ip: MINIKUBE_IP
-  ports:
-  - name: http-metrics
-    port: 10252
-    protocol: TCP
diff --git a/manifests/k8s/minikube/kube-scheduler.yaml b/manifests/k8s/minikube/kube-scheduler.yaml
deleted file mode 100644
index 8599575c..00000000
--- a/manifests/k8s/minikube/kube-scheduler.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  namespace: kube-system
-  name: kube-scheduler-prometheus-discovery
-  labels:
-    k8s-app: kube-scheduler
-spec:
-  type: ClusterIP
-  clusterIP: None
-  ports:
-  - name: http-metrics
-    port: 10251
-    targetPort: 10251
-    protocol: TCP
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  namespace: kube-system
-  name: kube-scheduler-prometheus-discovery
-  labels:
-    k8s-app: kube-scheduler
-subsets:
-- addresses:
-  - ip: MINIKUBE_IP
-  ports:
-  - name: http-metrics
-    port: 10251
-    protocol: TCP
-- 
GitLab