diff --git a/docs/08-bootstrapping-kubernetes-controllers.md b/docs/08-bootstrapping-kubernetes-controllers.md index db64cca9..e7ab4f8b 100644 --- a/docs/08-bootstrapping-kubernetes-controllers.md +++ b/docs/08-bootstrapping-kubernetes-controllers.md @@ -79,7 +79,7 @@ ExecStart=/usr/local/bin/kube-apiserver \\ --etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\ --event-ttl=1h \\ --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\ - --insecure-bind-address=0.0.0.0 \\ + --insecure-bind-address=127.0.0.1 \\ --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\ --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\ --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\ @@ -118,7 +118,7 @@ ExecStart=/usr/local/bin/kube-controller-manager \\ --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\ --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\ --leader-elect=true \\ - --master=http://${INTERNAL_IP}:8080 \\ + --master=http://127.0.0.1:8080 \\ --root-ca-file=/var/lib/kubernetes/ca.pem \\ --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\ --service-cluster-ip-range=10.32.0.0/16 \\ @@ -144,7 +144,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes [Service] ExecStart=/usr/local/bin/kube-scheduler \\ --leader-elect=true \\ - --master=http://${INTERNAL_IP}:8080 \\ + --master=http://127.0.0.1:8080 \\ --v=2 Restart=on-failure RestartSec=5 diff --git a/docs/09-bootstrapping-kubernetes-workers.md b/docs/09-bootstrapping-kubernetes-workers.md index c38761fa..acfd6c00 100644 --- a/docs/09-bootstrapping-kubernetes-workers.md +++ b/docs/09-bootstrapping-kubernetes-workers.md @@ -185,6 +185,8 @@ Requires=crio.service [Service] ExecStart=/usr/local/bin/kubelet \\ + --anonymous-auth=false \\ + --authorization-mode=Webhook \\ --allow-privileged=true \\ --cluster-dns=10.32.0.10 \\ --cluster-domain=cluster.local \\ @@ -199,6 +201,7 @@ ExecStart=/usr/local/bin/kubelet \\ --register-node=true \\ --require-kubeconfig \\ --runtime-request-timeout=10m \\ + --client-ca-file=/var/lib/kubernetes/ca.pem \\ --tls-cert-file=/var/lib/kubelet/${HOSTNAME}.pem \\ --tls-private-key-file=/var/lib/kubelet/${HOSTNAME}-key.pem \\ --v=2 @@ -258,7 +261,7 @@ sudo systemctl start crio kubelet kube-proxy > Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`. -## Verification +## Implement RBAC for Kubelet Authorization Login to one of the controller nodes: @@ -266,7 +269,57 @@ Login to one of the controller nodes: gcloud compute ssh controller-0 ``` -List the registered Kubernetes nodes: +Define a ```clusterrole``` with the proper permissions for kubelet API access and a ```clusterrolebinding``` to allow the ```kubernetes``` user to use that ```clusterrole```. +``` +cat > kubelet-rbac.yaml << EOF +--- +apiVersion: v1 +kind: List +metadata: {} +items: +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:kube-apiserver-to-kubelet + rules: + - apiGroups: + - "" + resources: + - nodes/proxy + - nodes/stats + - nodes/log + - nodes/spec + - nodes/metrics + verbs: + - "*" +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRoleBinding + metadata: + name: system:kube-apiserver + namespace: "" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:kube-apiserver-to-kubelet + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: kubernetes +EOF +``` + +Create the ```clusterrole``` and ```clusterrolebinding``` in the cluster. +``` +kubectl create -f kubelet-rbac.yaml +``` + +## Verification + +While still logged into one of the controller nodes, list the registered Kubernetes nodes: ``` kubectl get nodes