Enable encryption between kubelet and kube-apiserver on Magnum clusters #365

Open
runlevel-six opened this issue Apr 25, 2024 · 0 comments

Comments


runlevel-six commented Apr 25, 2024

In our CAPI clusters we enable TLS between kubelet and kube-apiserver as a security measure. We would like to see if this can be enabled via an optional flag in Magnum clusters. We enable this in CAPI/CAP-M3 in the KubeadmControlPlane object; here is the code we use (line 24 is the only kubeadm component needed, and lines 41-44 and 14-48 are the changes we make to kubelet after cluster initialization to complete the work).

```yaml
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: undercloud-k8s00-kcp-dpdk
spec:
  replicas: 3
  rolloutStrategy:
    rollingUpdate:
      maxSurge: 0
  version: 1.28.4
  machineTemplate:
    infrastructureRef:
      ...
  kubeadmConfigSpec:
    clusterConfiguration:
      ...
      featureGates:
        EtcdLearnerMode: true
      networking:
        ...
      apiServer:
        extraArgs:
          ...
          kubelet-certificate-authority: /etc/kubernetes/pki/ca.crt
        extraVolumes:
          ...
      controllerManager:
        ...
      scheduler:
        ...
      etcd:
        ...
    initConfiguration:
      ...
    joinConfiguration:
      ...
    preKubeadmCommands:
      ...
    postKubeadmCommands:
      ...
    - "sed -i '/^cgroupDriver: systemd.*/a serverTLSBootstrap: true' /var/lib/kubelet/config.yaml"
    - "sed -i '/^serverTLSBootstrap: true.*/a maxPods: 500' /var/lib/kubelet/config.yaml"
    - systemctl restart kubelet
    - kubectl --kubeconfig=/etc/kubernetes/admin.conf certificate approve $(kubectl --kubeconfig=/etc/kubernetes/admin.conf get csr --no-headers | awk '{ print $1 }' | tr '\n' ' ')
    ... <INSTALL CNI>
    - helm --kubeconfig=/etc/kubernetes/admin.conf repo add kubelet-csr-approver https://postfinance.github.io/kubelet-csr-approver
    - helm --kubeconfig=/etc/kubernetes/admin.conf repo update
    - helm --kubeconfig=/etc/kubernetes/admin.conf upgrade kubelet-csr-approver kubelet-csr-approver/kubelet-csr-approver --namespace kube-system --install --set bypassDnsResolution='true' --set providerIpPrefixes='10.8.192.0/16'
  ... <OTHER DEPLOYMENTS AND CONFIGURATIONS>
```
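With `serverTLSBootstrap: true` each kubelet requests its serving certificate through a CSR, and the bootstrap step above approves every pending CSR before `kubelet-csr-approver` takes over. As an added example (not code from the issue, Magnum or kubelet-csr-approver), the Go program below shows the checks an approver has to make on a `kubernetes.io/kubelet-serving` CSR before approving it: the signer, the requesting node identity and the subject must agree, and the SANs may name only that node's hostname and IPs inside the allowed range. `validateKubeletServingCSR`, `makeCSR`, the node name and the sample IPs are constructed; the `10.8.192.0/16` range mirrors the `providerIpPrefixes` value in the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
	"strings"
)

// validateKubeletServingCSR is the policy an approver applies before approving a
// kubelet serving CSR: signer, requester and subject agree on one node identity, and
// SANs name only that node's hostname and IPs in allowed (providerIpPrefixes stand-in).
func validateKubeletServingCSR(der []byte, requester, signer string, allowed *net.IPNet) error {
	node := strings.TrimPrefix(requester, "system:node:")
	if signer != "kubernetes.io/kubelet-serving" || node == requester || node == "" {
		return fmt.Errorf("signer %q / requester %q are not a kubelet serving request", signer, requester)
	}
	req, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("parse CSR: %w", err)
	}
	if req.Subject.CommonName != requester || strings.Join(req.Subject.Organization, ",") != "system:nodes" {
		return fmt.Errorf("subject %q is not %s in group system:nodes", req.Subject.String(), requester)
	}
	if len(req.EmailAddresses) > 0 || len(req.URIs) > 0 || len(req.IPAddresses) == 0 {
		return fmt.Errorf("SANs must be DNS and IP only, with at least one IP")
	}
	for _, d := range req.DNSNames {
		if d != node {
			return fmt.Errorf("DNS SAN %q is not the node name %q", d, node)
		}
	}
	for _, ip := range req.IPAddresses {
		if !allowed.Contains(ip) {
			return fmt.Errorf("IP SAN %s is outside %s", ip, allowed)
		}
	}
	return nil
}

func makeCSR(cn string, dns []string, ips []net.IP) []byte { // constructed sample, shaped like a kubelet serving CSR
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{"system:nodes"}}, DNSNames: dns, IPAddresses: ips}, key)
	return der
}
```

In a cluster the inputs come from the CertificateSigningRequest object: `spec.signerName`, `spec.username` and the PEM-decoded `spec.request`.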