Configure TLS for Kubernetes services

brooklyncentral · Nov 25, 2016 · c1a484c · c1a484c
1 parent eb6e2c2
commit c1a484c
Show file tree

Hide file tree

Showing 7 changed files with 233 additions and 85 deletions.
diff --git a/kubernetes/catalog/kubernetes/kubernetes.bom b/kubernetes/catalog/kubernetes/kubernetes.bom
diff --git a/kubernetes/examples/kubernetes.yaml b/kubernetes/examples/kubernetes.yaml
@@ -10,7 +10,7 @@ location:
     region: ams01
     identity: xxxxxxxx
     credential: XXXXXXXX
-    privateKeyFile: ~/.ssh/softlayer.pem
+    privateKeyFile: "~/.ssh/softlayer.pem"
     customizers:
       - $brooklyn:object:
           type: org.apache.brooklyn.location.jclouds.softlayer.SoftLayerSameVlanLocationCustomizer
@@ -23,13 +23,14 @@ services:
     name: "kubernetes"
     brooklyn.config:
       kubernetes.debug: true
-      kubernetes.version: 1.4.3
+      kubernetes.version: 1.4.5
       start.timeout: 30m
       kubernetes.master.size: 2
       kubernetes.initial.size: 4
       kubernetes.max.size: 16
       etcd.initial.size: 3
-      kubernetes.apiserver.port: 8000
+      kubernetes.apiserver.port: 8443
+      kubernetes.apiserver.protocol: "https"
       kubernetes.scaling.cpu.limit: 0.80
       kubernetes.recovery.stabilizationDelay: 30s
       kubernetes.recovery.failOnRecurringFailuresInThisDuration: 300000

diff --git a/kubernetes/resources/kubernetes/known_tokens.csv b/kubernetes/resources/kubernetes/known_tokens.csv
@@ -0,0 +1 @@
+DwYThAUb63Mu4au35XHnbe3Y3cTu5u8j,admin,admin
diff --git a/kubernetes/resources/kubernetes/kube-dns.yaml b/kubernetes/resources/kubernetes/kube-dns.yaml
@@ -1,13 +1,13 @@
-apiVersion: v1
 kind: Service
+apiVersion: v1
 metadata:
   name: kube-dns
   namespace: kube-system
   labels:
     app: kube-dns
     name: kube-dns-service
     kubernetes.io/cluster-service: "true"
-    kubernetes.io/name: "KubeDNS"
+    kubernetes.io/name: "kube-dns"
 spec:
   selector:
     app: kube-dns
@@ -30,6 +30,7 @@ metadata:
     name: kube-dns-replicationcontroller
     version: v20
     kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "kube-dns"
 spec:
   replicas: ${config['template.substitutions']['replicas']}
   selector:
@@ -71,10 +72,17 @@ spec:
             scheme: HTTP
           initialDelaySeconds: 30
           timeoutSeconds: 5
+        volumeMounts:
+          - mountPath: "/etc/kubernetes/kubeconfig"
+            name: kubeconfig
+            readOnly: true
+          - mountPath: "/etc/kubernetes/certs"
+            name: certs
+            readOnly: true
         args:
           - --domain=${config['template.substitutions']['dns_service_domain']}.local.
           - --dns-port=10053
-          - --kube-master-url=${config['template.substitutions']['kubernetes_url']}
+          - --kubecfg-file=/etc/kubernetes/kubeconfig
         ports:
           - containerPort: 10053
             name: dns-local
@@ -113,4 +121,11 @@ spec:
         ports:
           - containerPort: 8080
             protocol: TCP
-      dnsPolicy: Default
+    volumes:
+      - name: kubeconfig
+        hostPath:
+          path: "/etc/kubernetes/kubeconfig"
+      - name: certs
+        hostPath:
+          path: "/etc/kubernetes/certs"
+    dnsPolicy: Default
diff --git a/kubernetes/resources/kubernetes/kubernetes-dashboard.yaml b/kubernetes/resources/kubernetes/kubernetes-dashboard.yaml
@@ -7,34 +7,54 @@ metadata:
     app: kubernetes-dashboard
     name: kubernetes-dashboard-deployment
     version: v1.4.1
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "kubernetes-dashboard"
 spec:
   replicas: 1
   selector:
     matchLabels:
       app: kubernetes-dashboard
+      kubernetes.io/cluster-service: "true"
   template:
     metadata:
       labels:
         app: kubernetes-dashboard
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
         scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
+        version: v1.4.1
+        kubernetes.io/cluster-service: "true"
     spec:
       containers:
       - name: kubernetes-dashboard
         image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.4.1
         imagePullPolicy: Always
         ports:
-        - containerPort: 9090
-          protocol: TCP
-        args:
-        - --apiserver-host=${config['template.substitutions']['kubernetes_url']}
+          - containerPort: 9090
+            protocol: TCP
+        volumeMounts:
+          - mountPath: "/etc/kubernetes/kubeconfig"
+            name: kubeconfig
+            readOnly: true
+          - mountPath: "/etc/kubernetes/certs"
+            name: certs
+            readOnly: true
+        env:
+          - name: KUBECONFIG
+            value: "/etc/kubernetes/kubeconfig"
         livenessProbe:
           httpGet:
             path: /
             port: 9090
           initialDelaySeconds: 30
           timeoutSeconds: 30
+      volumes:
+        - name: kubeconfig
+          hostPath:
+            path: "/etc/kubernetes/kubeconfig"
+        - name: certs
+          hostPath:
+            path: "/etc/kubernetes/certs"
 ---
 kind: Service
 apiVersion: v1
@@ -47,7 +67,7 @@ metadata:
 spec:
   type: NodePort
   ports:
-  - port: 80
-    targetPort: 9090
+    - port: 80
+      targetPort: 9090
   selector:
     app: kubernetes-dashboard
diff --git a/kubernetes/resources/kubernetes/policy.jsonl b/kubernetes/resources/kubernetes/policy.jsonl
@@ -0,0 +1,10 @@
+{"user":"admin"}
+{"user":"scheduler", "readonly": true, "resource": "pods"}
+{"user":"scheduler", "resource": "bindings"}
+{"user":"proxy", "resource": "services"}
+{"user":"proxy", "resource": "endpoints"}
+{"user":"kubelet",  "resource": "pods"}
+{"user":"kubelet",  "resource": "nodes"}
+{"user":"kubelet",  "readonly": true, "resource": "services"}
+{"user":"kubelet",  "readonly": true, "resource": "endpoints"}
+{"user":"kubelet", "resource": "events"}
diff --git a/kubernetes/resources/kubernetes/prometheus.yaml b/kubernetes/resources/kubernetes/prometheus.yaml
@@ -7,7 +7,7 @@ metadata:
     app: prometheus
     name: prometheus-service
   annotations:
-    prometheus.io/scrape: 'true'
+    prometheus.io/scrape: "true"
 spec:
   selector:
     app: prometheus
@@ -26,12 +26,20 @@ metadata:
   labels:
     app: prometheus
     name: prometheus-deployment
+    version: v1.1.3
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "prometheus"
 spec:
   replicas: 1
+  selector:
+    app: prometheus
+    kubernetes.io/cluster-service: "true"
   template:
     metadata:
       labels:
         app: prometheus
+        version: v1.1.3
+        kubernetes.io/cluster-service: "true"
     spec:
       containers:
       - image: quay.io/prometheus/prometheus:v1.1.3
@@ -65,8 +73,8 @@ spec:
           configMap:
             name: prometheus-config
 ---
-apiVersion: v1
 kind: ConfigMap
+apiVersion: v1
 metadata:
   name: prometheus-config
   namespace: kube-system
@@ -81,38 +89,37 @@ data:
           - targets:
               - localhost:9090
       - job_name: 'kubernetes-cluster'
+        scheme: https
+        tls_config:
+          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
         kubernetes_sd_configs:
           - api_servers:
-              - ${config['template.substitutions']['kubernetes_url']}
-            basic_auth:
-              username: prometheus
-              password: pr0m3th3us
+              - https://kubernetes.default.svc
+            in_cluster: true
             role: apiserver
       - job_name: 'kubernetes-nodes'
+        scheme: https
+        tls_config:
+          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
         kubernetes_sd_configs:
           - api_servers:
-              - ${config['template.substitutions']['kubernetes_url']}
-            basic_auth:
-              username: prometheus
-              password: pr0m3th3us
+              - https://kubernetes.default.svc
+            in_cluster: true
             role: node
         relabel_configs:
           - action: labelmap
             regex: __meta_kubernetes_node_label_(.+)
-          - source_labels: [__meta_kubernetes_role]
-            action: replace
-            target_label: kubernetes_role
-          - source_labels: [__address__]
-            regex: (.*):10250
-            replacement: ${r"${1}:10255"}
-            target_label: __address__
       - job_name: 'kubernetes-service-endpoints'
+        scheme: https
+        tls_config:
+          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
         kubernetes_sd_configs:
           - api_servers:
-              - ${config['template.substitutions']['kubernetes_url']}
-            basic_auth:
-              username: prometheus
-              password: pr0m3th3us
+              - https://kubernetes.default.svc
+            in_cluster: true
             role: endpoint
         relabel_configs:
           - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
@@ -138,4 +145,4 @@ data:
             target_label: kubernetes_namespace
           - source_labels: [__meta_kubernetes_service_name]
             action: replace
-            target_label: kubernetes_name
+            target_label: kubernetes_name