// InitializeTLS checks for a configured TLSCertFile and TLSPrivateKeyFile: if unspecified a new self-signed // certificate and key file are generated. Returns a configured server.TLSOptions object. func InitializeTLS(kc *componentconfig.KubeletConfiguration) (*server.TLSOptions, error) { if kc.TLSCertFile == "" && kc.TLSPrivateKeyFile == "" { kc.TLSCertFile = path.Join(kc.CertDirectory, "kubelet.crt") kc.TLSPrivateKeyFile = path.Join(kc.CertDirectory, "kubelet.key") if !crypto.FoundCertOrKey(kc.TLSCertFile, kc.TLSPrivateKeyFile) { if err := crypto.GenerateSelfSignedCert(nodeutil.GetHostname(kc.HostnameOverride), kc.TLSCertFile, kc.TLSPrivateKeyFile, nil, nil); err != nil { return nil, fmt.Errorf("unable to generate self signed cert: %v", err) } glog.V(4).Infof("Using self-signed cert (%s, %s)", kc.TLSCertFile, kc.TLSPrivateKeyFile) } } tlsOptions := &server.TLSOptions{ Config: &tls.Config{ // Can't use SSLv3 because of POODLE and BEAST // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher // Can't use TLSv1.1 because of RC4 cipher usage MinVersion: tls.VersionTLS12, // Populate PeerCertificates in requests, but don't yet reject connections without certificates. ClientAuth: tls.RequestClientCert, }, CertFile: kc.TLSCertFile, KeyFile: kc.TLSPrivateKeyFile, } return tlsOptions, nil }
// InitializeTLS checks for a configured TLSCertFile and TLSPrivateKeyFile: if unspecified a new self-signed // certificate and key file are generated. Returns a configured server.TLSOptions object. func InitializeTLS(kc *componentconfig.KubeletConfiguration) (*server.TLSOptions, error) { if kc.TLSCertFile == "" && kc.TLSPrivateKeyFile == "" { kc.TLSCertFile = path.Join(kc.CertDirectory, "kubelet.crt") kc.TLSPrivateKeyFile = path.Join(kc.CertDirectory, "kubelet.key") if !certutil.CanReadCertOrKey(kc.TLSCertFile, kc.TLSPrivateKeyFile) { if err := certutil.GenerateSelfSignedCert(nodeutil.GetHostname(kc.HostnameOverride), kc.TLSCertFile, kc.TLSPrivateKeyFile, nil, nil); err != nil { return nil, fmt.Errorf("unable to generate self signed cert: %v", err) } glog.V(4).Infof("Using self-signed cert (%s, %s)", kc.TLSCertFile, kc.TLSPrivateKeyFile) } } tlsOptions := &server.TLSOptions{ Config: &tls.Config{ // Can't use SSLv3 because of POODLE and BEAST // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher // Can't use TLSv1.1 because of RC4 cipher usage MinVersion: tls.VersionTLS12, }, CertFile: kc.TLSCertFile, KeyFile: kc.TLSPrivateKeyFile, } if len(kc.Authentication.X509.ClientCAFile) > 0 { clientCAs, err := cert.NewPool(kc.Authentication.X509.ClientCAFile) if err != nil { return nil, fmt.Errorf("unable to load client CA file %s: %v", kc.Authentication.X509.ClientCAFile, err) } // Specify allowed CAs for client certificates tlsOptions.Config.ClientCAs = clientCAs // Populate PeerCertificates in requests, but don't reject connections without verified certificates tlsOptions.Config.ClientAuth = tls.RequestClientCert } return tlsOptions, nil }
func autoConvert_v1alpha1_KubeletConfiguration_To_componentconfig_KubeletConfiguration(in *KubeletConfiguration, out *componentconfig.KubeletConfiguration, s conversion.Scope) error { out.PodManifestPath = in.PodManifestPath out.SyncFrequency = in.SyncFrequency out.FileCheckFrequency = in.FileCheckFrequency out.HTTPCheckFrequency = in.HTTPCheckFrequency out.ManifestURL = in.ManifestURL out.ManifestURLHeader = in.ManifestURLHeader if err := api.Convert_Pointer_bool_To_bool(&in.EnableServer, &out.EnableServer, s); err != nil { return err } out.Address = in.Address out.Port = in.Port out.ReadOnlyPort = in.ReadOnlyPort out.TLSCertFile = in.TLSCertFile out.TLSPrivateKeyFile = in.TLSPrivateKeyFile out.CertDirectory = in.CertDirectory if err := Convert_v1alpha1_KubeletAuthentication_To_componentconfig_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil { return err } if err := Convert_v1alpha1_KubeletAuthorization_To_componentconfig_KubeletAuthorization(&in.Authorization, &out.Authorization, s); err != nil { return err } out.HostnameOverride = in.HostnameOverride out.PodInfraContainerImage = in.PodInfraContainerImage out.DockerEndpoint = in.DockerEndpoint out.RootDirectory = in.RootDirectory out.SeccompProfileRoot = in.SeccompProfileRoot if err := api.Convert_Pointer_bool_To_bool(&in.AllowPrivileged, &out.AllowPrivileged, s); err != nil { return err } out.HostNetworkSources = *(*[]string)(unsafe.Pointer(&in.HostNetworkSources)) out.HostPIDSources = *(*[]string)(unsafe.Pointer(&in.HostPIDSources)) out.HostIPCSources = *(*[]string)(unsafe.Pointer(&in.HostIPCSources)) if err := api.Convert_Pointer_int32_To_int32(&in.RegistryPullQPS, &out.RegistryPullQPS, s); err != nil { return err } out.RegistryBurst = in.RegistryBurst if err := api.Convert_Pointer_int32_To_int32(&in.EventRecordQPS, &out.EventRecordQPS, s); err != nil { return err } out.EventBurst = in.EventBurst if err := api.Convert_Pointer_bool_To_bool(&in.EnableDebuggingHandlers, &out.EnableDebuggingHandlers, s); err != nil { return err } out.MinimumGCAge = in.MinimumGCAge out.MaxPerPodContainerCount = in.MaxPerPodContainerCount if err := api.Convert_Pointer_int32_To_int32(&in.MaxContainerCount, &out.MaxContainerCount, s); err != nil { return err } out.CAdvisorPort = in.CAdvisorPort out.HealthzPort = in.HealthzPort out.HealthzBindAddress = in.HealthzBindAddress if err := api.Convert_Pointer_int32_To_int32(&in.OOMScoreAdj, &out.OOMScoreAdj, s); err != nil { return err } if err := api.Convert_Pointer_bool_To_bool(&in.RegisterNode, &out.RegisterNode, s); err != nil { return err } out.ClusterDomain = in.ClusterDomain out.MasterServiceNamespace = in.MasterServiceNamespace out.ClusterDNS = in.ClusterDNS out.StreamingConnectionIdleTimeout = in.StreamingConnectionIdleTimeout out.NodeStatusUpdateFrequency = in.NodeStatusUpdateFrequency out.ImageMinimumGCAge = in.ImageMinimumGCAge if err := api.Convert_Pointer_int32_To_int32(&in.ImageGCHighThresholdPercent, &out.ImageGCHighThresholdPercent, s); err != nil { return err } if err := api.Convert_Pointer_int32_To_int32(&in.ImageGCLowThresholdPercent, &out.ImageGCLowThresholdPercent, s); err != nil { return err } out.LowDiskSpaceThresholdMB = in.LowDiskSpaceThresholdMB out.VolumeStatsAggPeriod = in.VolumeStatsAggPeriod out.NetworkPluginName = in.NetworkPluginName out.NetworkPluginDir = in.NetworkPluginDir out.CNIConfDir = in.CNIConfDir out.CNIBinDir = in.CNIBinDir out.NetworkPluginMTU = in.NetworkPluginMTU out.VolumePluginDir = in.VolumePluginDir out.CloudProvider = in.CloudProvider out.CloudConfigFile = in.CloudConfigFile out.KubeletCgroups = in.KubeletCgroups out.RuntimeCgroups = in.RuntimeCgroups out.SystemCgroups = in.SystemCgroups out.CgroupRoot = in.CgroupRoot if err := api.Convert_Pointer_bool_To_bool(&in.ExperimentalCgroupsPerQOS, &out.ExperimentalCgroupsPerQOS, s); err != nil { return err } out.CgroupDriver = in.CgroupDriver out.ContainerRuntime = in.ContainerRuntime out.RemoteRuntimeEndpoint = in.RemoteRuntimeEndpoint out.RemoteImageEndpoint = in.RemoteImageEndpoint out.RuntimeRequestTimeout = in.RuntimeRequestTimeout out.RktPath = in.RktPath out.ExperimentalMounterPath = in.ExperimentalMounterPath out.RktAPIEndpoint = in.RktAPIEndpoint out.RktStage1Image = in.RktStage1Image if err := api.Convert_Pointer_string_To_string(&in.LockFilePath, &out.LockFilePath, s); err != nil { return err } out.ExitOnLockContention = in.ExitOnLockContention out.HairpinMode = in.HairpinMode out.BabysitDaemons = in.BabysitDaemons out.MaxPods = in.MaxPods out.NvidiaGPUs = in.NvidiaGPUs out.DockerExecHandlerName = in.DockerExecHandlerName out.PodCIDR = in.PodCIDR out.ResolverConfig = in.ResolverConfig if err := api.Convert_Pointer_bool_To_bool(&in.CPUCFSQuota, &out.CPUCFSQuota, s); err != nil { return err } if err := api.Convert_Pointer_bool_To_bool(&in.Containerized, &out.Containerized, s); err != nil { return err } out.MaxOpenFiles = in.MaxOpenFiles if err := api.Convert_Pointer_bool_To_bool(&in.ReconcileCIDR, &out.ReconcileCIDR, s); err != nil { return err } if err := api.Convert_Pointer_bool_To_bool(&in.RegisterSchedulable, &out.RegisterSchedulable, s); err != nil { return err } out.ContentType = in.ContentType if err := api.Convert_Pointer_int32_To_int32(&in.KubeAPIQPS, &out.KubeAPIQPS, s); err != nil { return err } out.KubeAPIBurst = in.KubeAPIBurst if err := api.Convert_Pointer_bool_To_bool(&in.SerializeImagePulls, &out.SerializeImagePulls, s); err != nil { return err } out.OutOfDiskTransitionFrequency = in.OutOfDiskTransitionFrequency out.NodeIP = in.NodeIP out.NodeLabels = *(*map[string]string)(unsafe.Pointer(&in.NodeLabels)) out.NonMasqueradeCIDR = in.NonMasqueradeCIDR out.EnableCustomMetrics = in.EnableCustomMetrics if err := api.Convert_Pointer_string_To_string(&in.EvictionHard, &out.EvictionHard, s); err != nil { return err } out.EvictionSoft = in.EvictionSoft out.EvictionSoftGracePeriod = in.EvictionSoftGracePeriod out.EvictionPressureTransitionPeriod = in.EvictionPressureTransitionPeriod out.EvictionMaxPodGracePeriod = in.EvictionMaxPodGracePeriod out.EvictionMinimumReclaim = in.EvictionMinimumReclaim out.PodsPerCore = in.PodsPerCore if err := api.Convert_Pointer_bool_To_bool(&in.EnableControllerAttachDetach, &out.EnableControllerAttachDetach, s); err != nil { return err } out.SystemReserved = *(*config.ConfigurationMap)(unsafe.Pointer(&in.SystemReserved)) out.KubeReserved = *(*config.ConfigurationMap)(unsafe.Pointer(&in.KubeReserved)) out.ProtectKernelDefaults = in.ProtectKernelDefaults if err := api.Convert_Pointer_bool_To_bool(&in.MakeIPTablesUtilChains, &out.MakeIPTablesUtilChains, s); err != nil { return err } if err := api.Convert_Pointer_int32_To_int32(&in.IPTablesMasqueradeBit, &out.IPTablesMasqueradeBit, s); err != nil { return err } if err := api.Convert_Pointer_int32_To_int32(&in.IPTablesDropBit, &out.IPTablesDropBit, s); err != nil { return err } out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls)) out.FeatureGates = in.FeatureGates out.EnableCRI = in.EnableCRI out.ExperimentalFailSwapOn = in.ExperimentalFailSwapOn out.ExperimentalCheckNodeCapabilitiesBeforeMount = in.ExperimentalCheckNodeCapabilitiesBeforeMount return nil }
func autoConvert_v1alpha1_KubeletConfiguration_To_componentconfig_KubeletConfiguration(in *KubeletConfiguration, out *componentconfig.KubeletConfiguration, s conversion.Scope) error { SetDefaults_KubeletConfiguration(in) if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { return err } out.PodManifestPath = in.PodManifestPath out.SyncFrequency = in.SyncFrequency out.FileCheckFrequency = in.FileCheckFrequency out.HTTPCheckFrequency = in.HTTPCheckFrequency out.ManifestURL = in.ManifestURL out.ManifestURLHeader = in.ManifestURLHeader if err := api.Convert_Pointer_bool_To_bool(&in.EnableServer, &out.EnableServer, s); err != nil { return err } out.Address = in.Address out.Port = in.Port out.ReadOnlyPort = in.ReadOnlyPort out.TLSCertFile = in.TLSCertFile out.TLSPrivateKeyFile = in.TLSPrivateKeyFile out.CertDirectory = in.CertDirectory out.HostnameOverride = in.HostnameOverride out.PodInfraContainerImage = in.PodInfraContainerImage out.DockerEndpoint = in.DockerEndpoint out.RootDirectory = in.RootDirectory out.SeccompProfileRoot = in.SeccompProfileRoot if err := api.Convert_Pointer_bool_To_bool(&in.AllowPrivileged, &out.AllowPrivileged, s); err != nil { return err } out.HostNetworkSources = in.HostNetworkSources out.HostPIDSources = in.HostPIDSources out.HostIPCSources = in.HostIPCSources if err := api.Convert_Pointer_int32_To_int32(&in.RegistryPullQPS, &out.RegistryPullQPS, s); err != nil { return err } out.RegistryBurst = in.RegistryBurst if err := api.Convert_Pointer_int32_To_int32(&in.EventRecordQPS, &out.EventRecordQPS, s); err != nil { return err } out.EventBurst = in.EventBurst if err := api.Convert_Pointer_bool_To_bool(&in.EnableDebuggingHandlers, &out.EnableDebuggingHandlers, s); err != nil { return err } out.MinimumGCAge = in.MinimumGCAge out.MaxPerPodContainerCount = in.MaxPerPodContainerCount if err := api.Convert_Pointer_int32_To_int32(&in.MaxContainerCount, &out.MaxContainerCount, s); err != nil { return err } out.CAdvisorPort = in.CAdvisorPort out.HealthzPort = in.HealthzPort out.HealthzBindAddress = in.HealthzBindAddress if err := api.Convert_Pointer_int32_To_int32(&in.OOMScoreAdj, &out.OOMScoreAdj, s); err != nil { return err } if err := api.Convert_Pointer_bool_To_bool(&in.RegisterNode, &out.RegisterNode, s); err != nil { return err } out.ClusterDomain = in.ClusterDomain out.MasterServiceNamespace = in.MasterServiceNamespace out.ClusterDNS = in.ClusterDNS out.StreamingConnectionIdleTimeout = in.StreamingConnectionIdleTimeout out.NodeStatusUpdateFrequency = in.NodeStatusUpdateFrequency out.ImageMinimumGCAge = in.ImageMinimumGCAge if err := api.Convert_Pointer_int32_To_int32(&in.ImageGCHighThresholdPercent, &out.ImageGCHighThresholdPercent, s); err != nil { return err } if err := api.Convert_Pointer_int32_To_int32(&in.ImageGCLowThresholdPercent, &out.ImageGCLowThresholdPercent, s); err != nil { return err } out.LowDiskSpaceThresholdMB = in.LowDiskSpaceThresholdMB out.VolumeStatsAggPeriod = in.VolumeStatsAggPeriod out.NetworkPluginName = in.NetworkPluginName out.NetworkPluginDir = in.NetworkPluginDir out.VolumePluginDir = in.VolumePluginDir out.CloudProvider = in.CloudProvider out.CloudConfigFile = in.CloudConfigFile out.KubeletCgroups = in.KubeletCgroups out.RuntimeCgroups = in.RuntimeCgroups out.SystemCgroups = in.SystemCgroups out.CgroupRoot = in.CgroupRoot if err := api.Convert_Pointer_bool_To_bool(&in.CgroupsPerQOS, &out.CgroupsPerQOS, s); err != nil { return err } out.ContainerRuntime = in.ContainerRuntime out.RuntimeRequestTimeout = in.RuntimeRequestTimeout out.RktPath = in.RktPath out.RktAPIEndpoint = in.RktAPIEndpoint out.RktStage1Image = in.RktStage1Image if err := api.Convert_Pointer_string_To_string(&in.LockFilePath, &out.LockFilePath, s); err != nil { return err } out.ExitOnLockContention = in.ExitOnLockContention if err := api.Convert_Pointer_bool_To_bool(&in.ConfigureCBR0, &out.ConfigureCBR0, s); err != nil { return err } out.HairpinMode = in.HairpinMode out.BabysitDaemons = in.BabysitDaemons out.MaxPods = in.MaxPods out.NvidiaGPUs = in.NvidiaGPUs out.DockerExecHandlerName = in.DockerExecHandlerName out.PodCIDR = in.PodCIDR out.ResolverConfig = in.ResolverConfig if err := api.Convert_Pointer_bool_To_bool(&in.CPUCFSQuota, &out.CPUCFSQuota, s); err != nil { return err } if err := api.Convert_Pointer_bool_To_bool(&in.Containerized, &out.Containerized, s); err != nil { return err } out.MaxOpenFiles = in.MaxOpenFiles if err := api.Convert_Pointer_bool_To_bool(&in.ReconcileCIDR, &out.ReconcileCIDR, s); err != nil { return err } if err := api.Convert_Pointer_bool_To_bool(&in.RegisterSchedulable, &out.RegisterSchedulable, s); err != nil { return err } out.ContentType = in.ContentType if err := api.Convert_Pointer_int32_To_int32(&in.KubeAPIQPS, &out.KubeAPIQPS, s); err != nil { return err } out.KubeAPIBurst = in.KubeAPIBurst if err := api.Convert_Pointer_bool_To_bool(&in.SerializeImagePulls, &out.SerializeImagePulls, s); err != nil { return err } out.ExperimentalFlannelOverlay = in.ExperimentalFlannelOverlay out.OutOfDiskTransitionFrequency = in.OutOfDiskTransitionFrequency out.NodeIP = in.NodeIP out.NodeLabels = in.NodeLabels out.NonMasqueradeCIDR = in.NonMasqueradeCIDR out.EnableCustomMetrics = in.EnableCustomMetrics if err := api.Convert_Pointer_string_To_string(&in.EvictionHard, &out.EvictionHard, s); err != nil { return err } out.EvictionSoft = in.EvictionSoft out.EvictionSoftGracePeriod = in.EvictionSoftGracePeriod out.EvictionPressureTransitionPeriod = in.EvictionPressureTransitionPeriod out.EvictionMaxPodGracePeriod = in.EvictionMaxPodGracePeriod out.EvictionMinimumReclaim = in.EvictionMinimumReclaim out.PodsPerCore = in.PodsPerCore if err := api.Convert_Pointer_bool_To_bool(&in.EnableControllerAttachDetach, &out.EnableControllerAttachDetach, s); err != nil { return err } if in.SystemReserved != nil { in, out := &in.SystemReserved, &out.SystemReserved *out = make(config.ConfigurationMap, len(*in)) for key, val := range *in { (*out)[key] = val } } else { out.SystemReserved = nil } if in.KubeReserved != nil { in, out := &in.KubeReserved, &out.KubeReserved *out = make(config.ConfigurationMap, len(*in)) for key, val := range *in { (*out)[key] = val } } else { out.KubeReserved = nil } out.ProtectKernelDefaults = in.ProtectKernelDefaults return nil }