Merge pull request #12006 from johngmyers/apiserver-volume

Remove apiserver's access to controller-manager secrets

nodeup/pkg/model/kube_apiserver.go

@@ -130,13 +130,11 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 		if err := issueCert.AddFileTasks(c, pathSrvKAPI, issueCert.Name, "", nil); err != nil {
 			return err
 		}
-		kubeAPIServer.EtcdCertFile = filepath.Join(pathSrvKAPI, "etcd-client.crt")
-		kubeAPIServer.EtcdKeyFile = filepath.Join(pathSrvKAPI, "etcd-client.key")
 	} else if b.UseEtcdTLS() {
 		kubeAPIServer.EtcdCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
-		kubeAPIServer.EtcdCertFile = filepath.Join(b.PathSrvKubernetes(), "etcd-client.pem")
-		kubeAPIServer.EtcdKeyFile = filepath.Join(b.PathSrvKubernetes(), "etcd-client-key.pem")
 	}
+	kubeAPIServer.EtcdCertFile = filepath.Join(pathSrvKAPI, "etcd-client.crt")
+	kubeAPIServer.EtcdKeyFile = filepath.Join(pathSrvKAPI, "etcd-client.key")
 
 	{
 		c.AddTask(&nodetasks.File{
@@ -698,10 +696,10 @@ func (b *KubeAPIServerBuilder) buildPod(kubeAPIServer *kops.KubeAPIServerConfig)
 		addHostPathMapping(pod, container, "cloudconfig", CloudConfigFilePath)
 	}
 
-	pathSrvKubernetes := b.PathSrvKubernetes()
-	if pathSrvKubernetes != "" {
-		addHostPathMapping(pod, container, "srvkube", pathSrvKubernetes)
-	}
+	addHostPathMapping(pod, container, "kubernetesca", filepath.Join(b.PathSrvKubernetes(), "ca.crt"))
+
+	pathSrvKAPI := filepath.Join(b.PathSrvKubernetes(), "kube-apiserver")
+	addHostPathMapping(pod, container, "srvkapi", pathSrvKAPI)
 
 	pathSrvSshproxy := b.PathSrvSshproxy()
 	if pathSrvSshproxy != "" {

nodeup/pkg/model/protokube.go

@@ -101,16 +101,24 @@ func (t *ProtokubeBuilder) Build(c *fi.ModelBuilderContext) error {
 
 		// retrieve the etcd peer certificates and private keys from the keystore
 		if !t.UseEtcdManager() && t.UseEtcdTLS() {
-			for _, x := range []string{"etcd", "etcd-peer", "etcd-client"} {
+			for _, x := range []string{"etcd", "etcd-peer"} {
 				if err := t.BuildCertificateTask(c, x, fmt.Sprintf("%s.pem", x), nil); err != nil {
 					return err
 				}
 			}
-			for _, x := range []string{"etcd", "etcd-peer", "etcd-client"} {
+			for _, x := range []string{"etcd", "etcd-peer"} {
 				if err := t.BuildLegacyPrivateKeyTask(c, x, fmt.Sprintf("%s-key.pem", x), nil); err != nil {
 					return err
 				}
 			}
+			pathEtcdClient := filepath.Join(t.PathSrvKubernetes(), "kube-apiserver", "etcd-client")
+			if err := t.BuildCertificateTask(c, "etcd-client", pathEtcdClient+".crt", nil); err != nil {
+				return err
+			}
+			if err := t.BuildLegacyPrivateKeyTask(c, "etcd-client", pathEtcdClient+".key", nil); err != nil {
+				return err
+			}
+
 		}
 	}
 

nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml

@@ -123,8 +123,11 @@ contents: |
       - mountPath: /etc/kubernetes/cloud.config
         name: cloudconfig
         readOnly: true
-      - mountPath: /srv/kubernetes
-        name: srvkube
+      - mountPath: /srv/kubernetes/ca.crt
+        name: kubernetesca
+        readOnly: true
+      - mountPath: /srv/kubernetes/kube-apiserver
+        name: srvkapi
         readOnly: true
       - mountPath: /srv/sshproxy
         name: srvsshproxy
@@ -172,8 +175,11 @@ contents: |
         path: /etc/kubernetes/cloud.config
       name: cloudconfig
     - hostPath:
-        path: /srv/kubernetes
-      name: srvkube
+        path: /srv/kubernetes/ca.crt
+      name: kubernetesca
+    - hostPath:
+        path: /srv/kubernetes/kube-apiserver
+      name: srvkapi
     - hostPath:
         path: /srv/sshproxy
       name: srvsshproxy

nodeup/pkg/model/tests/golden/dedicated-apiserver/tasks-kube-apiserver.yaml

@@ -101,8 +101,11 @@ contents: |
       - mountPath: /etc/kubernetes/cloud.config
         name: cloudconfig
         readOnly: true
-      - mountPath: /srv/kubernetes
-        name: srvkube
+      - mountPath: /srv/kubernetes/ca.crt
+        name: kubernetesca
+        readOnly: true
+      - mountPath: /srv/kubernetes/kube-apiserver
+        name: srvkapi
         readOnly: true
       - mountPath: /srv/sshproxy
         name: srvsshproxy
@@ -147,8 +150,11 @@ contents: |
         path: /etc/kubernetes/cloud.config
       name: cloudconfig
     - hostPath:
-        path: /srv/kubernetes
-      name: srvkube
+        path: /srv/kubernetes/ca.crt
+      name: kubernetesca
+    - hostPath:
+        path: /srv/kubernetes/kube-apiserver
+      name: srvkapi
     - hostPath:
         path: /srv/sshproxy
       name: srvsshproxy

nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml

@@ -101,8 +101,11 @@ contents: |
       - mountPath: /etc/kubernetes/cloud.config
         name: cloudconfig
         readOnly: true
-      - mountPath: /srv/kubernetes
-        name: srvkube
+      - mountPath: /srv/kubernetes/ca.crt
+        name: kubernetesca
+        readOnly: true
+      - mountPath: /srv/kubernetes/kube-apiserver
+        name: srvkapi
         readOnly: true
       - mountPath: /srv/sshproxy
         name: srvsshproxy
@@ -147,8 +150,11 @@ contents: |
         path: /etc/kubernetes/cloud.config
       name: cloudconfig
     - hostPath:
-        path: /srv/kubernetes
-      name: srvkube
+        path: /srv/kubernetes/ca.crt
+      name: kubernetesca
+    - hostPath:
+        path: /srv/kubernetes/kube-apiserver
+      name: srvkapi
     - hostPath:
         path: /srv/sshproxy
       name: srvsshproxy

nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml

@@ -101,8 +101,11 @@ contents: |
       - mountPath: /etc/kubernetes/cloud.config
         name: cloudconfig
         readOnly: true
-      - mountPath: /srv/kubernetes
-        name: srvkube
+      - mountPath: /srv/kubernetes/ca.crt
+        name: kubernetesca
+        readOnly: true
+      - mountPath: /srv/kubernetes/kube-apiserver
+        name: srvkapi
         readOnly: true
       - mountPath: /srv/sshproxy
         name: srvsshproxy
@@ -147,8 +150,11 @@ contents: |
         path: /etc/kubernetes/cloud.config
       name: cloudconfig
     - hostPath:
-        path: /srv/kubernetes
-      name: srvkube
+        path: /srv/kubernetes/ca.crt
+      name: kubernetesca
+    - hostPath:
+        path: /srv/kubernetes/kube-apiserver
+      name: srvkapi
     - hostPath:
         path: /srv/sshproxy
       name: srvsshproxy

nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml

@@ -101,8 +101,11 @@ contents: |
       - mountPath: /etc/kubernetes/cloud.config
         name: cloudconfig
         readOnly: true
-      - mountPath: /srv/kubernetes
-        name: srvkube
+      - mountPath: /srv/kubernetes/ca.crt
+        name: kubernetesca
+        readOnly: true
+      - mountPath: /srv/kubernetes/kube-apiserver
+        name: srvkapi
         readOnly: true
       - mountPath: /srv/sshproxy
         name: srvsshproxy
@@ -147,8 +150,11 @@ contents: |
         path: /etc/kubernetes/cloud.config
       name: cloudconfig
     - hostPath:
-        path: /srv/kubernetes
-      name: srvkube
+        path: /srv/kubernetes/ca.crt
+      name: kubernetesca
+    - hostPath:
+        path: /srv/kubernetes/kube-apiserver
+      name: srvkapi
     - hostPath:
         path: /srv/sshproxy
       name: srvsshproxy

nodeup/pkg/model/tests/golden/without-etcd-events/tasks-kube-apiserver.yaml

@@ -100,8 +100,11 @@ contents: |
       - mountPath: /etc/kubernetes/cloud.config
         name: cloudconfig
         readOnly: true
-      - mountPath: /srv/kubernetes
-        name: srvkube
+      - mountPath: /srv/kubernetes/ca.crt
+        name: kubernetesca
+        readOnly: true
+      - mountPath: /srv/kubernetes/kube-apiserver
+        name: srvkapi
         readOnly: true
       - mountPath: /srv/sshproxy
         name: srvsshproxy
@@ -146,8 +149,11 @@ contents: |
         path: /etc/kubernetes/cloud.config
       name: cloudconfig
     - hostPath:
-        path: /srv/kubernetes
-      name: srvkube
+        path: /srv/kubernetes/ca.crt
+      name: kubernetesca
+    - hostPath:
+        path: /srv/kubernetes/kube-apiserver
+      name: srvkapi
     - hostPath:
         path: /srv/sshproxy
       name: srvsshproxy