Allow nodes to bootstrap and add oc cluster join for nodes #9547
Created a node-bootstrap.kubeconfig on creation that is a client cert for the account. This simplifies small clusters (because you can just use that file as your bootstrap). However, it's not the ideal outcome, and most people should use `oc cluster join`.

[test]

@dgoodwin this is similar to the upstream work, but leverages our existing crypto infra and is capable of starting existing nodes. I think future work may converge, but will be some difference for a while.
Just some initial comments from trying to test this out.
Add a new node to an existing OpenShift cluster | ||
|
||
.PP | ||
Uses an existing connection to a Docker daemon to start an OpenShift node. You must provide a secret to connect to the master. Before running command, ensure that you can execute docker commands successfully (ie. 'docker ps'). |
Could we get more specific on what that secret is and how you obtain it? I am assuming it's kubeconfig output from create-kubeconfig but per below I don't seem to have a node-bootstrap SA.
It might be very useful to spell out exactly how to do this in the output from oc cluster up, or in the "by example" docs somewhere.
Do you expect that the secret might one day also allow you to use the discovery bits likely landing in 1.6? We would need to plan for how you find an API server if so.
The secret is a kubeconfig file that has the ability to request CSRs. The expectation here is that your file contains discovery info (we're not focused on self-hosting in OpenShift until it's had time to bake in Kube, so the discovery bits aren't really necessary).
`) | ||
) | ||
|
||
// NewCmdJoin creates a command that joins an existing OpenShift cluster. |
FWIW we found `kubeadm reset` pretty handy for both devs and users; `oc cluster leave` might be a nice addition at some point to just clear everything out and allow the user to try again.
KeyFile: path.Join(certDir, "node-bootstrap.key"), | ||
}, | ||
UnqualifiedUser: "node-bootstrap", | ||
User: "system:serviceaccount:openshift-infra:node-bootstrap", |
This is supposed to be created by default after oc cluster up? (this did not seem to happen for me) Anything I might be missing that needs to be done to get it created?
This is created automatically on a new cluster - you would need to rebuild the image if you haven't.
) | ||
if err != nil { | ||
panic(err) | ||
} |
To the above question: this looks like it should be creating a node-bootstrap SA. I do see other SAs defined here, but not this one.
Where does this fit in the larger scope of things? Is oc cluster up/join becoming less focused on dev experimentation and headed for something supported?
signClient = true | ||
break | ||
} | ||
if len(a.approveKubeletServingCSRsForGroup) > 0 && g == a.approveKubeletServingCSRsForGroup { |
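Review bot: the serving-CSR branch at `g == a.approveKubeletServingCSRsForGroup` approves on group membership alone; nothing in this hunk ties the CSR's CN or SANs back to the authenticated requester, so any member of the configured group could be signed for another node's name (or the master's address). Suggest requiring the CSR subject to equal the requester's own `system:node:NAME` identity, and each SAN to match an address already recorded for that node, before the approval takes effect.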
If you sign serving certificates without confirming that my identity actually owns the hostname that you're signing for, then I can exploit the API to gain a serving cert for another node which in combination with an owned node network will allow me to steal any used secret in the system even if we close the API authorizer gaps.
I haven't dug into the pull, but if you allowed me to get signed cert for the address of the master, I could also steal any node credentials I wanted.
No, it would still be focused on the simplest possible workflow that can lead a cluster.
Name: fmt.Sprintf("node-bootstrapper-server-%s", safeSecretName(o.NodeArgs.NodeName)), | ||
}, | ||
Spec: certificates.CertificateSigningRequestSpec{ | ||
Request: csrData, |
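Review bot: the `CertificateSigningRequestSpec` built here populates only `Request`, so nothing in the object itself limits the resulting `node-bootstrapper-server-*` certificate to server authentication; the author's TODO below acknowledges this. Until the API supports restricting key usage, the approver side should reject a serving request whose subject or SANs do not belong to the requesting node, since the signed certificate is otherwise usable as a general credential.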
TODO to limit to server usage in 1.6
if err != nil { | ||
return err | ||
} | ||
if err := o.NodeArgs.MergeSerializeableNodeConfig(nodeConfig); err != nil { |
have you sanity-checked if there's any difference between this and `start node --write-config`?
yes, but will do so again.
#11772
[test]

On Mon, Jan 23, 2017 at 9:13 PM, OpenShift Bot wrote:
    continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13212/) (Base Commit: fac9b78)
things we'll want to fix before this is no longer marked experimental:

make sure it's clearly marked experimental, make sure there are follow-ups for the items above. no other comments.
My execution plan for this is:
When the --bootstrap flag is provided to `start node`, require --kubeconfig, connect to the master and perform a CSR request for a client cert and a server cert. The node then attempts to read a node-config ConfigMap from openshift-infra - if no value exists, it uses the default config. If the CSR is not approved within a few minutes, the node will crash loop. On the master, enable the cert signer and grant the node-bootstrapper service account the appropriate permission to request CSRs.
#12635, marked experimental,
[merge]

On Mon, Jan 23, 2017 at 10:50 PM, OpenShift Bot wrote:
    continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13214/) (Base Commit: b0f2c58)
Evaluated for origin test up to 2525370
Evaluated for origin merge up to 2525370
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13220/) (Base Commit: c971421)
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13232/) (Base Commit: 22d4240) (Image: devenv-rhel7_5761)
can you please add a simple readme on how to use this feature?

Still not clear how to generate the bootstrap secret. Can you please add a simple readme or post commands here? I will write a README. I tried multiple options but could not get it right.
oc serviceaccounts create-kubeconfig -n openshift-infra node-boostrapper > FILE
looks like a typo in

You didn't spell bootstrapper correctly

On Jul 16, 2017, at 6:28 PM, Chakradhar Rao Jonagam wrote:
    @smarterclayton this is what i get, version information at the bottom.
    $ oc serviceaccounts create-kubeconfig -n openshift-infra node-boostrapper
    Error from server (NotFound): serviceaccounts "node-boostrapper" not found
    $ oc version
    oc v3.6.0-rc.0+98b3d56
    kubernetes v1.6.1+5115d708d7
    features: Basic-Auth
    Server https://192.168.99.100:8443
    openshift v3.6.0-rc.0+98b3d56
    kubernetes v1.6.1+5115d708d7
Tried with correct spelling now. Here is what I tried on mac.

master:
    oc cluster up --docker-machine --create-machine
    oc serviceaccounts create-kubeconfig -n openshift-infra node-bootstrapper > secret

node1:
    oc cluster join --docker-machine=n1 --create-machine --secret='content of secret'

Failed with the following error on node1 docker-machine:
    -- Finding server IP ...
    Using docker-machine IP 192.168.99.101 as the host IP
    Using 192.168.99.101 as the server IP
    -- Joining OpenShift cluster ...
    Starting OpenShift Node using container 'origin'
    FAIL
    Error: could not start OpenShift container "origin"
    Details:
    No log available from "origin" container
same issue here using:
master
node
result: failed on the node with the following error:

cc/ @smarterclayton
Leverage the alpha CSR endpoint in Kube to allow nodes to bootstrap themselves. On startup, the node now accepts `--bootstrap`, which instructs it to perform the following steps:

- Use `--kubeconfig` to connect to the master and attempt to create a CSR for a client cert on `system:nodes`, with the common name `system:node:NAME`
- Read `node-config` in namespace `openshift-infra` if it exists

The server creates a new infra service account on startup - `node-bootstrap` in `openshift-infra`. This account is granted the ability to create client CSRs (and nothing else). The CSR controller is initialized (if no defaults are set) to allow the `system:serviceaccounts:openshift-infra` group to request client CSRs and the `system:nodes` group to request server CSRs. The controller can be disabled by setting an invalid or unused group.

Add a new command `oc serviceaccounts create-kubeconfig` which generates a kubeconfig file for a service account (to make it easy to generate a kubeconfig that can be used to bootstrap the node).

Add a new command `oc cluster join` which launches a container that acts as a node.
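The two CSR flows the description above lays out (client CSRs from the `node-bootstrap` account on `system:nodes` with CN `system:node:NAME`, server CSRs from existing nodes) and the approval gap raised in the review comments (signing serving certificates on group membership alone), as an added Go example that is not the PR's code: `newNodeCSR` constructs the CSR a bootstrapping node would submit, and `approveNodeCSR` is a hypothetical approver check that ties the CSR's subject and SANs back to the authenticated requester before anything is signed. The `ownedSANs` set, standing in for addresses the master has already recorded for a node, and the use of the group and prefix constants as approval policy are assumptions of this example, not behaviour the page attributes to the controller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
	"strings"
)

// Identities named in the PR description: the bootstrap service account's group may
// request client certs; members of system:nodes may request serving certs.
const (
	bootstrapGroup = "system:serviceaccounts:openshift-infra"
	nodesGroup     = "system:nodes"
	nodeUserPrefix = "system:node:"
)

// newNodeCSR builds the PEM CSR a bootstrapping node would submit: CN system:node:NAME
// and O system:nodes, plus host SANs when a serving cert is wanted (constructed sample).
func newNodeCSR(nodeName string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{
		CommonName: nodeUserPrefix + nodeName, Organization: []string{nodesGroup}}}
	for _, s := range sans {
		if ip := net.ParseIP(s); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, s)
		}
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// parseCSR decodes the PEM and checks the CSR is signed by the key it carries.
func parseCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

// approveNodeCSR is a hypothetical approver check. It returns the kind of certificate
// ("client" or "serving") a CSR would produce, or an error refusing it. Group
// membership only selects the branch; the subject and SANs must match what the
// requester is entitled to. ownedSANs stands in for the addresses the master has
// recorded for the requesting node (an assumption of this example).
func approveNodeCSR(csrPEM []byte, username string, groups, ownedSANs map[string]bool) (string, error) {
	csr, err := parseCSR(csrPEM)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(csr.Subject.CommonName, nodeUserPrefix) || len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != nodesGroup {
		return "", fmt.Errorf("subject %q is not a node identity", csr.Subject.String())
	}
	if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 {
		return "", fmt.Errorf("CSR carries non-host SANs")
	}
	switch {
	case groups[bootstrapGroup]:
		// Bootstrap account: a client identity only, never a cert carrying host names.
		if len(csr.DNSNames)+len(csr.IPAddresses) > 0 {
			return "", fmt.Errorf("bootstrap account may not request a serving cert")
		}
		return "client", nil
	case groups[nodesGroup]:
		// Existing node: only its own name, and only addresses already recorded for it,
		// so node A cannot be issued node B's or the master's name.
		if csr.Subject.CommonName != username {
			return "", fmt.Errorf("CN %q does not match requester %q", csr.Subject.CommonName, username)
		}
		names := append([]string{}, csr.DNSNames...)
		for _, ip := range csr.IPAddresses {
			names = append(names, ip.String())
		}
		for _, n := range names {
			if !ownedSANs[n] {
				return "", fmt.Errorf("SAN %q is not recorded for %s", n, username)
			}
		}
		return "serving", nil
	}
	return "", fmt.Errorf("%s is in neither %s nor %s", username, bootstrapGroup, nodesGroup)
}
```

The check an approver would run for `system:node:node-a` is `approveNodeCSR(csrPEM, "system:node:node-a", map[string]bool{nodesGroup: true}, ownedSANs)`; the same CSR presented by `system:node:node-b`, or with an address not in `ownedSANs`, is refused, which is the property the group-only check in the diff does not give.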