Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 86f10e57d1c288fc97be7a03b03b31bedfcb0f44 / . / metropolis / node / kubernetes / apiserver.go
blob: 427d05914db85de02c4afdc6a47b6d7b3238400f [file] [log] [blame]
Tim Windelschmidt6d33a432025-02-04 14:34:25 +0100[diff] [blame]1// Copyright The Monogon Project Authors.
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]2// SPDX-License-Identifier: Apache-2.0
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]3
4package kubernetes
5
6import (
7 "context"
Lorenz Brun6211e4d2023-11-14 19:09:40 +0100[diff] [blame]8 "encoding/json"
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]9 "encoding/pem"
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]10 "fmt"
11 "net"
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]12 "os/exec"
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]13
Lorenz Brun6211e4d2023-11-14 19:09:40 +0100[diff] [blame]14 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
15 "k8s.io/apimachinery/pkg/runtime"
16 "k8s.io/apimachinery/pkg/runtime/schema"
17 "k8s.io/apiserver/pkg/apis/apiserver"
18 "k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity"
19 podsecurityadmissionv1 "k8s.io/pod-security-admission/admission/api/v1"
20
Jan Schär0f8ce4c2025-09-04 13:27:50 +0200[diff] [blame]21 "source.monogon.dev/metropolis/node/allocs"
Serge Bazanski31370b02021-01-07 16:31:14 +0100[diff] [blame]22 "source.monogon.dev/metropolis/node/core/localstorage"
23 "source.monogon.dev/metropolis/node/kubernetes/pki"
Tim Windelschmidt9f21f532024-05-07 15:14:20 +0200[diff] [blame]24 "source.monogon.dev/osbase/fileargs"
25 "source.monogon.dev/osbase/supervisor"
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]26)
27
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]28type apiserverService struct {
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]29 KPKI *pki.PKI
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]30 AdvertiseAddress net.IP
31 ServiceIPRange net.IPNet
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]32 EphemeralConsensusDirectory *localstorage.EphemeralConsensusDirectory
33
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]34 // All PKI-related things are in DER
35 idCA []byte
36 kubeletClientCert []byte
37 kubeletClientKey []byte
38 aggregationCA []byte
39 aggregationClientCert []byte
40 aggregationClientKey []byte
41 serviceAccountPrivKey []byte // In PKIX form
42 serverCert []byte
43 serverKey []byte
44}
45
Lorenz Brun6211e4d2023-11-14 19:09:40 +0100[diff] [blame]46func mustWrapUnknownJSON(o schema.ObjectKind) *runtime.Unknown {
47 oRaw, err := json.Marshal(o)
48 if err != nil {
49 panic("While marshaling object into runtime.Unknown: " + err.Error())
50 }
51 var typ runtime.TypeMeta
52 typ.SetGroupVersionKind(o.GroupVersionKind())
53 return &runtime.Unknown{
54 TypeMeta: typ,
55 Raw: oRaw,
56 ContentType: runtime.ContentTypeJSON,
57 }
58}
59
60func mustMarshalJSON(o any) []byte {
61 out, err := json.Marshal(o)
62 if err != nil {
63 panic("mustMarshalJSON failed: " + err.Error())
64 }
65 return out
66}
67
68var (
69 podsecurityadmission = &podsecurityadmissionv1.PodSecurityConfiguration{
70 TypeMeta: metav1.TypeMeta{
71 APIVersion: podsecurityadmissionv1.SchemeGroupVersion.String(),
72 Kind: "PodSecurityConfiguration",
73 },
74 Defaults: podsecurityadmissionv1.PodSecurityDefaults{
75 Enforce: "baseline",
76 Warn: "baseline",
77 Audit: "baseline",
78 },
79 Exemptions: podsecurityadmissionv1.PodSecurityExemptions{},
80 }
81
82 admissionConfig = apiserver.AdmissionConfiguration{
83 TypeMeta: metav1.TypeMeta{
84 APIVersion: apiserver.SchemeGroupVersion.String(),
85 Kind: "AdmissionConfiguration",
86 },
87 Plugins: []apiserver.AdmissionPluginConfiguration{{
88 Name: podsecurity.PluginName,
89 Configuration: mustWrapUnknownJSON(podsecurityadmission),
90 }},
91 }
92
93 admissionConfigRaw = mustMarshalJSON(admissionConfig)
94)
95
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]96func (s *apiserverService) loadPKI(ctx context.Context) error {
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]97 for _, el := range []struct {
98 targetCert *[]byte
99 targetKey *[]byte
100 name pki.KubeCertificateName
101 }{
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]102 {&s.idCA, nil, pki.IdCA},
Serge Bazanski9411f7c2021-03-10 13:12:53 +0100[diff] [blame]103 {&s.kubeletClientCert, &s.kubeletClientKey, pki.APIServerKubeletClient},
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]104 {&s.aggregationCA, nil, pki.AggregationCA},
105 {&s.aggregationClientCert, &s.aggregationClientKey, pki.FrontProxyClient},
106 {&s.serverCert, &s.serverKey, pki.APIServer},
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]107 } {
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]108 cert, key, err := s.KPKI.Certificate(ctx, el.name)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]109 if err != nil {
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]110 return fmt.Errorf("could not load certificate %q from PKI: %w", el.name, err)
Serge Bazanskidbfc6382020-06-19 20:35:43 +0200[diff] [blame]111 }
112 if el.targetCert != nil {
113 *el.targetCert = cert
114 }
115 if el.targetKey != nil {
116 *el.targetKey = key
117 }
118 }
119
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]120 var err error
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]121 s.serviceAccountPrivKey, err = s.KPKI.ServiceAccountKey(ctx)
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]122 if err != nil {
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]123 return fmt.Errorf("could not load serviceaccount privkey: %w", err)
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]124 }
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]125 return nil
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]126}
127
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]128func (s *apiserverService) Run(ctx context.Context) error {
129 if err := s.loadPKI(ctx); err != nil {
130 return fmt.Errorf("loading PKI data failed: %w", err)
131 }
132 args, err := fileargs.New()
133 if err != nil {
134 panic(err) // If this fails, something is very wrong. Just crash.
135 }
136 defer args.Close()
137
138 cmd := exec.CommandContext(ctx, "/kubernetes/bin/kube", "kube-apiserver",
139 fmt.Sprintf("--advertise-address=%v", s.AdvertiseAddress.String()),
140 "--authorization-mode=Node,RBAC",
141 args.FileOpt("--client-ca-file", "client-ca.pem",
142 pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.idCA})),
Lorenz Brun6211e4d2023-11-14 19:09:40 +0100[diff] [blame]143 "--enable-admission-plugins=NodeRestriction",
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]144 "--enable-aggregator-routing=true",
Jan Schär0f8ce4c2025-09-04 13:27:50 +0200[diff] [blame]145 fmt.Sprintf("--secure-port=%d", allocs.PortKubernetesAPI),
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]146 fmt.Sprintf("--etcd-servers=unix:///%s:0", s.EphemeralConsensusDirectory.ClientSocket.FullPath()),
147 args.FileOpt("--kubelet-client-certificate", "kubelet-client-cert.pem",
148 pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.kubeletClientCert})),
149 args.FileOpt("--kubelet-client-key", "kubelet-client-key.pem",
150 pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.kubeletClientKey})),
151 "--kubelet-preferred-address-types=InternalIP",
152 args.FileOpt("--proxy-client-cert-file", "aggregation-client-cert.pem",
153 pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.aggregationClientCert})),
154 args.FileOpt("--proxy-client-key-file", "aggregation-client-key.pem",
155 pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.aggregationClientKey})),
Lorenz Bruncc078df2021-12-23 11:51:55 +0100[diff] [blame]156 "--requestheader-allowed-names=front-proxy-client,metropolis-auth-proxy-client",
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]157 args.FileOpt("--requestheader-client-ca-file", "aggregation-ca.pem",
158 pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.aggregationCA})),
159 "--requestheader-extra-headers-prefix=X-Remote-Extra-",
160 "--requestheader-group-headers=X-Remote-Group",
161 "--requestheader-username-headers=X-Remote-User",
162 args.FileOpt("--service-account-key-file", "service-account-pubkey.pem",
163 pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.serviceAccountPrivKey})),
Lorenz Brund13c1c62022-03-30 19:58:58 +0200[diff] [blame]164 args.FileOpt("--service-account-signing-key-file", "service-account-signing-key.pem",
165 pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.serviceAccountPrivKey})),
166 "--service-account-issuer", "https://metropolis.internal", // TODO: Figure out federation
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]167 fmt.Sprintf("--service-cluster-ip-range=%v", s.ServiceIPRange.String()),
Tim Windelschmidt03000772023-07-03 02:19:28 +0200[diff] [blame]168 // We use a patch for the allocator that prevents usage of system ports.
Tim Windelschmidt92316fd2024-04-18 23:06:40 +0200[diff] [blame]169 "--service-node-port-range=1-65535",
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]170 args.FileOpt("--tls-cert-file", "server-cert.pem",
171 pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: s.serverCert})),
172 args.FileOpt("--tls-private-key-file", "server-key.pem",
173 pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.serverKey})),
Lorenz Brun6211e4d2023-11-14 19:09:40 +0100[diff] [blame]174 args.FileOpt("--admission-control-config-file", "admission-control.json", admissionConfigRaw),
Leopold Schabel4cfcc0b2024-07-24 13:23:26 +0000[diff] [blame]175 "--allow-privileged=true",
Lorenz Brund58edf42024-11-27 20:38:14 +0000[diff] [blame]176 extraFeatureGates.AsFlag(),
Serge Bazanskic2c7ad92020-07-13 17:20:09 +0200[diff] [blame]177 )
178 if args.Error() != nil {
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]179 return err
180 }
Serge Bazanski05604292021-03-12 17:47:21 +0100[diff] [blame]181 return supervisor.RunCommand(ctx, cmd, supervisor.ParseKLog())
Lorenz Brun6e8f69c2019-11-18 10:44:24 +0100[diff] [blame]182}