From 5f5c623d15ae3f9b5078b48ff790deb591476338 Mon Sep 17 00:00:00 2001
From: Etienne Audet-Cobello
Date: Thu, 13 Jun 2024 08:51:19 -0400
Subject: [PATCH 01/10] change default args to conform with cis hardening
---
 src/k8s/pkg/k8sd/setup/kube_apiserver.go | 3 +++
 src/k8s/pkg/k8sd/setup/kube_apiserver_test.go | 6 ++++++
 src/k8s/pkg/k8sd/setup/kube_controller_manager.go | 1 +
 .../pkg/k8sd/setup/kube_controller_manager_test.go | 2 ++
 src/k8s/pkg/k8sd/setup/kubelet.go | 3 ++-
 src/k8s/pkg/k8sd/setup/kubelet_test.go | 12 ++++++++----
 6 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver.go b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
index 636b5f156..459bb498e 100644
--- a/src/k8s/pkg/k8sd/setup/kube_apiserver.go
+++ b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
@@ -81,6 +81,9 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en
 "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "apiserver.crt"),
 "--tls-cipher-suites": strings.Join(apiserverTLSCipherSuites, ","),
 "--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "apiserver.key"),
+ "--anonymous-auth": "false",
+ "--profiling": "false",
+ "--requests-timeout": "300s",
 }
 switch datastore.GetType() {
diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
index 20e06adcb..507e30c0c 100644
--- a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
+++ b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
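Review bot: `"--requests-timeout": "300s"` in the KubeAPIServer args map does not match the upstream kube-apiserver flag, which is spelled `--request-timeout`; an unrecognised flag normally makes the binary exit at start-up, so the CIS control this line targets would not be applied and the API server may not start. The line should read `"--request-timeout": "300s",`. The test tables in kube_apiserver_test.go (both hunks of this patch, and the re-sorted tables in the later patches) assert the same misspelled key, so they pass without catching it and need the same rename. Separately, with `--anonymous-auth` set to `false`, any health check that calls `/healthz`, `/livez` or `/readyz` without credentials will get 401, which is worth confirming against whatever probes the API server in this snap. KubeAPIServer's body starts and ends outside the hunk.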
@@ -68,6 +68,9 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
 {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
 {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
+ {key: "--anonymous-auth", expectedVal: "false"},
+ {key: "--profiling", expectedVal: "false"},
+ {key: "--requests-timeout", expectedVal: "300s"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -116,6 +119,9 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
 {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
+ {key: "--anonymous-auth", expectedVal: "false"},
+ {key: "--profiling", expectedVal: "false"},
+ {key: "--requests-timeout", expectedVal: "300s"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
index 91f68fcd9..9add71b6d 100644
--- a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
+++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go
@@ -22,6 +22,7 @@ func KubeControllerManager(snap snap.Snap, extraArgs map[string]*string) error {
 "--root-ca-file": path.Join(snap.KubernetesPKIDir(), "ca.crt"),
 "--service-account-private-key-file": path.Join(snap.KubernetesPKIDir(), "serviceaccount.key"),
 "--use-service-account-credentials": "true",
+ "--terminated-pod-gc-threshold": "12500",
 }
 // enable cluster-signing if certificates are available
 if _, err := os.Stat(path.Join(snap.KubernetesPKIDir(), "ca.key")); err == nil {
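Review bot: `"--terminated-pod-gc-threshold": "12500"` in KubeControllerManager pins what is, as far as I know, already the upstream default, so it changes no behaviour and is there only to make the CIS check pass explicitly. A short comment would stop it being removed later as redundant, for example `// set explicitly for CIS hardening; 12500 matches the upstream default`. The function body continues outside the hunk.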
diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
index e6878b2a1..5c2e243c4 100644
--- a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
+++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
@@ -49,6 +49,7 @@ func TestKubeControllerManager(t *testing.T) {
 {key: "--use-service-account-credentials", expectedVal: "true"},
 {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
+ {key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -94,6 +95,7 @@ func TestKubeControllerManager(t *testing.T) {
 {key: "--root-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--service-account-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
 {key: "--use-service-account-credentials", expectedVal: "true"},
+ {key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
diff --git a/src/k8s/pkg/k8sd/setup/kubelet.go b/src/k8s/pkg/k8sd/setup/kubelet.go
index 4563cb224..b645fcc75 100644
--- a/src/k8s/pkg/k8sd/setup/kubelet.go
+++ b/src/k8s/pkg/k8sd/setup/kubelet.go
@@ -45,7 +45,8 @@ func kubelet(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS string,
 args := map[string]string{
 "--anonymous-auth": "false",
 "--authentication-token-webhook": "true",
- "--cert-dir": snap.KubernetesPKIDir(),
+ "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "kubelet.crt"),
+ "--tls-private-key": path.Join(snap.KubernetesPKIDir(), "kubelet.key"),
 "--client-ca-file": path.Join(snap.KubernetesPKIDir(), "client-ca.crt"),
 "--container-runtime-endpoint": path.Join(snap.ContainerdSocketDir(), "containerd.sock"),
 "--containerd": path.Join(snap.ContainerdSocketDir(), "containerd.sock"),
diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go
index 76686491a..93b16502f 100644
--- a/src/k8s/pkg/k8sd/setup/kubelet_test.go
+++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go
@@ -55,7 +55,8 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
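Review bot: `"--tls-private-key"` in the kubelet args map is not a kubelet flag; the upstream name is `--tls-private-key-file`, and an unknown flag normally stops the kubelet from starting. The line should read `"--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "kubelet.key"),`, with the same rename in every TestKubelet table that this patch and the following ones touch, since they currently assert the misspelled key. The hunk also drops `--cert-dir` and points the serving certificate at `kubelet.crt`/`kubelet.key`; nothing visible here shows those files being written to the PKI directory before the kubelet starts, so that should be confirmed, along with the permissions on the key file. The body of `kubelet` starts and ends outside the hunk.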
@@ -165,7 +166,8 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -211,7 +213,8 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -320,7 +323,8 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
From fbdce9d603881787ae51e9a9cd1cbe3bb0321214 Mon Sep 17 00:00:00 2001
From: Etienne Audet-Cobello
Date: Thu, 13 Jun 2024 08:55:39 -0400
Subject: [PATCH 02/10] sort
---
 src/k8s/pkg/k8sd/setup/kube_apiserver.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver.go b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
index 459bb498e..be2e9e43b 100644
--- a/src/k8s/pkg/k8sd/setup/kube_apiserver.go
+++ b/src/k8s/pkg/k8sd/setup/kube_apiserver.go
@@ -65,6 +65,7 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en
 args := map[string]string{
 "--allow-privileged": "true",
+ "--anonymous-auth": "false",
 "--authentication-token-webhook-config-file": authTokenWebhookConfigFile,
 "--authorization-mode": authorizationMode,
 "--client-ca-file": path.Join(snap.KubernetesPKIDir(), "client-ca.crt"),
@@ -73,6 +74,8 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en
 "--kubelet-client-certificate": path.Join(snap.KubernetesPKIDir(), "apiserver-kubelet-client.crt"),
 "--kubelet-client-key": path.Join(snap.KubernetesPKIDir(), "apiserver-kubelet-client.key"),
 "--kubelet-preferred-address-types": "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP",
+ "--profiling": "false",
+ "--requests-timeout": "300s",
 "--secure-port": "6443",
 "--service-account-issuer": "https://kubernetes.default.svc",
 "--service-account-key-file": path.Join(snap.KubernetesPKIDir(), "serviceaccount.key"),
@@ -81,9 +84,6 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en
 "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "apiserver.crt"),
 "--tls-cipher-suites": strings.Join(apiserverTLSCipherSuites, ","),
 "--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "apiserver.key"),
- "--anonymous-auth": "false",
- "--profiling": "false",
- "--requests-timeout": "300s",
 }
 switch datastore.GetType() {
From 27112cc07771be4ec28f2e69ac01efb6333c2fb1 Mon Sep 17 00:00:00 2001
From: Etienne Audet-Cobello
Date: Thu, 13 Jun 2024 09:14:38 -0400
Subject: [PATCH 03/10] vim can sort
---
 src/k8s/pkg/k8sd/setup/kube_apiserver_test.go | 28 ++++++++--------
 .../setup/kube_controller_manager_test.go | 6 ++--
 src/k8s/pkg/k8sd/setup/kubelet_test.go | 32 +++++++++----------
 3 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
index 507e30c0c..6da0cea2d 100644
--- a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
+++ b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
@@ -44,14 +44,25 @@ func TestKubeAPIServer(t *testing.T) {
 expectedVal string
 }{
 {key: "--allow-privileged", expectedVal: "true"},
+ {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook-config-file", expectedVal: path.Join(s.Mock.ServiceExtraConfigDir, "auth-token-webhook.conf")},
 {key: "--authorization-mode", expectedVal: "Node,RBAC"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--enable-admission-plugins", expectedVal: "NodeRestriction"},
+ {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 {key: "--kubelet-certificate-authority", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--kubelet-client-certificate", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.crt")},
 {key: "--kubelet-client-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.key")},
 {key: "--kubelet-preferred-address-types", expectedVal: "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP"},
+ {key: "--profiling", expectedVal: "false"},
+ {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
+ {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
+ {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"},
+ {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")},
+ {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"},
+ {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"},
+ {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
+ {key: "--requests-timeout", expectedVal: "300s"},
 {key: "--secure-port", expectedVal: "6443"},
 {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"},
 {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
@@ -60,17 +71,6 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 {key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
- {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
- {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")},
- {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"},
- {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"},
- {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"},
- {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
- {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
- {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
- {key: "--anonymous-auth", expectedVal: "false"},
- {key: "--profiling", expectedVal: "false"},
- {key: "--requests-timeout", expectedVal: "300s"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -102,14 +102,17 @@ func TestKubeAPIServer(t *testing.T) {
 expectedVal string
 }{
 {key: "--allow-privileged", expectedVal: "true"},
+ {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook-config-file", expectedVal: path.Join(s.Mock.ServiceExtraConfigDir, "auth-token-webhook.conf")},
 {key: "--authorization-mode", expectedVal: "Node,RBAC"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--enable-admission-plugins", expectedVal: "NodeRestriction"},
+ {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 {key: "--kubelet-certificate-authority", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--kubelet-client-certificate", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.crt")},
 {key: "--kubelet-client-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.key")},
 {key: "--kubelet-preferred-address-types", expectedVal: "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP"},
+ {key: "--requests-timeout", expectedVal: "300s"},
 {key: "--secure-port", expectedVal: "6443"},
 {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"},
 {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
@@ -118,10 +121,7 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 {key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
- {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
- {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--profiling", expectedVal: "false"},
- {key: "--requests-timeout", expectedVal: "300s"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
index 5c2e243c4..5bdc820d7 100644
--- a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
+++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
@@ -40,16 +40,16 @@ func TestKubeControllerManager(t *testing.T) {
 }{
 {key: "--authentication-kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")},
 {key: "--authorization-kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")},
+ {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
+ {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
 {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")},
 {key: "--leader-elect-lease-duration", expectedVal: "30s"},
 {key: "--leader-elect-renew-deadline", expectedVal: "15s"},
 {key: "--profiling", expectedVal: "false"},
 {key: "--root-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--service-account-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
- {key: "--use-service-account-credentials", expectedVal: "true"},
- {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
- {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
 {key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
+ {key: "--use-service-account-credentials", expectedVal: "true"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go
index 93b16502f..5145e7a78 100644
--- a/src/k8s/pkg/k8sd/setup/kubelet_test.go
+++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go
@@ -55,25 +55,25 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
- {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
+ {key: "--cloud-provider", expectedVal: "provider"},
+ {key: "--cluster-dns", expectedVal: "10.152.1.1"},
+ {key: "--cluster-domain", expectedVal: "test-cluster.local"},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--eviction-hard", expectedVal: "'memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi'"},
 {key: "--fail-swap-on", expectedVal: "false"},
 {key: "--hostname-override", expectedVal: "dev"},
 {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "kubelet.conf")},
+ {key: "--node-ip", expectedVal: "192.168.0.1"},
 {key: "--node-labels", expectedVal: expectedControlPlaneLabels},
 {key: "--read-only-port", expectedVal: "0"},
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
- {key: "--cluster-dns", expectedVal: "10.152.1.1"},
- {key: "--cloud-provider", expectedVal: "provider"},
- {key: "--cluster-domain", expectedVal: "test-cluster.local"},
- {key: "--node-ip", expectedVal: "192.168.0.1"},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -166,8 +166,6 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
- {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -180,7 +178,9 @@ func TestKubelet(t *testing.T) {
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -213,25 +213,25 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
- {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
+ {key: "--cloud-provider", expectedVal: "provider"},
+ {key: "--cluster-dns", expectedVal: "10.152.1.1"},
+ {key: "--cluster-domain", expectedVal: "test-cluster.local"},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--eviction-hard", expectedVal: "'memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi'"},
 {key: "--fail-swap-on", expectedVal: "false"},
 {key: "--hostname-override", expectedVal: "dev"},
 {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "kubelet.conf")},
+ {key: "--node-ip", expectedVal: "192.168.0.1"},
 {key: "--node-labels", expectedVal: expectedWorkerLabels},
 {key: "--read-only-port", expectedVal: "0"},
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
- {key: "--cloud-provider", expectedVal: "provider"},
- {key: "--cluster-dns", expectedVal: "10.152.1.1"},
- {key: "--cluster-domain", expectedVal: "test-cluster.local"},
- {key: "--node-ip", expectedVal: "192.168.0.1"},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -323,8 +323,6 @@ func TestKubelet(t *testing.T) {
 }{
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
- {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
@@ -337,7 +335,9 @@ func TestKubelet(t *testing.T) {
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
From b95155050041dba9403a1a13789704ebc00284c9 Mon Sep 17 00:00:00 2001
From: Etienne Audet-Cobello
Date: Thu, 13 Jun 2024 10:38:22 -0400
Subject: [PATCH 04/10] fix tests
---
 src/k8s/pkg/k8sd/setup/kube_apiserver_test.go | 23 +++++++++++--------
 .../setup/kube_controller_manager_test.go | 1 +
 src/k8s/pkg/k8sd/setup/kubelet_test.go | 22 ++++++++++--------
 3 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
index 6da0cea2d..9038c91a5 100644
--- a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
+++ b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go
@@ -112,6 +112,7 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--kubelet-client-certificate", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.crt")},
 {key: "--kubelet-client-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.key")},
 {key: "--kubelet-preferred-address-types", expectedVal: "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP"},
+ {key: "--profiling", expectedVal: "false"},
 {key: "--requests-timeout", expectedVal: "300s"},
 {key: "--secure-port", expectedVal: "6443"},
 {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"},
@@ -121,7 +122,6 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 {key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
- {key: "--profiling", expectedVal: "false"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
@@ -157,14 +157,26 @@ func TestKubeAPIServer(t *testing.T) {
 key string
 expectedVal string
 }{
+ {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook-config-file", expectedVal: path.Join(s.Mock.ServiceExtraConfigDir, "auth-token-webhook.conf")},
 {key: "--authorization-mode", expectedVal: "Node,RBAC"},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
 {key: "--enable-admission-plugins", expectedVal: "NodeRestriction"},
+ {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
 {key: "--kubelet-certificate-authority", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--kubelet-client-certificate", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.crt")},
 {key: "--kubelet-client-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.key")},
 {key: "--kubelet-preferred-address-types", expectedVal: "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP"},
+ {key: "--my-extra-arg", expectedVal: "my-extra-val"},
+ {key: "--profiling", expectedVal: "false"},
+ {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
+ {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
+ {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"},
+ {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")},
+ {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"},
+ {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"},
+ {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
+ {key: "--requests-timeout", expectedVal: "300s"},
 {key: "--secure-port", expectedVal: "1337"},
 {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"},
 {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")},
@@ -173,15 +185,6 @@ func TestKubeAPIServer(t *testing.T) {
 {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.crt")},
 {key: "--tls-cipher-suites", expectedVal: apiserverTLSCipherSuites},
 {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver.key")},
- {key: "--etcd-servers", expectedVal: fmt.Sprintf("unix://%s", path.Join(s.Mock.K8sDqliteStateDir, "k8s-dqlite.sock"))},
- {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")},
- {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"},
- {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"},
- {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"},
- {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"},
- {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")},
- {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")},
- {key: "--my-extra-arg", expectedVal: "my-extra-val"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
index 5bdc820d7..3b66265cd 100644
--- a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
+++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go
@@ -151,6 +151,7 @@ func TestKubeControllerManager(t *testing.T) {
 {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")},
 {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")},
 {key: "--my-extra-arg", expectedVal: "my-extra-val"},
+ {key: "--terminated-pod-gc-threshold", expectedVal: "12500"},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go
index 5145e7a78..899197d48 100644
--- a/src/k8s/pkg/k8sd/setup/kubelet_test.go
+++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go
@@ -109,27 +109,28 @@ func TestKubelet(t *testing.T) {
 key string
 expectedVal string
 }{
+ // Overwritten by extraArgs
 {key: "--anonymous-auth", expectedVal: "false"},
 {key: "--authentication-token-webhook", expectedVal: "true"},
- {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir},
 {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")},
+ {key: "--cluster-dns", expectedVal: "10.152.1.1"},
+ {key: "--cluster-domain", expectedVal: "override.local"},
 {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},
 {key: "--eviction-hard", expectedVal: "'memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi'"},
 {key: "--fail-swap-on", expectedVal: "false"},
 {key: "--hostname-override", expectedVal: "dev"},
 {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "kubelet.conf")},
+ {key: "--my-extra-arg", expectedVal: "my-extra-val"},
+ {key: "--node-ip", expectedVal: "192.168.0.1"},
 {key: "--node-labels", expectedVal: expectedControlPlaneLabels},
 {key: "--read-only-port", expectedVal: "0"},
 {key: "--register-with-taints", expectedVal: ""},
 {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir},
 {key: "--serialize-image-pulls", expectedVal: "false"},
+ {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")},
 {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites},
- {key: "--cluster-dns", expectedVal: "10.152.1.1"},
- // Overwritten by extraArgs
- {key: "--cluster-domain", expectedVal: "override.local"},
- {key: "--node-ip", expectedVal: "192.168.0.1"},
- {key: "--my-extra-arg", expectedVal: "my-extra-val"},
+ {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")},
 }
 for _, tc := range tests {
 t.Run(tc.key, func(t *testing.T) {
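Review bot: The `// Overwritten by extraArgs` comment was moved by the sort to the top of this table, where it now reads as if it described `--anonymous-auth`. It documented the `{key: "--cluster-domain", expectedVal: "override.local"}` entry and should sit directly above that line. The worker-node table in the next hunk has the same override entry without any comment, so adding the comment there as well would keep the two tables consistent.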
@@ -269,23 +270,24 @@ func TestKubelet(t *testing.T) { }{ {key: "--anonymous-auth", expectedVal: "false"}, {key: "--authentication-token-webhook", expectedVal: "true"}, - {key: "--cert-dir", expectedVal: s.Mock.KubernetesPKIDir}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, + {key: "--cluster-dns", expectedVal: "10.152.1.1"}, + {key: "--cluster-domain", expectedVal: "override.local"}, {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, {key: "--eviction-hard", expectedVal: "'memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi'"}, {key: "--fail-swap-on", expectedVal: "false"}, {key: "--hostname-override", expectedVal: "dev"}, {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "kubelet.conf")}, + {key: "--node-ip", expectedVal: "192.168.0.1"}, {key: "--node-labels", expectedVal: expectedWorkerLabels}, {key: "--read-only-port", expectedVal: "0"}, {key: "--register-with-taints", expectedVal: ""}, {key: "--root-dir", expectedVal: s.Mock.KubeletRootDir}, {key: "--serialize-image-pulls", expectedVal: "false"}, + {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")}, {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites}, - {key: "--cluster-dns", expectedVal: "10.152.1.1"}, - {key: "--cluster-domain", expectedVal: "override.local"}, - {key: "--node-ip", expectedVal: "192.168.0.1"}, + {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { From 46f71157c0772e8b6607fa15725716885d6c74ad Mon Sep 17 00:00:00 2001 
From: Etienne Audet-Cobello Date: Thu, 13 Jun 2024 12:27:25 -0400 Subject: [PATCH 05/10] revert --- src/k8s/pkg/k8sd/setup/kubelet_test.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go index 899197d48..caf07f4cc 100644 --- a/src/k8s/pkg/k8sd/setup/kubelet_test.go +++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go @@ -114,15 +114,12 @@ func TestKubelet(t *testing.T) { {key: "--authentication-token-webhook", expectedVal: "true"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--cluster-dns", expectedVal: "10.152.1.1"}, - {key: "--cluster-domain", expectedVal: "override.local"}, {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, {key: "--eviction-hard", expectedVal: "'memory.available<100Mi,nodefs.available<1Gi,imagefs.available<1Gi'"}, {key: "--fail-swap-on", expectedVal: "false"}, {key: "--hostname-override", expectedVal: "dev"}, {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "kubelet.conf")}, - {key: "--my-extra-arg", expectedVal: "my-extra-val"}, - {key: "--node-ip", expectedVal: "192.168.0.1"}, {key: "--node-labels", expectedVal: expectedControlPlaneLabels}, {key: "--read-only-port", expectedVal: "0"}, {key: "--register-with-taints", expectedVal: ""}, 
@@ -131,6 +128,10 @@ func TestKubelet(t *testing.T) { {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")}, {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites}, {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, + // Overwritten by extraArgs + {key: "--cluster-domain", expectedVal: "override.local"}, + {key: "--node-ip", expectedVal: "192.168.0.1"}, + {key: "--my-extra-arg", expectedVal: "my-extra-val"}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { From bbe9dd58b199ff1c4cd42aa2a089faa4e24874db Mon Sep 17 00:00:00 2001 From: Etienne Audet-Cobello Date: Thu, 13 Jun 2024 14:11:05 -0400 Subject: [PATCH 06/10] set webhook auth mode --- src/k8s/pkg/k8sd/setup/kubelet.go | 1 + 1 file changed, 1 insertion(+) diff --git a/src/k8s/pkg/k8sd/setup/kubelet.go b/src/k8s/pkg/k8sd/setup/kubelet.go index b645fcc75..553d3ef1b 100644 --- a/src/k8s/pkg/k8sd/setup/kubelet.go +++ b/src/k8s/pkg/k8sd/setup/kubelet.go @@ -44,6 +44,7 @@ func KubeletWorker(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS st func kubelet(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS string, clusterDomain string, cloudProvider string, taints []string, labels []string, extraArgs map[string]*string) error { args := map[string]string{ "--anonymous-auth": "false", + "--authorization-mode": "Webhook", "--authentication-token-webhook": "true", "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "kubelet.crt"), "--tls-private-key": path.Join(snap.KubernetesPKIDir(), "kubelet.key"), From 5ab9823120c700f8d1d81a4469430da39c2c84b5 Mon Sep 17 00:00:00 2001 From: Etienne Audet-Cobello Date: Thu, 13 Jun 2024 14:36:50 -0400 Subject: [PATCH 07/10] tls-private-key should be tls-private-key-file --- src/k8s/pkg/k8sd/setup/kubelet.go | 2 +- src/k8s/pkg/k8sd/setup/kubelet_test.go | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) 
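Review bot: The new `"--authorization-mode": "Webhook"` entry in the `kubelet` args map (kubelet.go, PATCH 06) arrives with no comment explaining why it is a default and no test expectation in the same commit; the test rows only appear in PATCH 08. The function also takes `extraArgs`, and other tests on this page expect overridden values such as `--cluster-domain` = `override.local`, so a caller can probably replace this value (for example with `AlwaysAllow`) without any signal; this is inferred, since the merge logic is outside the hunk. I would add a comment above the auth entries, `// CIS hardening defaults: authn via client CA / token webhook, authz via SubjectAccessReview; overriding these through extraArgs weakens the kubelet API`, and consider logging when an `extraArgs` key replaces one of them. The map literal continues past the end of the hunk.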
diff --git a/src/k8s/pkg/k8sd/setup/kubelet.go b/src/k8s/pkg/k8sd/setup/kubelet.go index 553d3ef1b..263816290 100644 --- a/src/k8s/pkg/k8sd/setup/kubelet.go +++ b/src/k8s/pkg/k8sd/setup/kubelet.go @@ -47,7 +47,7 @@ func kubelet(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS string, "--authorization-mode": "Webhook", "--authentication-token-webhook": "true", "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "kubelet.crt"), - "--tls-private-key": path.Join(snap.KubernetesPKIDir(), "kubelet.key"), + "--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "kubelet.key"), "--client-ca-file": path.Join(snap.KubernetesPKIDir(), "client-ca.crt"), "--container-runtime-endpoint": path.Join(snap.ContainerdSocketDir(), "containerd.sock"), "--containerd": path.Join(snap.ContainerdSocketDir(), "containerd.sock"), diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go index caf07f4cc..6ac69b051 100644 --- a/src/k8s/pkg/k8sd/setup/kubelet_test.go +++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go @@ -73,7 +73,7 @@ func TestKubelet(t *testing.T) { {key: "--serialize-image-pulls", expectedVal: "false"}, {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")}, {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites}, - {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, + {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { 
@@ -127,7 +127,7 @@ func TestKubelet(t *testing.T) { {key: "--serialize-image-pulls", expectedVal: "false"}, {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")}, {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites}, - {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, + {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, // Overwritten by extraArgs {key: "--cluster-domain", expectedVal: "override.local"}, {key: "--node-ip", expectedVal: "192.168.0.1"}, @@ -182,7 +182,7 @@ func TestKubelet(t *testing.T) { {key: "--serialize-image-pulls", expectedVal: "false"}, {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")}, {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites}, - {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, + {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { @@ -233,7 +233,7 @@ func TestKubelet(t *testing.T) { {key: "--serialize-image-pulls", expectedVal: "false"}, {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")}, {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites}, - {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, + {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { 
@@ -288,7 +288,7 @@ func TestKubelet(t *testing.T) { {key: "--serialize-image-pulls", expectedVal: "false"}, {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")}, {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites}, - {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, + {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { @@ -340,7 +340,7 @@ func TestKubelet(t *testing.T) { {key: "--serialize-image-pulls", expectedVal: "false"}, {key: "--tls-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.crt")}, {key: "--tls-cipher-suites", expectedVal: kubeletTLSCipherSuites}, - {key: "--tls-private-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, + {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { From f9d7b46bd62c6ed6f8b5fd36caaac7d1ccdd85b0 Mon Sep 17 00:00:00 2001 From: Etienne Audet-Cobello Date: Thu, 13 Jun 2024 14:42:10 -0400 Subject: [PATCH 08/10] add argument to test cases --- src/k8s/pkg/k8sd/setup/kubelet_test.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go index 6ac69b051..63476bc7c 100644 --- a/src/k8s/pkg/k8sd/setup/kubelet_test.go +++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go @@ -54,6 +54,7 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--cloud-provider", expectedVal: "provider"}, 
@@ -111,6 +112,7 @@ func TestKubelet(t *testing.T) { }{ // Overwritten by extraArgs {key: "--anonymous-auth", expectedVal: "false"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--cluster-dns", expectedVal: "10.152.1.1"}, @@ -167,6 +169,7 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, @@ -214,6 +217,7 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--cloud-provider", expectedVal: "provider"}, @@ -270,6 +274,7 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--cluster-dns", expectedVal: "10.152.1.1"}, 
@@ -325,6 +330,7 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, From 68eb35f94e5360f9a30539ad90872d6c4295065c Mon Sep 17 00:00:00 2001 From: Etienne Audet-Cobello Date: Thu, 13 Jun 2024 14:55:25 -0400 Subject: [PATCH 09/10] request-timeout, not requests-timeout --- src/k8s/pkg/k8sd/setup/kube_apiserver.go | 2 +- src/k8s/pkg/k8sd/setup/kube_apiserver_test.go | 6 +++--- src/k8s/pkg/k8sd/setup/kubelet_test.go | 1 - 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver.go b/src/k8s/pkg/k8sd/setup/kube_apiserver.go index be2e9e43b..aa4756530 100644 --- a/src/k8s/pkg/k8sd/setup/kube_apiserver.go +++ b/src/k8s/pkg/k8sd/setup/kube_apiserver.go @@ -75,7 +75,7 @@ func KubeAPIServer(snap snap.Snap, serviceCIDR string, authWebhookURL string, en "--kubelet-client-key": path.Join(snap.KubernetesPKIDir(), "apiserver-kubelet-client.key"), "--kubelet-preferred-address-types": "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP", "--profiling": "false", - "--requests-timeout": "300s", + "--request-timeout": "300s", "--secure-port": "6443", "--service-account-issuer": "https://kubernetes.default.svc", "--service-account-key-file": path.Join(snap.KubernetesPKIDir(), "serviceaccount.key"), diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go index 9038c91a5..10f5b77f9 100644 --- a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go +++ b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go 
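Review bot: `"--request-timeout": "300s"` in the `KubeAPIServer` args map (kube_apiserver.go, PATCH 09) corrects the flag name but keeps a value five times the kube-apiserver default of `1m0s`, and nothing in the hunk says why. For a series described as CIS hardening this loosens the default rather than tightening it, because a longer global timeout lets slow or stalled requests hold API server resources longer. Either drop the entry so the upstream default applies, or keep it with a comment such as `// 300s instead of the 60s default because <reason>; revisit if long-running requests are not required`. The map literal starts and ends outside the hunk.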
@@ -62,7 +62,7 @@ func TestKubeAPIServer(t *testing.T) { {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"}, {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"}, {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"}, - {key: "--requests-timeout", expectedVal: "300s"}, + {key: "--request-timeout", expectedVal: "300s"}, {key: "--secure-port", expectedVal: "6443"}, {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"}, {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")}, @@ -113,7 +113,7 @@ func TestKubeAPIServer(t *testing.T) { {key: "--kubelet-client-key", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "apiserver-kubelet-client.key")}, {key: "--kubelet-preferred-address-types", expectedVal: "InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP"}, {key: "--profiling", expectedVal: "false"}, - {key: "--requests-timeout", expectedVal: "300s"}, + {key: "--request-timeout", expectedVal: "300s"}, {key: "--secure-port", expectedVal: "6443"}, {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"}, {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")}, @@ -176,7 +176,7 @@ func TestKubeAPIServer(t *testing.T) { {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"}, {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"}, {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"}, - {key: "--requests-timeout", expectedVal: "300s"}, + {key: "--request-timeout", expectedVal: "300s"}, {key: "--secure-port", expectedVal: "1337"}, {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"}, {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")}, 
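Review bot: These three `TestKubeAPIServer` tables change `--requests-timeout` to `--request-timeout` in lockstep with the implementation, which suggests the tests only compare the written key with a literal copied from the code, so a flag name the binary does not accept still passes. The `--tls-private-key` rows corrected in PATCH 07 are the same case. Nothing visible checks the keys against the real flag set, so I would note the limitation next to the table, e.g. `// NOTE: keys are compared as strings only; flag validity is covered by <integration test>`, and confirm that an integration run actually starts kube-apiserver and kubelet with the generated arguments. The test function bodies start and end outside these hunks.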
diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go index 63476bc7c..f34d83f61 100644 --- a/src/k8s/pkg/k8sd/setup/kubelet_test.go +++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go @@ -110,7 +110,6 @@ func TestKubelet(t *testing.T) { key string expectedVal string }{ - // Overwritten by extraArgs {key: "--anonymous-auth", expectedVal: "false"}, {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, From 765dd4e3f108896391612fc0742ddc090d81ba0c Mon Sep 17 00:00:00 2001 From: Etienne Audet-Cobello Date: Thu, 13 Jun 2024 15:11:20 -0400 Subject: [PATCH 10/10] sort keys --- src/k8s/pkg/k8sd/setup/kube_apiserver_test.go | 4 ++-- src/k8s/pkg/k8sd/setup/kube_controller_manager.go | 2 +- .../pkg/k8sd/setup/kube_controller_manager_test.go | 8 ++++---- src/k8s/pkg/k8sd/setup/kubelet.go | 6 +++--- src/k8s/pkg/k8sd/setup/kubelet_test.go | 14 +++++++------- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go index 10f5b77f9..1332dff0b 100644 --- a/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go +++ b/src/k8s/pkg/k8sd/setup/kube_apiserver_test.go 
@@ -57,12 +57,12 @@ func TestKubeAPIServer(t *testing.T) { {key: "--profiling", expectedVal: "false"}, {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")}, {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")}, + {key: "--request-timeout", expectedVal: "300s"}, {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"}, {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")}, {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"}, {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"}, {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"}, - {key: "--request-timeout", expectedVal: "300s"}, {key: "--secure-port", expectedVal: "6443"}, {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"}, {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")}, 
@@ -171,12 +171,12 @@ func TestKubeAPIServer(t *testing.T) { {key: "--profiling", expectedVal: "false"}, {key: "--proxy-client-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.crt")}, {key: "--proxy-client-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-client.key")}, + {key: "--request-timeout", expectedVal: "300s"}, {key: "--requestheader-allowed-names", expectedVal: "front-proxy-client"}, {key: "--requestheader-client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "front-proxy-ca.crt")}, {key: "--requestheader-extra-headers-prefix", expectedVal: "X-Remote-Extra-"}, {key: "--requestheader-group-headers", expectedVal: "X-Remote-Group"}, {key: "--requestheader-username-headers", expectedVal: "X-Remote-User"}, - {key: "--request-timeout", expectedVal: "300s"}, {key: "--secure-port", expectedVal: "1337"}, {key: "--service-account-issuer", expectedVal: "https://kubernetes.default.svc"}, {key: "--service-account-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")}, diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go index 9add71b6d..746a44eb2 100644 --- a/src/k8s/pkg/k8sd/setup/kube_controller_manager.go +++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager.go @@ -21,8 +21,8 @@ func KubeControllerManager(snap snap.Snap, extraArgs map[string]*string) error { "--profiling": "false", "--root-ca-file": path.Join(snap.KubernetesPKIDir(), "ca.crt"), "--service-account-private-key-file": path.Join(snap.KubernetesPKIDir(), "serviceaccount.key"), - "--use-service-account-credentials": "true", "--terminated-pod-gc-threshold": "12500", + "--use-service-account-credentials": "true", } // enable cluster-signing if certificates are available if _, err := os.Stat(path.Join(snap.KubernetesPKIDir(), "ca.key")); err == nil { 
diff --git a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go index 3b66265cd..7b5af3c0e 100644 --- a/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go +++ b/src/k8s/pkg/k8sd/setup/kube_controller_manager_test.go @@ -94,8 +94,8 @@ func TestKubeControllerManager(t *testing.T) { {key: "--profiling", expectedVal: "false"}, {key: "--root-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")}, {key: "--service-account-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")}, - {key: "--use-service-account-credentials", expectedVal: "true"}, {key: "--terminated-pod-gc-threshold", expectedVal: "12500"}, + {key: "--use-service-account-credentials", expectedVal: "true"}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { 
@@ -142,16 +142,16 @@ func TestKubeControllerManager(t *testing.T) { }{ {key: "--authentication-kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")}, {key: "--authorization-kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")}, + {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")}, + {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")}, {key: "--kubeconfig", expectedVal: path.Join(s.Mock.KubernetesConfigDir, "controller.conf")}, {key: "--leader-elect-renew-deadline", expectedVal: "15s"}, {key: "--profiling", expectedVal: "true"}, {key: "--root-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")}, {key: "--service-account-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "serviceaccount.key")}, + {key: "--terminated-pod-gc-threshold", expectedVal: "12500"}, {key: "--use-service-account-credentials", expectedVal: "true"}, - {key: "--cluster-signing-cert-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.crt")}, - {key: "--cluster-signing-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "ca.key")}, {key: "--my-extra-arg", expectedVal: "my-extra-val"}, - {key: "--terminated-pod-gc-threshold", expectedVal: "12500"}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { diff --git a/src/k8s/pkg/k8sd/setup/kubelet.go b/src/k8s/pkg/k8sd/setup/kubelet.go index 263816290..6a4e417a0 100644 --- a/src/k8s/pkg/k8sd/setup/kubelet.go +++ b/src/k8s/pkg/k8sd/setup/kubelet.go 
@@ -44,10 +44,8 @@ func KubeletWorker(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS st func kubelet(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS string, clusterDomain string, cloudProvider string, taints []string, labels []string, extraArgs map[string]*string) error { args := map[string]string{ "--anonymous-auth": "false", - "--authorization-mode": "Webhook", "--authentication-token-webhook": "true", - "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "kubelet.crt"), - "--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "kubelet.key"), + "--authorization-mode": "Webhook", "--client-ca-file": path.Join(snap.KubernetesPKIDir(), "client-ca.crt"), "--container-runtime-endpoint": path.Join(snap.ContainerdSocketDir(), "containerd.sock"), "--containerd": path.Join(snap.ContainerdSocketDir(), "containerd.sock"), @@ -60,7 +58,9 @@ func kubelet(snap snap.Snap, hostname string, nodeIP net.IP, clusterDNS string, "--register-with-taints": strings.Join(taints, ","), "--root-dir": snap.KubeletRootDir(), "--serialize-image-pulls": "false", + "--tls-cert-file": path.Join(snap.KubernetesPKIDir(), "kubelet.crt"), "--tls-cipher-suites": strings.Join(kubeletTLSCipherSuites, ","), + "--tls-private-key-file": path.Join(snap.KubernetesPKIDir(), "kubelet.key"), } if cloudProvider != "" { args["--cloud-provider"] = cloudProvider diff --git a/src/k8s/pkg/k8sd/setup/kubelet_test.go b/src/k8s/pkg/k8sd/setup/kubelet_test.go index f34d83f61..43e09faa1 100644 --- a/src/k8s/pkg/k8sd/setup/kubelet_test.go +++ b/src/k8s/pkg/k8sd/setup/kubelet_test.go 
@@ -54,8 +54,8 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, - {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--cloud-provider", expectedVal: "provider"}, {key: "--cluster-dns", expectedVal: "10.152.1.1"}, @@ -111,8 +111,8 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, - {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--cluster-dns", expectedVal: "10.152.1.1"}, {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, @@ -131,8 +131,8 @@ func TestKubelet(t *testing.T) { {key: "--tls-private-key-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "kubelet.key")}, // Overwritten by extraArgs {key: "--cluster-domain", expectedVal: "override.local"}, - {key: "--node-ip", expectedVal: "192.168.0.1"}, {key: "--my-extra-arg", expectedVal: "my-extra-val"}, + {key: "--node-ip", expectedVal: "192.168.0.1"}, } for _, tc := range tests { t.Run(tc.key, func(t *testing.T) { 
@@ -168,8 +168,8 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, - {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, @@ -216,8 +216,8 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, - {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--cloud-provider", expectedVal: "provider"}, {key: "--cluster-dns", expectedVal: "10.152.1.1"}, @@ -273,8 +273,8 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, - {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--cluster-dns", expectedVal: "10.152.1.1"}, {key: "--cluster-domain", expectedVal: "override.local"}, 
@@ -329,8 +329,8 @@ func TestKubelet(t *testing.T) { expectedVal string }{ {key: "--anonymous-auth", expectedVal: "false"}, - {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--authentication-token-webhook", expectedVal: "true"}, + {key: "--authorization-mode", expectedVal: "Webhook"}, {key: "--client-ca-file", expectedVal: path.Join(s.Mock.KubernetesPKIDir, "client-ca.crt")}, {key: "--container-runtime-endpoint", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")}, {key: "--containerd", expectedVal: path.Join(s.Mock.ContainerdSocketDir, "containerd.sock")},