From 0ec55ec6213fcdcca38c3f31349667b5ae85d21a Mon Sep 17 00:00:00 2001 From: Henrik Schmidt Date: Tue, 24 Apr 2018 19:55:34 +0200 Subject: [PATCH] Add token authorization webhook (#188) * set --authentication-token-webhook=true * update fixtures --- pkg/userdata/centos/testdata/docker-1.13-aws.golden | 2 +- pkg/userdata/centos/userdata.go | 2 +- ...1.12.6-auto-update-openstack-kubelet-v-version-prefix.golden | 2 +- .../docker-1.12.6-auto-update-openstack-multiple-dns.golden | 2 +- .../testdata/docker-1.12.6-disable-auto-update-aws.golden | 2 +- pkg/userdata/coreos/userdata.go | 1 + pkg/userdata/ubuntu/testdata/cri-o-1.9-digitalocean.golden | 2 +- .../ubuntu/testdata/docker-1.13-dist-upgrade-on-boot-aws.golden | 2 +- .../docker-17.03-openstack-kubelet-v-version-prefix.golden | 2 +- .../ubuntu/testdata/docker-17.03-openstack-multiple-dns.golden | 2 +- pkg/userdata/ubuntu/userdata.go | 2 +- 11 files changed, 11 insertions(+), 10 deletions(-) diff --git a/pkg/userdata/centos/testdata/docker-1.13-aws.golden b/pkg/userdata/centos/testdata/docker-1.13-aws.golden index 8d90616fb..3009b3872 100644 --- a/pkg/userdata/centos/testdata/docker-1.13-aws.golden +++ b/pkg/userdata/centos/testdata/docker-1.13-aws.golden @@ -60,7 +60,7 @@ write_files: - path: "/etc/systemd/system/kubelet.service.d/20-extra.conf" content: | [Service] - Environment="KUBELET_EXTRA_ARGS=--cloud-provider=aws --cloud-config=/etc/kubernetes/cloud-config" + Environment="KUBELET_EXTRA_ARGS=--cloud-provider=aws --cloud-config=/etc/kubernetes/cloud-config --authentication-token-webhook=true" runcmd: - setenforce 0 || true diff --git a/pkg/userdata/centos/userdata.go b/pkg/userdata/centos/userdata.go index 387c6a2b7..d3aef4a60 100644 --- a/pkg/userdata/centos/userdata.go +++ b/pkg/userdata/centos/userdata.go 
@@ -223,7 +223,7 @@ write_files: - path: "/etc/systemd/system/kubelet.service.d/20-extra.conf" content: | [Service] - Environment="KUBELET_EXTRA_ARGS={{ if .CloudProvider }}--cloud-provider={{ .CloudProvider }} --cloud-config=/etc/kubernetes/cloud-config{{ end}}" + Environment="KUBELET_EXTRA_ARGS={{ if .CloudProvider }}--cloud-provider={{ .CloudProvider }} --cloud-config=/etc/kubernetes/cloud-config{{ end}} --authentication-token-webhook=true" runcmd: - setenforce 0 || true diff --git a/pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-kubelet-v-version-prefix.golden b/pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-kubelet-v-version-prefix.golden index 5a859d99f..83ba79968 100644 --- a/pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-kubelet-v-version-prefix.golden +++ b/pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-kubelet-v-version-prefix.golden 
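Review bot: The `KUBELET_EXTRA_ARGS` line in pkg/userdata/centos/userdata.go now enables `--authentication-token-webhook=true` without any visible authorization or anonymous-access setting, whereas the CoreOS unit in this patch also passes `--authorization-mode=Webhook`, `--anonymous-auth=false` and `--client-ca-file`. If no other drop-in supplies those for CentOS (the template continues outside the hunk, so this cannot be confirmed here), the kubelet would authenticate bearer tokens but authorize every request under the flag default `AlwaysAllow`, so any token the API server accepts would have full access to the kubelet API. I would confirm where authorization is configured and, if it is missing, extend the line to `... --authentication-token-webhook=true --authorization-mode=Webhook`. The same applies to the `KUBELET_EXTRA_ARGS` hunk in pkg/userdata/ubuntu/userdata.go. The commit subject says "authorization", but the flag only turns on token authentication, which makes this easy to overlook.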
@@ -82,7 +82,7 @@ "name": "docker.service" }, { - "contents": "[Unit]\nDescription=Kubernetes Kubelet\nRequires=docker.service\nAfter=docker.service\n[Service]\nTimeoutStartSec=5min\nEnvironment=KUBELET_IMAGE_TAG=v1.9.2_coreos.0\nEnvironment=\"RKT_RUN_ARGS=--uuid-file-save=/var/cache/kubelet-pod.uuid \\\n --volume=resolv,kind=host,source=/etc/resolv.conf \\\n --mount volume=resolv,target=/etc/resolv.conf \\\n --volume cni-bin,kind=host,source=/opt/cni/bin \\\n --mount volume=cni-bin,target=/opt/cni/bin \\\n --volume cni-conf,kind=host,source=/etc/cni/net.d \\\n --mount volume=cni-conf,target=/etc/cni/net.d \\\n --volume etc-kubernetes,kind=host,source=/etc/kubernetes \\\n --mount volume=etc-kubernetes,target=/etc/kubernetes \\\n --volume var-log,kind=host,source=/var/log \\\n --mount volume=var-log,target=/var/log\"\nExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests\nExecStartPre=/bin/mkdir -p /etc/cni/net.d\nExecStartPre=/bin/mkdir -p /opt/cni/bin\nExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid\nExecStart=/usr/lib/coreos/kubelet-wrapper \\\n --container-runtime=docker \\\n --allow-privileged=true \\\n --cni-bin-dir=/opt/cni/bin \\\n --cni-conf-dir=/etc/cni/net.d \\\n --cluster-dns=10.10.10.10 \\\n --cluster-domain=cluster.local \\\n --network-plugin=cni \\\n --cloud-provider=openstack \\\n --cloud-config=/etc/kubernetes/cloud-config \\\n --cert-dir=/etc/kubernetes/ \\\n --pod-manifest-path=/etc/kubernetes/manifests \\\n --resolv-conf=/etc/resolv.conf \\\n --rotate-certificates=true \\\n --kubeconfig=/etc/kubernetes/kubeconfig \\\n --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \\\n --lock-file=/var/run/lock/kubelet.lock \\\n --exit-on-lock-contention \\\n --read-only-port 0 \\\n --authorization-mode=Webhook \\\n --anonymous-auth=false \\\n --client-ca-file=/etc/kubernetes/ca.crt\nExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid\nRestart=always\nRestartSec=10\n[Install]\nWantedBy=multi-user.target\n", + 
"contents": "[Unit]\nDescription=Kubernetes Kubelet\nRequires=docker.service\nAfter=docker.service\n[Service]\nTimeoutStartSec=5min\nEnvironment=KUBELET_IMAGE_TAG=v1.9.2_coreos.0\nEnvironment=\"RKT_RUN_ARGS=--uuid-file-save=/var/cache/kubelet-pod.uuid \\\n --volume=resolv,kind=host,source=/etc/resolv.conf \\\n --mount volume=resolv,target=/etc/resolv.conf \\\n --volume cni-bin,kind=host,source=/opt/cni/bin \\\n --mount volume=cni-bin,target=/opt/cni/bin \\\n --volume cni-conf,kind=host,source=/etc/cni/net.d \\\n --mount volume=cni-conf,target=/etc/cni/net.d \\\n --volume etc-kubernetes,kind=host,source=/etc/kubernetes \\\n --mount volume=etc-kubernetes,target=/etc/kubernetes \\\n --volume var-log,kind=host,source=/var/log \\\n --mount volume=var-log,target=/var/log\"\nExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests\nExecStartPre=/bin/mkdir -p /etc/cni/net.d\nExecStartPre=/bin/mkdir -p /opt/cni/bin\nExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid\nExecStart=/usr/lib/coreos/kubelet-wrapper \\\n --container-runtime=docker \\\n --allow-privileged=true \\\n --cni-bin-dir=/opt/cni/bin \\\n --cni-conf-dir=/etc/cni/net.d \\\n --cluster-dns=10.10.10.10 \\\n --cluster-domain=cluster.local \\\n --authentication-token-webhook=true \\\n --network-plugin=cni \\\n --cloud-provider=openstack \\\n --cloud-config=/etc/kubernetes/cloud-config \\\n --cert-dir=/etc/kubernetes/ \\\n --pod-manifest-path=/etc/kubernetes/manifests \\\n --resolv-conf=/etc/resolv.conf \\\n --rotate-certificates=true \\\n --kubeconfig=/etc/kubernetes/kubeconfig \\\n --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \\\n --lock-file=/var/run/lock/kubelet.lock \\\n --exit-on-lock-contention \\\n --read-only-port 0 \\\n --authorization-mode=Webhook \\\n --anonymous-auth=false \\\n --client-ca-file=/etc/kubernetes/ca.crt\nExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid\nRestart=always\nRestartSec=10\n[Install]\nWantedBy=multi-user.target\n", "dropins": [ { 
"contents": "[Unit]\nRequires=docker.service\nAfter=docker.service\n", diff --git a/pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-multiple-dns.golden b/pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-multiple-dns.golden index 3567f3b95..b3d653739 100644 --- a/pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-multiple-dns.golden +++ b/pkg/userdata/coreos/testdata/docker-1.12.6-auto-update-openstack-multiple-dns.golden 
@@ -82,7 +82,7 @@ "name": "docker.service" }, { - "contents": "[Unit]\nDescription=Kubernetes Kubelet\nRequires=docker.service\nAfter=docker.service\n[Service]\nTimeoutStartSec=5min\nEnvironment=KUBELET_IMAGE_TAG=v1.9.2_coreos.0\nEnvironment=\"RKT_RUN_ARGS=--uuid-file-save=/var/cache/kubelet-pod.uuid \\\n --volume=resolv,kind=host,source=/etc/resolv.conf \\\n --mount volume=resolv,target=/etc/resolv.conf \\\n --volume cni-bin,kind=host,source=/opt/cni/bin \\\n --mount volume=cni-bin,target=/opt/cni/bin \\\n --volume cni-conf,kind=host,source=/etc/cni/net.d \\\n --mount volume=cni-conf,target=/etc/cni/net.d \\\n --volume etc-kubernetes,kind=host,source=/etc/kubernetes \\\n --mount volume=etc-kubernetes,target=/etc/kubernetes \\\n --volume var-log,kind=host,source=/var/log \\\n --mount volume=var-log,target=/var/log\"\nExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests\nExecStartPre=/bin/mkdir -p /etc/cni/net.d\nExecStartPre=/bin/mkdir -p /opt/cni/bin\nExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid\nExecStart=/usr/lib/coreos/kubelet-wrapper \\\n --container-runtime=docker \\\n --allow-privileged=true \\\n --cni-bin-dir=/opt/cni/bin \\\n --cni-conf-dir=/etc/cni/net.d \\\n --cluster-dns=10.10.10.10,10.10.10.11,10.10.10.12 \\\n --cluster-domain=cluster.local \\\n --network-plugin=cni \\\n --cloud-provider=openstack \\\n --cloud-config=/etc/kubernetes/cloud-config \\\n --cert-dir=/etc/kubernetes/ \\\n --pod-manifest-path=/etc/kubernetes/manifests \\\n --resolv-conf=/etc/resolv.conf \\\n --rotate-certificates=true \\\n --kubeconfig=/etc/kubernetes/kubeconfig \\\n --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \\\n --lock-file=/var/run/lock/kubelet.lock \\\n --exit-on-lock-contention \\\n --read-only-port 0 \\\n --authorization-mode=Webhook \\\n --anonymous-auth=false \\\n --client-ca-file=/etc/kubernetes/ca.crt\nExecStop=-/usr/bin/rkt stop 
--uuid-file=/var/cache/kubelet-pod.uuid\nRestart=always\nRestartSec=10\n[Install]\nWantedBy=multi-user.target\n", + "contents": "[Unit]\nDescription=Kubernetes Kubelet\nRequires=docker.service\nAfter=docker.service\n[Service]\nTimeoutStartSec=5min\nEnvironment=KUBELET_IMAGE_TAG=v1.9.2_coreos.0\nEnvironment=\"RKT_RUN_ARGS=--uuid-file-save=/var/cache/kubelet-pod.uuid \\\n --volume=resolv,kind=host,source=/etc/resolv.conf \\\n --mount volume=resolv,target=/etc/resolv.conf \\\n --volume cni-bin,kind=host,source=/opt/cni/bin \\\n --mount volume=cni-bin,target=/opt/cni/bin \\\n --volume cni-conf,kind=host,source=/etc/cni/net.d \\\n --mount volume=cni-conf,target=/etc/cni/net.d \\\n --volume etc-kubernetes,kind=host,source=/etc/kubernetes \\\n --mount volume=etc-kubernetes,target=/etc/kubernetes \\\n --volume var-log,kind=host,source=/var/log \\\n --mount volume=var-log,target=/var/log\"\nExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests\nExecStartPre=/bin/mkdir -p /etc/cni/net.d\nExecStartPre=/bin/mkdir -p /opt/cni/bin\nExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid\nExecStart=/usr/lib/coreos/kubelet-wrapper \\\n --container-runtime=docker \\\n --allow-privileged=true \\\n --cni-bin-dir=/opt/cni/bin \\\n --cni-conf-dir=/etc/cni/net.d \\\n --cluster-dns=10.10.10.10,10.10.10.11,10.10.10.12 \\\n --cluster-domain=cluster.local \\\n --authentication-token-webhook=true \\\n --network-plugin=cni \\\n --cloud-provider=openstack \\\n --cloud-config=/etc/kubernetes/cloud-config \\\n --cert-dir=/etc/kubernetes/ \\\n --pod-manifest-path=/etc/kubernetes/manifests \\\n --resolv-conf=/etc/resolv.conf \\\n --rotate-certificates=true \\\n --kubeconfig=/etc/kubernetes/kubeconfig \\\n --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \\\n --lock-file=/var/run/lock/kubelet.lock \\\n --exit-on-lock-contention \\\n --read-only-port 0 \\\n --authorization-mode=Webhook \\\n --anonymous-auth=false \\\n 
--client-ca-file=/etc/kubernetes/ca.crt\nExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid\nRestart=always\nRestartSec=10\n[Install]\nWantedBy=multi-user.target\n", "dropins": [ { "contents": "[Unit]\nRequires=docker.service\nAfter=docker.service\n", diff --git a/pkg/userdata/coreos/testdata/docker-1.12.6-disable-auto-update-aws.golden b/pkg/userdata/coreos/testdata/docker-1.12.6-disable-auto-update-aws.golden index b57a84bdc..564e78096 100644 --- a/pkg/userdata/coreos/testdata/docker-1.12.6-disable-auto-update-aws.golden +++ b/pkg/userdata/coreos/testdata/docker-1.12.6-disable-auto-update-aws.golden 
@@ -90,7 +90,7 @@ "name": "docker.service" }, { - "contents": "[Unit]\nDescription=Kubernetes Kubelet\nRequires=docker.service\nAfter=docker.service\n[Service]\nTimeoutStartSec=5min\nEnvironment=KUBELET_IMAGE_TAG=v1.9.2_coreos.0\nEnvironment=\"RKT_RUN_ARGS=--uuid-file-save=/var/cache/kubelet-pod.uuid \\\n --volume=resolv,kind=host,source=/etc/resolv.conf \\\n --mount volume=resolv,target=/etc/resolv.conf \\\n --volume cni-bin,kind=host,source=/opt/cni/bin \\\n --mount volume=cni-bin,target=/opt/cni/bin \\\n --volume cni-conf,kind=host,source=/etc/cni/net.d \\\n --mount volume=cni-conf,target=/etc/cni/net.d \\\n --volume etc-kubernetes,kind=host,source=/etc/kubernetes \\\n --mount volume=etc-kubernetes,target=/etc/kubernetes \\\n --volume var-log,kind=host,source=/var/log \\\n --mount volume=var-log,target=/var/log\"\nExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests\nExecStartPre=/bin/mkdir -p /etc/cni/net.d\nExecStartPre=/bin/mkdir -p /opt/cni/bin\nExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid\nExecStart=/usr/lib/coreos/kubelet-wrapper \\\n --container-runtime=docker \\\n --allow-privileged=true \\\n --cni-bin-dir=/opt/cni/bin \\\n --cni-conf-dir=/etc/cni/net.d \\\n --cluster-dns=10.10.10.10 \\\n --cluster-domain=cluster.local \\\n --network-plugin=cni \\\n --cloud-provider=aws \\\n --cloud-config=/etc/kubernetes/cloud-config \\\n --cert-dir=/etc/kubernetes/ \\\n --pod-manifest-path=/etc/kubernetes/manifests \\\n --resolv-conf=/etc/resolv.conf \\\n --rotate-certificates=true \\\n --kubeconfig=/etc/kubernetes/kubeconfig \\\n --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \\\n --lock-file=/var/run/lock/kubelet.lock \\\n --exit-on-lock-contention \\\n --read-only-port 0 \\\n --authorization-mode=Webhook \\\n --anonymous-auth=false \\\n --client-ca-file=/etc/kubernetes/ca.crt\nExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid\nRestart=always\nRestartSec=10\n[Install]\nWantedBy=multi-user.target\n", + 
"contents": "[Unit]\nDescription=Kubernetes Kubelet\nRequires=docker.service\nAfter=docker.service\n[Service]\nTimeoutStartSec=5min\nEnvironment=KUBELET_IMAGE_TAG=v1.9.2_coreos.0\nEnvironment=\"RKT_RUN_ARGS=--uuid-file-save=/var/cache/kubelet-pod.uuid \\\n --volume=resolv,kind=host,source=/etc/resolv.conf \\\n --mount volume=resolv,target=/etc/resolv.conf \\\n --volume cni-bin,kind=host,source=/opt/cni/bin \\\n --mount volume=cni-bin,target=/opt/cni/bin \\\n --volume cni-conf,kind=host,source=/etc/cni/net.d \\\n --mount volume=cni-conf,target=/etc/cni/net.d \\\n --volume etc-kubernetes,kind=host,source=/etc/kubernetes \\\n --mount volume=etc-kubernetes,target=/etc/kubernetes \\\n --volume var-log,kind=host,source=/var/log \\\n --mount volume=var-log,target=/var/log\"\nExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests\nExecStartPre=/bin/mkdir -p /etc/cni/net.d\nExecStartPre=/bin/mkdir -p /opt/cni/bin\nExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid\nExecStart=/usr/lib/coreos/kubelet-wrapper \\\n --container-runtime=docker \\\n --allow-privileged=true \\\n --cni-bin-dir=/opt/cni/bin \\\n --cni-conf-dir=/etc/cni/net.d \\\n --cluster-dns=10.10.10.10 \\\n --cluster-domain=cluster.local \\\n --authentication-token-webhook=true \\\n --network-plugin=cni \\\n --cloud-provider=aws \\\n --cloud-config=/etc/kubernetes/cloud-config \\\n --cert-dir=/etc/kubernetes/ \\\n --pod-manifest-path=/etc/kubernetes/manifests \\\n --resolv-conf=/etc/resolv.conf \\\n --rotate-certificates=true \\\n --kubeconfig=/etc/kubernetes/kubeconfig \\\n --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \\\n --lock-file=/var/run/lock/kubelet.lock \\\n --exit-on-lock-contention \\\n --read-only-port 0 \\\n --authorization-mode=Webhook \\\n --anonymous-auth=false \\\n --client-ca-file=/etc/kubernetes/ca.crt\nExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid\nRestart=always\nRestartSec=10\n[Install]\nWantedBy=multi-user.target\n", "dropins": [ { 
"contents": "[Unit]\nRequires=docker.service\nAfter=docker.service\n", diff --git a/pkg/userdata/coreos/userdata.go b/pkg/userdata/coreos/userdata.go index 33579dd9b..20a5026d2 100644 --- a/pkg/userdata/coreos/userdata.go +++ b/pkg/userdata/coreos/userdata.go @@ -196,6 +196,7 @@ systemd: --cni-conf-dir=/etc/cni/net.d \ --cluster-dns={{ ipSliceToCommaSeparatedString .ClusterDNSIPs }} \ --cluster-domain=cluster.local \ + --authentication-token-webhook=true \ --network-plugin=cni \ {{- if .CloudProvider }} --cloud-provider={{ .CloudProvider }} \ diff --git a/pkg/userdata/ubuntu/testdata/cri-o-1.9-digitalocean.golden b/pkg/userdata/ubuntu/testdata/cri-o-1.9-digitalocean.golden index 968ad881b..cf3d4121f 100644 --- a/pkg/userdata/ubuntu/testdata/cri-o-1.9-digitalocean.golden +++ b/pkg/userdata/ubuntu/testdata/cri-o-1.9-digitalocean.golden @@ -147,7 +147,7 @@ write_files: - path: "/etc/systemd/system/kubelet.service.d/20-extra.conf" content: | [Service] - Environment="KUBELET_EXTRA_ARGS= \ + Environment="KUBELET_EXTRA_ARGS= --authentication-token-webhook=true \ --container-runtime=remote --container-runtime-endpoint=unix:///var/run/crio/crio.sock --cgroup-driver=systemd" - path: "/etc/systemd/system/kubelet.service.d/30-clusterdns.conf" diff --git a/pkg/userdata/ubuntu/testdata/docker-1.13-dist-upgrade-on-boot-aws.golden b/pkg/userdata/ubuntu/testdata/docker-1.13-dist-upgrade-on-boot-aws.golden index 159e822ed..209506835 100644 --- a/pkg/userdata/ubuntu/testdata/docker-1.13-dist-upgrade-on-boot-aws.golden +++ b/pkg/userdata/ubuntu/testdata/docker-1.13-dist-upgrade-on-boot-aws.golden 
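Review bot: In pkg/userdata/coreos/userdata.go the new `--authentication-token-webhook=true \` sits between `--cluster-domain` and `--network-plugin`, far from `--authorization-mode=Webhook`, `--anonymous-auth=false` and `--client-ca-file`, which the regenerated fixtures show at the end of `ExecStart`. Keeping the flags that control kubelet API access together makes the unit easier to audit, so I would move the line to sit directly before `--authorization-mode=Webhook \` and regenerate the golden files. The kubelet caches token review results, so a revoked token can still be accepted until its cache entry expires; if the default is too long for these clusters, set `--authentication-token-webhook-cache-ttl` explicitly. The `ExecStart` block starts and ends outside the hunk.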
@@ -126,7 +126,7 @@ write_files: - path: "/etc/systemd/system/kubelet.service.d/20-extra.conf" content: | [Service] - Environment="KUBELET_EXTRA_ARGS=--cloud-provider=aws --cloud-config=/etc/kubernetes/cloud-config \ + Environment="KUBELET_EXTRA_ARGS=--cloud-provider=aws --cloud-config=/etc/kubernetes/cloud-config --authentication-token-webhook=true \ " - path: "/etc/systemd/system/kubelet.service.d/30-clusterdns.conf" diff --git a/pkg/userdata/ubuntu/testdata/docker-17.03-openstack-kubelet-v-version-prefix.golden b/pkg/userdata/ubuntu/testdata/docker-17.03-openstack-kubelet-v-version-prefix.golden index 3a500a656..8b60abb96 100644 --- a/pkg/userdata/ubuntu/testdata/docker-17.03-openstack-kubelet-v-version-prefix.golden +++ b/pkg/userdata/ubuntu/testdata/docker-17.03-openstack-kubelet-v-version-prefix.golden @@ -126,7 +126,7 @@ write_files: - path: "/etc/systemd/system/kubelet.service.d/20-extra.conf" content: | [Service] - Environment="KUBELET_EXTRA_ARGS=--cloud-provider=openstack --cloud-config=/etc/kubernetes/cloud-config \ + Environment="KUBELET_EXTRA_ARGS=--cloud-provider=openstack --cloud-config=/etc/kubernetes/cloud-config --authentication-token-webhook=true \ " - path: "/etc/systemd/system/kubelet.service.d/30-clusterdns.conf" diff --git a/pkg/userdata/ubuntu/testdata/docker-17.03-openstack-multiple-dns.golden b/pkg/userdata/ubuntu/testdata/docker-17.03-openstack-multiple-dns.golden index f9ef4228a..5c4958101 100644 --- a/pkg/userdata/ubuntu/testdata/docker-17.03-openstack-multiple-dns.golden +++ b/pkg/userdata/ubuntu/testdata/docker-17.03-openstack-multiple-dns.golden 
@@ -126,7 +126,7 @@ write_files: - path: "/etc/systemd/system/kubelet.service.d/20-extra.conf" content: | [Service] - Environment="KUBELET_EXTRA_ARGS=--cloud-provider=openstack --cloud-config=/etc/kubernetes/cloud-config \ + Environment="KUBELET_EXTRA_ARGS=--cloud-provider=openstack --cloud-config=/etc/kubernetes/cloud-config --authentication-token-webhook=true \ " - path: "/etc/systemd/system/kubelet.service.d/30-clusterdns.conf" diff --git a/pkg/userdata/ubuntu/userdata.go b/pkg/userdata/ubuntu/userdata.go index e9c1b1946..c6dde717c 100644 --- a/pkg/userdata/ubuntu/userdata.go +++ b/pkg/userdata/ubuntu/userdata.go @@ -313,7 +313,7 @@ write_files: - path: "/etc/systemd/system/kubelet.service.d/20-extra.conf" content: | [Service] - Environment="KUBELET_EXTRA_ARGS={{ if .CloudProvider }}--cloud-provider={{ .CloudProvider }} --cloud-config=/etc/kubernetes/cloud-config{{ end}} \ + Environment="KUBELET_EXTRA_ARGS={{ if .CloudProvider }}--cloud-provider={{ .CloudProvider }} --cloud-config=/etc/kubernetes/cloud-config{{ end}} --authentication-token-webhook=true \ {{ if eq .MachineSpec.Versions.ContainerRuntime.Name "cri-o"}} --container-runtime=remote --container-runtime-endpoint=unix:///var/run/crio/crio.sock --cgroup-driver=systemd{{ end }}" - path: "/etc/systemd/system/kubelet.service.d/30-clusterdns.conf"