1 /* 2 Copyright 2019 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package constants 18 19 import ( 20 "fmt" 21 "net" 22 "os" 23 "path/filepath" 24 "strings" 25 "time" 26 27 "github.com/pkg/errors" 28 29 v1 "k8s.io/api/core/v1" 30 "k8s.io/apimachinery/pkg/util/version" 31 apimachineryversion "k8s.io/apimachinery/pkg/version" 32 componentversion "k8s.io/component-base/version" 33 netutils "k8s.io/utils/net" 34 ) 35 36 const ( 37 // KubernetesDir is the directory Kubernetes owns for storing various configuration files 38 KubernetesDir = "/etc/kubernetes" 39 // ManifestsSubDirName defines directory name to store manifests 40 ManifestsSubDirName = "manifests" 41 // TempDirForKubeadm defines temporary directory for kubeadm 42 // should be joined with KubernetesDir. 43 TempDirForKubeadm = "tmp" 44 45 // CertificateBackdate defines the offset applied to notBefore for CA certificates generated by kubeadm 46 CertificateBackdate = time.Minute * 5 47 // CertificateValidity defines the validity for all the signed certificates generated by kubeadm 48 CertificateValidity = time.Hour * 24 * 365 49 50 // DefaultCertificateDir defines default certificate directory 51 DefaultCertificateDir = "pki" 52 53 // CACertAndKeyBaseName defines certificate authority base name 54 CACertAndKeyBaseName = "ca" 55 // CACertName defines certificate name 56 CACertName = "ca.crt" 57 // CAKeyName defines certificate name 58 CAKeyName = "ca.key" 59 60 // APIServerCertAndKeyBaseName defines API's server certificate and key base name 61 APIServerCertAndKeyBaseName = "apiserver" 62 // APIServerCertName defines API's server certificate name 63 APIServerCertName = "apiserver.crt" 64 // APIServerKeyName defines API's server key name 65 APIServerKeyName = "apiserver.key" 66 // APIServerCertCommonName defines API's server certificate common name (CN) 67 APIServerCertCommonName = "kube-apiserver" 68 69 // APIServerKubeletClientCertAndKeyBaseName defines kubelet client certificate and key base name 70 APIServerKubeletClientCertAndKeyBaseName = "apiserver-kubelet-client" 71 // APIServerKubeletClientCertName defines kubelet client certificate name 72 APIServerKubeletClientCertName = "apiserver-kubelet-client.crt" 73 // APIServerKubeletClientKeyName defines kubelet client key name 74 APIServerKubeletClientKeyName = "apiserver-kubelet-client.key" 75 // APIServerKubeletClientCertCommonName defines kubelet client certificate common name (CN) 76 APIServerKubeletClientCertCommonName = "kube-apiserver-kubelet-client" 77 78 // EtcdCACertAndKeyBaseName defines etcd's CA certificate and key base name 79 EtcdCACertAndKeyBaseName = "etcd/ca" 80 // EtcdCACertName defines etcd's CA certificate name 81 EtcdCACertName = "etcd/ca.crt" 82 // EtcdCAKeyName defines etcd's CA key name 83 EtcdCAKeyName = "etcd/ca.key" 84 85 // EtcdServerCertAndKeyBaseName defines etcd's server certificate and key base name 86 EtcdServerCertAndKeyBaseName = "etcd/server" 87 // EtcdServerCertName defines etcd's server certificate name 88 EtcdServerCertName = "etcd/server.crt" 89 // EtcdServerKeyName defines etcd's server key name 90 EtcdServerKeyName = "etcd/server.key" 91 92 // EtcdListenClientPort defines the port etcd listen on for client traffic 93 EtcdListenClientPort = 2379 94 // EtcdMetricsPort is the port at which to obtain etcd metrics and health status 95 EtcdMetricsPort = 2381 96 97 // EtcdPeerCertAndKeyBaseName defines etcd's peer certificate and key base name 98 EtcdPeerCertAndKeyBaseName = "etcd/peer" 99 // EtcdPeerCertName defines etcd's peer certificate name 100 EtcdPeerCertName = "etcd/peer.crt" 101 // EtcdPeerKeyName defines etcd's peer key name 102 EtcdPeerKeyName = "etcd/peer.key" 103 104 // EtcdListenPeerPort defines the port etcd listen on for peer traffic 105 EtcdListenPeerPort = 2380 106 107 // EtcdHealthcheckClientCertAndKeyBaseName defines etcd's healthcheck client certificate and key base name 108 EtcdHealthcheckClientCertAndKeyBaseName = "etcd/healthcheck-client" 109 // EtcdHealthcheckClientCertName defines etcd's healthcheck client certificate name 110 EtcdHealthcheckClientCertName = "etcd/healthcheck-client.crt" 111 // EtcdHealthcheckClientKeyName defines etcd's healthcheck client key name 112 EtcdHealthcheckClientKeyName = "etcd/healthcheck-client.key" 113 // EtcdHealthcheckClientCertCommonName defines etcd's healthcheck client certificate common name (CN) 114 EtcdHealthcheckClientCertCommonName = "kube-etcd-healthcheck-client" 115 116 // APIServerEtcdClientCertAndKeyBaseName defines apiserver's etcd client certificate and key base name 117 APIServerEtcdClientCertAndKeyBaseName = "apiserver-etcd-client" 118 // APIServerEtcdClientCertName defines apiserver's etcd client certificate name 119 APIServerEtcdClientCertName = "apiserver-etcd-client.crt" 120 // APIServerEtcdClientKeyName defines apiserver's etcd client key name 121 APIServerEtcdClientKeyName = "apiserver-etcd-client.key" 122 // APIServerEtcdClientCertCommonName defines apiserver's etcd client certificate common name (CN) 123 APIServerEtcdClientCertCommonName = "kube-apiserver-etcd-client" 124 125 // ServiceAccountKeyBaseName defines SA key base name 126 ServiceAccountKeyBaseName = "sa" 127 // ServiceAccountPublicKeyName defines SA public key base name 128 ServiceAccountPublicKeyName = "sa.pub" 129 // ServiceAccountPrivateKeyName defines SA private key base name 130 ServiceAccountPrivateKeyName = "sa.key" 131 132 // FrontProxyCACertAndKeyBaseName defines front proxy CA certificate and key base name 133 FrontProxyCACertAndKeyBaseName = "front-proxy-ca" 134 // FrontProxyCACertName defines front proxy CA certificate name 135 FrontProxyCACertName = "front-proxy-ca.crt" 136 // FrontProxyCAKeyName defines front proxy CA key name 137 FrontProxyCAKeyName = "front-proxy-ca.key" 138 139 // FrontProxyClientCertAndKeyBaseName defines front proxy certificate and key base name 140 FrontProxyClientCertAndKeyBaseName = "front-proxy-client" 141 // FrontProxyClientCertName defines front proxy certificate name 142 FrontProxyClientCertName = "front-proxy-client.crt" 143 // FrontProxyClientKeyName defines front proxy key name 144 FrontProxyClientKeyName = "front-proxy-client.key" 145 // FrontProxyClientCertCommonName defines front proxy certificate common name 146 FrontProxyClientCertCommonName = "front-proxy-client" //used as subject.commonname attribute (CN) 147 148 // AdminKubeConfigFileName defines name for the kubeconfig aimed to be used by the admin of the cluster 149 AdminKubeConfigFileName = "admin.conf" 150 // SuperAdminKubeConfigFileName defines name for the kubeconfig aimed to be used by the super-admin of the cluster 151 SuperAdminKubeConfigFileName = "super-admin.conf" 152 153 // KubeletBootstrapKubeConfigFileName defines the file name for the kubeconfig that the kubelet will use to do 154 // the TLS bootstrap to get itself an unique credential 155 KubeletBootstrapKubeConfigFileName = "bootstrap-kubelet.conf" 156 157 // KubeletKubeConfigFileName defines the file name for the kubeconfig that the control-plane kubelet will use for talking 158 // to the API server 159 KubeletKubeConfigFileName = "kubelet.conf" 160 // ControllerManagerKubeConfigFileName defines the file name for the controller manager's kubeconfig file 161 ControllerManagerKubeConfigFileName = "controller-manager.conf" 162 // SchedulerKubeConfigFileName defines the file name for the scheduler's kubeconfig file 163 SchedulerKubeConfigFileName = "scheduler.conf" 164 165 // Some well-known users, groups, roles and clusterrolebindings in the core Kubernetes authorization system 166 167 // ControllerManagerUser defines the well-known user the controller-manager should be authenticated as 168 ControllerManagerUser = "system:kube-controller-manager" 169 // SchedulerUser defines the well-known user the scheduler should be authenticated as 170 SchedulerUser = "system:kube-scheduler" 171 // NodesUserPrefix defines the user name prefix as requested by the Node authorizer. 172 NodesUserPrefix = "system:node:" 173 // SystemPrivilegedGroup defines the well-known group for the apiservers. This group is also superuser by default 174 // (i.e. bound to the cluster-admin ClusterRole) 175 SystemPrivilegedGroup = "system:masters" 176 // NodesGroup defines the well-known group for all nodes. 177 NodesGroup = "system:nodes" 178 // NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in 179 NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token" 180 // KubeProxyClusterRoleName sets the name for the kube-proxy ClusterRole 181 KubeProxyClusterRoleName = "system:node-proxier" 182 // NodeBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR 183 NodeBootstrapperClusterRoleName = "system:node-bootstrapper" 184 // CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR 185 // Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup 186 CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient" 187 // NodeSelfCSRAutoApprovalClusterRoleName is a role defined in default 1.8 RBAC policies for automatic CSR approvals for automatically rotated node certificates 188 NodeSelfCSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient" 189 // NodesClusterRoleBinding defines the well-known ClusterRoleBinding which binds the too permissive system:node 190 // ClusterRole to the system:nodes group. Since kubeadm is using the Node Authorizer, this ClusterRoleBinding's 191 // system:nodes group subject is removed if present. 192 NodesClusterRoleBinding = "system:node" 193 194 // KubeletBaseConfigMapRole defines the base kubelet configuration ConfigMap. 195 KubeletBaseConfigMapRole = "kubeadm:kubelet-config" 196 // KubeProxyClusterRoleBindingName sets the name for the kube-proxy CluterRoleBinding 197 KubeProxyClusterRoleBindingName = "kubeadm:node-proxier" 198 // NodeKubeletBootstrap defines the name of the ClusterRoleBinding that lets kubelets post CSRs 199 NodeKubeletBootstrap = "kubeadm:kubelet-bootstrap" 200 // GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes 201 GetNodesClusterRoleName = "kubeadm:get-nodes" 202 // NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs 203 NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap" 204 // NodeAutoApproveCertificateRotationClusterRoleBinding defines name of the ClusterRoleBinding that makes the csrapprover approve node auto rotated CSRs 205 NodeAutoApproveCertificateRotationClusterRoleBinding = "kubeadm:node-autoapprove-certificate-rotation" 206 // ClusterAdminsGroupAndClusterRoleBinding is the name of the Group used for kubeadm generated cluster 207 // admin credentials and the name of the ClusterRoleBinding that binds the same Group to the "cluster-admin" 208 // built-in ClusterRole. 209 ClusterAdminsGroupAndClusterRoleBinding = "kubeadm:cluster-admins" 210 211 // KubernetesAPICallTimeout specifies how long kubeadm should wait for API calls 212 KubernetesAPICallTimeout = 1 * time.Minute 213 // KubernetesAPICallRetryInterval defines how long kubeadm should wait before retrying a failed API operation 214 KubernetesAPICallRetryInterval = 500 * time.Millisecond 215 216 // DiscoveryTimeout specifies the default discovery timeout for kubeadm (used unless one is specified in the JoinConfiguration) 217 DiscoveryTimeout = 5 * time.Minute 218 // DiscoveryRetryInterval specifies how long kubeadm should wait before retrying to connect to the control-plane when doing discovery 219 DiscoveryRetryInterval = 5 * time.Second 220 221 // TLSBootstrapTimeout specifies how long kubeadm should wait for the kubelet to perform the TLS Bootstrap 222 TLSBootstrapTimeout = 5 * time.Minute 223 // TLSBootstrapRetryInterval specifies how long kubeadm should wait before retrying the TLS Bootstrap check 224 TLSBootstrapRetryInterval = 1 * time.Second 225 226 // EtcdAPICallTimeout specifies how much time to wait for completion of requests against the etcd API. 227 EtcdAPICallTimeout = 2 * time.Minute 228 // EtcdAPICallRetryInterval specifies how frequently to retry requests against the etcd API. 229 EtcdAPICallRetryInterval = 500 * time.Millisecond 230 231 // ControlPlaneComponentHealthCheckTimeout specifies the default control plane component health check timeout 232 ControlPlaneComponentHealthCheckTimeout = 4 * time.Minute 233 234 // KubeletHealthCheckTimeout specifies the default kubelet timeout 235 KubeletHealthCheckTimeout = 4 * time.Minute 236 237 // UpgradeManifestsTimeout specifies the default timeout for upgradring static Pod manifests 238 UpgradeManifestsTimeout = 5 * time.Minute 239 240 // PullImageRetry specifies how many times ContainerRuntime retries when pulling image failed 241 PullImageRetry = 5 242 // RemoveContainerRetry specifies how many times ContainerRuntime retries when removing container failed 243 RemoveContainerRetry = 5 244 245 // MinimumAddressesInServiceSubnet defines minimum amount of nodes the Service subnet should allow. 246 // We need at least ten, because the DNS service is always at the tenth cluster clusterIP 247 MinimumAddressesInServiceSubnet = 10 248 249 // MaximumBitsForServiceSubnet defines maximum possible size of the service subnet in terms of bits. 250 // For example, if the value is 20, then the largest supported service subnet is /12 for IPv4 and /108 for IPv6. 251 // Note however that anything in between /108 and /112 will be clamped to /112 due to the limitations of the underlying allocation logic. 252 // TODO: https://github.com/kubernetes/enhancements/pull/1881 253 MaximumBitsForServiceSubnet = 20 254 255 // MinimumAddressesInPodSubnet defines minimum amount of pods in the cluster. 256 // We need at least more than services, an IPv4 /28 or IPv6 /128 subnet means 14 util addresses 257 MinimumAddressesInPodSubnet = 14 258 259 // PodSubnetNodeMaskMaxDiff is limited to 16 due to an issue with uncompressed IP bitmap in core: 260 // xref: #44918 261 // The node subnet mask size must be no more than the pod subnet mask size + 16 262 PodSubnetNodeMaskMaxDiff = 16 263 264 // DefaultCertTokenDuration specifies the default amount of time that the token used by upload certs will be valid 265 // Default behaviour is 2 hours 266 DefaultCertTokenDuration = 2 * time.Hour 267 268 // CertificateKeySize specifies the size of the key used to encrypt certificates on uploadcerts phase 269 CertificateKeySize = 32 270 271 // LabelNodeRoleControlPlane specifies that a node hosts control-plane components 272 LabelNodeRoleControlPlane = "node-role.kubernetes.io/control-plane" 273 274 // LabelExcludeFromExternalLB can be set on a node to exclude it from external load balancers. 275 // This is added to control plane nodes to preserve backwards compatibility with a legacy behavior. 276 LabelExcludeFromExternalLB = "node.kubernetes.io/exclude-from-external-load-balancers" 277 278 // AnnotationKubeadmCRISocket specifies the annotation kubeadm uses to preserve the crisocket information given to kubeadm at 279 // init/join time for use later. kubeadm annotates the node object with this information 280 AnnotationKubeadmCRISocket = "kubeadm.alpha.kubernetes.io/cri-socket" 281 282 // KubeadmConfigConfigMap specifies in what ConfigMap in the kube-system namespace the `kubeadm init` configuration should be stored 283 KubeadmConfigConfigMap = "kubeadm-config" 284 285 // ClusterConfigurationConfigMapKey specifies in what ConfigMap key the cluster configuration should be stored 286 ClusterConfigurationConfigMapKey = "ClusterConfiguration" 287 288 // KubeProxyConfigMap specifies in what ConfigMap in the kube-system namespace the kube-proxy configuration should be stored 289 KubeProxyConfigMap = "kube-proxy" 290 291 // KubeProxyConfigMapKey specifies in what ConfigMap key the component config of kube-proxy should be stored 292 KubeProxyConfigMapKey = "config.conf" 293 294 // KubeletBaseConfigurationConfigMap specifies in what ConfigMap in the kube-system namespace the initial remote configuration of kubelet should be stored 295 KubeletBaseConfigurationConfigMap = "kubelet-config" 296 297 // KubeletBaseConfigurationConfigMapKey specifies in what ConfigMap key the initial remote configuration of kubelet should be stored 298 KubeletBaseConfigurationConfigMapKey = "kubelet" 299 300 // KubeletRunDirectory specifies the directory where the kubelet runtime information is stored. 301 KubeletRunDirectory = "/var/lib/kubelet" 302 303 // KubeletConfigurationFileName specifies the file name on the node which stores initial remote configuration of kubelet 304 // This file should exist under KubeletRunDirectory 305 KubeletConfigurationFileName = "config.yaml" 306 307 // KubeletEnvFileName is a file "kubeadm init" writes at runtime. Using that interface, kubeadm can customize certain 308 // kubelet flags conditionally based on the environment at runtime. Also, parameters given to the configuration file 309 // might be passed through this file. "kubeadm init" writes one variable, with the name ${KubeletEnvFileVariableName}. 310 // This file should exist under KubeletRunDirectory 311 KubeletEnvFileName = "kubeadm-flags.env" 312 313 // KubeletEnvFileVariableName specifies the shell script variable name "kubeadm init" should write a value to in KubeletEnvFile 314 KubeletEnvFileVariableName = "KUBELET_KUBEADM_ARGS" 315 316 // KubeletHealthzPort is the port of the kubelet healthz endpoint 317 KubeletHealthzPort = 10248 318 319 // MinExternalEtcdVersion indicates minimum external etcd version which kubeadm supports 320 MinExternalEtcdVersion = "3.4.13-4" 321 322 // DefaultEtcdVersion indicates the default etcd version that kubeadm uses 323 DefaultEtcdVersion = "3.5.12-0" 324 325 // Etcd defines variable used internally when referring to etcd component 326 Etcd = "etcd" 327 // KubeAPIServer defines variable used internally when referring to kube-apiserver component 328 KubeAPIServer = "kube-apiserver" 329 // KubeControllerManager defines variable used internally when referring to kube-controller-manager component 330 KubeControllerManager = "kube-controller-manager" 331 // KubeScheduler defines variable used internally when referring to kube-scheduler component 332 KubeScheduler = "kube-scheduler" 333 // KubeProxy defines variable used internally when referring to kube-proxy component 334 KubeProxy = "kube-proxy" 335 // CoreDNS defines variable used internally when referring to the CoreDNS component 336 CoreDNS = "CoreDNS" 337 // Kubelet defines variable used internally when referring to the Kubelet 338 Kubelet = "kubelet" 339 // Kubeadm defines variable used internally when referring to the kubeadm component 340 Kubeadm = "kubeadm" 341 342 // KubeCertificatesVolumeName specifies the name for the Volume that is used for injecting certificates to control plane components (can be both a hostPath volume or a projected, all-in-one volume) 343 KubeCertificatesVolumeName = "k8s-certs" 344 345 // KubeConfigVolumeName specifies the name for the Volume that is used for injecting the kubeconfig to talk securely to the api server for a control plane component if applicable 346 KubeConfigVolumeName = "kubeconfig" 347 348 // DefaultCIImageRepository points to image registry where CI uploads images from ci build job 349 DefaultCIImageRepository = "gcr.io/k8s-staging-ci-images" 350 351 // CoreDNSConfigMap specifies in what ConfigMap in the kube-system namespace the CoreDNS config should be stored 352 CoreDNSConfigMap = "coredns" 353 354 // CoreDNSDeploymentName specifies the name of the Deployment for CoreDNS add-on 355 CoreDNSDeploymentName = "coredns" 356 357 // CoreDNSImageName specifies the name of the image for CoreDNS add-on 358 CoreDNSImageName = "coredns" 359 360 // CoreDNSVersion is the version of CoreDNS to be deployed if it is used 361 CoreDNSVersion = "v1.11.1" 362 363 // ClusterConfigurationKind is the string kind value for the ClusterConfiguration struct 364 ClusterConfigurationKind = "ClusterConfiguration" 365 366 // InitConfigurationKind is the string kind value for the InitConfiguration struct 367 InitConfigurationKind = "InitConfiguration" 368 369 // JoinConfigurationKind is the string kind value for the JoinConfiguration struct 370 JoinConfigurationKind = "JoinConfiguration" 371 372 // ResetConfigurationKind is the string kind value for the ResetConfiguration struct 373 ResetConfigurationKind = "ResetConfiguration" 374 375 // YAMLDocumentSeparator is the separator for YAML documents 376 // TODO: Find a better place for this constant 377 YAMLDocumentSeparator = "---\n" 378 379 // CIKubernetesVersionPrefix is the prefix for CI Kubernetes version 380 CIKubernetesVersionPrefix = "ci/" 381 382 // DefaultAPIServerBindAddress is the default bind address for the API Server 383 DefaultAPIServerBindAddress = "0.0.0.0" 384 385 // ControlPlaneNumCPU is the number of CPUs required on control-plane 386 ControlPlaneNumCPU = 2 387 388 // ControlPlaneMem is the number of megabytes of memory required on the control-plane 389 // Below that amount of RAM running a stable control plane would be difficult. 390 ControlPlaneMem = 1700 391 392 // KubeadmCertsSecret specifies in what Secret in the kube-system namespace the certificates should be stored 393 KubeadmCertsSecret = "kubeadm-certs" 394 395 // KubeletPort is the default port for the kubelet server on each host machine. 396 // May be overridden by a flag at startup. 397 KubeletPort = 10250 398 // KubeSchedulerPort is the default port for the scheduler status server. 399 // May be overridden by a flag at startup. 400 KubeSchedulerPort = 10259 401 // KubeControllerManagerPort is the default port for the controller manager status server. 402 // May be overridden by a flag at startup. 403 KubeControllerManagerPort = 10257 404 405 // EtcdAdvertiseClientUrlsAnnotationKey is the annotation key on every etcd pod, describing the 406 // advertise client URLs 407 EtcdAdvertiseClientUrlsAnnotationKey = "kubeadm.kubernetes.io/etcd.advertise-client-urls" 408 // KubeAPIServerAdvertiseAddressEndpointAnnotationKey is the annotation key on every apiserver pod, 409 // describing the API endpoint (advertise address and bind port of the api server) 410 KubeAPIServerAdvertiseAddressEndpointAnnotationKey = "kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint" 411 // ComponentConfigHashAnnotationKey holds the config map annotation key that kubeadm uses to store 412 // a SHA256 sum to check for user changes 413 ComponentConfigHashAnnotationKey = "kubeadm.kubernetes.io/component-config.hash" 414 415 // ControlPlaneTier is the value used in the tier label to identify control plane components 416 ControlPlaneTier = "control-plane" 417 418 // Mode* constants were copied from pkg/kubeapiserver/authorizer/modes 419 // to avoid kubeadm dependency on the internal module 420 // TODO: share Mode* constants in component config 421 422 // ModeAlwaysAllow is the mode to set all requests as authorized 423 ModeAlwaysAllow string = "AlwaysAllow" 424 // ModeAlwaysDeny is the mode to set no requests as authorized 425 ModeAlwaysDeny string = "AlwaysDeny" 426 // ModeABAC is the mode to use Attribute Based Access Control to authorize 427 ModeABAC string = "ABAC" 428 // ModeWebhook is the mode to make an external webhook call to authorize 429 ModeWebhook string = "Webhook" 430 // ModeRBAC is the mode to use Role Based Access Control to authorize 431 ModeRBAC string = "RBAC" 432 // ModeNode is an authorization mode that authorizes API requests made by kubelets. 433 ModeNode string = "Node" 434 435 // PauseVersion indicates the default pause image version for kubeadm 436 PauseVersion = "3.9" 437 438 // CgroupDriverSystemd holds the systemd driver type 439 CgroupDriverSystemd = "systemd" 440 441 // KubeControllerManagerUserName is the username of the user that kube-controller-manager runs as. 442 KubeControllerManagerUserName string = "kubeadm-kcm" 443 // KubeAPIServerUserName is the username of the user that kube-apiserver runs as. 444 KubeAPIServerUserName string = "kubeadm-kas" 445 // KubeSchedulerUserName is the username of the user that kube-scheduler runs as. 446 KubeSchedulerUserName string = "kubeadm-ks" 447 // EtcdUserName is the username of the user that etcd runs as. 448 EtcdUserName string = "kubeadm-etcd" 449 // ServiceAccountKeyReadersGroupName is the group of users that are allowed to read the service account private key. 450 ServiceAccountKeyReadersGroupName string = "kubeadm-sa-key-readers" 451 // UpgradeConfigurationKind is the string kind value for the UpgradeConfiguration struct 452 UpgradeConfigurationKind = "UpgradeConfiguration" 453 ) 454 455 var ( 456 // ControlPlaneTaint is the taint to apply on the PodSpec for being able to run that Pod on the control-plane 457 ControlPlaneTaint = v1.Taint{ 458 Key: LabelNodeRoleControlPlane, 459 Effect: v1.TaintEffectNoSchedule, 460 } 461 462 // ControlPlaneToleration is the toleration to apply on the PodSpec for being able to run that Pod on the control-plane 463 ControlPlaneToleration = v1.Toleration{ 464 Key: LabelNodeRoleControlPlane, 465 Effect: v1.TaintEffectNoSchedule, 466 } 467 468 // ControlPlaneComponents defines the control-plane component names 469 ControlPlaneComponents = []string{KubeAPIServer, KubeControllerManager, KubeScheduler} 470 471 // MinimumControlPlaneVersion specifies the minimum control plane version kubeadm can deploy 472 MinimumControlPlaneVersion = getSkewedKubernetesVersion(-1) 473 474 // MinimumKubeletVersion specifies the minimum version of kubelet which kubeadm supports 475 MinimumKubeletVersion = getSkewedKubernetesVersion(-3) 476 477 // CurrentKubernetesVersion specifies current Kubernetes version supported by kubeadm 478 CurrentKubernetesVersion = getSkewedKubernetesVersion(0) 479 480 // SupportedEtcdVersion lists officially supported etcd versions with corresponding Kubernetes releases 481 SupportedEtcdVersion = map[uint8]string{ 482 22: "3.5.12-0", 483 23: "3.5.12-0", 484 24: "3.5.12-0", 485 25: "3.5.12-0", 486 26: "3.5.12-0", 487 27: "3.5.12-0", 488 28: "3.5.12-0", 489 29: "3.5.12-0", 490 30: "3.5.12-0", 491 } 492 493 // KubeadmCertsClusterRoleName sets the name for the ClusterRole that allows 494 // the bootstrap tokens to access the kubeadm-certs Secret during the join of a new control-plane 495 KubeadmCertsClusterRoleName = fmt.Sprintf("kubeadm:%s", KubeadmCertsSecret) 496 497 // defaultKubernetesPlaceholderVersion is a placeholder version in case the component-base 498 // version was not populated during build. 499 defaultKubernetesPlaceholderVersion = version.MustParseSemantic("v1.0.0-placeholder-version") 500 ) 501 502 // getSkewedKubernetesVersion returns the current MAJOR.(MINOR+n).0 Kubernetes version with a skew of 'n' 503 // It uses the kubeadm version provided by the 'component-base/version' package. This version must be populated 504 // by passing linker flags during the kubeadm build process. If the version is empty, assume that kubeadm 505 // was either build incorrectly or this code is running in unit tests. 506 func getSkewedKubernetesVersion(n int) *version.Version { 507 versionInfo := componentversion.Get() 508 return getSkewedKubernetesVersionImpl(&versionInfo, n) 509 } 510 511 func getSkewedKubernetesVersionImpl(versionInfo *apimachineryversion.Info, n int) *version.Version { 512 // TODO: update if the kubeadm version gets decoupled from the Kubernetes version. 513 // This would require keeping track of the supported skew in a table. 514 // More changes would be required if the kubelet version one day decouples from that of Kubernetes. 515 var ver *version.Version 516 if len(versionInfo.Major) == 0 { 517 return defaultKubernetesPlaceholderVersion 518 } 519 ver = version.MustParseSemantic(versionInfo.GitVersion) 520 // Append the MINOR version skew. 521 // TODO: handle the case of Kubernetes moving to v2.0 or having MAJOR version updates in the future. 522 // This would require keeping track (in a table) of the last MINOR for a particular MAJOR. 523 minor := uint(int(ver.Minor()) + n) 524 return version.MustParseSemantic(fmt.Sprintf("v%d.%d.0", ver.Major(), minor)) 525 } 526 527 // EtcdSupportedVersion returns officially supported version of etcd for a specific Kubernetes release 528 // If passed version is not in the given list, the function returns the nearest version with a warning 529 func EtcdSupportedVersion(supportedEtcdVersion map[uint8]string, versionString string) (etcdVersion *version.Version, warning, err error) { 530 kubernetesVersion, err := version.ParseSemantic(versionString) 531 if err != nil { 532 return nil, nil, err 533 } 534 desiredVersion, etcdStringVersion := uint8(kubernetesVersion.Minor()), "" 535 536 min, max := ^uint8(0), uint8(0) 537 for k, v := range supportedEtcdVersion { 538 if desiredVersion == k { 539 etcdStringVersion = v 540 break 541 } 542 if k < min { 543 min = k 544 } 545 if k > max { 546 max = k 547 } 548 } 549 550 if len(etcdStringVersion) == 0 { 551 if desiredVersion < min { 552 etcdStringVersion = supportedEtcdVersion[min] 553 } 554 if desiredVersion > max { 555 etcdStringVersion = supportedEtcdVersion[max] 556 } 557 warning = errors.Errorf("could not find officially supported version of etcd for Kubernetes %s, falling back to the nearest etcd version (%s)", 558 versionString, etcdStringVersion) 559 } 560 561 etcdVersion, err = version.ParseSemantic(etcdStringVersion) 562 if err != nil { 563 return nil, nil, err 564 } 565 566 return etcdVersion, warning, nil 567 } 568 569 // GetStaticPodDirectory returns the location on the disk where the Static Pod should be present 570 func GetStaticPodDirectory() string { 571 return filepath.Join(KubernetesDir, ManifestsSubDirName) 572 } 573 574 // GetStaticPodFilepath returns the location on the disk where the Static Pod should be present 575 func GetStaticPodFilepath(componentName, manifestsDir string) string { 576 return filepath.Join(manifestsDir, componentName+".yaml") 577 } 578 579 // GetAdminKubeConfigPath returns the location on the disk where admin kubeconfig is located by default 580 func GetAdminKubeConfigPath() string { 581 return filepath.Join(KubernetesDir, AdminKubeConfigFileName) 582 } 583 584 // GetSuperAdminKubeConfigPath returns the location on the disk where admin kubeconfig is located by default 585 func GetSuperAdminKubeConfigPath() string { 586 return filepath.Join(KubernetesDir, SuperAdminKubeConfigFileName) 587 } 588 589 // GetBootstrapKubeletKubeConfigPath returns the location on the disk where bootstrap kubelet kubeconfig is located by default 590 func GetBootstrapKubeletKubeConfigPath() string { 591 return filepath.Join(KubernetesDir, KubeletBootstrapKubeConfigFileName) 592 } 593 594 // GetKubeletKubeConfigPath returns the location on the disk where kubelet kubeconfig is located by default 595 func GetKubeletKubeConfigPath() string { 596 return filepath.Join(KubernetesDir, KubeletKubeConfigFileName) 597 } 598 599 // CreateTempDirForKubeadm is a function that creates a temporary directory under /etc/kubernetes/tmp (not using /tmp as that would potentially be dangerous) 600 func CreateTempDirForKubeadm(kubernetesDir, dirName string) (string, error) { 601 tempDir := filepath.Join(KubernetesDir, TempDirForKubeadm) 602 if len(kubernetesDir) != 0 { 603 tempDir = filepath.Join(kubernetesDir, TempDirForKubeadm) 604 } 605 606 // creates target folder if not already exists 607 if err := os.MkdirAll(tempDir, 0700); err != nil { 608 return "", errors.Wrapf(err, "failed to create directory %q", tempDir) 609 } 610 611 tempDir, err := os.MkdirTemp(tempDir, dirName) 612 if err != nil { 613 return "", errors.Wrap(err, "couldn't create a temporary directory") 614 } 615 return tempDir, nil 616 } 617 618 // CreateTimestampDirForKubeadm is a function that creates a temporary directory under /etc/kubernetes/tmp formatted with the current date 619 func CreateTimestampDirForKubeadm(kubernetesDir, dirName string) (string, error) { 620 tempDir := filepath.Join(KubernetesDir, TempDirForKubeadm) 621 if len(kubernetesDir) != 0 { 622 tempDir = filepath.Join(kubernetesDir, TempDirForKubeadm) 623 } 624 625 // creates target folder if not already exists 626 if err := os.MkdirAll(tempDir, 0700); err != nil { 627 return "", errors.Wrapf(err, "failed to create directory %q", tempDir) 628 } 629 630 timestampDirName := fmt.Sprintf("%s-%s", dirName, time.Now().Format("2006-01-02-15-04-05")) 631 timestampDir := filepath.Join(tempDir, timestampDirName) 632 if err := os.Mkdir(timestampDir, 0700); err != nil { 633 return "", errors.Wrap(err, "could not create timestamp directory") 634 } 635 636 return timestampDir, nil 637 } 638 639 // GetDNSIP returns a dnsIP, which is 10th IP in svcSubnet CIDR range 640 func GetDNSIP(svcSubnetList string) (net.IP, error) { 641 // Get the service subnet CIDR 642 svcSubnetCIDR, err := GetKubernetesServiceCIDR(svcSubnetList) 643 if err != nil { 644 return nil, errors.Wrapf(err, "unable to get internal Kubernetes Service IP from the given service CIDR (%s)", svcSubnetList) 645 } 646 647 // Selects the 10th IP in service subnet CIDR range as dnsIP 648 dnsIP, err := netutils.GetIndexedIP(svcSubnetCIDR, 10) 649 if err != nil { 650 return nil, errors.Wrap(err, "unable to get internal Kubernetes Service IP from the given service CIDR") 651 } 652 653 return dnsIP, nil 654 } 655 656 // GetKubernetesServiceCIDR returns the default Service CIDR for the Kubernetes internal service 657 func GetKubernetesServiceCIDR(svcSubnetList string) (*net.IPNet, error) { 658 // The default service address family for the cluster is the address family of the first 659 // service cluster IP range configured via the `--service-cluster-ip-range` flag 660 // of the kube-controller-manager and kube-apiserver. 661 svcSubnets, err := netutils.ParseCIDRs(strings.Split(svcSubnetList, ",")) 662 if err != nil { 663 return nil, errors.Wrapf(err, "unable to parse ServiceSubnet %v", svcSubnetList) 664 } 665 if len(svcSubnets) == 0 { 666 return nil, errors.New("received empty ServiceSubnet") 667 } 668 return svcSubnets[0], nil 669 } 670 671 // GetAPIServerVirtualIP returns the IP of the internal Kubernetes API service 672 func GetAPIServerVirtualIP(svcSubnetList string) (net.IP, error) { 673 svcSubnet, err := GetKubernetesServiceCIDR(svcSubnetList) 674 if err != nil { 675 return nil, errors.Wrap(err, "unable to get internal Kubernetes Service IP from the given service CIDR") 676 } 677 internalAPIServerVirtualIP, err := netutils.GetIndexedIP(svcSubnet, 1) 678 if err != nil { 679 return nil, errors.Wrapf(err, "unable to get the first IP address from the given CIDR: %s", svcSubnet.String()) 680 } 681 return internalAPIServerVirtualIP, nil 682 } 683