@@ -652,8 +652,13 @@ function create-master-auth {
652652 append_or_replace_prefixed_line " ${known_tokens_csv} " " ${GCE_GLBC_TOKEN} ," " system:controller:glbc,uid:system:controller:glbc"
653653 fi
654654 if [[ -n " ${ADDON_MANAGER_TOKEN:- } " ; then
655- append_or_replace_prefixed_line " ${known_tokens_csv} " " ${ADDON_MANAGER_TOKEN} ," " system:addon-manager,uid:system:addon-manager,system:masters"
655+ append_or_replace_prefixed_line " ${known_tokens_csv} " " ${ADDON_MANAGER_TOKEN} ," " system:addon-manager,uid:system:addon-manager,system:masters"
656656 fi
657+ if [[ -n " ${KONNECTIVITY_SERVER_TOKEN:- } " ; then
658+ append_or_replace_prefixed_line " ${known_tokens_csv} " " ${KONNECTIVITY_SERVER_TOKEN} ," " system:konnectivity-server,uid:system:konnectivity-server"
659+ create-kubeconfig " konnectivity-server" ${KONNECTIVITY_SERVER_TOKEN}
660+ fi
661+
657662 if [[ -n " ${EXTRA_STATIC_AUTH_COMPONENTS:- } " ; then
658663 # Create a static Bearer token and kubeconfig for extra, comma-separated components.
659664 IFS=" ," read -r -a extra_components <<< " ${EXTRA_STATIC_AUTH_COMPONENTS:-}"
@@ -810,7 +815,8 @@ egressSelections:
810815 proxyProtocol: HTTPConnect
811816 transport:
812817 uds:
813- udsName: /etc/srv/kubernetes/konnectivity/konnectivity-server.socket
818+ udsName: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket
819+
814820- name: master
815821 connection:
816822 proxyProtocol: Direct
@@ -1652,13 +1658,17 @@ function prepare-konnectivity-server-manifest {
16521658 params+=(" --log-file=/var/log/konnectivity-server.log"
16531659 params+=(" --logtostderr=false"
16541660 params+=(" --log-file-max-size=0"
1655- params+=(" --uds-name=/etc/srv/kubernetes/konnectivity/konnectivity-server.socket"
1661+ params+=(" --uds-name=/etc/srv/kubernetes/konnectivity-server /konnectivity-server.socket"
16561662 params+=(" --cluster-cert=/etc/srv/kubernetes/pki/apiserver.crt"
16571663 params+=(" --cluster-key=/etc/srv/kubernetes/pki/apiserver.key"
16581664 params+=(" --mode=http-connect"
16591665 params+=(" --server-port=0"
16601666 params+=(" --agent-port=$1 "
16611667 params+=(" --admin-port=$2 "
1668+ params+=(" --agent-namespace=kube-system"
1669+ params+=(" --agent-service-account=konnectivity-agent"
1670+ params+=(" --kubeconfig=/etc/srv/kubernetes/konnectivity-server/kubeconfig"
1671+ params+=(" --authentication-audience=system:konnectivity-server"
16621672 konnectivity_args=" "
16631673 for param in " ${params[@]} " ; do
16641674 konnectivity_args+=" , \" ${param} \" "
@@ -2469,7 +2479,7 @@ function setup-node-termination-handler-manifest {
24692479}
24702480
24712481function setup-konnectivity-agent-manifest {
2472- local -r manifest=" /etc/kubernetes/addons/konnectivity-agent/daemonset .yaml"
2482+ local -r manifest=" /etc/kubernetes/addons/konnectivity-agent/konnectivity-agent-ds .yaml"
24732483 sed -i " s|__APISERVER_IP__|${KUBERNETES_MASTER_NAME} |g" " ${manifest} "
24742484}
24752485
@@ -2777,6 +2787,10 @@ function main() {
27772787 if [[ " ${ENABLE_APISERVER_INSECURE_PORT:- false} " != " true" ; then
27782788 KUBE_BOOTSTRAP_TOKEN=" $( secure_random 32) "
27792789 fi
2790+ if [[ " ${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:- false} " == " true" ; then
2791+ KONNECTIVITY_SERVER_TOKEN=" $( secure_random 32) "
2792+ fi
2793+
27802794
27812795 setup-os-params
27822796 config-ip-firewall
0 commit comments