Merge pull request kubernetes#87179 from Jefftree/netproxy-uds

UDS + GRPC Support for Network Proxy

Author: k8s-ci-robot

Godeps/LICENSES

@@ -28,14 +28,12 @@ spec:
           hostPath:
             path: /etc/srv/kubernetes/pki/konnectivity-agent
       containers:
-        - image: gcr.io/google-containers/proxy-agent:v0.0.3
+        - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.4
           name: konnectivity-agent
           command: ["/proxy-agent"]
           args: [
                   "--logtostderr=true",
-                  "--ca-cert=/etc/srv/kubernetes/pki/konnectivity-agent/ca.crt",
-                  "--agent-cert=/etc/srv/kubernetes/pki/konnectivity-agent/client.crt",
-                  "--agent-key=/etc/srv/kubernetes/pki/konnectivity-agent/client.key",
+                  "--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
                   "--proxy-server-host=__APISERVER_IP__",
                   "--proxy-server-port=8132"
                   ]
@@ -59,6 +57,3 @@ spec:
               path: /healthz
             initialDelaySeconds: 15
             timeoutSeconds: 15
-          volumeMounts:
-            - name: pki
-              mountPath: /etc/srv/kubernetes/pki/konnectivity-agent

cluster/gce/addons/konnectivity-agent/daemonset.yaml

@@ -807,18 +807,16 @@ kind: EgressSelectorConfiguration
 egressSelections:
 - name: cluster
   connection:
-    type: http-connect
-    httpConnect:
-      url: https://127.0.0.1:8131
-      caBundle: /etc/srv/kubernetes/pki/konnectivity-server/ca.crt
-      clientKey: /etc/srv/kubernetes/pki/konnectivity-server/client.key
-      clientCert: /etc/srv/kubernetes/pki/konnectivity-server/client.crt
+    proxyProtocol: HTTPConnect
+    transport:
+      uds:
+        udsName: /etc/srv/kubernetes/konnectivity/konnectivity-server.socket
 - name: master
   connection:
-    type: direct
+    proxyProtocol: Direct
 - name: etcd
   connection:
-    type: direct
+    proxyProtocol: Direct
 EOF
   fi
 
@@ -1645,34 +1643,29 @@ function start-etcd-servers {
 
 # Replaces the variables in the konnectivity-server manifest file with the real values, and then
 # copy the file to the manifest dir
-# $1: value for variable "server_port"
-# $2: value for variable "agent_port"
-# $3: value for bariable "admin_port"
+# $1: value for variable "agent_port"
+# $2: value for bariable "admin_port"
 function prepare-konnectivity-server-manifest {
   local -r temp_file="/tmp/konnectivity-server.yaml"
   params=()
   cp "${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/konnectivity-server.yaml" "${temp_file}"
   params+=("--log-file=/var/log/konnectivity-server.log")
   params+=("--logtostderr=false")
   params+=("--log-file-max-size=0")
-  params+=("--server-ca-cert=${KONNECTIVITY_SERVER_CA_CERT_PATH}")
-  params+=("--server-cert=${KONNECTIVITY_SERVER_CERT_PATH}")
-  params+=("--server-key=${KONNECTIVITY_SERVER_KEY_PATH}")
-  params+=("--cluster-ca-cert=${KONNECTIVITY_AGENT_CA_CERT_PATH}")
-  params+=("--cluster-cert=${KONNECTIVITY_AGENT_CERT_PATH}")
-  params+=("--cluster-key=${KONNECTIVITY_AGENT_KEY_PATH}")
+  params+=("--uds-name=/etc/srv/kubernetes/konnectivity/konnectivity-server.socket")
+  params+=("--cluster-cert=/etc/srv/kubernetes/pki/apiserver.crt")
+  params+=("--cluster-key=/etc/srv/kubernetes/pki/apiserver.key")
   params+=("--mode=http-connect")
-  params+=("--server-port=$1")
-  params+=("--agent-port=$2")
-  params+=("--admin-port=$3")
+  params+=("--server-port=0")
+  params+=("--agent-port=$1")
+  params+=("--admin-port=$2")
   konnectivity_args=""
   for param in "${params[@]}"; do
     konnectivity_args+=", \"${param}\""
   done
   sed -i -e "s@{{ *konnectivity_args *}}@${konnectivity_args}@g" "${temp_file}"
-  sed -i -e "s@{{ *server_port *}}@$1@g" "${temp_file}"
-  sed -i -e "s@{{ *agent_port *}}@$2@g" "${temp_file}"
-  sed -i -e "s@{{ *admin_port *}}@$3@g" "${temp_file}"
+  sed -i -e "s@{{ *agent_port *}}@$1@g" "${temp_file}"
+  sed -i -e "s@{{ *admin_port *}}@$2@g" "${temp_file}"
   sed -i -e "s@{{ *liveness_probe_initial_delay *}}@30@g" "${temp_file}"
   mv "${temp_file}" /etc/kubernetes/manifests
 }
@@ -1683,7 +1676,7 @@ function prepare-konnectivity-server-manifest {
 function start-konnectivity-server {
   echo "Start konnectivity server pods"
   prepare-log-file /var/log/konnectivity-server.log
-  prepare-konnectivity-server-manifest "8131" "8132" "8133"
+  prepare-konnectivity-server-manifest "8132" "8133"
 }
 
 # Calculates the following variables based on env variables, which will be used

cluster/gce/gci/configure-helper.sh

@@ -324,11 +324,18 @@ function start-kube-apiserver {
 
   local csc_config_mount=""
   local csc_config_volume=""
+  local default_konnectivity_socket_vol=""
+  local default_konnectivity_socket_mnt=""
   if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
     # Create the EgressSelectorConfiguration yaml file to control the Egress Selector.
     csc_config_mount="{\"name\": \"cscconfigmount\",\"mountPath\": \"/etc/srv/kubernetes/egress_selector_configuration.yaml\", \"readOnly\": false},"
     csc_config_volume="{\"name\": \"cscconfigmount\",\"hostPath\": {\"path\": \"/etc/srv/kubernetes/egress_selector_configuration.yaml\", \"type\": \"FileOrCreate\"}},"
     params+=" --egress-selector-config-file=/etc/srv/kubernetes/egress_selector_configuration.yaml"
+
+    # UDS socket for communication between apiserver and konnectivity-server
+    local default_konnectivity_socket_path="/etc/srv/kubernetes/konnectivity"
+    default_konnectivity_socket_vol="{ \"name\": \"konnectivity-socket\", \"hostPath\": {\"path\": \"${default_konnectivity_socket_path}\", \"type\": \"DirectoryOrCreate\"}},"
+    default_konnectivity_socket_mnt="{ \"name\": \"konnectivity-socket\", \"mountPath\": \"${default_konnectivity_socket_path}\", \"readOnly\": false},"
   fi
 
   local container_env=""
@@ -377,6 +384,8 @@ function start-kube-apiserver {
   sed -i -e "s@{{audit_webhook_config_volume}}@${audit_webhook_config_volume}@g" "${src_file}"
   sed -i -e "s@{{webhook_exec_auth_plugin_mount}}@${webhook_exec_auth_plugin_mount}@g" "${src_file}"
   sed -i -e "s@{{webhook_exec_auth_plugin_volume}}@${webhook_exec_auth_plugin_volume}@g" "${src_file}"
+  sed -i -e "s@{{konnectivity_socket_mount}}@${default_konnectivity_socket_mnt}@g" "${src_file}"
+  sed -i -e "s@{{konnectivity_socket_volume}}@${default_konnectivity_socket_vol}@g" "${src_file}"
 
   cp "${src_file}" "${ETC_MANIFESTS:-/etc/kubernetes/manifests}"
 }

cluster/gce/gci/configure-kubeapiserver.sh

@@ -11,7 +11,7 @@ spec:
   hostNetwork: true
   containers:
   - name: konnectivity-server-container
-    image: gcr.io/google-containers/proxy-server:v0.0.3
+    image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-server:v0.0.4
     resources:
       requests:
         cpu: 25m
@@ -25,9 +25,6 @@ spec:
       initialDelaySeconds: {{ liveness_probe_initial_delay }}
       timeoutSeconds: 60
     ports:
-    - name: serverport
-      containerPort: {{ server_port }}
-      hostPort: {{ server_port }}
     - name: agentport
       containerPort: {{ agent_port }}
       hostPort: {{ agent_port }}
@@ -38,21 +35,21 @@ spec:
     - name: varlogkonnectivityserver
       mountPath: /var/log/konnectivity-server.log
       readOnly: false
-    - name: pkiserver
-      mountPath: /etc/srv/kubernetes/pki/konnectivity-server
-      readOnly: true
-    - name: pkiagent
-      mountPath: /etc/srv/kubernetes/pki/konnectivity-agent
+    - name: pki
+      mountPath: /etc/srv/kubernetes/pki
       readOnly: true
+    - name: konnectivity-uds
+      mountPath: /etc/srv/kubernetes/konnectivity
+      readOnly: false
   volumes:
   - name: varlogkonnectivityserver
     hostPath:
       path: /var/log/konnectivity-server.log
       type: FileOrCreate
-  - name: pkiserver
+  - name: pki
     hostPath:
-      path: /etc/srv/kubernetes/pki/konnectivity-server
-  - name: pkiagent
+      path: /etc/srv/kubernetes/pki
+  - name: konnectivity-uds
     hostPath:
-      path: /etc/srv/kubernetes/pki/konnectivity-agent
-
+      path: /etc/srv/kubernetes/konnectivity
+      type: DirectoryOrCreate