diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index 26e3b46a46de4db10a9b88056f121dd3f21ba510..e25804e66fb73879373fada9735d9527845c429a 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -54,6 +54,16 @@ apiServerExtraArgs:
   runtime-config: {{ kube_api_runtime_config | join(',') }}
 {% endif %}
   allow-privileged: "true"
+{% if kube_version | version_compare('1.9', '>=') %}
+  requestheader-client-ca-file: "{{ kube_cert_dir }}/ca.pem"
+  requestheader-allowed-names: "{{ kube_api_requestheader_allowed_names }}"
+  requestheader-extra-headers-prefix: "X-Remote-Extra-"
+  requestheader-group-headers: "X-Remote-Group"
+  requestheader-username-headers: "X-Remote-User"
+  enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
+  proxy-client-cert-file: "{{ kube_cert_dir }}/front-proxy-client.pem"
+  proxy-client-key-file: "{{ kube_cert_dir }}/front-proxy-client-key.pem"
+{% endif %}
 controllerManagerExtraArgs:
   node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
   node-monitor-period: {{ kube_controller_node_monitor_period }}
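Review bot: `requestheader-client-ca-file` points at `{{ kube_cert_dir }}/ca.pem`, which looks like the cluster's general-purpose CA rather than a dedicated front-proxy CA, so `requestheader-allowed-names` is the only thing separating the front-proxy identity from every other certificate that CA has signed. Now that the value comes from `kube_api_requestheader_allowed_names`, an empty override would make the apiserver accept any certificate validated by that CA as a front proxy and trust its `X-Remote-User`/`X-Remote-Group` headers. I would either issue the front-proxy certificate from its own CA, or fail the play early when the variable is empty, e.g. an `assert` task with `that: kube_api_requestheader_allowed_names | length > 0`. The same applies to the `--requestheader-*` flags in kube-apiserver.manifest.j2. The `apiServerExtraArgs` mapping starts above this hunk.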
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 751ce93921998874c2a187bf7ffed3164e7aea15..d6f065ea5c0bcff518a8149573dfcba4298e2455 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -101,14 +101,14 @@ spec:
     - --feature-gates={{ kube_feature_gates|join(',') }}
 {% endif %}
 {% if kube_version | version_compare('1.9', '>=') %}
-    - --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
-    - --requestheader-allowed-names=system:aggregator-proxy-client
-    - "--requestheader-extra-headers-prefix=X-Remote-Extra-"
+    - --requestheader-client-ca-file={{ kube_cert_dir }}/ca.pem
+    - --requestheader-allowed-names={{ kube_api_requestheader_allowed_names }}
+    - --requestheader-extra-headers-prefix=X-Remote-Extra-
     - --requestheader-group-headers=X-Remote-Group
     - --requestheader-username-headers=X-Remote-User
-    - --enable-aggregator-routing=true
-    - --proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy-client.pem
-    - --proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-client-key.pem
+    - --enable-aggregator-routing={{ kube_api_aggregator_routing }}
+    - --proxy-client-cert-file={{ kube_cert_dir }}/front-proxy-client.pem
+    - --proxy-client-key-file={{ kube_cert_dir }}/front-proxy-client-key.pem
 {% endif %}
 {% if apiserver_custom_flags is string %}
     - {{ apiserver_custom_flags }}
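Review bot: `--enable-aggregator-routing={{ kube_api_aggregator_routing }}` emits whatever the variable happens to hold, so a string override such as `-e kube_api_aggregator_routing=yes` would render `=yes`, which the apiserver's boolean flag parsing does not accept, and the static pod would likely fail to start. Normalising in the template, `--enable-aggregator-routing={{ kube_api_aggregator_routing | bool | lower }}`, keeps the rendered flag to `true`/`false`; the same expression fits the `enable-aggregator-routing` entry in kubeadm-config.yaml.j2. The container argument list starts above this hunk.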
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 8cfc0728acc15e48596b4ec1dc2a823ad71c0000..750e9c4fe79680cf430b423bea57f16313240bb5 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -94,7 +94,7 @@ if [ -n "$MASTERS" ]; then
     # kube-controller-manager
     gen_key_and_cert "kube-controller-manager" "/CN=system:kube-controller-manager"
     # metrics aggregator
-    gen_key_and_cert "aggregator-proxy-client" "/CN=system:aggregator-proxy-client"
+    gen_key_and_cert "front-proxy-client" "/CN=front-proxy-client"
 
     for host in $MASTERS; do
         cn="${host%%.*}"
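Review bot: The subject `/CN=front-proxy-client` is fixed here while the name the apiserver accepts is now the configurable `kube_api_requestheader_allowed_names`, so the two only agree as long as nobody changes the default; a comment on this line, e.g. `# CN must be listed in kube_api_requestheader_allowed_names`, would make that coupling visible. Separately, on clusters that already ran the previous version the `aggregator-proxy-client` key pair stays in the certificate directory, and nothing visible in this diff removes it; since it was presumably signed by the same CA, it is worth deleting during upgrade. The `if [ -n "$MASTERS" ]` block continues past the end of the hunk.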
diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml
index 3b3b203006777e5f28a2189c972b26cfeb04f98a..6278897710c8814cac0a30ef3d931c1ded673491 100644
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -26,8 +26,8 @@
     - kube-scheduler-key.pem
     - kube-controller-manager.pem
     - kube-controller-manager-key.pem
-    - aggregator-proxy-client.pem
-    - aggregator-proxy-client-key.pem
+    - front-proxy-client.pem
+    - front-proxy-client-key.pem
     - admin-{{ inventory_hostname }}.pem
     - admin-{{ inventory_hostname }}-key.pem
     - node-{{ inventory_hostname }}.pem
@@ -48,8 +48,8 @@
        '{{ kube_cert_dir }}/kube-scheduler-key.pem',
        '{{ kube_cert_dir }}/kube-controller-manager.pem',
        '{{ kube_cert_dir }}/kube-controller-manager-key.pem',
-       '{{ kube_cert_dir }}/aggregator-proxy-client.pem',
-       '{{ kube_cert_dir }}/aggregator-proxy-client-key.pem',
+       '{{ kube_cert_dir }}/front-proxy-client.pem',
+       '{{ kube_cert_dir }}/front-proxy-client-key.pem',
        {% for host in groups['kube-master'] %}
        '{{ kube_cert_dir }}/admin-{{ host }}.pem'
        '{{ kube_cert_dir }}/admin-{{ host }}-key.pem'
@@ -68,9 +68,10 @@
     gen_master_certs: |-
       {%- set gen = False -%}
       {% set existing_certs = kubecert_master.files|map(attribute='path')|list|sort %}
-      {% for cert in ['apiserver.pem', 'apiserver-key.pem', 'kube-scheduler.pem',
-                      'kube-scheduler-key.pem', 'kube-controller-manager.pem',
-                      'kube-controller-manager-key.pem','aggregator-proxy-client.pem','aggregator-proxy-client-key.pem'] -%}
+      {% for cert in ['apiserver.pem', 'apiserver-key.pem',
+                      'kube-scheduler.pem','kube-scheduler-key.pem',
+                      'kube-controller-manager.pem','kube-controller-manager-key.pem',
+                      'front-proxy-client.pem','front-proxy-client-key.pem'] -%}
         {% set cert_file = "%s/%s.pem"|format(kube_cert_dir, cert) %}
         {% if not cert_file in existing_certs -%}
         {%- set gen = True -%}
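Review bot: Every entry in the rewritten list already ends in `.pem`, and the unchanged line below formats it with `"%s/%s.pem"`, so the lookup is for paths like `front-proxy-client.pem.pem` and `not cert_file in existing_certs` is true for every entry whether or not the file exists. If the intent is to regenerate only when a certificate is missing, the format string should be `"%s/%s"|format(kube_cert_dir, cert)`. This predates the rename, but the new front-proxy entries inherit it; the `for` loop continues outside the hunk, so the effect on `gen_master_certs` should be confirmed there.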
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 0b88e0f145d0dd39b3751d37314be9dfccc76d72..c1dfeb394a1fe1980fc3d539498c86e1face0c51 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -73,8 +73,8 @@
                        'kube-scheduler-key.pem',
                        'kube-controller-manager.pem',
                        'kube-controller-manager-key.pem',
-                       'aggregator-proxy-client.pem',
-                       'aggregator-proxy-client-key.pem',
+                       'front-proxy-client.pem',
+                       'front-proxy-client-key.pem',
                        {% for node in groups['kube-master'] %}
                        'admin-{{ node }}.pem',
                        'admin-{{ node }}-key.pem',
@@ -84,8 +84,8 @@
                       'admin-{{ inventory_hostname }}-key.pem',
                       'apiserver.pem',
                       'apiserver-key.pem',
-                      'aggregator-proxy-client.pem',
-                      'aggregator-proxy-client-key.pem',
+                      'front-proxy-client.pem',
+                      'front-proxy-client-key.pem',
                       'kube-scheduler.pem',
                       'kube-scheduler-key.pem',
                       'kube-controller-manager.pem',
diff --git a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
index f488cc61bff9d3f56ae151842a9065c6fc844408..f675f6eca0c0ea05871870aeac8b89ce89e859be 100644
--- a/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
+++ b/roles/kubernetes/secrets/tasks/sync_kube_master_certs.yml
@@ -32,7 +32,7 @@
     sync_file_hosts: "{{ groups['kube-master'] }}"
     sync_file_is_cert: true
     sync_file_owner: kube
-  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "aggregator-proxy-client.pem"]
+  with_items: ["apiserver.pem", "kube-scheduler.pem", "kube-controller-manager.pem", "front-proxy-client.pem"]
 
 - name: sync_kube_master_certs | Set facts for kube master components sync_file results
   set_fact:
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 498b14365123b28137315eb61ba78c64d571a12e..efec7bd3dc59c64cc12d0210296c6f9f2263f038 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -122,6 +122,10 @@ kube_apiserver_port: 6443
 kube_apiserver_insecure_bind_address: 127.0.0.1
 kube_apiserver_insecure_port: 8080
 
+# Metrics server
+kube_api_requestheader_allowed_names: "front-proxy-client"
+kube_api_aggregator_routing: true
+
 # Path used to store Docker data
 docker_daemon_graph: "/var/lib/docker"