feat: embed the kubeadm config (#205)

src/initramfs/cmd/init/main.go

@@ -110,7 +110,7 @@ func root() (err error) {
 	)
 
 	// Start the services common to all master nodes.
-	if data.Services.Kubeadm.Init != nil {
+	if data.IsMaster() {
 		log.Println("starting master services")
 		systemservices.Start(
 			&services.Trustd{},

src/initramfs/cmd/init/pkg/security/cis/cis.go

@@ -8,14 +8,8 @@ import (
 	"math/rand"
 	"time"
 
-	"github.com/autonomy/dianemo/src/initramfs/cmd/init/pkg/constants"
-
 	"k8s.io/api/core/v1"
-	"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
-	"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/scheme"
-	kubeadmapiv1beta1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1"
-	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
-	configutil "k8s.io/kubernetes/cmd/kubeadm/app/util/config"
+	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 )
 
 const disabled = "false"
@@ -42,14 +36,11 @@ resources:
 // EnforceAuditingRequirements enforces CIS requirements for auditing.
 // TODO(andrewrynhard): Enable audit-log-maxbackup.
 // TODO(andrewrynhard): Enable audit-log-maxsize.
-func EnforceAuditingRequirements(cfg *kubeadm.InitConfiguration) error {
+func EnforceAuditingRequirements(cfg *kubeadmapi.InitConfiguration) error {
 	if err := ioutil.WriteFile("/var/etc/kubernetes/audit-policy.yaml", []byte(auditPolicy), 0400); err != nil {
 		return err
 	}
 	maxAge := int32(30)
-	if cfg.FeatureGates == nil {
-		cfg.FeatureGates = make(map[string]bool)
-	}
 	cfg.FeatureGates["Auditing"] = true
 	cfg.ClusterConfiguration.AuditPolicyConfiguration.Path = "/etc/kubernetes/audit-policy.yaml"
 	cfg.ClusterConfiguration.AuditPolicyConfiguration.LogDir = "/etc/kubernetes/logs"
@@ -59,7 +50,7 @@ func EnforceAuditingRequirements(cfg *kubeadm.InitConfiguration) error {
 }
 
 // EnforceSecretRequirements enforces CIS requirements for secrets.
-func EnforceSecretRequirements(cfg *kubeadm.InitConfiguration) error {
+func EnforceSecretRequirements(cfg *kubeadmapi.InitConfiguration) error {
 	random := func(min, max int) int {
 		return rand.Intn(max-min) + min
 	}
@@ -93,23 +84,20 @@ func EnforceSecretRequirements(cfg *kubeadm.InitConfiguration) error {
 		return err
 	}
 	cfg.APIServerExtraArgs["experimental-encryption-provider-config"] = "/etc/kubernetes/encryptionconfig.yaml"
-	vol := kubeadm.HostPathMount{
+	vol := kubeadmapi.HostPathMount{
 		Name:      "encryptionconfig",
 		HostPath:  "/etc/kubernetes/encryptionconfig.yaml",
 		MountPath: "/etc/kubernetes/encryptionconfig.yaml",
 		Writable:  false,
 		PathType:  v1.HostPathFile,
 	}
-	if cfg.APIServerExtraVolumes == nil {
-		cfg.APIServerExtraVolumes = make([]kubeadm.HostPathMount, 0)
-	}
 	cfg.APIServerExtraVolumes = append(cfg.APIServerExtraVolumes, vol)
 
 	return nil
 }
 
 // EnforceTLSRequirements enforces CIS requirements for TLS.
-func EnforceTLSRequirements(cfg *kubeadm.InitConfiguration) error {
+func EnforceTLSRequirements(cfg *kubeadmapi.InitConfiguration) error {
 	// nolint: lll
 	cfg.APIServerExtraArgs["tls-cipher-suites"] = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
 
@@ -120,7 +108,7 @@ func EnforceTLSRequirements(cfg *kubeadm.InitConfiguration) error {
 // TODO(andrewrynhard): Include any extra user specified plugins.
 // TODO(andrewrynhard): Enable PodSecurityPolicy.
 // TODO(andrewrynhard): Enable EventRateLimit.
-func EnforceAdmissionPluginsRequirements(cfg *kubeadm.InitConfiguration) error {
+func EnforceAdmissionPluginsRequirements(cfg *kubeadmapi.InitConfiguration) error {
 	// nolint: lll
 	cfg.APIServerExtraArgs["enable-admission-plugins"] = "AlwaysPullImages,SecurityContextDeny,DenyEscalatingExec,NamespaceLifecycle,ServiceAccount,NodeRestriction,LimitRanger,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota"
 
@@ -130,16 +118,7 @@ func EnforceAdmissionPluginsRequirements(cfg *kubeadm.InitConfiguration) error {
 // EnforceExtraRequirements enforces miscellaneous CIS requirements.
 // TODO(andrewrynhard): Enable anonymous-auth, see https://github.com/kubernetes/kubeadm/issues/798.
 // TODO(andrewrynhard): Enable kubelet-certificate-authority, see https://github.com/kubernetes/kubeadm/issues/118#issuecomment-407202481.
-func EnforceExtraRequirements(cfg *kubeadm.InitConfiguration) error {
-	if cfg.APIServerExtraArgs == nil {
-		cfg.APIServerExtraArgs = make(map[string]string)
-	}
-	if cfg.ControllerManagerExtraArgs == nil {
-		cfg.ControllerManagerExtraArgs = make(map[string]string)
-	}
-	if cfg.SchedulerExtraArgs == nil {
-		cfg.SchedulerExtraArgs = make(map[string]string)
-	}
+func EnforceExtraRequirements(cfg *kubeadmapi.InitConfiguration) error {
 	cfg.APIServerExtraArgs["profiling"] = disabled
 	cfg.ControllerManagerExtraArgs["profiling"] = disabled
 	cfg.SchedulerExtraArgs["profiling"] = disabled
@@ -150,57 +129,49 @@ func EnforceExtraRequirements(cfg *kubeadm.InitConfiguration) error {
 }
 
 // EnforceMasterRequirements enforces the CIS requirements for master nodes.
-func EnforceMasterRequirements() error {
-	cfg := &kubeadmapiv1beta1.InitConfiguration{}
-	internalCfg, err := configutil.ConfigFileAndDefaultsToInternalConfig(constants.KubeadmConfig, cfg)
-	if err != nil {
-		return err
-	}
+func EnforceMasterRequirements(cfg *kubeadmapi.InitConfiguration) error {
+	ensureFieldsAreNotNil(cfg)
 
-	if err := EnforceAuditingRequirements(internalCfg); err != nil {
+	if err := EnforceAuditingRequirements(cfg); err != nil {
 		return err
 	}
-	if err := EnforceSecretRequirements(internalCfg); err != nil {
+	if err := EnforceSecretRequirements(cfg); err != nil {
 		return err
 	}
-	if err := EnforceTLSRequirements(internalCfg); err != nil {
+	if err := EnforceTLSRequirements(cfg); err != nil {
 		return err
 	}
-	if err := EnforceAdmissionPluginsRequirements(internalCfg); err != nil {
-		return err
-	}
-	if err := EnforceExtraRequirements(internalCfg); err != nil {
-		return err
-	}
-
-	b, err := configutil.MarshalInitConfigurationToBytes(internalCfg, kubeadmapiv1beta1.SchemeGroupVersion)
-	if err != nil {
+	if err := EnforceAdmissionPluginsRequirements(cfg); err != nil {
 		return err
 	}
-
-	if err := ioutil.WriteFile(constants.KubeadmConfig, b, 0600); err != nil {
+	if err := EnforceExtraRequirements(cfg); err != nil {
 		return err
 	}
 
 	return nil
 }
 
 // EnforceWorkerRequirements enforces the CIS requirements for master nodes.
-func EnforceWorkerRequirements() error {
-	cfg := &kubeadmapiv1beta1.JoinConfiguration{}
-	internalCfg, err := configutil.JoinConfigFileAndDefaultsToInternalConfig(constants.KubeadmConfig, cfg)
-	if err != nil {
-		return err
-	}
+func EnforceWorkerRequirements(cfg *kubeadmapi.JoinConfiguration) error {
+	return nil
+}
 
-	b, err := kubeadmutil.MarshalToYamlForCodecs(internalCfg, kubeadm.SchemeGroupVersion, scheme.Codecs)
-	if err != nil {
-		return err
+func ensureFieldsAreNotNil(cfg *kubeadmapi.InitConfiguration) {
+	if cfg.APIServerExtraArgs == nil {
+		cfg.APIServerExtraArgs = make(map[string]string)
+	}
+	if cfg.ControllerManagerExtraArgs == nil {
+		cfg.ControllerManagerExtraArgs = make(map[string]string)
+	}
+	if cfg.SchedulerExtraArgs == nil {
+		cfg.SchedulerExtraArgs = make(map[string]string)
 	}
 
-	if err := ioutil.WriteFile(constants.KubeadmConfig, b, 0600); err != nil {
-		return err
+	if cfg.APIServerExtraVolumes == nil {
+		cfg.APIServerExtraVolumes = make([]kubeadmapi.HostPathMount, 0)
 	}
 
-	return nil
+	if cfg.FeatureGates == nil {
+		cfg.FeatureGates = make(map[string]bool)
+	}
 }

src/initramfs/cmd/init/pkg/system/services/blockd.go

@@ -52,7 +52,7 @@ func (t *Blockd) Start(data *userdata.UserData) error {
 		ID:          t.ID(data),
 		ProcessArgs: []string{"/blockd", "--userdata=" + constants.UserDataPath},
 	}
-	if data.Services.Kubeadm.Init == nil {
+	if data.IsWorker() {
 		args.ProcessArgs = append(args.ProcessArgs, "--generate=true")
 	}
 

src/initramfs/cmd/init/pkg/system/services/crt.go

@@ -29,7 +29,7 @@ const crioPolicy = `{
 
 // ID implements the Service interface.
 func (c *CRT) ID(data *userdata.UserData) string {
-	switch data.Services.Kubeadm.ContainerRuntime {
+	switch data.Services.Init.ContainerRuntime {
 	case constants.ContainerRuntimeDocker:
 		return "docker"
 	case constants.ContainerRuntimeCRIO:
@@ -41,7 +41,7 @@ func (c *CRT) ID(data *userdata.UserData) string {
 
 // PreFunc implements the Service interface.
 func (c *CRT) PreFunc(data *userdata.UserData) error {
-	switch data.Services.Kubeadm.ContainerRuntime {
+	switch data.Services.Init.ContainerRuntime {
 	case constants.ContainerRuntimeDocker:
 		if err := os.MkdirAll("/var/lib/docker", os.ModeDir); err != nil {
 			return fmt.Errorf("failed to create directory /var/lib/docker: %v", err)
@@ -98,7 +98,7 @@ func (c *CRT) Start(data *userdata.UserData) error {
 		env = []string{}
 	)
 
-	switch data.Services.Kubeadm.ContainerRuntime {
+	switch data.Services.Init.ContainerRuntime {
 	case constants.ContainerRuntimeDocker:
 		image = constants.DockerImage
 		args = runner.Args{
@@ -142,7 +142,7 @@ func (c *CRT) Start(data *userdata.UserData) error {
 		}
 		mounts = append(mounts, crioMounts...)
 	default:
-		return fmt.Errorf("unknown container runtime %q", data.Services.Kubeadm.ContainerRuntime)
+		return fmt.Errorf("unknown container runtime %q", data.Services.Init.ContainerRuntime)
 	}
 
 	if data.Services.CRT != nil && data.Services.CRT.Image != "" {