The [node authorization service] is an experimental service which, in the absence of a kops-apiserver, distributes bootstrap tokens to the worker nodes. A bootstrap token gives a worker node a short-lived credential with which it can request the client certificate for its kubeconfig. A gist of the flow is:
- a secret of type `bootstrap.kubernetes.io/token` is created on behalf of a node in the kube-system namespace.
- the token is distributed to the node by some means and then used as the bearer token of the initial request to the kubernetes api.
- the token itself is bound to a cluster role which grants permission to create a CSR; an additional cluster role allows the controller to auto-approve these CSR requests.
- two certificates are generated by the kubelet through the bootstrap process: a serving certificate for the kubelet's own api and a client certificate with which the kubelet authenticates to the kube-apiserver.
- the client certificate is by default placed in the system:nodes rbac group (note, if you are using PSP this is automatically bound by kops on your behalf).
- at this point the kubelet has a server certificate and a client certificate for the api and is good to go.
The node authorization service runs on the masters as a daemonset; by default its dns name is `node-authorizer-internal.dns_zone:10443`, added via the same mechanism as the internal kube-apiserver name, i.e. annotations on the pods which are picked up by the dns-controller and added to the dns zone.
When the node authorization service is enabled a systemd unit (node-authorizer.service) is added on the worker nodes. It runs the node-authorizer in client mode, which connects to the authorization service and requests a bootstrap token.
The node authorizer currently supports two authorizers: aws and alwaysallow. The latter is self-explanatory; for the aws authorizer, a request is authorized only if all of the following checks pass.
- the worker node retrieves the pkcs7-signed instance identity document from the metadata service; it is unique to each instance and available only from within that instance.
- the client connects using a client certificate, which is checked first, and passes the instance document to the authorization service.
- the signed instance document is validated against the AWS public certificates.
- we check the instance exists and is running.
- we check the instance is running in our region.
- we check the instance is running in our vpc.
- we check the instance is tagged with the correct kubernetes cluster tag.
- we check the ip address of the client presenting the document is the same as the one in the instance document.
- we check that the node has not already registered.
Assuming all the conditions are met, a bootstrap token secret is generated and the token returned to the client so that provisioning of the worker node can continue.
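The following Go program is an added example, not the node-authorizer's own code, of how the aws checks above compose into a single authorize decision. Two simplifications are assumptions made for the example: the pkcs7 verification against the AWS certificates is replaced by an RSA PKCS#1 v1.5 signature over the document from a locally generated key, and the ec2 lookup (instance state, vpc and tags) is backed by a constructed in-memory inventory. The tag key `KubernetesCluster`, the cluster name, instance ids and addresses are all constructed sample data. The ordering matters: the signature is checked before the document is parsed, the client ip is compared against the document so a stolen document cannot be replayed from another host, and the already-registered check is done as a locked check-and-set so two concurrent requests for the same instance cannot both obtain a token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"sync"
)

// ErrAlreadyRegistered is returned when an instance asks for a second bootstrap token.
var ErrAlreadyRegistered = errors.New("instance has already registered")

// IdentityDocument carries the fields of the EC2 instance identity document the checks use.
type IdentityDocument struct {
	InstanceID string `json:"instanceId"`
	Region     string `json:"region"`
	PrivateIP  string `json:"privateIp"`
}

// InstanceInfo is what the authorizer would learn from ec2:DescribeInstances.
type InstanceInfo struct {
	State string
	VPCID string
	Tags  map[string]string
}

// InstanceLookup stands in for the EC2 API call (assumption: backed by a map here).
type InstanceLookup func(instanceID string) (InstanceInfo, bool)

// Authorizer holds the cluster's expectations and the set of instances already granted a token.
type Authorizer struct {
	signer     *rsa.PublicKey // assumption: stand-in for the AWS certificates that sign the document
	region     string
	vpcID      string
	tagKey     string // assumption: tag key used for the cluster membership check
	tagValue   string
	lookup     InstanceLookup
	mu         sync.Mutex
	registered map[string]bool
}

// Authorize runs the checks in the order listed on the page and, on success, records the
// instance so a replayed document cannot obtain a second token.
func (a *Authorizer) Authorize(clientIP string, doc, sig []byte) (*IdentityDocument, error) {
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(a.signer, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("instance document signature invalid: %w", err)
	}
	var id IdentityDocument
	if err := json.Unmarshal(doc, &id); err != nil {
		return nil, fmt.Errorf("instance document malformed: %w", err)
	}
	info, ok := a.lookup(id.InstanceID)
	if !ok {
		return nil, fmt.Errorf("instance %s does not exist", id.InstanceID)
	}
	if info.State != "running" {
		return nil, fmt.Errorf("instance %s is %s, not running", id.InstanceID, info.State)
	}
	if id.Region != a.region {
		return nil, fmt.Errorf("instance is in region %s, expected %s", id.Region, a.region)
	}
	if info.VPCID != a.vpcID {
		return nil, fmt.Errorf("instance is in vpc %s, expected %s", info.VPCID, a.vpcID)
	}
	if info.Tags[a.tagKey] != a.tagValue {
		return nil, fmt.Errorf("instance is missing tag %s=%s", a.tagKey, a.tagValue)
	}
	// clientIP comes from the TLS connection, not from the request body; it must match the
	// document so a document lifted from one host cannot be presented from another.
	if ip := net.ParseIP(clientIP); ip == nil || !ip.Equal(net.ParseIP(id.PrivateIP)) {
		return nil, fmt.Errorf("request from %s but document is for %s", clientIP, id.PrivateIP)
	}
	// Check-and-set under the lock: a second request for the same instance is refused.
	a.mu.Lock()
	defer a.mu.Unlock()
	if a.registered[id.InstanceID] {
		return nil, ErrAlreadyRegistered
	}
	a.registered[id.InstanceID] = true
	return &id, nil
}

// Sign produces the signature the worker would otherwise fetch from the metadata service.
// Assumption for the example: a local RSA key replaces AWS's signing certificate.
func Sign(key *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// NewDemo wires an authorizer to a constructed inventory of two instances, one in the
// expected vpc and one in a different vpc.
func NewDemo() (*Authorizer, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	inventory := map[string]InstanceInfo{ // constructed sample data
		"i-0aaa": {State: "running", VPCID: "vpc-1", Tags: map[string]string{"KubernetesCluster": "demo.example.com"}},
		"i-0bbb": {State: "running", VPCID: "vpc-2", Tags: map[string]string{"KubernetesCluster": "demo.example.com"}},
	}
	a := &Authorizer{
		signer:   &key.PublicKey,
		region:   "eu-west-1",
		vpcID:    "vpc-1",
		tagKey:   "KubernetesCluster",
		tagValue: "demo.example.com",
		lookup: func(id string) (InstanceInfo, bool) {
			info, ok := inventory[id]
			return info, ok
		},
		registered: map[string]bool{},
	}
	return a, key, nil
}

func main() {
	a, key, err := NewDemo()
	if err != nil {
		panic(err)
	}
	doc := []byte(`{"instanceId":"i-0aaa","region":"eu-west-1","privateIp":"10.0.1.5"}`)
	sig, err := Sign(key, doc)
	if err != nil {
		panic(err)
	}
	// First request succeeds, the replay is refused, a different source ip is refused.
	for _, ip := range []string{"10.0.1.5", "10.0.1.5", "10.0.9.9"} {
		_, err := a.Authorize(ip, doc, sig)
		fmt.Printf("client %s: err=%v\n", ip, err)
	}
}
```

In the real service the signer is the AWS certificate chain for the region and the lookup is an ec2:DescribeInstances call made with the master's own credentials, so the worker never needs AWS permissions of its own.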
Enabling the node authorization service is as follows; firstly you must enable the feature flag, as node authorization is still experimental:

```shell
export KOPS_FEATURE_FLAGS=EnableNodeAuthorization
```

Then enable the service in the cluster spec:

```yaml
# in the cluster spec
nodeAuthorization:
  # enable the service under the node authorization section, please review the settings in components.go
  nodeAuthorizer: {}
```

Note, by default this also switches on the Node and RBAC authorization modes on the kube-apiserver. We would also suggest turning on the NodeRestriction admission controller, which limits a kubelet's client certificate to modifying only its own Node and Pod objects.