Disable static tokens as of Kubernetes 1.18

kubernetes · Apr 5, 2020 · f6af815 · f6af815
1 parent b5f3114
commit f6af815
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 5 deletions.
diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
@@ -292,7 +292,9 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 	kubeAPIServer.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt")
 	kubeAPIServer.TLSCertFile = filepath.Join(b.PathSrvKubernetes(), "server.cert")
 	kubeAPIServer.TLSPrivateKeyFile = filepath.Join(b.PathSrvKubernetes(), "server.key")
-	kubeAPIServer.TokenAuthFile = filepath.Join(b.PathSrvKubernetes(), "known_tokens.csv")
+	if b.IsKubernetesLT("1.18") {
+		kubeAPIServer.TokenAuthFile = filepath.Join(b.PathSrvKubernetes(), "known_tokens.csv")
+	}
 
 	if !kubeAPIServer.DisableBasicAuth {
 		kubeAPIServer.BasicAuthFile = filepath.Join(b.PathSrvKubernetes(), "basic_auth.csv")

diff --git a/nodeup/pkg/model/secrets.go b/nodeup/pkg/model/secrets.go
@@ -124,7 +124,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 		c.AddTask(t)
 	}
 
-	if b.SecretStore != nil {
+	if b.IsKubernetesLT("1.18") && b.SecretStore != nil {
 		allTokens, err := b.allAuthTokens()
 		if err != nil {
 			return err

diff --git a/pkg/model/pki.go b/pkg/model/pki.go
@@ -348,9 +348,11 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		})
 	}
 
-	// Create auth tokens (though this is deprecated)
-	for _, x := range tokens.GetKubernetesAuthTokens_Deprecated() {
-		c.AddTask(&fitasks.Secret{Name: fi.String(x), Lifecycle: b.Lifecycle})
+	if b.IsKubernetesLT("1.18") {
+		// Create auth tokens (though this is deprecated)
+		for _, x := range tokens.GetKubernetesAuthTokens_Deprecated() {
+			c.AddTask(&fitasks.Secret{Name: fi.String(x), Lifecycle: b.Lifecycle})
+		}
 	}
 
 	{