diff --git a/cmd/nfd-master/main.go b/cmd/nfd-master/main.go
index 520752441e..61078e3859 100644
--- a/cmd/nfd-master/main.go
+++ b/cmd/nfd-master/main.go
@@ -59,10 +59,6 @@ func main() {
 	// Check deprecated flags
 	flags.Visit(func(f *flag.Flag) {
 		switch f.Name {
-		case "featurerules-controller":
-			klog.InfoS("-featurerules-controller is deprecated, use '-crd-controller' flag instead")
-		case "crd-controller":
-			klog.InfoS("-crd-controller is deprecated, will be removed in a future release along with the deprecated gRPC API")
 		case "extra-label-ns":
 			args.Overrides.ExtraLabelNs = overrides.ExtraLabelNs
 		case "deny-label-ns":
diff --git a/docs/deployment/helm.md b/docs/deployment/helm.md
index 717fbf7061..a469c41b11 100644
--- a/docs/deployment/helm.md
+++ b/docs/deployment/helm.md
@@ -158,10 +158,6 @@ Chart parameters are available.
 | `imagePullSecrets` | array | [] | ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. [More info](https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod). |
 | `nameOverride` | string | | Override the name of the chart |
 | `fullnameOverride` | string | | Override a default fully qualified app name |
-| `tls.enable` | bool | false | Specifies whether to use TLS for communications between components. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release. |
-| `tls.certManager` | bool | false | If enabled, requires [cert-manager](https://cert-manager.io/docs/) to be installed and will automatically create the required TLS certificates. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
-| `tls.certManager.certManagerCertificate.issuerName` | string | | If specified, it will use a pre-existing issuer instead for the required TLS certificates. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release. |
-| `tls.certManager.certManagerCertificate.issuerKind` | string | | Specifies on what kind of issuer is used, can be either ClusterIssuer or Issuer (default). Requires `tls.certManager.certManagerCertificate.issuerName` to be set. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
 | `featureGates.NodeFeatureAPI` | bool | true | Enable the [NodeFeature](../usage/custom-resources.md#nodefeature) CRD API for communicating node features. This will automatically disable the gRPC communication. |
 | `featureGates.NodeFeatureGroupAPI` | bool | false | Enable the [NodeFeatureGroup](../usage/custom-resources.md#nodefeaturegroup) CRD API. |
 | `featureGates.DisableAutoPrefix` | bool | false | Enable [DisableAutoPrefix](../reference/feature-gates.md#disableautoprefix) feature gate. Disables automatic prefixing of unprefixed labels, annotations and extended resources. |
@@ -181,7 +177,6 @@ API's you need to install the prometheus operator in your cluster.
 | `master.*` | dict | | NFD master deployment configuration |
 | `master.enable` | bool | true | Specifies whether nfd-master should be deployed |
 | `master.hostNetwork` | bool | false | Specifies whether to enable or disable running the container in the host's network namespace |
-| `master.port` | integer | | Specifies the TCP port that nfd-master listens for incoming requests. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
 | `master.metricsPort` | integer | 8081 | Port on which to expose metrics from components to prometheus operator |
 | `master.healthPort` | integer | 8082 | Port on which to expose the grpc health endpoint, will be also used for the probes |
 | `master.instance` | string | | Instance name. Used to separate annotation namespaces for multiple parallel deployments |
@@ -189,8 +184,6 @@ API's you need to install the prometheus operator in your cluster.
 | `master.extraLabelNs` | array | [] | List of allowed extra label namespaces |
 | `master.resourceLabels` | array | [] | List of labels to be registered as extended resources |
 | `master.enableTaints` | bool | false | Specifies whether to enable or disable node tainting |
-| `master.crdController` | bool | null | Specifies whether the NFD CRD API controller is enabled. If not set, controller will be enabled if `master.instance` is empty. |
-| `master.featureRulesController` | bool | null | DEPRECATED: use `master.crdController` instead |
 | `master.replicaCount` | integer | 1 | Number of desired pods. This is a pointer to distinguish between explicit zero and not specified |
 | `master.podSecurityContext` | dict | {} | [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) holds pod-level security attributes and common container settings |
 | `master.securityContext` | dict | {} | Container [security settings](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
@@ -198,8 +191,6 @@ API's you need to install the prometheus operator in your cluster.
 | `master.serviceAccount.annotations` | dict | {} | Annotations to add to the service account |
 | `master.serviceAccount.name` | string | | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
 | `master.rbac.create` | bool | true | Specifies whether to create [RBAC][rbac] configuration for nfd-master |
-| `master.service.type` | string | ClusterIP | NFD master service type. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
-| `master.service.port` | integer | 8080 | NFD master service port. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
 | `master.resources.limits` | dict | {memory: 4Gi} | NFD master pod [resources limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits) |
 | `master.resources.requests` | dict | {cpu: 100m, memory: 128Mi} | NFD master pod [resources requests](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits). See `[0]` for more info |
 | `master.tolerations` | dict | _Schedule to control-plane node_ | NFD master pod [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
diff --git a/docs/deployment/kustomize.md b/docs/deployment/kustomize.md
index c7b1ca9391..37ea5729e1 100644
--- a/docs/deployment/kustomize.md
+++ b/docs/deployment/kustomize.md
@@ -59,11 +59,6 @@ scenarios under - [`prune`](https://github.com/kubernetes-sigs/node-feature-discovery/blob/{{site.release}}/deployment/overlays/prune): clean up the cluster after uninstallation, see [Removing feature labels](uninstallation.md#removing-feature-labels) -- [`samples/cert-manager`](https://github.com/kubernetes-sigs/node-feature-discovery/blob/{{site.release}}/deployment/overlays/samples/cert-manager): - an example for supplementing the default deployment with cert-manager for TLS - authentication, see - [Automated TLS certificate management using cert-manager](tls.md) - for details - [`samples/custom-rules`](https://github.com/kubernetes-sigs/node-feature-discovery/blob/{{site.release}}/deployment/overlays/samples/custom-rules): an example for spicing up the default deployment with a separately managed configmap of custom labeling rules, see diff --git a/docs/deployment/metrics.md b/docs/deployment/metrics.md index acf8c8a718..61d3baaca3 100644 --- a/docs/deployment/metrics.md +++ b/docs/deployment/metrics.md @@ -1,7 +1,7 @@ --- title: "Metrics" layout: default -sort: 7 +sort: 6 --- # Metrics diff --git a/docs/deployment/tls.md b/docs/deployment/tls.md deleted file mode 100644 index 15e4db541b..0000000000 --- a/docs/deployment/tls.md +++ /dev/null 
@@ -1,181 +0,0 @@ ---- -title: "TLS authentication" -layout: default -sort: 5 ---- - -# Communication security with TLS -{: .no_toc} - -## Table of contents -{: .no_toc .text-delta} - -1. TOC -{:toc} - ---- - -> **DEPRECATED**: this section only applies when the gRPC API is used, i.e. -> when the NodeFeature API is disabled (via the `-feature-gates -> NodeFeatureAPI=false` flag) on both nfd-master and nfd-worker. The gRPC API -> is deprecated and will be removed in a future release. - -NFD supports mutual TLS authentication between the nfd-master and nfd-worker -instances. That is, nfd-worker and nfd-master both verify that the other end -presents a valid certificate. - -TLS authentication is enabled by specifying `-ca-file`, `-key-file` and -`-cert-file` args, on both the nfd-master and nfd-worker instances. The -template specs provided with NFD contain (commented out) example configuration -for enabling TLS authentication. - -The Common Name (CN) of the nfd-master certificate must match the DNS name of -the nfd-master Service of the cluster. By default, nfd-master only check that -the nfd-worker has been signed by the specified root certificate (-ca-file). - -Additional hardening can be enabled by specifying `-verify-node-name` in -nfd-master args, in which case nfd-master verifies that the NodeName presented -by nfd-worker matches the Common Name (CN) or a Subject Alternative Name (SAN) -of its certificate. - -## Automated TLS certificate management using cert-manager - -[cert-manager](https://cert-manager.io/) can be used to automate certificate -management between nfd-master and the nfd-worker pods. - -The NFD source code repository contains an example kustomize overlay and helm -chart that can be used to deploy NFD with cert-manager supplied certificates -enabled. 
- -To install `cert-manager` itself, you can run: - -```bash -kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml -``` - -Alternatively, you can refer to cert-manager documentation for other -installation methods such as the Helm chart they provide. - -When using the Helm chart to deploy NFD, override `values.yaml` to enable both the -`tls.enabled` and `tls.certManager` options. Note that if you do not enable -`tls.certManager`, helm will successfully install the application, but -deployment will wait until certificates are manually created, as demonstrated -below. - -See the sample installation commands in the Helm [Deployment](helm.md#deployment) -and [Configuration](helm.md#configuration) sections above for how to either override -individual values, or provide a yaml file with which to override default -values. - -## Manual TLS certificate management - -If you do not with to make use of cert-manager, the certificates can be -manually created and stored as secrets within the NFD namespace. - -Create a CA certificate - -```bash -openssl req -x509 -newkey rsa:4096 -keyout ca.key -nodes \ - -subj "/CN=nfd-ca" -days 10000 -out ca.crt -``` - -Create a common openssl config file. - -```bash -cat < nfd-common.conf -[ req ] -default_bits = 4096 -prompt = no -default_md = sha256 -req_extensions = req_ext -distinguished_name = dn - -[ dn ] -C = XX -ST = some-state -L = some-city -O = some-company -OU = node-feature-discovery - -[ req_ext ] -subjectAltName = @alt_names - -[ v3_ext ] -authorityKeyIdentifier=keyid,issuer:always -basicConstraints=CA:FALSE -keyUsage=keyEncipherment,dataEncipherment -extendedKeyUsage=serverAuth,clientAuth -subjectAltName=@alt_names -EOF -``` - -Now, create the nfd-master certificate. 
- -```bash -cat < nfd-master.conf -.include nfd-common.conf - -[ dn ] -CN = nfd-master - -[ alt_names ] -DNS.1 = nfd-master -DNS.2 = nfd-master.node-feature-discovery.svc.cluster.local -DNS.3 = localhost -EOF - -openssl req -new -newkey rsa:4096 -keyout nfd-master.key -nodes -out nfd-master.csr -config nfd-master.conf -``` - -Create certificates for nfd-worker and nfd-topology-updater - -```bash -cat < nfd-worker.conf -.include nfd-common.conf - -[ dn ] -CN = nfd-worker - -[ alt_names ] -DNS.1 = nfd-worker -DNS.2 = nfd-worker.node-feature-discovery.svc.cluster.local -EOF - -# Config for topology updater is identical except for the DN and alt_names -sed -e 's/worker/topology-updater/g' < nfd-worker.conf > nfd-topology-updater.conf - -openssl req -new -newkey rsa:4096 -keyout nfd-worker.key -nodes -out nfd-worker.csr -config nfd-worker.conf -openssl req -new -newkey rsa:4096 -keyout nfd-topology-updater.key -nodes -out nfd-topology-updater.csr -config nfd-topology-updater.conf -``` - -Now, sign the certificates with the CA created earlier. - -```bash -for cert in nfd-master nfd-worker nfd-topology-updater; do - echo signing $cert - openssl x509 -req -in $cert.csr -CA ca.crt -CAkey ca.key \ - -CAcreateserial -out $cert.crt -days 10000 \ - -extensions v3_ext -extfile $cert.conf -done -``` - -Finally, turn these certificates into secrets. - -```bash -for cert in nfd-master nfd-worker nfd-topology-updater; do - echo creating secret for $cert in node-feature-discovery namespace - cat < ****DEPRECATED**: Running NFD locally is deprecated and will be removed in a -> future release. It depends on the gRPC API which is deprecated and will be -> removed in a future release. To run NFD locally, disable the NodeFeature API -> with `-feature-gates NodeFeatureAPI=false` flag. - -You can run NFD locally, either directly on your host OS or in containers for -testing and development purposes. This may be useful e.g. for checking -features-detection. 
- ### NFD-Master When running as a standalone container labeling is expected to fail because -Kubernetes API is not available. Thus, it is recommended to use `-no-publish` -Also specify `-crd-controller=false` and `-feature-gates NodeFeatureAPI=false` -command line flags to disable CRD controller and enable gRPC. E.g. +Kubernetes API is not available. Thus, it is recommended to use `-no-publish`. ```bash $ export NFD_CONTAINER_IMAGE={{ site.container_image }} $ docker run --rm --name=nfd-test ${NFD_CONTAINER_IMAGE} nfd-master -no-publish -crd-controller=false -feature-gates NodeFeatureAPI=false 2019/02/01 14:48:21 Node Feature Discovery Master -2019/02/01 14:48:21 gRPC server serving on port: 8080 ``` ### NFD-Worker diff --git a/docs/reference/master-commandline-reference.md b/docs/reference/master-commandline-reference.md index 39dd71c718..b2ee963c00 100644 --- a/docs/reference/master-commandline-reference.md +++ b/docs/reference/master-commandline-reference.md @@ -47,18 +47,6 @@ The `-prune` flag is a sub-command like option for cleaning up the cluster. It causes nfd-master to remove all NFD related labels, annotations and extended resources from all Node objects of the cluster and exit. -### -port - -The `-port` flag specifies the TCP port that nfd-master listens for incoming requests. - -Default: 8080 - -Example: - -```bash -nfd-master -port=443 -``` - ### -metrics The `-metrics` flag specifies the port on which to expose 
@@ -89,91 +77,6 @@ Example: nfd-master -instance=network ``` -### -ca-file - -> **NOTE** the gRPC API is deprecated and will be removed in a future release. -> and this flag will be removed as well. - -The `-ca-file` is one of the three flags (together with `-cert-file` and -`-key-file`) controlling master-worker mutual TLS authentication on the -nfd-master side. This flag specifies the TLS root certificate that is used for -authenticating incoming connections. NFD-Worker side needs to have matching key -and cert files configured for the incoming requests to be accepted. - -Default: *empty* - -> **NOTE:** Must be specified together with `-cert-file` and `-key-file` - -Example: - -```bash -nfd-master -ca-file=/opt/nfd/ca.crt -cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key -``` - -### -cert-file - -> **NOTE** the gRPC API is deprecated and will be removed in a future release. -> and this flag will be removed as well. - -The `-cert-file` is one of the three flags (together with `-ca-file` and -`-key-file`) controlling master-worker mutual TLS authentication on the -nfd-master side. This flag specifies the TLS certificate presented for -authenticating outgoing traffic towards nfd-worker. - -Default: *empty* - -> **NOTE:** Must be specified together with `-ca-file` and `-key-file` - -Example: - -```bash -nfd-master -cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key -ca-file=/opt/nfd/ca.crt -``` - -### -key-file - -> **NOTE** the gRPC API is deprecated and will be removed in a future release. -> and this flag will be removed as well. - -The `-key-file` is one of the three flags (together with `-ca-file` and -`-cert-file`) controlling master-worker mutual TLS authentication on the -nfd-master side. This flag specifies the private key corresponding the given -certificate file (`-cert-file`) that is used for authenticating outgoing -traffic. 
- -Default: *empty* - -> **NOTE:** Must be specified together with `-cert-file` and `-ca-file` - -Example: - -```bash -nfd-master -key-file=/opt/nfd/master.key -cert-file=/opt/nfd/master.crt -ca-file=/opt/nfd/ca.crt -``` - -### -verify-node-name - -> **NOTE** the gRPC API is deprecated and will be removed in a future release. -> and this flag will be removed as well. - -The `-verify-node-name` flag controls the NodeName based authorization of -incoming requests and only has effect when mTLS authentication has been enabled -(with `-ca-file`, `-cert-file` and `-key-file`). If enabled, the worker node -name of the incoming must match with the CN or a SAN in its TLS certificate. Thus, -workers are only able to label the node they are running on (or the node whose -certificate they present). - -Node Name based authorization is disabled by default. - -Default: *false* - -Example: - -```bash -nfd-master -verify-node-name -ca-file=/opt/nfd/ca.crt \ - -cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key -``` - ### -enable-leader-election The `-enable-leader-election` flag enables leader election for NFD-Master. @@ -212,28 +115,6 @@ Example: nfd-master -no-publish ``` -### -crd-controller - -> **NOTE** This flag will be removed in a future release at the same time with -> the deprecated gRPC API. - -The `-crd-controller` flag specifies whether the NFD CRD API controller is -enabled or not. The controller is responsible for processing -[NodeFeature](../usage/custom-resources.md#nodefeature) and -[NodeFeatureRule](../usage/custom-resources.md#nodefeaturerule) objects. - -Default: *true* - -Example: - -```bash -nfd-master -crd-controller=false -``` - -### -featurerules-controller - -**DEPRECATED**: use [`-crd-controller`](#-crd-controller) instead. - ### -label-whitelist The `-label-whitelist` specifies a regular expression for filtering feature 
diff --git a/docs/reference/worker-commandline-reference.md b/docs/reference/worker-commandline-reference.md
index 1c00f42a3c..ebc82e3a60 100644
--- a/docs/reference/worker-commandline-reference.md
+++ b/docs/reference/worker-commandline-reference.md
@@ -69,82 +69,6 @@ Example: nfd-worker -options='{"sources":{"cpu":{"cpuid":{"attributeWhitelist":["AVX","AVX2"]}}}}' ``` -### -server - -> **NOTE** the gRPC API is deprecated and will be removed in a future release. -> and this flag will be removed as well. - -The `-server` flag specifies the address of the nfd-master endpoint where to -connect to. - -Default: localhost:8080 - -Example: - -```bash -nfd-worker -server=nfd-master.nfd.svc.cluster.local:443 -``` - -### -ca-file - -> **NOTE** the gRPC API is deprecated and will be removed in a future release. -> and this flag will be removed as well. - -The `-ca-file` is one of the three flags (together with `-cert-file` and -`-key-file`) controlling the mutual TLS authentication on the worker side. -This flag specifies the TLS root certificate that is used for verifying the -authenticity of nfd-master. - -Default: *empty* - -> **NOTE:** Must be specified together with `-cert-file` and `-key-file` - -Example: - -```bash -nfd-worker -ca-file=/opt/nfd/ca.crt -cert-file=/opt/nfd/worker.crt -key-file=/opt/nfd/worker.key -``` - -### -cert-file - -> **NOTE** the gRPC API is deprecated and will be removed in a future release. -> and this flag will be removed as well. - -The `-cert-file` is one of the three flags (together with `-ca-file` and -`-key-file`) controlling mutual TLS authentication on the worker side. This -flag specifies the TLS certificate presented for authenticating outgoing -requests. - -Default: *empty* - -> **NOTE:** Must be specified together with `-ca-file` and `-key-file` - -Example: - -```bash -nfd-workerr -cert-file=/opt/nfd/worker.crt -key-file=/opt/nfd/worker.key -ca-file=/opt/nfd/ca.crt -``` - -### -key-file - -> **NOTE** the gRPC API is deprecated and will be removed in a future release. -> and this flag will be removed as well. - -The `-key-file` is one of the three flags (together with `-ca-file` and -`-cert-file`) controlling the mutual TLS authentication on the worker side. 
-This flag specifies the private key corresponding the given certificate file -(`-cert-file`) that is used for authenticating outgoing requests. - -Default: *empty* - -> **NOTE:** Must be specified together with `-cert-file` and `-ca-file` - -Example: - -```bash -nfd-worker -key-file=/opt/nfd/worker.key -cert-file=/opt/nfd/worker.crt -ca-file=/opt/nfd/ca.crt -``` - ### -kubeconfig The `-kubeconfig` flag specifies the kubeconfig to use for connecting to the @@ -160,23 +84,6 @@ Example: nfd-worker -kubeconfig ${HOME}/.kube/config ``` -### -server-name-override - -> **NOTE** the gRPC API is deprecated and will be removed in a future release. -> and this flag will be removed as well. - -The `-server-name-override` flag specifies the common name (CN) which to -expect from the nfd-master TLS certificate. This flag is mostly intended for -development and debugging purposes. - -Default: *empty* - -Example: - -```bash -nfd-worker -server-name-override=localhost -``` - ### -feature-sources The `-feature-sources` flag specifies a comma-separated list of enabled feature diff --git a/pkg/nfd-master/nfd-api-controller.go b/pkg/nfd-master/nfd-api-controller.go index 4127a8b036..5ba38e588f 100644 --- a/pkg/nfd-master/nfd-api-controller.go +++ b/pkg/nfd-master/nfd-api-controller.go 
@@ -141,21 +141,18 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
 			if !nfdApiControllerOptions.DisableNodeFeature {
 				c.updateAllNodes()
 			}
-			// else: rules will be processed only when gRPC requests are received
 		},
 		UpdateFunc: func(oldObject, newObject interface{}) {
 			klog.V(2).InfoS("NodeFeatureRule updated", "nodefeaturerule", klog.KObj(newObject.(metav1.Object)))
 			if !nfdApiControllerOptions.DisableNodeFeature {
 				c.updateAllNodes()
 			}
-			// else: rules will be processed only when gRPC requests are received
 		},
 		DeleteFunc: func(object interface{}) {
 			klog.V(2).InfoS("NodeFeatureRule deleted", "nodefeaturerule", klog.KObj(object.(metav1.Object)))
 			if !nfdApiControllerOptions.DisableNodeFeature {
 				c.updateAllNodes()
 			}
-			// else: rules will be processed only when gRPC requests are received
 		},
 	}); err != nil {
 		return nil, err
diff --git a/test/e2e/utils/rbac.go b/test/e2e/utils/rbac.go
index 5e57fe4ecb..561cbf353e 100644
--- a/test/e2e/utils/rbac.go
+++ b/test/e2e/utils/rbac.go
@@ -273,8 +273,7 @@ func createClusterRoleTopologyUpdater(ctx context.Context, cs clientset.Interfac
 			Name: "nfd-topology-updater-e2e",
 		},
 		// the Topology Updater doesn't need to access any kube object:
-		// it reads from the podresources socket and it sends updates to the
-		// nfd-master using the gRPC interface.
+		// it reads from the podresources socket and it updates the noderesourcetopologies
 		Rules: []rbacv1.PolicyRule{
 			{
 				APIGroups: []string{""},
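Review bot: The reworded comment in createClusterRoleTopologyUpdater now contradicts itself: the kept first line still says the Topology Updater "doesn't need to access any kube object", while the new second line says it updates noderesourcetopologies, which are API objects that need exactly the ClusterRole permissions this function is building. The comment should state the least-privilege intent rather than deny it, e.g. `// the Topology Updater needs RBAC only for what it touches: it reads the podresources` / `// socket (no API access) and updates NodeResourceTopology objects.` With the gRPC path to nfd-master gone, the Rules list below is also worth re-checking for entries that only existed for that path; only its first entry (`APIGroups: []string{""}`) is visible here. The function starts and ends outside the hunk.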