kubeadm: clean up RBAC grants

2025-07-28 14:07:14 +00:00 · 2017-01-19 10:59:32 -05:00 · 2017-01-19 10:59:32 -05:00 · 083ffb6e93
commit 083ffb6e93
parent e3f79588f4
4 changed files with 20 additions and 22 deletions
--- a/cmd/kubeadm/app/master/apiclient.go
+++ b/cmd/kubeadm/app/master/apiclient.go
@ -73,11 +73,10 @@ func CreateClientAndWaitForAPI(file string) (*clientset.Clientset, error) {
 		cs, err := client.ComponentStatuses().List(v1.ListOptions{})
 		if err != nil {
 			if apierrs.IsForbidden(err) {
-				fmt.Print("\r[apiclient] Waiting for the API server to create RBAC policies")
+				fmt.Println("[apiclient] Waiting for API server authorization")
 			}
 			return false, nil
 		}
 		fmt.Println("\n[apiclient] RBAC policies created")
 		// TODO(phase2) must revisit this when we implement HA
 		if len(cs.Items) < 3 {
 			fmt.Println("[apiclient] Not all control plane components are ready yet")
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@ -369,7 +369,7 @@ func getControllerManagerCommand(cfg *kubeadmapi.MasterConfiguration) []string {
 		"--service-account-private-key-file="+kubeadmapi.GlobalEnvParams.HostPKIPath+"/apiserver-key.pem",
 		"--cluster-signing-cert-file="+kubeadmapi.GlobalEnvParams.HostPKIPath+"/ca.pem",
 		"--cluster-signing-key-file="+kubeadmapi.GlobalEnvParams.HostPKIPath+"/ca-key.pem",
-		"--insecure-experimental-approve-all-kubelet-csrs-for-group=kubeadm:kubelet-bootstrap",
+		"--insecure-experimental-approve-all-kubelet-csrs-for-group="+KubeletBootstrapGroup,
 	)
 	if cfg.CloudProvider != "" {
--- a/cmd/kubeadm/app/master/tokens.go
+++ b/cmd/kubeadm/app/master/tokens.go
@ -27,12 +27,19 @@ import (
 	"k8s.io/kubernetes/pkg/util/uuid"
 )
 const (
 	// TODO: prefix with kubeadm prefix
 	KubeletBootstrapUser = "kubeadm-node-csr"
 	KubeletBootstrapGroup = "kubeadm:kubelet-bootstrap"
 )
 func CreateTokenAuthFile(bt string) error {
 	tokenAuthFilePath := path.Join(kubeadmapi.GlobalEnvParams.HostPKIPath, "tokens.csv")
 	if err := os.MkdirAll(kubeadmapi.GlobalEnvParams.HostPKIPath, 0700); err != nil {
 		return fmt.Errorf("failed to create directory %q [%v]", kubeadmapi.GlobalEnvParams.HostPKIPath, err)
 	}
-	serialized := []byte(fmt.Sprintf("%s,kubeadm-node-csr,%s,kubeadm:kubelet-bootstrap\n", bt, uuid.NewUUID()))
+	serialized := []byte(fmt.Sprintf("%s,%s,%s,%s\n", bt, KubeletBootstrapUser, uuid.NewUUID(), KubeletBootstrapGroup))
 	// DumpReaderToFile create a file with mode 0600
 	if err := cmdutil.DumpReaderToFile(bytes.NewReader(serialized), tokenAuthFilePath); err != nil {
 		return fmt.Errorf("failed to save token auth file (%q) [%v]", tokenAuthFilePath, err)
--- a/cmd/kubeadm/app/phases/apiconfig/clusterroles.go
+++ b/cmd/kubeadm/app/phases/apiconfig/clusterroles.go
@ -38,7 +38,7 @@ func CreateBootstrapRBACClusterRole(clientset *clientset.Clientset) error {
 			Name:     "system:node-bootstrapper",
 		},
 		Subjects: []rbac.Subject{
-			rbac.Subject{Kind: "Group", Name: "kubeadm:kubelet-bootstrap"},
+			{Kind: "Group", Name: master.KubeletBootstrapGroup},
 		},
 	}
 	if _, err := clientset.Rbac().ClusterRoleBindings().Create(&clusterRoleBinding); err != nil {
@ -76,7 +76,7 @@ func CreateKubeDNSRBACClusterRole(clientset *clientset.Clientset) error {
 		RoleRef: rbac.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
-			Name:     "kubeadm:" + master.KubeDNS,
+			Name:     clusterRole.Name,
 		},
 		Subjects: []rbac.Subject{subject},
 	}
@ -88,32 +88,24 @@ func CreateKubeDNSRBACClusterRole(clientset *clientset.Clientset) error {
 	return nil
 }
-// CreateKubeProxyClusterRoleBinding creates the necessary ClusterRole for kube-dns
+// CreateKubeProxyClusterRoleBinding grants the system:node-proxier role to the nodes group,
 // since kubelet credentials are used to run the kube-proxy
 // TODO: give the kube-proxy its own credential and stop requiring this
 func CreateKubeProxyClusterRoleBinding(clientset *clientset.Clientset) error {
 	systemKubeProxySubject := rbac.Subject{
 		Kind:      "User",
 		Name:      "system:kube-proxy",
 		Namespace: api.NamespaceSystem,
 	}
 	systemNodesSubject := rbac.Subject{
 		Kind:      "Group",
 		Name:      "system:nodes",
 		Namespace: api.NamespaceSystem,
 	}
 	clusterRoleBinding := rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: "system:node-proxier",
+			Name: "kubeadm:node-proxier",
 		},
 		RoleRef: rbac.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
 			Name:     "system:node-proxier",
 		},
-		Subjects: []rbac.Subject{systemKubeProxySubject, systemNodesSubject},
+		Subjects: []rbac.Subject{
 			{Kind: "Group", Name: "system:nodes"},
 		},
 	}
-	if _, err := clientset.Rbac().ClusterRoleBindings().Update(&clusterRoleBinding); err != nil {
+	if _, err := clientset.Rbac().ClusterRoleBindings().Create(&clusterRoleBinding); err != nil {
 		return err
 	}
 	fmt.Println("[apiconfig] Created kube-proxy RBAC rules")