diff --git a/cmd/kubeadm/app/cmd/init.go b/cmd/kubeadm/app/cmd/init.go index 591dff1dc31..556a18122e9 100644 --- a/cmd/kubeadm/app/cmd/init.go +++ b/cmd/kubeadm/app/cmd/init.go @@ -370,7 +370,7 @@ func (i *Init) Run(out io.Writer) error { // Create the default node bootstrap token tokenDescription := "The default bootstrap token generated by 'kubeadm init'." - if err := nodebootstraptokenphase.UpdateOrCreateToken(client, i.cfg.Token, false, i.cfg.TokenTTL.Duration, kubeadmconstants.DefaultTokenUsages, []string{kubeadmconstants.V18NodeBootstrapTokenAuthGroup}, tokenDescription); err != nil { + if err := nodebootstraptokenphase.UpdateOrCreateToken(client, i.cfg.Token, false, i.cfg.TokenTTL.Duration, kubeadmconstants.DefaultTokenUsages, []string{kubeadmconstants.NodeBootstrapTokenAuthGroup}, tokenDescription); err != nil { return err } // Create RBAC rules that makes the bootstrap tokens able to post CSRs diff --git a/cmd/kubeadm/app/cmd/token.go b/cmd/kubeadm/app/cmd/token.go index 945ff215ef4..a4ac2a61c98 100644 --- a/cmd/kubeadm/app/cmd/token.go +++ b/cmd/kubeadm/app/cmd/token.go @@ -120,7 +120,7 @@ func NewCmdToken(out io.Writer, errW io.Writer) *cobra.Command { createCmd.Flags().StringSliceVar(&usages, "usages", kubeadmconstants.DefaultTokenUsages, "The ways in which this token can be used. Valid options: [signing,authentication].") createCmd.Flags().StringSliceVar(&extraGroups, - "groups", []string{kubeadmconstants.V18NodeBootstrapTokenAuthGroup}, + "groups", []string{kubeadmconstants.NodeBootstrapTokenAuthGroup}, fmt.Sprintf("Extra groups that this token will authenticate as when used for authentication. Must match %q.", bootstrapapi.BootstrapGroupPattern)) createCmd.Flags().StringVar(&description, "description", "", "A human friendly description of how this token is used.") diff --git a/cmd/kubeadm/app/constants/BUILD b/cmd/kubeadm/app/constants/BUILD index 5b6884926ab..1e7597d46fa 100644 --- a/cmd/kubeadm/app/constants/BUILD 
+++ b/cmd/kubeadm/app/constants/BUILD @@ -32,5 +32,4 @@ go_test( name = "go_default_test", srcs = ["constants_test.go"], library = ":go_default_library", - deps = ["//pkg/util/version:go_default_library"], ) diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go index c706466a9b3..5e947811999 100644 --- a/cmd/kubeadm/app/constants/constants.go +++ b/cmd/kubeadm/app/constants/constants.go @@ -170,11 +170,8 @@ const ( // KubeConfigVolumeName specifies the name for the Volume that is used for injecting the kubeconfig to talk securely to the api server for a control plane component if applicable KubeConfigVolumeName = "kubeconfig" - // V17NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in, in v1.7 - V17NodeBootstrapTokenAuthGroup = "system:bootstrappers" - - // V18NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in, in v1.8 - V18NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token" + // NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in + NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token" // DefaultCIImageRepository points to image registry where CI uploads images from ci-cross build job DefaultCIImageRepository = "gcr.io/kubernetes-ci-images" 
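Review bot: The new comment on `NodeBootstrapTokenAuthGroup` (hunk at -170 in constants.go) no longer says what depends on this string. Elsewhere in this diff the constant is the default for the `groups` flag in token.go and the subject of both RBAC bindings in tlsbootstrap.go, so editing it changes which tokens are authorized to post CSRs and have them auto-approved. I would extend the comment along the lines of `// NodeBootstrapTokenAuthGroup is the group that default kubeadm node bootstrap tokens authenticate as; the CSR-posting and auto-approval bindings are bound to this group`. The const block starts and ends outside the hunk.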
@@ -212,10 +209,6 @@ var ( // TODO: Remove this when the v1.9 cycle starts and we bump the minimum supported version to v1.8.0 MinimumCSRAutoApprovalClusterRolesVersion = version.MustParseSemantic("v1.8.0-alpha.3") - // UseEnableBootstrapTokenAuthFlagVersion defines the first version where the API server supports the --enable-bootstrap-token-auth flag instead of the old and deprecated flag. - // TODO: Remove this when the v1.9 cycle starts and we bump the minimum supported version to v1.8.0 - UseEnableBootstrapTokenAuthFlagVersion = version.MustParseSemantic("v1.8.0-beta.0") - // MinimumKubeletVersion specifies the minimum version of kubelet which kubeadm supports MinimumKubeletVersion = version.MustParseSemantic("v1.8.0") ) @@ -253,11 +246,3 @@ func CreateTempDirForKubeadm(dirName string) (string, error) { } return tempDir, nil } - -// GetNodeBootstrapTokenAuthGroup gets the bootstrap token auth group conditionally based on version -func GetNodeBootstrapTokenAuthGroup(k8sVersion *version.Version) string { - if k8sVersion.AtLeast(UseEnableBootstrapTokenAuthFlagVersion) { - return V18NodeBootstrapTokenAuthGroup - } - return V17NodeBootstrapTokenAuthGroup -} diff --git a/cmd/kubeadm/app/constants/constants_test.go b/cmd/kubeadm/app/constants/constants_test.go index 70f491b72fa..29cffa2abbd 100644 --- a/cmd/kubeadm/app/constants/constants_test.go +++ b/cmd/kubeadm/app/constants/constants_test.go @@ -18,8 +18,6 @@ package constants import ( "testing" - - "k8s.io/kubernetes/pkg/util/version" ) func TestGetStaticPodDirectory(t *testing.T) { 
@@ -112,48 +110,3 @@ func TestAddSelfHostedPrefix(t *testing.T) { } } } - -func TestGetNodeBootstrapTokenAuthGroup(t *testing.T) { - var tests = []struct { - k8sVersion, expected string - }{ - { - k8sVersion: "v1.7.0", - expected: "system:bootstrappers", - }, - { - k8sVersion: "v1.7.8", - expected: "system:bootstrappers", - }, - { - k8sVersion: "v1.8.0-alpha.3", - expected: "system:bootstrappers", - }, - { - k8sVersion: "v1.8.0-beta.0", - expected: "system:bootstrappers:kubeadm:default-node-token", - }, - { - k8sVersion: "v1.8.0-rc.1", - expected: "system:bootstrappers:kubeadm:default-node-token", - }, - { - k8sVersion: "v1.8.0", - expected: "system:bootstrappers:kubeadm:default-node-token", - }, - { - k8sVersion: "v1.8.9", - expected: "system:bootstrappers:kubeadm:default-node-token", - }, - } - for _, rt := range tests { - actual := GetNodeBootstrapTokenAuthGroup(version.MustParseSemantic(rt.k8sVersion)) - if actual != rt.expected { - t.Errorf( - "failed GetNodeBootstrapTokenAuthGroup:\n\texpected: %s\n\t actual: %s", - rt.expected, - actual, - ) - } - } -} diff --git a/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go b/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go index a076613499d..d8a63b60595 100644 --- a/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go +++ b/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go @@ -63,7 +63,7 @@ func AllowBootstrapTokensToPostCSRs(client clientset.Interface, k8sVersion *vers Subjects: []rbac.Subject{ { Kind: rbac.GroupKind, - Name: constants.GetNodeBootstrapTokenAuthGroup(k8sVersion), + Name: constants.NodeBootstrapTokenAuthGroup, }, }, }) @@ -87,7 +87,7 @@ func AutoApproveNodeBootstrapTokens(client clientset.Interface, k8sVersion *vers Subjects: []rbac.Subject{ { Kind: "Group", - Name: constants.GetNodeBootstrapTokenAuthGroup(k8sVersion), + Name: constants.NodeBootstrapTokenAuthGroup, }, }, }) 
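Review bot: The two bindings in tlsbootstrap.go spell the same subject kind differently: `AllowBootstrapTokensToPostCSRs` (hunk at -63) has `Kind: rbac.GroupKind`, while `AutoApproveNodeBootstrapTokens` (hunk at -87) keeps the literal `Kind: "Group"`; the second should read `Kind: rbac.GroupKind,` so the subjects cannot drift apart. With the subject now fixed to `constants.NodeBootstrapTokenAuthGroup`, both functions still take `k8sVersion`; their bodies start and end outside these hunks, so I cannot tell whether anything else reads it, but if not the parameter should be dropped or its remaining use commented. It would also help to state in the function comments that only tokens carrying this group match the bindings, since a token that authenticates solely as the removed `system:bootstrappers` value presumably no longer does.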
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go index 7d2784d8bea..b10822c441c 100644 --- a/cmd/kubeadm/app/phases/controlplane/manifests.go +++ b/cmd/kubeadm/app/phases/controlplane/manifests.go @@ -148,6 +148,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, k8sVersion *versio "tls-private-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerKeyName), "kubelet-client-certificate": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerKubeletClientCertName), "kubelet-client-key": filepath.Join(cfg.CertificatesDir, kubeadmconstants.APIServerKubeletClientKeyName), + "enable-bootstrap-token-auth": "true", "secure-port": fmt.Sprintf("%d", cfg.API.BindPort), "allow-privileged": "true", "kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname", @@ -164,13 +165,6 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, k8sVersion *versio command := []string{"kube-apiserver"} - // Note: Mutating defaultArguments dynamically must happen before the BuildArgumentListFromMap call below - if k8sVersion.AtLeast(kubeadmconstants.UseEnableBootstrapTokenAuthFlagVersion) { - defaultArguments["enable-bootstrap-token-auth"] = "true" - } else { - defaultArguments["experimental-bootstrap-token-auth"] = "true" - } - command = append(command, kubeadmutil.BuildArgumentListFromMap(defaultArguments, cfg.APIServerExtraArgs)...) command = append(command, getAuthzParameters(cfg.AuthorizationModes)...) diff --git a/cmd/kubeadm/app/phases/controlplane/manifests_test.go b/cmd/kubeadm/app/phases/controlplane/manifests_test.go index fd12218cdb1..ce37d20d241 100644 --- a/cmd/kubeadm/app/phases/controlplane/manifests_test.go +++ b/cmd/kubeadm/app/phases/controlplane/manifests_test.go 
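Review bot: `"enable-bootstrap-token-auth": "true"` is now emitted for every version (hunk at -148), yet `getAPIServerCommand` still receives `k8sVersion`, and nothing in the visible hunks rejects a version older than v1.8.0-beta.0, which the removed constant's comment named as the first release supporting this flag. If the minimum control-plane version is enforced elsewhere (not visible here), a comment at the map entry would record that dependency, e.g. `// requires kube-apiserver >= v1.8.0-beta.0; older releases used --experimental-bootstrap-token-auth`. Because the entry sits in `defaultArguments`, it is presumably still overridable through `cfg.APIServerExtraArgs` in the `BuildArgumentListFromMap` call; the comment could say that token authentication is on by default so operators who do not use bootstrap tokens know where to turn it off. The function body starts and ends outside both hunks.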
@@ -41,7 +41,7 @@ func TestGetStaticPodSpecs(t *testing.T) { // Creates a Master Configuration cfg := &kubeadmapi.MasterConfiguration{ - KubernetesVersion: "v1.7.0", + KubernetesVersion: "v1.8.0", } // Executes GetStaticPodSpecs @@ -113,7 +113,7 @@ func TestCreateStaticPodFilesAndWrappers(t *testing.T) { // Creates a Master Configuration cfg := &kubeadmapi.MasterConfiguration{ - KubernetesVersion: "v1.7.0", + KubernetesVersion: "v1.8.0", } // Execute createStaticPodFunction @@ -143,7 +143,7 @@ func TestGetAPIServerCommand(t *testing.T) { API: kubeadmapi.API{BindPort: 123, AdvertiseAddress: "1.2.3.4"}, Networking: kubeadmapi.Networking{ServiceSubnet: "bar"}, CertificatesDir: testCertsDir, - KubernetesVersion: "v1.7.0", + KubernetesVersion: "v1.8.0", }, expected: []string{ "kube-apiserver", @@ -156,10 +156,10 @@ func TestGetAPIServerCommand(t *testing.T) { "--tls-private-key-file=" + testCertsDir + "/apiserver.key", "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt", "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key", + "--enable-bootstrap-token-auth=true", "--secure-port=123", "--allow-privileged=true", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", - "--experimental-bootstrap-token-auth=true", "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt", "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key", "--requestheader-username-headers=X-Remote-User", @@ -211,7 +211,7 @@ func TestGetAPIServerCommand(t *testing.T) { API: kubeadmapi.API{BindPort: 123, AdvertiseAddress: "4.3.2.1"}, Networking: kubeadmapi.Networking{ServiceSubnet: "bar"}, CertificatesDir: testCertsDir, - KubernetesVersion: "v1.7.1", + KubernetesVersion: "v1.8.1", }, expected: []string{ "kube-apiserver", 
@@ -224,10 +224,10 @@ func TestGetAPIServerCommand(t *testing.T) { "--tls-private-key-file=" + testCertsDir + "/apiserver.key", "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt", "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key", + "--enable-bootstrap-token-auth=true", "--secure-port=123", "--allow-privileged=true", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", - "--experimental-bootstrap-token-auth=true", "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt", "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key", "--requestheader-username-headers=X-Remote-User", @@ -246,7 +246,7 @@ func TestGetAPIServerCommand(t *testing.T) { Networking: kubeadmapi.Networking{ServiceSubnet: "bar"}, Etcd: kubeadmapi.Etcd{CertFile: "fiz", KeyFile: "faz"}, CertificatesDir: testCertsDir, - KubernetesVersion: "v1.7.2", + KubernetesVersion: "v1.8.0", }, expected: []string{ "kube-apiserver", @@ -259,10 +259,10 @@ func TestGetAPIServerCommand(t *testing.T) { "--tls-private-key-file=" + testCertsDir + "/apiserver.key", "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt", "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key", + "--enable-bootstrap-token-auth=true", "--secure-port=123", "--allow-privileged=true", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", - "--experimental-bootstrap-token-auth=true", "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt", "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key", "--requestheader-username-headers=X-Remote-User", @@ -283,7 +283,7 @@ func TestGetAPIServerCommand(t *testing.T) { Networking: kubeadmapi.Networking{ServiceSubnet: "bar"}, Etcd: kubeadmapi.Etcd{CertFile: "fiz", KeyFile: "faz"}, CertificatesDir: testCertsDir, - KubernetesVersion: "v1.7.3", + KubernetesVersion: "v1.8.3", }, expected: []string{ "kube-apiserver", 
@@ -296,10 +296,10 @@ func TestGetAPIServerCommand(t *testing.T) { "--tls-private-key-file=" + testCertsDir + "/apiserver.key", "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt", "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key", + "--enable-bootstrap-token-auth=true", fmt.Sprintf("--secure-port=%d", 123), "--allow-privileged=true", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", - "--experimental-bootstrap-token-auth=true", "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt", "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key", "--requestheader-username-headers=X-Remote-User", @@ -320,7 +320,7 @@ func TestGetAPIServerCommand(t *testing.T) { Networking: kubeadmapi.Networking{ServiceSubnet: "bar"}, Etcd: kubeadmapi.Etcd{CertFile: "fiz", KeyFile: "faz"}, CertificatesDir: testCertsDir, - KubernetesVersion: "v1.7.0", + KubernetesVersion: "v1.8.0", }, expected: []string{ "kube-apiserver", @@ -333,10 +333,10 @@ func TestGetAPIServerCommand(t *testing.T) { "--tls-private-key-file=" + testCertsDir + "/apiserver.key", "--kubelet-client-certificate=" + testCertsDir + "/apiserver-kubelet-client.crt", "--kubelet-client-key=" + testCertsDir + "/apiserver-kubelet-client.key", + "--enable-bootstrap-token-auth=true", fmt.Sprintf("--secure-port=%d", 123), "--allow-privileged=true", "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", - "--experimental-bootstrap-token-auth=true", "--proxy-client-cert-file=/var/lib/certs/front-proxy-client.crt", "--proxy-client-key-file=/var/lib/certs/front-proxy-client.key", "--requestheader-username-headers=X-Remote-User", diff --git a/cmd/kubeadm/app/phases/upgrade/BUILD b/cmd/kubeadm/app/phases/upgrade/BUILD index 731da4a1dd5..7bc1421aa46 100644 --- a/cmd/kubeadm/app/phases/upgrade/BUILD +++ b/cmd/kubeadm/app/phases/upgrade/BUILD 
@@ -8,7 +8,6 @@ go_library( "health.go", "policy.go", "postupgrade.go", - "postupgrade_v17_v18.go", "prepull.go", "selfhosted.go", "staticpods.go", @@ -32,14 +31,12 @@ go_library( "//cmd/kubeadm/app/util/apiclient:go_default_library", "//cmd/kubeadm/app/util/config:go_default_library", "//pkg/api:go_default_library", - "//pkg/bootstrap/api:go_default_library", "//pkg/util/version:go_default_library", "//pkg/version:go_default_library", "//vendor/k8s.io/api/apps/v1beta2:go_default_library", "//vendor/k8s.io/api/core/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", - "//vendor/k8s.io/apimachinery/pkg/fields:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library", "//vendor/k8s.io/client-go/kubernetes:go_default_library", diff --git a/cmd/kubeadm/app/phases/upgrade/policy_test.go b/cmd/kubeadm/app/phases/upgrade/policy_test.go index bdbd9fb707e..9b81609000b 100644 --- a/cmd/kubeadm/app/phases/upgrade/policy_test.go +++ b/cmd/kubeadm/app/phases/upgrade/policy_test.go @@ -64,7 +64,7 @@ func TestEnforceVersionPolicies(t *testing.T) { newK8sVersion: "v1.8.3", expectedSkippableErrs: 1, }, - { // new version must be higher than v1.7.0 + { // new version must be higher than v1.8.0 vg: &fakeVersionGetter{ clusterVersion: "v1.8.3", kubeletVersion: "v1.8.3", diff --git a/cmd/kubeadm/app/phases/upgrade/postupgrade.go b/cmd/kubeadm/app/phases/upgrade/postupgrade.go index 2ae532fbbc1..b2c18df2d88 100644 --- a/cmd/kubeadm/app/phases/upgrade/postupgrade.go +++ b/cmd/kubeadm/app/phases/upgrade/postupgrade.go 
@@ -40,22 +40,6 @@ func PerformPostUpgradeTasks(client clientset.Interface, cfg *kubeadmapi.MasterC errs = append(errs, err) } - // Handle Bootstrap Tokens graduating to from alpha to beta in the v1.7 -> v1.8 upgrade - // That transition requires two minor changes - - // Remove the old ClusterRoleBinding for approving if it already exists due to the reasons outlined in the comment below - if err := deleteOldApprovalClusterRoleBindingIfExists(client, k8sVersion); err != nil { - errs = append(errs, err) - } - // Upgrade the Bootstrap Tokens' authentication group - if err := upgradeBootstrapTokens(client, k8sVersion); err != nil { - errs = append(errs, err) - } - // Upgrade the cluster-info RBAC rules - if err := deleteWronglyNamedClusterInfoRBACRules(client, k8sVersion); err != nil { - errs = append(errs, err) - } - // Create/update RBAC rules that makes the bootstrap tokens able to post CSRs if err := nodebootstraptoken.AllowBootstrapTokensToPostCSRs(client, k8sVersion); err != nil { errs = append(errs, err) diff --git a/cmd/kubeadm/app/phases/upgrade/postupgrade_v17_v18.go b/cmd/kubeadm/app/phases/upgrade/postupgrade_v17_v18.go deleted file mode 100644 index 8a584bdb0ef..00000000000 --- a/cmd/kubeadm/app/phases/upgrade/postupgrade_v17_v18.go +++ /dev/null 
@@ -1,152 +0,0 @@ -/* -Copyright 2017 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package upgrade - -import ( - "bytes" - "fmt" - - apierrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/fields" - "k8s.io/apimachinery/pkg/util/errors" - clientset "k8s.io/client-go/kubernetes" - "k8s.io/kubernetes/cmd/kubeadm/app/constants" - "k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/clusterinfo" - nodebootstraptoken "k8s.io/kubernetes/cmd/kubeadm/app/phases/bootstraptoken/node" - "k8s.io/kubernetes/pkg/api" - bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api" - "k8s.io/kubernetes/pkg/util/version" -) - -const ( - oldClusterInfoRole = "system:bootstrap-signer-clusterinfo" -) - -// deleteOldApprovalClusterRoleBindingIfExists exists because the roleRef of the NodeAutoApproveBootstrapClusterRoleBinding changed between -// v1.7 and v1.8, and roleRef updates are not possible. 
So in order to change that binding's roleRef, we have to delete it if it already exists -// TODO: When the v1.9 cycle starts, we can remove this logic, as the kubeadm v1.9 CLI doesn't support upgrading from v1.7 -func deleteOldApprovalClusterRoleBindingIfExists(client clientset.Interface, k8sVersion *version.Version) error { - - // Gate this upgrade behavior for new clusters above v1.9.0-alpha.3 where this change took place - if k8sVersion.AtLeast(constants.MinimumCSRAutoApprovalClusterRolesVersion) { - - err := client.RbacV1().ClusterRoleBindings().Delete(nodebootstraptoken.NodeAutoApproveBootstrapClusterRoleBinding, &metav1.DeleteOptions{}) - // If the binding was not found, happily continue - if apierrors.IsNotFound(err) { - return nil - } - // If an unexpected error occurred, return it - if err != nil { - return err - } - } - // The binding was successfully deleted - return nil -} - -// deleteWronglyNamedClusterInfoRBACRules exists because the cluster-info Role's name changed from "system:bootstrap-signer-clusterinfo" in v1.7 to -// "kubeadm:bootstrap-signer-clusterinfo" in v1.8. It was incorrectly prefixed "system:" in v1.7 -// The old, incorrectly-named Role should be removed and roleRef updates on the binding are not possible. 
So in order to change that binding's roleRef, -// we have to delete it if it already exists -// TODO: When the v1.9 cycle starts, we can remove this logic, as the kubeadm v1.9 CLI doesn't support upgrading from v1.7 -func deleteWronglyNamedClusterInfoRBACRules(client clientset.Interface, k8sVersion *version.Version) error { - // Gate this upgrade behavior for new clusters above v1.8.0-beta.0 where this change took place - if k8sVersion.AtLeast(constants.UseEnableBootstrapTokenAuthFlagVersion) { - - if err := removeOldRole(client); err != nil { - return err - } - if err := removeOldRoleBinding(client); err != nil { - return err - } - } - // The binding was successfully deleted - return nil -} - -func removeOldRole(client clientset.Interface) error { - err := client.RbacV1().Roles(metav1.NamespacePublic).Delete(oldClusterInfoRole, &metav1.DeleteOptions{}) - // If the binding was not found, happily continue - if apierrors.IsNotFound(err) { - return nil - } - // If an unexpected error occurred, return it - if err != nil { - return err - } - // The role was successfully deleted - return nil -} - -func removeOldRoleBinding(client clientset.Interface) error { - err := client.RbacV1().RoleBindings(metav1.NamespacePublic).Delete(clusterinfo.BootstrapSignerClusterRoleName, &metav1.DeleteOptions{}) - // If the binding was not found, happily continue - if apierrors.IsNotFound(err) { - return nil - } - // If an unexpected error occurred, return it - if err != nil { - return err - } - // The binding was successfully removed - return nil -} - -// upgradeBootstrapTokens handles the transition from alpha bootstrap tokens to beta. There isn't much that is changing, -// but the group that a Bootstrap Token authenticates as changes from "system:bootstrappers" (alpha) in v1.7 to -// "system:bootstrappers:kubeadm:default-node-token" (beta). 
To handle this transition correctly, the RBAC bindings earlier -// bound to "system:bootstrappers" are now bound to "system:bootstrappers:kubeadm:default-node-token". To make v1.7 tokens -// still valid in v1.8; this code makes sure that all tokens that were used for authentication in v1.7 have the right group -// bound to it in v1.8. -// TODO: When the v1.9 cycle starts, we can remove this logic, as the kubeadm v1.9 CLI doesn't support upgrading from v1.7 -func upgradeBootstrapTokens(client clientset.Interface, k8sVersion *version.Version) error { - - // Gate this upgrade behavior for new clusters above v1.8.0-beta.0; where this BT change took place - if k8sVersion.AtLeast(constants.UseEnableBootstrapTokenAuthFlagVersion) { - - tokenSelector := fields.SelectorFromSet( - map[string]string{ - api.SecretTypeField: string(bootstrapapi.SecretTypeBootstrapToken), - }, - ) - listOptions := metav1.ListOptions{ - FieldSelector: tokenSelector.String(), - } - - secrets, err := client.CoreV1().Secrets(metav1.NamespaceSystem).List(listOptions) - if err != nil { - return fmt.Errorf("failed to list bootstrap tokens: %v", err) - } - - errs := []error{} - for _, secret := range secrets.Items { - // If this Bootstrap Token is used for authentication, the permissions it had in v1.7 should be preserved - if bytes.Equal(secret.Data[bootstrapapi.BootstrapTokenUsageAuthentication], []byte("true")) { - - secret.Data[bootstrapapi.BootstrapTokenExtraGroupsKey] = []byte(constants.GetNodeBootstrapTokenAuthGroup(k8sVersion)) - - // Update the Bootstrap Token Secret - if _, err := client.CoreV1().Secrets(metav1.NamespaceSystem).Update(&secret); err != nil { - errs = append(errs, err) - } - } - } - return errors.NewAggregate(errs) - } - return nil -}