From 6f99791021f975613ceb99f9e1581616c16f5908 Mon Sep 17 00:00:00 2001 From: "Lubomir I. Ivanov" Date: Thu, 26 Mar 2020 22:02:55 +0200 Subject: [PATCH] kubeadm: add missing RBAC for getting nodes on "upgrade apply" b117a928 added a new check during "join" whether a Node with the same name exists in the cluster. When upgrading from 1.17 to 1.18 make sure the required RBAC by this check is added. Otherwise "kubeadm join" will complain that it lacks permissions to GET a Node. --- cmd/kubeadm/app/phases/upgrade/postupgrade.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cmd/kubeadm/app/phases/upgrade/postupgrade.go b/cmd/kubeadm/app/phases/upgrade/postupgrade.go index 98dc6520be3..59aa76ccd54 100644 --- a/cmd/kubeadm/app/phases/upgrade/postupgrade.go +++ b/cmd/kubeadm/app/phases/upgrade/postupgrade.go @@ -70,6 +70,11 @@ func PerformPostUpgradeTasks(client clientset.Interface, cfg *kubeadmapi.InitCon errs = append(errs, errors.Wrap(err, "error uploading crisocket")) } + // Create RBAC rules that makes the bootstrap tokens able to get nodes + if err := nodebootstraptoken.AllowBoostrapTokensToGetNodes(client); err != nil { + errs = append(errs, err) + } + // Create/update RBAC rules that makes the bootstrap tokens able to post CSRs if err := nodebootstraptoken.AllowBootstrapTokensToPostCSRs(client); err != nil { errs = append(errs, err)