Merge pull request #106883 from calvin0327/move-well-know-systemConstant
kubeadm: move well-known system constants to constants.go
commit
f11dbaea2f
@ -26,6 +26,7 @@ import (
|
||||
|
||||
bootstraptokenv1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/bootstraptoken/v1"
|
||||
"k8s.io/kubernetes/cmd/kubeadm/app/apis/output"
|
||||
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
||||
)
|
||||
|
||||
// Funcs returns the fuzzer functions for the kubeadm apis.
|
||||
@ -42,5 +43,5 @@ func fuzzBootstrapToken(obj *output.BootstrapToken, c fuzz.Continue) {
|
||||
obj.Description = ""
|
||||
obj.TTL = &metav1.Duration{Duration: time.Hour * 24}
|
||||
obj.Usages = []string{"authentication", "signing"}
|
||||
obj.Groups = []string{"system:bootstrappers:kubeadm:default-node-token"}
|
||||
obj.Groups = []string{constants.NodeBootstrapTokenAuthGroup}
|
||||
}
|
||||
|
@ -160,24 +160,52 @@ const (
|
||||
// SchedulerKubeConfigFileName defines the file name for the scheduler's kubeconfig file
|
||||
SchedulerKubeConfigFileName = "scheduler.conf"
|
||||
|
||||
// Some well-known users and groups in the core Kubernetes authorization system
|
||||
// Some well-known users, groups, roles and clusterrolebindings in the core Kubernetes authorization system
|
||||
|
||||
// ControllerManagerUser defines the well-known user the controller-manager should be authenticated as
|
||||
ControllerManagerUser = "system:kube-controller-manager"
|
||||
// SchedulerUser defines the well-known user the scheduler should be authenticated as
|
||||
SchedulerUser = "system:kube-scheduler"
|
||||
// NodesUserPrefix defines the user name prefix as requested by the Node authorizer.
|
||||
NodesUserPrefix = "system:node:"
|
||||
// SystemPrivilegedGroup defines the well-known group for the apiservers. This group is also superuser by default
|
||||
// (i.e. bound to the cluster-admin ClusterRole)
|
||||
SystemPrivilegedGroup = "system:masters"
|
||||
// NodesGroup defines the well-known group for all nodes.
|
||||
NodesGroup = "system:nodes"
|
||||
// NodesUserPrefix defines the user name prefix as requested by the Node authorizer.
|
||||
NodesUserPrefix = "system:node:"
|
||||
// NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in
|
||||
NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token"
|
||||
// KubeProxyClusterRoleName sets the name for the kube-proxy ClusterRole
|
||||
KubeProxyClusterRoleName = "system:node-proxier"
|
||||
// NodeBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR
|
||||
NodeBootstrapperClusterRoleName = "system:node-bootstrapper"
|
||||
// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
|
||||
// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup
|
||||
CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
|
||||
// NodeSelfCSRAutoApprovalClusterRoleName is a role defined in default 1.8 RBAC policies for automatic CSR approvals for automatically rotated node certificates
|
||||
NodeSelfCSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"
|
||||
// NodesClusterRoleBinding defines the well-known ClusterRoleBinding which binds the too permissive system:node
|
||||
// ClusterRole to the system:nodes group. Since kubeadm is using the Node Authorizer, this ClusterRoleBinding's
|
||||
// system:nodes group subject is removed if present.
|
||||
NodesClusterRoleBinding = "system:node"
|
||||
|
||||
// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.
|
||||
// TODO: Remove once UnversionedKubeletConfigMap graduates to GA:
|
||||
// https://github.com/kubernetes/kubeadm/issues/1582
|
||||
KubeletBaseConfigMapRolePrefix = "kubeadm:kubelet-config-"
|
||||
// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.
|
||||
KubeletBaseConfigMapRole = "kubeadm:kubelet-config"
|
||||
// KubeProxyClusterRoleBindingName sets the name for the kube-proxy CluterRoleBinding
|
||||
KubeProxyClusterRoleBindingName = "kubeadm:node-proxier"
|
||||
// NodeKubeletBootstrap defines the name of the ClusterRoleBinding that lets kubelets post CSRs
|
||||
NodeKubeletBootstrap = "kubeadm:kubelet-bootstrap"
|
||||
// GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes
|
||||
GetNodesClusterRoleName = "kubeadm:get-nodes"
|
||||
// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs
|
||||
NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
|
||||
// NodeAutoApproveCertificateRotationClusterRoleBinding defines name of the ClusterRoleBinding that makes the csrapprover approve node auto rotated CSRs
|
||||
NodeAutoApproveCertificateRotationClusterRoleBinding = "kubeadm:node-autoapprove-certificate-rotation"
|
||||
|
||||
// APICallRetryInterval defines how long kubeadm should wait before retrying a failed API operation
|
||||
APICallRetryInterval = 500 * time.Millisecond
|
||||
// DiscoveryRetryInterval specifies how long kubeadm should wait before retrying to connect to the control-plane when doing discovery
|
||||
@ -269,14 +297,6 @@ const (
|
||||
// KubeletBaseConfigurationConfigMapKey specifies in what ConfigMap key the initial remote configuration of kubelet should be stored
|
||||
KubeletBaseConfigurationConfigMapKey = "kubelet"
|
||||
|
||||
// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.
|
||||
// TODO: Remove once UnversionedKubeletConfigMap graduates to GA:
|
||||
// https://github.com/kubernetes/kubeadm/issues/1582
|
||||
KubeletBaseConfigMapRolePrefix = "kubeadm:kubelet-config-"
|
||||
|
||||
// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.
|
||||
KubeletBaseConfigMapRole = "kubeadm:kubelet-config"
|
||||
|
||||
// KubeletRunDirectory specifies the directory where the kubelet runtime information is stored.
|
||||
KubeletRunDirectory = "/var/lib/kubelet"
|
||||
|
||||
@ -323,9 +343,6 @@ const (
|
||||
// KubeConfigVolumeName specifies the name for the Volume that is used for injecting the kubeconfig to talk securely to the api server for a control plane component if applicable
|
||||
KubeConfigVolumeName = "kubeconfig"
|
||||
|
||||
// NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in
|
||||
NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token"
|
||||
|
||||
// DefaultCIImageRepository points to image registry where CI uploads images from ci build job
|
||||
DefaultCIImageRepository = "gcr.io/k8s-staging-ci-images"
|
||||
|
||||
|
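Review bot: The doc comment carried over with `KubeletBaseConfigMapRole` still reads `// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.`, so it names the neighbouring constant and describes a ConfigMap rather than whatever `"kubeadm:kubelet-config"` actually names; since the line is moving anyway, make it start with its own identifier, e.g. `// KubeletBaseConfigMapRole is the unversioned form of KubeletBaseConfigMapRolePrefix.` (confirm what the value names before wording it). The `KubeProxyClusterRoleBindingName` comment two lines below carries the typo `CluterRoleBinding` from its old location and should read `ClusterRoleBinding`. The move also silently drops the TODOs that sat on `KubeProxyClusterRoleName`, `NodeBootstrapperClusterRoleName` and `CSRAutoApprovalClusterRoleName` in the `@ -39,13 +39,6 @@` and `@ -27,39 +27,18 @@` hunks of the other two files, which warned that these `system:` names are owned elsewhere; the `Starting from v1.8` comment confirms at least one of them is a role the API server creates itself, so a misspelt value here would bind to a role that does not exist rather than fail loudly. Keep that warning visible on the group header, e.g. `// The system:* names below appear to duplicate roles installed by the API server's bootstrap policy and must be kept in sync by hand.`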
@ -39,13 +39,6 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
// KubeProxyClusterRoleName sets the name for the kube-proxy ClusterRole
|
||||
// TODO: This k8s-generic, well-known constant should be fetchable from another source, not be in this package
|
||||
KubeProxyClusterRoleName = "system:node-proxier"
|
||||
|
||||
// KubeProxyClusterRoleBindingName sets the name for the kube-proxy CluterRoleBinding
|
||||
KubeProxyClusterRoleBindingName = "kubeadm:node-proxier"
|
||||
|
||||
// KubeProxyServiceAccountName describes the name of the ServiceAccount for the kube-proxy addon
|
||||
KubeProxyServiceAccountName = "kube-proxy"
|
||||
|
||||
@ -163,12 +156,12 @@ func createKubeProxyAddon(cfg *kubeadmapi.ClusterConfiguration, client clientset
|
||||
func createClusterRoleBindings(client clientset.Interface) error {
|
||||
if err := apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: KubeProxyClusterRoleBindingName,
|
||||
Name: constants.KubeProxyClusterRoleBindingName,
|
||||
},
|
||||
RoleRef: rbac.RoleRef{
|
||||
APIGroup: rbac.GroupName,
|
||||
Kind: "ClusterRole",
|
||||
Name: KubeProxyClusterRoleName,
|
||||
Name: constants.KubeProxyClusterRoleName,
|
||||
},
|
||||
Subjects: []rbac.Subject{
|
||||
{
|
||||
|
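Review bot: `KubeProxyServiceAccountName` stays as a package-local constant at the top of this file while the two RBAC names beside it move to `constants`, so this file now mixes the two homes for kube-proxy's well-known names; the binding's `Subjects` further down `createClusterRoleBindings` (which continues past the hunk) presumably reference it. Either move it alongside the others or say why it stays, e.g. `// KubeProxyServiceAccountName stays here: it is addon-specific, not a well-known authz name.`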
@ -27,39 +27,18 @@ import (
|
||||
"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
|
||||
)
|
||||
|
||||
const (
|
||||
// NodeBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR
|
||||
// TODO: This value should be defined in an other, generic authz package instead of here
|
||||
NodeBootstrapperClusterRoleName = "system:node-bootstrapper"
|
||||
// NodeKubeletBootstrap defines the name of the ClusterRoleBinding that lets kubelets post CSRs
|
||||
NodeKubeletBootstrap = "kubeadm:kubelet-bootstrap"
|
||||
// GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes
|
||||
GetNodesClusterRoleName = "kubeadm:get-nodes"
|
||||
|
||||
// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
|
||||
// TODO: This value should be defined in an other, generic authz package instead of here
|
||||
// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup
|
||||
CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
|
||||
// NodeSelfCSRAutoApprovalClusterRoleName is a role defined in default 1.8 RBAC policies for automatic CSR approvals for automatically rotated node certificates
|
||||
NodeSelfCSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"
|
||||
// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs
|
||||
NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
|
||||
// NodeAutoApproveCertificateRotationClusterRoleBinding defines name of the ClusterRoleBinding that makes the csrapprover approve node auto rotated CSRs
|
||||
NodeAutoApproveCertificateRotationClusterRoleBinding = "kubeadm:node-autoapprove-certificate-rotation"
|
||||
)
|
||||
|
||||
// AllowBootstrapTokensToPostCSRs creates RBAC rules in a way the makes Node Bootstrap Tokens able to post CSRs
|
||||
func AllowBootstrapTokensToPostCSRs(client clientset.Interface) error {
|
||||
fmt.Println("[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials")
|
||||
|
||||
return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: NodeKubeletBootstrap,
|
||||
Name: constants.NodeKubeletBootstrap,
|
||||
},
|
||||
RoleRef: rbac.RoleRef{
|
||||
APIGroup: rbac.GroupName,
|
||||
Kind: "ClusterRole",
|
||||
Name: NodeBootstrapperClusterRoleName,
|
||||
Name: constants.NodeBootstrapperClusterRoleName,
|
||||
},
|
||||
Subjects: []rbac.Subject{
|
||||
{
|
||||
@ -76,7 +55,7 @@ func AllowBoostrapTokensToGetNodes(client clientset.Interface) error {
|
||||
|
||||
if err := apiclient.CreateOrUpdateClusterRole(client, &rbac.ClusterRole{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: GetNodesClusterRoleName,
|
||||
Name: constants.GetNodesClusterRoleName,
|
||||
Namespace: metav1.NamespaceSystem,
|
||||
},
|
||||
Rules: []rbac.PolicyRule{
|
||||
@ -92,13 +71,13 @@ func AllowBoostrapTokensToGetNodes(client clientset.Interface) error {
|
||||
|
||||
return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: GetNodesClusterRoleName,
|
||||
Name: constants.GetNodesClusterRoleName,
|
||||
Namespace: metav1.NamespaceSystem,
|
||||
},
|
||||
RoleRef: rbac.RoleRef{
|
||||
APIGroup: rbac.GroupName,
|
||||
Kind: "ClusterRole",
|
||||
Name: GetNodesClusterRoleName,
|
||||
Name: constants.GetNodesClusterRoleName,
|
||||
},
|
||||
Subjects: []rbac.Subject{
|
||||
{
|
||||
@ -116,12 +95,12 @@ func AutoApproveNodeBootstrapTokens(client clientset.Interface) error {
|
||||
// Always create this kubeadm-specific binding though
|
||||
return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: NodeAutoApproveBootstrapClusterRoleBinding,
|
||||
Name: constants.NodeAutoApproveBootstrapClusterRoleBinding,
|
||||
},
|
||||
RoleRef: rbac.RoleRef{
|
||||
APIGroup: rbac.GroupName,
|
||||
Kind: "ClusterRole",
|
||||
Name: CSRAutoApprovalClusterRoleName,
|
||||
Name: constants.CSRAutoApprovalClusterRoleName,
|
||||
},
|
||||
Subjects: []rbac.Subject{
|
||||
{
|
||||
@ -138,12 +117,12 @@ func AutoApproveNodeCertificateRotation(client clientset.Interface) error {
|
||||
|
||||
return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: NodeAutoApproveCertificateRotationClusterRoleBinding,
|
||||
Name: constants.NodeAutoApproveCertificateRotationClusterRoleBinding,
|
||||
},
|
||||
RoleRef: rbac.RoleRef{
|
||||
APIGroup: rbac.GroupName,
|
||||
Kind: "ClusterRole",
|
||||
Name: NodeSelfCSRAutoApprovalClusterRoleName,
|
||||
Name: constants.NodeSelfCSRAutoApprovalClusterRoleName,
|
||||
},
|
||||
Subjects: []rbac.Subject{
|
||||
{
|
||||
|