Merge pull request #106883 from calvin0327/move-well-know-systemConstant

kubeadm: move well-known system constants to constants.go

cmd/kubeadm/app/apis/output/fuzzer/fuzzer.go

@@ -26,6 +26,7 @@ import (
 
 	bootstraptokenv1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/bootstraptoken/v1"
 	"k8s.io/kubernetes/cmd/kubeadm/app/apis/output"
+	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 )
 
 // Funcs returns the fuzzer functions for the kubeadm apis.
@@ -42,5 +43,5 @@ func fuzzBootstrapToken(obj *output.BootstrapToken, c fuzz.Continue) {
 	obj.Description = ""
 	obj.TTL = &metav1.Duration{Duration: time.Hour * 24}
 	obj.Usages = []string{"authentication", "signing"}
-	obj.Groups = []string{"system:bootstrappers:kubeadm:default-node-token"}
+	obj.Groups = []string{constants.NodeBootstrapTokenAuthGroup}
 }

cmd/kubeadm/app/constants/constants.go

@@ -160,24 +160,52 @@ const (
 	// SchedulerKubeConfigFileName defines the file name for the scheduler's kubeconfig file
 	SchedulerKubeConfigFileName = "scheduler.conf"
 
-	// Some well-known users and groups in the core Kubernetes authorization system
+	// Some well-known users, groups, roles and clusterrolebindings in the core Kubernetes authorization system
 
 	// ControllerManagerUser defines the well-known user the controller-manager should be authenticated as
 	ControllerManagerUser = "system:kube-controller-manager"
 	// SchedulerUser defines the well-known user the scheduler should be authenticated as
 	SchedulerUser = "system:kube-scheduler"
+	// NodesUserPrefix defines the user name prefix as requested by the Node authorizer.
+	NodesUserPrefix = "system:node:"
 	// SystemPrivilegedGroup defines the well-known group for the apiservers. This group is also superuser by default
 	// (i.e. bound to the cluster-admin ClusterRole)
 	SystemPrivilegedGroup = "system:masters"
 	// NodesGroup defines the well-known group for all nodes.
 	NodesGroup = "system:nodes"
-	// NodesUserPrefix defines the user name prefix as requested by the Node authorizer.
+	// NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in
-	NodesUserPrefix = "system:node:"
+	NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token"
+	// KubeProxyClusterRoleName sets the name for the kube-proxy ClusterRole
+	KubeProxyClusterRoleName = "system:node-proxier"
+	// NodeBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR
+	NodeBootstrapperClusterRoleName = "system:node-bootstrapper"
+	// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
+	// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup
+	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
+	// NodeSelfCSRAutoApprovalClusterRoleName is a role defined in default 1.8 RBAC policies for automatic CSR approvals for automatically rotated node certificates
+	NodeSelfCSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"
 	// NodesClusterRoleBinding defines the well-known ClusterRoleBinding which binds the too permissive system:node
 	// ClusterRole to the system:nodes group. Since kubeadm is using the Node Authorizer, this ClusterRoleBinding's
 	// system:nodes group subject is removed if present.
 	NodesClusterRoleBinding = "system:node"
 
+	// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.
+	// TODO: Remove once UnversionedKubeletConfigMap graduates to GA:
+	// https://github.com/kubernetes/kubeadm/issues/1582
+	KubeletBaseConfigMapRolePrefix = "kubeadm:kubelet-config-"
+	// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.
+	KubeletBaseConfigMapRole = "kubeadm:kubelet-config"
+	// KubeProxyClusterRoleBindingName sets the name for the kube-proxy CluterRoleBinding
+	KubeProxyClusterRoleBindingName = "kubeadm:node-proxier"
+	// NodeKubeletBootstrap defines the name of the ClusterRoleBinding that lets kubelets post CSRs
+	NodeKubeletBootstrap = "kubeadm:kubelet-bootstrap"
+	// GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes
+	GetNodesClusterRoleName = "kubeadm:get-nodes"
+	// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs
+	NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
+	// NodeAutoApproveCertificateRotationClusterRoleBinding defines name of the ClusterRoleBinding that makes the csrapprover approve node auto rotated CSRs
+	NodeAutoApproveCertificateRotationClusterRoleBinding = "kubeadm:node-autoapprove-certificate-rotation"
+
 	// APICallRetryInterval defines how long kubeadm should wait before retrying a failed API operation
 	APICallRetryInterval = 500 * time.Millisecond
 	// DiscoveryRetryInterval specifies how long kubeadm should wait before retrying to connect to the control-plane when doing discovery
@@ -269,14 +297,6 @@ const (
 	// KubeletBaseConfigurationConfigMapKey specifies in what ConfigMap key the initial remote configuration of kubelet should be stored
 	KubeletBaseConfigurationConfigMapKey = "kubelet"
 
-	// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.
-	// TODO: Remove once UnversionedKubeletConfigMap graduates to GA:
-	// https://github.com/kubernetes/kubeadm/issues/1582
-	KubeletBaseConfigMapRolePrefix = "kubeadm:kubelet-config-"
-
-	// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.
-	KubeletBaseConfigMapRole = "kubeadm:kubelet-config"
-
 	// KubeletRunDirectory specifies the directory where the kubelet runtime information is stored.
 	KubeletRunDirectory = "/var/lib/kubelet"
 
@@ -323,9 +343,6 @@ const (
 	// KubeConfigVolumeName specifies the name for the Volume that is used for injecting the kubeconfig to talk securely to the api server for a control plane component if applicable
 	KubeConfigVolumeName = "kubeconfig"
 
-	// NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in
-	NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token"
-
 	// DefaultCIImageRepository points to image registry where CI uploads images from ci build job
 	DefaultCIImageRepository = "gcr.io/k8s-staging-ci-images"
 

cmd/kubeadm/app/phases/addons/proxy/proxy.go

@@ -39,13 +39,6 @@ import (
 )
 
 const (
-	// KubeProxyClusterRoleName sets the name for the kube-proxy ClusterRole
-	// TODO: This k8s-generic, well-known constant should be fetchable from another source, not be in this package
-	KubeProxyClusterRoleName = "system:node-proxier"
-
-	// KubeProxyClusterRoleBindingName sets the name for the kube-proxy CluterRoleBinding
-	KubeProxyClusterRoleBindingName = "kubeadm:node-proxier"
-
 	// KubeProxyServiceAccountName describes the name of the ServiceAccount for the kube-proxy addon
 	KubeProxyServiceAccountName = "kube-proxy"
 
@@ -163,12 +156,12 @@ func createKubeProxyAddon(cfg *kubeadmapi.ClusterConfiguration, client clientset
 func createClusterRoleBindings(client clientset.Interface) error {
 	if err := apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: KubeProxyClusterRoleBindingName,
+			Name: constants.KubeProxyClusterRoleBindingName,
 		},
 		RoleRef: rbac.RoleRef{
 			APIGroup: rbac.GroupName,
 			Kind:     "ClusterRole",
-			Name:     KubeProxyClusterRoleName,
+			Name:     constants.KubeProxyClusterRoleName,
 		},
 		Subjects: []rbac.Subject{
 			{

cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go

@@ -27,39 +27,18 @@ import (
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
 )
 
-const (
-	// NodeBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR
-	// TODO: This value should be defined in an other, generic authz package instead of here
-	NodeBootstrapperClusterRoleName = "system:node-bootstrapper"
-	// NodeKubeletBootstrap defines the name of the ClusterRoleBinding that lets kubelets post CSRs
-	NodeKubeletBootstrap = "kubeadm:kubelet-bootstrap"
-	// GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes
-	GetNodesClusterRoleName = "kubeadm:get-nodes"
-
-	// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
-	// TODO: This value should be defined in an other, generic authz package instead of here
-	// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup
-	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
-	// NodeSelfCSRAutoApprovalClusterRoleName is a role defined in default 1.8 RBAC policies for automatic CSR approvals for automatically rotated node certificates
-	NodeSelfCSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"
-	// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs
-	NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
-	// NodeAutoApproveCertificateRotationClusterRoleBinding defines name of the ClusterRoleBinding that makes the csrapprover approve node auto rotated CSRs
-	NodeAutoApproveCertificateRotationClusterRoleBinding = "kubeadm:node-autoapprove-certificate-rotation"
-)
-
 // AllowBootstrapTokensToPostCSRs creates RBAC rules in a way the makes Node Bootstrap Tokens able to post CSRs
 func AllowBootstrapTokensToPostCSRs(client clientset.Interface) error {
 	fmt.Println("[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials")
 
 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: NodeKubeletBootstrap,
+			Name: constants.NodeKubeletBootstrap,
 		},
 		RoleRef: rbac.RoleRef{
 			APIGroup: rbac.GroupName,
 			Kind:     "ClusterRole",
-			Name:     NodeBootstrapperClusterRoleName,
+			Name:     constants.NodeBootstrapperClusterRoleName,
 		},
 		Subjects: []rbac.Subject{
 			{
@@ -76,7 +55,7 @@ func AllowBoostrapTokensToGetNodes(client clientset.Interface) error {
 
 	if err := apiclient.CreateOrUpdateClusterRole(client, &rbac.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      GetNodesClusterRoleName,
+			Name:      constants.GetNodesClusterRoleName,
 			Namespace: metav1.NamespaceSystem,
 		},
 		Rules: []rbac.PolicyRule{
@@ -92,13 +71,13 @@ func AllowBoostrapTokensToGetNodes(client clientset.Interface) error {
 
 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      GetNodesClusterRoleName,
+			Name:      constants.GetNodesClusterRoleName,
 			Namespace: metav1.NamespaceSystem,
 		},
 		RoleRef: rbac.RoleRef{
 			APIGroup: rbac.GroupName,
 			Kind:     "ClusterRole",
-			Name:     GetNodesClusterRoleName,
+			Name:     constants.GetNodesClusterRoleName,
 		},
 		Subjects: []rbac.Subject{
 			{
@@ -116,12 +95,12 @@ func AutoApproveNodeBootstrapTokens(client clientset.Interface) error {
 	// Always create this kubeadm-specific binding though
 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: NodeAutoApproveBootstrapClusterRoleBinding,
+			Name: constants.NodeAutoApproveBootstrapClusterRoleBinding,
 		},
 		RoleRef: rbac.RoleRef{
 			APIGroup: rbac.GroupName,
 			Kind:     "ClusterRole",
-			Name:     CSRAutoApprovalClusterRoleName,
+			Name:     constants.CSRAutoApprovalClusterRoleName,
 		},
 		Subjects: []rbac.Subject{
 			{
@@ -138,12 +117,12 @@ func AutoApproveNodeCertificateRotation(client clientset.Interface) error {
 
 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: NodeAutoApproveCertificateRotationClusterRoleBinding,
+			Name: constants.NodeAutoApproveCertificateRotationClusterRoleBinding,
 		},
 		RoleRef: rbac.RoleRef{
 			APIGroup: rbac.GroupName,
 			Kind:     "ClusterRole",
-			Name:     NodeSelfCSRAutoApprovalClusterRoleName,
+			Name:     constants.NodeSelfCSRAutoApprovalClusterRoleName,
 		},
 		Subjects: []rbac.Subject{
 			{