make kubeadm use new sar approver

cmd/kube-controller-manager/app/options/options.go

@@ -197,7 +197,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
 	fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
 	var dummy string
 	fs.MarkDeprecated("insecure-experimental-approve-all-kubelet-csrs-for-group", "This flag does nothing.")
-	fs.StringVar(&dummy, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "This flag does nothing.")
+	fs.StringVar(&dummy, "insecure-experimental-approve-all-kubelet-csrs-for-group", "", "This flag does nothing.")
 	fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
 	fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")
 	fs.StringVar(&s.ClusterName, "cluster-name", s.ClusterName, "The instance prefix for the cluster")

cmd/kubeadm/app/master/BUILD

@@ -22,7 +22,6 @@ go_library(
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/images:go_default_library",
         "//cmd/kubeadm/app/util/kubeconfig:go_default_library",
-        "//pkg/bootstrap/api:go_default_library",
         "//pkg/kubeapiserver/authorizer/modes:go_default_library",
         "//pkg/kubectl/cmd/util:go_default_library",
         "//pkg/util/version:go_default_library",

cmd/kubeadm/app/master/manifests.go

@@ -33,7 +33,6 @@ import (
 	kubeadmapiext "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/images"
-	bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 	"k8s.io/kubernetes/pkg/util/version"
@@ -419,16 +418,15 @@ func getControllerManagerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted
 	}
 
 	defaultArguments := map[string]string{
-		"address":                                                  "127.0.0.1",
-		"leader-elect":                                             "true",
-		"kubeconfig":                                               filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName),
-		"root-ca-file":                                             filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
-		"service-account-private-key-file":                         filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPrivateKeyName),
-		"cluster-signing-cert-file":                                filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
-		"cluster-signing-key-file":                                 filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName),
-		"insecure-experimental-approve-all-kubelet-csrs-for-group": bootstrapapi.BootstrapGroup,
-		"use-service-account-credentials":                          "true",
-		"controllers":                                              "*,bootstrapsigner,tokencleaner",
+		"address":                          "127.0.0.1",
+		"leader-elect":                     "true",
+		"kubeconfig":                       filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName),
+		"root-ca-file":                     filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
+		"service-account-private-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPrivateKeyName),
+		"cluster-signing-cert-file":        filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
+		"cluster-signing-key-file":         filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName),
+		"use-service-account-credentials":  "true",
+		"controllers":                      "*,bootstrapsigner,tokencleaner",
 	}
 
 	command = getComponentBaseCommand(controllerManager)

cmd/kubeadm/app/master/manifests_test.go

@@ -676,7 +676,6 @@ func TestGetControllerManagerCommand(t *testing.T) {
 				"--service-account-private-key-file=" + testCertsDir + "/sa.key",
 				"--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
 				"--cluster-signing-key-file=" + testCertsDir + "/ca.key",
-				"--insecure-experimental-approve-all-kubelet-csrs-for-group=system:bootstrappers",
 				"--use-service-account-credentials=true",
 				"--controllers=*,bootstrapsigner,tokencleaner",
 			},
@@ -695,7 +694,6 @@ func TestGetControllerManagerCommand(t *testing.T) {
 				"--service-account-private-key-file=" + testCertsDir + "/sa.key",
 				"--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
 				"--cluster-signing-key-file=" + testCertsDir + "/ca.key",
-				"--insecure-experimental-approve-all-kubelet-csrs-for-group=system:bootstrappers",
 				"--use-service-account-credentials=true",
 				"--controllers=*,bootstrapsigner,tokencleaner",
 				"--cloud-provider=foo",
@@ -715,7 +713,6 @@ func TestGetControllerManagerCommand(t *testing.T) {
 				"--service-account-private-key-file=" + testCertsDir + "/sa.key",
 				"--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
 				"--cluster-signing-key-file=" + testCertsDir + "/ca.key",
-				"--insecure-experimental-approve-all-kubelet-csrs-for-group=system:bootstrappers",
 				"--use-service-account-credentials=true",
 				"--controllers=*,bootstrapsigner,tokencleaner",
 				"--allocate-node-cidrs=true",

cmd/kubeadm/app/phases/apiconfig/clusterroles.go

@@ -35,32 +35,16 @@ const (
 	// BootstrapSignerClusterRoleName sets the name for the ClusterRole that allows access to ConfigMaps in the kube-public ns
 	BootstrapSignerClusterRoleName = "system:bootstrap-signer-clusterinfo"
 
-	// Constants
-	clusterRoleKind    = "ClusterRole"
-	roleKind           = "Role"
-	serviceAccountKind = "ServiceAccount"
-	rbacAPIGroup       = "rbac.authorization.k8s.io"
-	anonymousUser      = "system:anonymous"
+	clusterRoleKind          = "ClusterRole"
+	roleKind                 = "Role"
+	serviceAccountKind       = "ServiceAccount"
+	rbacAPIGroup             = "rbac.authorization.k8s.io"
+	anonymousUser            = "system:anonymous"
+	nodeAutoApproveBootstrap = "kubeadm:node-autoapprove-bootstrap"
 )
 
 // TODO: Are there any unit tests that could be made for this file other than duplicating all values and logic in a separate file?
 
-// CreateRBACRules creates the essential RBAC rules for a minimally set-up cluster
-func CreateRBACRules(clientset *clientset.Clientset) error {
-	if err := CreateRoles(clientset); err != nil {
-		return err
-	}
-	if err := CreateRoleBindings(clientset); err != nil {
-		return err
-	}
-	if err := CreateClusterRoleBindings(clientset); err != nil {
-		return err
-	}
-
-	fmt.Println("[apiconfig] Created RBAC rules")
-	return nil
-}
-
 // CreateServiceAccounts creates the necessary serviceaccounts that kubeadm uses/might use.
 func CreateServiceAccounts(clientset *clientset.Clientset) error {
 	serviceAccounts := []v1.ServiceAccount{
@@ -86,8 +70,26 @@ func CreateServiceAccounts(clientset *clientset.Clientset) error {
 	return nil
 }
 
-// CreateRoles creates namespaces RBAC Roles
-func CreateRoles(clientset *clientset.Clientset) error {
+// CreateRBACRules creates the essential RBAC rules for a minimally set-up cluster
+func CreateRBACRules(clientset *clientset.Clientset) error {
+	if err := createRoles(clientset); err != nil {
+		return err
+	}
+	if err := createRoleBindings(clientset); err != nil {
+		return err
+	}
+	if err := createClusterRoles(clientset); err != nil {
+		return err
+	}
+	if err := createClusterRoleBindings(clientset); err != nil {
+		return err
+	}
+
+	fmt.Println("[apiconfig] Created RBAC rules")
+	return nil
+}
+
+func createRoles(clientset *clientset.Clientset) error {
 	roles := []rbac.Role{
 		{
 			ObjectMeta: metav1.ObjectMeta{
@@ -107,8 +109,7 @@ func CreateRoles(clientset *clientset.Clientset) error {
 	return nil
 }
 
-// CreateRoleBindings creates all namespaced and necessary bindings between bootstrapped & kubeadm-created ClusterRoles and subjects kubeadm is using
-func CreateRoleBindings(clientset *clientset.Clientset) error {
+func createRoleBindings(clientset *clientset.Clientset) error {
 	roleBindings := []rbac.RoleBinding{
 		{
 			ObjectMeta: metav1.ObjectMeta{
@@ -137,8 +138,27 @@ func CreateRoleBindings(clientset *clientset.Clientset) error {
 	return nil
 }
 
-// CreateClusterRoleBindings creates all necessary bindings between bootstrapped & kubeadm-created ClusterRoles and subjects kubeadm is using
-func CreateClusterRoleBindings(clientset *clientset.Clientset) error {
+func createClusterRoles(clientset *clientset.Clientset) error {
+	clusterRoles := []rbac.ClusterRole{
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: nodeAutoApproveBootstrap,
+			},
+			Rules: []rbac.PolicyRule{
+				rbac.NewRule("create").Groups("certificates.k8s.io").Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
+			},
+		},
+	}
+
+	for _, roleBinding := range clusterRoles {
+		if _, err := clientset.RbacV1beta1().ClusterRoles().Create(&roleBinding); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func createClusterRoleBindings(clientset *clientset.Clientset) error {
 	clusterRoleBindings := []rbac.ClusterRoleBinding{
 		{
 			ObjectMeta: metav1.ObjectMeta{
@@ -156,6 +176,22 @@ func CreateClusterRoleBindings(clientset *clientset.Clientset) error {
 				},
 			},
 		},
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: nodeAutoApproveBootstrap,
+			},
+			RoleRef: rbac.RoleRef{
+				APIGroup: rbacAPIGroup,
+				Kind:     clusterRoleKind,
+				Name:     nodeAutoApproveBootstrap,
+			},
+			Subjects: []rbac.Subject{
+				{
+					Kind: "Group",
+					Name: bootstrapapi.BootstrapGroup,
+				},
+			},
+		},
 		{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "kubeadm:node-proxier",