diff --git a/cmd/kube-controller-manager/app/options/options.go b/cmd/kube-controller-manager/app/options/options.go
index 9db6f5355c4..7d81d8e276d 100644
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@@ -197,7 +197,7 @@ func (s *CMServer) AddFlags(fs *pflag.FlagSet, allControllers []string, disabled
 	fs.DurationVar(&s.ClusterSigningDuration.Duration, "experimental-cluster-signing-duration", s.ClusterSigningDuration.Duration, "The length of duration signed certificates will be given.")
 	var dummy string
 	fs.MarkDeprecated("insecure-experimental-approve-all-kubelet-csrs-for-group", "This flag does nothing.")
-	fs.StringVar(&dummy, "insecure-experimental-approve-all-kubelet-csrs-for-group", s.ApproveAllKubeletCSRsForGroup, "This flag does nothing.")
+	fs.StringVar(&dummy, "insecure-experimental-approve-all-kubelet-csrs-for-group", "", "This flag does nothing.")
 	fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
 	fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled")
 	fs.StringVar(&s.ClusterName, "cluster-name", s.ClusterName, "The instance prefix for the cluster")
diff --git a/cmd/kubeadm/app/master/BUILD b/cmd/kubeadm/app/master/BUILD
index 1ff50b59d7f..b8f889bc81c 100644
--- a/cmd/kubeadm/app/master/BUILD
+++ b/cmd/kubeadm/app/master/BUILD
@@ -22,7 +22,6 @@ go_library(
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/images:go_default_library",
         "//cmd/kubeadm/app/util/kubeconfig:go_default_library",
-        "//pkg/bootstrap/api:go_default_library",
         "//pkg/kubeapiserver/authorizer/modes:go_default_library",
         "//pkg/kubectl/cmd/util:go_default_library",
         "//pkg/util/version:go_default_library",
diff --git a/cmd/kubeadm/app/master/manifests.go b/cmd/kubeadm/app/master/manifests.go
index 6b6be424859..dfcfb6dad24 100644
--- a/cmd/kubeadm/app/master/manifests.go
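Review bot: `fs.MarkDeprecated(...)` on the line above the changed `fs.StringVar` runs before the flag is defined; pflag's MarkDeprecated looks the flag up by name and returns an error when it does not exist, and that error is discarded here, so as far as this hunk shows the deprecation notice is never attached and an operator still passing the flag gets no warning that it has silently become a no-op. Swap the two calls and keep the error: `fs.StringVar(&dummy, "insecure-experimental-approve-all-kubelet-csrs-for-group", "", "This flag does nothing.")` followed by `fs.MarkDeprecated("insecure-experimental-approve-all-kubelet-csrs-for-group", "This flag does nothing.")`, or at least check what MarkDeprecated returns. With the default now an empty literal, `s.ApproveAllKubeletCSRsForGroup` appears to have no remaining reader in this function; the CMServer struct is outside the hunk, so whether the field can be dropped cannot be confirmed here. AddFlags continues outside the hunk.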
+++ b/cmd/kubeadm/app/master/manifests.go
@@ -33,7 +33,6 @@ import (
 	kubeadmapiext "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/images"
-	bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 	"k8s.io/kubernetes/pkg/util/version"
@@ -419,16 +418,15 @@ func getControllerManagerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted
 	}
 
 	defaultArguments := map[string]string{
-		"address":                                                  "127.0.0.1",
-		"leader-elect":                                             "true",
-		"kubeconfig":                                               filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName),
-		"root-ca-file":                                             filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
-		"service-account-private-key-file":                         filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPrivateKeyName),
-		"cluster-signing-cert-file":                                filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
-		"cluster-signing-key-file":                                 filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName),
-		"insecure-experimental-approve-all-kubelet-csrs-for-group": bootstrapapi.BootstrapGroup,
-		"use-service-account-credentials":                          "true",
-		"controllers":                                              "*,bootstrapsigner,tokencleaner",
+		"address":                          "127.0.0.1",
+		"leader-elect":                     "true",
+		"kubeconfig":                       filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName),
+		"root-ca-file":                     filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
+		"service-account-private-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPrivateKeyName),
+		"cluster-signing-cert-file":        filepath.Join(cfg.CertificatesDir, kubeadmconstants.CACertName),
+		"cluster-signing-key-file":         filepath.Join(cfg.CertificatesDir, kubeadmconstants.CAKeyName),
+		"use-service-account-credentials":  "true",
+		"controllers":                      "*,bootstrapsigner,tokencleaner",
 	}
 
 	command = getComponentBaseCommand(controllerManager)
diff --git a/cmd/kubeadm/app/master/manifests_test.go b/cmd/kubeadm/app/master/manifests_test.go
index 8896f94fa83..7b34c3db0d8 100644
--- a/cmd/kubeadm/app/master/manifests_test.go
+++ b/cmd/kubeadm/app/master/manifests_test.go
@@ -676,7 +676,6 @@ func TestGetControllerManagerCommand(t *testing.T) {
 				"--service-account-private-key-file=" + testCertsDir + "/sa.key",
 				"--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
 				"--cluster-signing-key-file=" + testCertsDir + "/ca.key",
-				"--insecure-experimental-approve-all-kubelet-csrs-for-group=system:bootstrappers",
 				"--use-service-account-credentials=true",
 				"--controllers=*,bootstrapsigner,tokencleaner",
 			},
@@ -695,7 +694,6 @@ func TestGetControllerManagerCommand(t *testing.T) {
 				"--service-account-private-key-file=" + testCertsDir + "/sa.key",
 				"--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
 				"--cluster-signing-key-file=" + testCertsDir + "/ca.key",
-				"--insecure-experimental-approve-all-kubelet-csrs-for-group=system:bootstrappers",
 				"--use-service-account-credentials=true",
 				"--controllers=*,bootstrapsigner,tokencleaner",
 				"--cloud-provider=foo",
@@ -715,7 +713,6 @@ func TestGetControllerManagerCommand(t *testing.T) {
 				"--service-account-private-key-file=" + testCertsDir + "/sa.key",
 				"--cluster-signing-cert-file=" + testCertsDir + "/ca.crt",
 				"--cluster-signing-key-file=" + testCertsDir + "/ca.key",
-				"--insecure-experimental-approve-all-kubelet-csrs-for-group=system:bootstrappers",
 				"--use-service-account-credentials=true",
 				"--controllers=*,bootstrapsigner,tokencleaner",
 				"--allocate-node-cidrs=true",
diff --git a/cmd/kubeadm/app/phases/apiconfig/clusterroles.go b/cmd/kubeadm/app/phases/apiconfig/clusterroles.go
index 795c4d272e8..08e8910da47 100644
--- a/cmd/kubeadm/app/phases/apiconfig/clusterroles.go
+++ b/cmd/kubeadm/app/phases/apiconfig/clusterroles.go
@@ -35,32 +35,16 @@ const (
 	// BootstrapSignerClusterRoleName sets the name for the ClusterRole that allows access to ConfigMaps in the kube-public ns
 	BootstrapSignerClusterRoleName = "system:bootstrap-signer-clusterinfo"
 
-	// Constants
-	clusterRoleKind    = "ClusterRole"
-	roleKind           = "Role"
-	serviceAccountKind = "ServiceAccount"
-	rbacAPIGroup       = "rbac.authorization.k8s.io"
-	anonymousUser      = "system:anonymous"
+	clusterRoleKind          = "ClusterRole"
+	roleKind                 = "Role"
+	serviceAccountKind       = "ServiceAccount"
+	rbacAPIGroup             = "rbac.authorization.k8s.io"
+	anonymousUser            = "system:anonymous"
+	nodeAutoApproveBootstrap = "kubeadm:node-autoapprove-bootstrap"
 )
 
 // TODO: Are there any unit tests that could be made for this file other than duplicating all values and logic in a separate file?
 
-// CreateRBACRules creates the essential RBAC rules for a minimally set-up cluster
-func CreateRBACRules(clientset *clientset.Clientset) error {
-	if err := CreateRoles(clientset); err != nil {
-		return err
-	}
-	if err := CreateRoleBindings(clientset); err != nil {
-		return err
-	}
-	if err := CreateClusterRoleBindings(clientset); err != nil {
-		return err
-	}
-
-	fmt.Println("[apiconfig] Created RBAC rules")
-	return nil
-}
-
 // CreateServiceAccounts creates the necessary serviceaccounts that kubeadm uses/might use.
 func CreateServiceAccounts(clientset *clientset.Clientset) error {
 	serviceAccounts := []v1.ServiceAccount{
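Review bot: The new constant `nodeAutoApproveBootstrap` has no doc comment, while its sibling `BootstrapSignerClusterRoleName` a few lines up says what the named object grants; since this one name is reused for both a ClusterRole and its ClusterRoleBinding, a reader of the const block cannot tell that it is the hook that turns a bootstrap token into an auto-approvable kubelet CSR. Suggest `// nodeAutoApproveBootstrap names the ClusterRole and ClusterRoleBinding that let the bootstrap-token group create certificatesigningrequests/nodeclient, the RBAC replacement for the removed --insecure-experimental-approve-all-kubelet-csrs-for-group controller-manager flag.` Dropping the bare `// Constants` header is fine. The const block closes inside this hunk; the relocated CreateRBACRules is reviewed where it reappears later in the file.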
@@ -86,8 +70,26 @@ func CreateServiceAccounts(clientset *clientset.Clientset) error {
 	return nil
 }
 
-// CreateRoles creates namespaces RBAC Roles
-func CreateRoles(clientset *clientset.Clientset) error {
+// CreateRBACRules creates the essential RBAC rules for a minimally set-up cluster
+func CreateRBACRules(clientset *clientset.Clientset) error {
+	if err := createRoles(clientset); err != nil {
+		return err
+	}
+	if err := createRoleBindings(clientset); err != nil {
+		return err
+	}
+	if err := createClusterRoles(clientset); err != nil {
+		return err
+	}
+	if err := createClusterRoleBindings(clientset); err != nil {
+		return err
+	}
+
+	fmt.Println("[apiconfig] Created RBAC rules")
+	return nil
+}
+
+func createRoles(clientset *clientset.Clientset) error {
 	roles := []rbac.Role{
 		{
 			ObjectMeta: metav1.ObjectMeta{
@@ -107,8 +109,7 @@ func CreateRoles(clientset *clientset.Clientset) error {
 	return nil
 }
 
-// CreateRoleBindings creates all namespaced and necessary bindings between bootstrapped & kubeadm-created ClusterRoles and subjects kubeadm is using
-func CreateRoleBindings(clientset *clientset.Clientset) error {
+func createRoleBindings(clientset *clientset.Clientset) error {
 	roleBindings := []rbac.RoleBinding{
 		{
 			ObjectMeta: metav1.ObjectMeta{
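Review bot: `createRoles` and `createRoleBindings` lost their doc comments when they were unexported, and `createClusterRoles`, which CreateRBACRules now calls before `createClusterRoleBindings`, has none either, so the one-line summary on CreateRBACRules is the only description left of what each step installs. Keep a one-liner on each helper, e.g. `// createRoles creates the namespaced Roles kubeadm needs` and `// createRoleBindings binds kubeadm's subjects to those Roles`. The new call sequence creates the ClusterRole before the binding that references it by name; a note on that call such as `// ClusterRoles first, so the bindings below never reference a missing role` would record the intent. Each helper's body runs past the hunk.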
@@ -137,8 +138,27 @@ func CreateRoleBindings(clientset *clientset.Clientset) error {
 	return nil
 }
 
-// CreateClusterRoleBindings creates all necessary bindings between bootstrapped & kubeadm-created ClusterRoles and subjects kubeadm is using
-func CreateClusterRoleBindings(clientset *clientset.Clientset) error {
+func createClusterRoles(clientset *clientset.Clientset) error {
+	clusterRoles := []rbac.ClusterRole{
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: nodeAutoApproveBootstrap,
+			},
+			Rules: []rbac.PolicyRule{
+				rbac.NewRule("create").Groups("certificates.k8s.io").Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
+			},
+		},
+	}
+
+	for _, roleBinding := range clusterRoles {
+		if _, err := clientset.RbacV1beta1().ClusterRoles().Create(&roleBinding); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func createClusterRoleBindings(clientset *clientset.Clientset) error {
 	clusterRoleBindings := []rbac.ClusterRoleBinding{
 		{
 			ObjectMeta: metav1.ObjectMeta{
@@ -156,6 +176,22 @@ func CreateClusterRoleBindings(clientset *clientset.Clientset) error {
 				},
 			},
 		},
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: nodeAutoApproveBootstrap,
+			},
+			RoleRef: rbac.RoleRef{
+				APIGroup: rbacAPIGroup,
+				Kind:     clusterRoleKind,
+				Name:     nodeAutoApproveBootstrap,
+			},
+			Subjects: []rbac.Subject{
+				{
+					Kind: "Group",
+					Name: bootstrapapi.BootstrapGroup,
+				},
+			},
+		},
 		{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "kubeadm:node-proxier",
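Review bot: The new binding grants every member of `bootstrapapi.BootstrapGroup` cluster-wide `create` on `certificatesigningrequests/nodeclient`, which means possession of any valid bootstrap token is now enough to obtain an auto-approved kubelet client certificate (assuming the CSR approver, which is outside this diff, auto-approves requests made through that subresource); that trust decision deserves a comment on the ClusterRole in createClusterRoles, e.g. `// Any holder of a bootstrap token may request a kubelet client cert through the nodeclient subresource; treat tokens as node credentials and keep their TTLs short.` Only `nodeclient` is granted here, so if renewal of kubelet client certificates via the selfnodeclient subresource is expected to be auto-approved it needs its own rule — I cannot tell from this diff whether that is intended. In createClusterRoles the loop variable is named `roleBinding` although it ranges over ClusterRoles; `for _, clusterRole := range clusterRoles {` with `.Create(&clusterRole)` reads correctly. createClusterRoleBindings, which owns the second hunk, continues past the hunk.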