mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-01-15 14:26:57 +00:00
d5a930bed4
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Avoid copying aggregated admin/edit/view roles during bootstrap Fixes #63760 At apiserver startup, prior to reconciling cluster roles, the following roles (if they exist) are copied: * admin -> system:aggregate-to-admin * edit -> system:aggregate-to-edit * view -> system:aggregate-to-view This was added in 1.9 as part of role aggregation to ensure custom permissions added to the admin/edit/view roles were preserved, prior to making the admin/edit/view roles aggregated (since the permissions of an aggregated role are controller-managed) When starting multiple members of a new HA cluster simultaneously, the following race can occur: * t=0, server 1,2,3 start up * t=1, server 1 finds no admin/edit/view roles exist, begins role reconciliation and creates the aggregated `admin` role * t=2, server 2 finds and copies the `admin` role created by server 1 to `system:aggregate-to-admin` If this race is encountered, it results in `system:aggregate-to-admin` being an aggregated role, and its permissions subject to being overwritten by the aggregating controller. To prevent this from happening, the permission-preserving copy should only copy over roles that are not yet aggregated. To correct this in clusters that have already encountered it, role reconciliation should remove aggregation from a role that is not expected to be aggregated at all. ```release-note corrects a race condition in bootstrapping aggregated cluster roles in new HA clusters ```