mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-28 21:55:48 +00:00
efdb735750
CreateOrRetain is supposed to operate on an object name which isn't necessarily the given object's name (for use in migrations), this restores that feature. Replace all uses of deprecated functions with their generic variants. Providing the context externally isn't useful right now, drop it from the new functions and use context.Background() where needed. Signed-off-by: Stephen Kitt <skitt@redhat.com>
133 lines
4.3 KiB
Go
133 lines
4.3 KiB
Go
/*
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package node
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
rbac "k8s.io/api/rbac/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
clientset "k8s.io/client-go/kubernetes"
|
|
|
|
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
|
|
"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
|
|
)
|
|
|
|
// AllowBootstrapTokensToPostCSRs creates RBAC rules in a way the makes Node Bootstrap Tokens able to post CSRs
|
|
func AllowBootstrapTokensToPostCSRs(client clientset.Interface) error {
|
|
fmt.Println("[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials")
|
|
|
|
return apiclient.CreateOrUpdate(client.RbacV1().ClusterRoleBindings(), &rbac.ClusterRoleBinding{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: constants.NodeKubeletBootstrap,
|
|
},
|
|
RoleRef: rbac.RoleRef{
|
|
APIGroup: rbac.GroupName,
|
|
Kind: "ClusterRole",
|
|
Name: constants.NodeBootstrapperClusterRoleName,
|
|
},
|
|
Subjects: []rbac.Subject{
|
|
{
|
|
Kind: rbac.GroupKind,
|
|
Name: constants.NodeBootstrapTokenAuthGroup,
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
// AllowBootstrapTokensToGetNodes creates RBAC rules to allow Node Bootstrap Tokens to list nodes.
|
|
func AllowBootstrapTokensToGetNodes(client clientset.Interface) error {
|
|
fmt.Println("[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes")
|
|
|
|
if err := apiclient.CreateOrUpdate(client.RbacV1().ClusterRoles(), &rbac.ClusterRole{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: constants.GetNodesClusterRoleName,
|
|
},
|
|
Rules: []rbac.PolicyRule{
|
|
{
|
|
Verbs: []string{"get"},
|
|
APIGroups: []string{""},
|
|
Resources: []string{"nodes"},
|
|
},
|
|
},
|
|
}); err != nil {
|
|
return err
|
|
}
|
|
|
|
return apiclient.CreateOrUpdate(client.RbacV1().ClusterRoleBindings(), &rbac.ClusterRoleBinding{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: constants.GetNodesClusterRoleName,
|
|
},
|
|
RoleRef: rbac.RoleRef{
|
|
APIGroup: rbac.GroupName,
|
|
Kind: "ClusterRole",
|
|
Name: constants.GetNodesClusterRoleName,
|
|
},
|
|
Subjects: []rbac.Subject{
|
|
{
|
|
Kind: rbac.GroupKind,
|
|
Name: constants.NodeBootstrapTokenAuthGroup,
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
// AutoApproveNodeBootstrapTokens creates RBAC rules in a way that makes Node Bootstrap Tokens' CSR auto-approved by the csrapprover controller
|
|
func AutoApproveNodeBootstrapTokens(client clientset.Interface) error {
|
|
fmt.Println("[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token")
|
|
|
|
// Always create this kubeadm-specific binding though
|
|
return apiclient.CreateOrUpdate(client.RbacV1().ClusterRoleBindings(), &rbac.ClusterRoleBinding{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: constants.NodeAutoApproveBootstrapClusterRoleBinding,
|
|
},
|
|
RoleRef: rbac.RoleRef{
|
|
APIGroup: rbac.GroupName,
|
|
Kind: "ClusterRole",
|
|
Name: constants.CSRAutoApprovalClusterRoleName,
|
|
},
|
|
Subjects: []rbac.Subject{
|
|
{
|
|
Kind: rbac.GroupKind,
|
|
Name: constants.NodeBootstrapTokenAuthGroup,
|
|
},
|
|
},
|
|
})
|
|
}
|
|
|
|
// AutoApproveNodeCertificateRotation creates RBAC rules in a way that makes Node certificate rotation CSR auto-approved by the csrapprover controller
|
|
func AutoApproveNodeCertificateRotation(client clientset.Interface) error {
|
|
fmt.Println("[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster")
|
|
|
|
return apiclient.CreateOrUpdate(client.RbacV1().ClusterRoleBindings(), &rbac.ClusterRoleBinding{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: constants.NodeAutoApproveCertificateRotationClusterRoleBinding,
|
|
},
|
|
RoleRef: rbac.RoleRef{
|
|
APIGroup: rbac.GroupName,
|
|
Kind: "ClusterRole",
|
|
Name: constants.NodeSelfCSRAutoApprovalClusterRoleName,
|
|
},
|
|
Subjects: []rbac.Subject{
|
|
{
|
|
Kind: rbac.GroupKind,
|
|
Name: constants.NodesGroup,
|
|
},
|
|
},
|
|
})
|
|
}
|