mirror of https://github.com/k3s-io/k3s
5995690396
Automatic merge from submit-queue Node authorizer This PR implements the authorization portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and kubernetes/features#279: * Adds a new authorization mode (`Node`) that authorizes requests from nodes based on a graph of related pods,secrets,configmaps,pvcs, and pvs: * Watches pods, adds edges (secret -> pod, configmap -> pod, pvc -> pod, pod -> node) * Watches pvs, adds edges (secret -> pv, pv -> pvc) * When both Node and RBAC authorization modes are enabled, the default RBAC binding that grants the `system:node` role to the `system:nodes` group is not automatically created. * Tightens the `NodeRestriction` admission plugin to require identifiable nodes for requests from users in the `system:nodes` group. This authorization mode is intended to be used in combination with the `NodeRestriction` admission plugin, which limits the pods and nodes a node may modify. To enable in combination with RBAC authorization and the NodeRestriction admission plugin: * start the API server with `--authorization-mode=Node,RBAC --admission-control=...,NodeRestriction,...` * start kubelets with TLS boostrapping or with client credentials that place them in the `system:nodes` group with a username of `system:node:<nodeName>` ```release-note kube-apiserver: a new authorization mode (`--authorization-mode=Node`) authorizes nodes to access secrets, configmaps, persistent volume claims and persistent volumes related to their pods. * Nodes must use client credentials that place them in the `system:nodes` group with a username of `system:node:<nodeName>` in order to be authorized by the node authorizer (the credentials obtained by the kubelet via TLS bootstrapping satisfy these requirements) * When used in combination with the `RBAC` authorization mode (`--authorization-mode=Node,RBAC`), the `system:node` role is no longer automatically granted to the `system:nodes` group. ``` ```release-note RBAC: the automatic binding of the `system:node` role to the `system:nodes` group is deprecated and will not be created in future releases. It is recommended that nodes be authorized using the new `Node` authorization mode instead. Installations that wish to continue giving all members of the `system:nodes` group the `system:node` role (which grants broad read access, including all secrets and configmaps) must create an installation-specific ClusterRoleBinding. ``` Follow-up: - [ ] enable e2e CI environment with admission and authorizer enabled (blocked by kubelet TLS bootstrapping enablement in https://github.com/kubernetes/kubernetes/pull/40760) - [ ] optionally enable this authorizer and admission plugin in kubeadm - [ ] optionally enable this authorizer and admission plugin in kube-up |
||
|---|---|---|
| .. | ||
| boilerplate | ||
| cmd/teststale | ||
| e2e-internal | ||
| gen-swagger-doc | ||
| jenkins | ||
| lib | ||
| make-rules | ||
| testdata | ||
| verify-flags | ||
| .linted_packages | ||
| BUILD | ||
| OWNERS | ||
| autogenerated_placeholder.txt | ||
| benchmark-go.sh | ||
| build-cross.sh | ||
| build-go.sh | ||
| build-ui.sh | ||
| cherry_pick_pull.sh | ||
| dev-build-and-push.sh | ||
| dev-build-and-up.sh | ||
| dev-push-hyperkube.sh | ||
| e2e-node-test.sh | ||
| e2e.go | ||
| e2e_test.go | ||
| federated-ginkgo-e2e.sh | ||
| generate-bindata.sh | ||
| generate-docs.sh | ||
| get-build.sh | ||
| ginkgo-e2e.sh | ||
| godep-restore.sh | ||
| godep-save.sh | ||
| grab-profiles.sh | ||
| install-etcd.sh | ||
| list-feature-tests.sh | ||
| local-up-cluster.sh | ||
| lookup_pull.py | ||
| print-workspace-status.sh | ||
| run-in-gopath.sh | ||
| test-cmd.sh | ||
| test-go.sh | ||
| test-integration.sh | ||
| test-update-storage-objects.sh | ||
| update-all.sh | ||
| update-api-reference-docs.sh | ||
| update-bazel.sh | ||
| update-codecgen.sh | ||
| update-codegen.sh | ||
| update-federation-api-reference-docs.sh | ||
| update-federation-generated-swagger-docs.sh | ||
| update-federation-openapi-spec.sh | ||
| update-federation-swagger-spec.sh | ||
| update-generated-docs.sh | ||
| update-generated-protobuf-dockerized.sh | ||
| update-generated-protobuf.sh | ||
| update-generated-runtime-dockerized.sh | ||
| update-generated-runtime.sh | ||
| update-generated-swagger-docs.sh | ||
| update-godep-licenses.sh | ||
| update-gofmt.sh | ||
| update-openapi-spec.sh | ||
| update-staging-client-go.sh | ||
| update-staging-godeps.sh | ||
| update-swagger-spec.sh | ||
| update-translations.sh | ||
| update_owners.py | ||
| verify-all.sh | ||
| verify-api-groups.sh | ||
| verify-api-reference-docs.sh | ||
| verify-bazel.sh | ||
| verify-boilerplate.sh | ||
| verify-cli-conventions.sh | ||
| verify-codecgen.sh | ||
| verify-codegen.sh | ||
| verify-description.sh | ||
| verify-federation-api-reference-docs.sh | ||
| verify-federation-generated-swagger-docs.sh | ||
| verify-federation-openapi-spec.sh | ||
| verify-federation-swagger-spec.sh | ||
| verify-flags-underscore.py | ||
| verify-generated-docs.sh | ||
| verify-generated-protobuf.sh | ||
| verify-generated-runtime.sh | ||
| verify-generated-swagger-docs.sh | ||
| verify-godep-licenses.sh | ||
| verify-godeps.sh | ||
| verify-gofmt.sh | ||
| verify-golint.sh | ||
| verify-govet.sh | ||
| verify-import-boss.sh | ||
| verify-linkcheck.sh | ||
| verify-no-vendor-cycles.sh | ||
| verify-openapi-spec.sh | ||
| verify-pkg-names.sh | ||
| verify-readonly-packages.sh | ||
| verify-staging-client-go.sh | ||
| verify-staging-godeps.sh | ||
| verify-staging-imports.sh | ||
| verify-swagger-spec.sh | ||
| verify-symbols.sh | ||
| verify-test-images.sh | ||
| verify-test-owners.sh | ||