k3s/hack
Kubernetes Submit Queue d50c027d0c Merge pull request #39537 from liggitt/legacy-policy
Automatic merge from submit-queue (batch tested with PRs 39803, 39698, 39537, 39478)

include bootstrap admin in super-user group, ensure tokens file is correct on upgrades

Fixes https://github.com/kubernetes/kubernetes/issues/39532

Possible issues with cluster bring-up scripts:

- [x] known_tokens.csv and basic_auth.csv are not rewritten if the file already exists
  * new users (like the controller manager) are not available on upgrade
  * changed users (like the kubelet username change) are not reflected
  * group additions (like the addition of admin to the superuser group) don't take effect on upgrade
  * this PR updates the token and basicauth files line-by-line to preserve user additions, but also ensure new data is persisted
- [x] existing 1.5 clusters may depend on more permissive ABAC permissions (or customized ABAC policies). This PR adds an option to enable existing ABAC policy files for clusters that are upgrading

Follow-ups:
- [ ] both scripts are loading e2e role-bindings, which should only be loaded in e2e tests, not in normal kube-up scenarios
- [ ] when upgrading, set the option to use existing ABAC policy files
- [ ] update bootstrap superuser client certs to add superuser group? ("We also have a certificate that "used to be" a super-user. On GCE, it has CN "kubecfg", on GKE it's "client"")
- [ ] define (but do not load by default) a relaxed set of RBAC roles/rolebindings matching legacy ABAC, and document how to load that for new clusters that do not want to isolate user permissions
2017-01-12 15:06:31 -08:00
..
boilerplate Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
cmd/teststale
e2e-internal Added e2e test for HA master that creates multizone workers. 2016-12-29 09:35:01 +01:00
gen-swagger-doc
jenkins Update OWNERS: Create test-infra-maintainers 2016-12-19 15:41:51 -08:00
lib allow generated changes in readonly package 2017-01-11 08:37:03 -05:00
make-rules Merge pull request #39038 from ncdc/fix-kubectl-get-list 2017-01-11 09:58:38 -08:00
testdata Adding test-federation-cmd.sh to test kubectl with federation apiserver 2017-01-04 11:17:05 -08:00
verify-flags Allow enabling ABAC authz 2017-01-11 17:20:51 -05:00
.linted_packages Refactor registry to use store vs. etcd 2017-01-12 09:23:38 -06:00
BUILD Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
OWNERS Add jbeda to OWNERS for build, cluster, hack 2016-09-27 14:53:16 -07:00
autogenerated_placeholder.txt
benchmark-go.sh unify newline format for benchmark-go.sh 2016-12-10 01:15:30 -08:00
benchmark-integration.sh
build-cross.sh
build-go.sh
build-ui.sh Cleanup non-rest apiserver handlers 2016-09-15 13:22:45 +02:00
cherry_pick_pull.sh hack/cherry_pick_pull.sh: cleanup patch files 2016-12-14 14:33:17 -08:00
dev-build-and-push.sh hack/dev-build-*: Run dev build instead of release build 2016-12-15 10:35:16 -07:00
dev-build-and-up.sh hack/dev-build-*: Run dev build instead of release build 2016-12-15 10:35:16 -07:00
dev-push-hyperkube.sh Rename build-tools/ back to build/ 2016-12-14 13:42:15 -08:00
e2e-node-test.sh
e2e.go hack/e2e.go / kops: Add --kops-admin-access to restrict API access 2016-12-12 23:25:13 -08:00
federated-ginkgo-e2e.sh
generate-bindata.sh Run bindata generation from KUBE_ROOT 2017-01-10 14:28:19 -05:00
generate-docs.sh spell check for test/* 2016-12-14 06:03:00 -08:00
get-build.sh
ginkgo-e2e.sh [Federation][init-11] Switch federation e2e tests to use the new federation control plane bootstrap via the `kubefed init` command. 2016-12-16 11:22:44 +05:30
godep-save.sh k8s.io/apimachinery scripts 2017-01-11 08:15:34 -05:00
grab-profiles.sh Make all usage of sort deterministic 2016-10-20 16:47:20 -04:00
install-etcd.sh
list-feature-tests.sh Make all usage of sort deterministic 2016-10-20 16:47:20 -04:00
local-up-cluster.sh Merge pull request #39577 from kargakis/fix-openshift-example 2017-01-10 22:24:11 -08:00
local-up-discovery.sh rename kubernetes-discovery to kube-aggregator 2017-01-10 12:27:42 -05:00
lookup_pull.py
run-in-gopath.sh
test-cmd.sh
test-go.sh
test-integration.sh choose a particular directory test-integration 2016-08-26 12:33:06 -04:00
test-update-storage-objects.sh Remove extensions/v1beta1 Job 2016-12-17 00:07:24 +01:00
update-all.sh Sync update-all with verify targets 2016-12-05 12:43:54 +01:00
update-api-reference-docs.sh update generation scripts to share API group version constants 2016-09-22 13:30:41 -04:00
update-bazel.sh Update to gazel v13 2017-01-05 14:14:06 -08:00
update-codecgen.sh Make all usage of sort deterministic 2016-10-20 16:47:20 -04:00
update-codegen.sh rename kubernetes-discovery to kube-aggregator 2017-01-10 12:27:42 -05:00
update-federation-api-reference-docs.sh Adding a script to update federation API reference docs 2016-08-31 13:21:42 -07:00
update-federation-generated-swagger-docs.sh Adding a script to update federation API reference docs 2016-08-31 13:21:42 -07:00
update-federation-openapi-spec.sh genericapiserver: move MasterCount and service options into master 2016-12-16 17:23:43 +01:00
update-federation-swagger-spec.sh Federation does not generate swagger spec correctly 2017-01-06 23:45:04 -05:00
update-generated-docs.sh
update-generated-protobuf-dockerized.sh spell check for test/* 2016-12-14 06:03:00 -08:00
update-generated-protobuf.sh Rename build-tools/ back to build/ 2016-12-14 13:42:15 -08:00
update-generated-runtime-dockerized.sh
update-generated-runtime.sh Rename build-tools/ back to build/ 2016-12-14 13:42:15 -08:00
update-generated-swagger-docs.sh Handle sudo cleanly with tmp dir in generation 2016-12-10 18:05:37 -05:00
update-godep-licenses.sh make godep licenses/copyright check case insensitive 2016-10-24 18:00:08 -07:00
update-gofmt.sh Merge pull request #31547 from mbohlool/fix2 2016-09-14 05:35:51 -07:00
update-munge-docs.sh remove verify-munge-docs.sh 2016-12-07 14:33:34 -08:00
update-openapi-spec.sh Fix race in service IP allocation repair loop 2016-12-26 21:59:27 -08:00
update-staging-client-go.sh add update-staging-client-go.sh and verify-staging-client-go.sh; 2016-10-29 14:20:39 -07:00
update-swagger-spec.sh update generation scripts to share API group version constants 2016-09-22 13:30:41 -04:00
update_owners.py Remove girishkalele from most places 2016-12-05 19:29:34 -05:00
verify-all.sh
verify-api-groups.sh add script to check for updates to the files for generation 2016-11-01 15:59:50 -04:00
verify-api-reference-docs.sh
verify-bazel.sh Update to gazel v13 2017-01-05 14:14:06 -08:00
verify-boilerplate.sh Add a build rule for the boilerplate unit test. 2017-01-01 22:54:32 -08:00
verify-cli-conventions.sh Tools for checking CLI conventions 2016-10-17 11:50:02 -02:00
verify-codecgen.sh add apiregistration types 2016-12-06 13:45:10 -05:00
verify-codegen.sh rename kubernetes-discovery to kube-aggregator 2017-01-10 12:27:42 -05:00
verify-description.sh
verify-federation-openapi-spec.sh Add verify script federation OpenAPI spec generation 2016-11-07 02:41:50 -08:00
verify-flags-underscore.py ignore BUILD in the flags-underscore.py validation 2016-10-21 17:32:33 -07:00
verify-generated-docs.sh
verify-generated-protobuf.sh utils: Use macOS compatible copying method 2016-10-18 11:09:38 +02:00
verify-generated-runtime.sh add update-staging-client-go.sh and verify-staging-client-go.sh; 2016-10-29 14:20:39 -07:00
verify-generated-swagger-docs.sh docs generation: Use macos compatible copy method 2016-10-18 11:11:03 +02:00
verify-godep-licenses.sh
verify-godeps.sh Move godeps to version v74 instead of v73 2016-11-03 00:43:06 -07:00
verify-gofmt.sh ignore staging in munge scripts 2016-08-24 13:09:13 -07:00
verify-golint.sh Use LC_ALL=C with sort 2016-10-19 09:47:21 -04:00
verify-govet.sh
verify-import-boss.sh
verify-linkcheck.sh
verify-openapi-spec.sh verify-openapi-spec.sh should not ignore extra file in the spec folder api/openapi-spec 2016-11-01 01:13:11 -07:00
verify-pkg-names.sh Fix spelling in package naming linter error message 2016-12-20 15:48:14 -05:00
verify-readonly-packages.sh Add more generated files as exceptions for readonly directories 2017-01-11 21:38:08 +01:00
verify-staging-client-go.sh add update-staging-client-go.sh and verify-staging-client-go.sh; 2016-10-29 14:20:39 -07:00
verify-staging-imports.sh add import cycle checking for staging to verify scripts 2017-01-05 10:25:20 -05:00
verify-swagger-spec.sh
verify-symbols.sh spell check for test/* 2016-12-14 06:03:00 -08:00
verify-test-images.sh Make all usage of sort deterministic 2016-10-20 16:47:20 -04:00
verify-test-owners.sh Disable verify-test-owners.sh and make `go vet` more obvious 2016-12-21 11:44:04 -08:00