mirror of https://github.com/k3s-io/k3s
Automatic merge from submit-queue (batch tested with PRs 49861, 50933, 51380, 50688, 51305)

Add configurable groups to bootstrap tokens.

**What this PR does / why we need it**:

This change adds support for authenticating bootstrap tokens into a configurable set of extra groups in addition to `system:bootstrappers`. Previously, bootstrap tokens could only ever authenticate to the `system:bootstrappers` group.

Groups are specified as a comma-separated list in the `auth-extra-groups` key of the `bootstrap.kubernetes.io/token` Secret, and must begin with the prefix `system:bootstrapper:` (and match a validation regex that checks against our normal convention). Whether or not any extra groups are configured, `system:bootstrappers` will still be added.

This also adds a `--groups` flag for `kubeadm token create`, which sets the `auth-extra-groups` key on the resulting Secret. The default is to not set the key. `kubeadm token list` is also updated to include an `EXTRA GROUPS` output column.

**Which issue this PR fixes**: fixes #49306

**Special notes for your reviewer**:

The use case for this is in https://github.com/kubernetes/kubernetes/issues/49306. Comments on the feature itself are probably better over there. It will be part of how HA/self-hosting kubeadm bootstraps new master nodes (post 1.8).

**Release note**:

```release-note
Add support for configurable groups for bootstrap token authentication.
```

cc @luxas @kubernetes/sig-cluster-lifecycle-api-reviews @kubernetes/sig-auth-api-reviews

/kind feature
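Worked example, added here and not code from this PR or from kubeadm itself: a helper that derives the group list a bootstrap token authenticates into from the data of its `bootstrap.kubernetes.io/token` Secret, applying the rules the commit message describes (always `system:bootstrappers`, plus any comma-separated `auth-extra-groups` entries that carry the required prefix and pass validation). The `system:bootstrapper:` prefix follows the message's spelling (the merged Kubernetes code spells it `system:bootstrappers:`); the exact validation regex, the function name and the sample Secret data are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Key, default group and prefix as stated in the commit message above.
const (
	extraGroupsKey     = "auth-extra-groups"
	bootstrappersGroup = "system:bootstrappers"
	extraGroupPrefix   = "system:bootstrapper:"
)

// Assumed validation pattern modelled on the "normal convention" the message
// refers to: lowercase alphanumerics, ':' and '-', ending in an alphanumeric.
var extraGroupPattern = regexp.MustCompile(`^system:bootstrapper:[a-z0-9:-]{0,255}[a-z0-9]$`)

// BootstrapTokenGroups returns the groups a bootstrap token authenticates into,
// given the (decoded) string data of its Secret. system:bootstrappers is always
// present; a malformed extra group rejects the whole list rather than being
// silently dropped, so a typo cannot quietly widen or narrow authorization.
func BootstrapTokenGroups(secretData map[string]string) ([]string, error) {
	groups := []string{bootstrappersGroup}
	raw, ok := secretData[extraGroupsKey]
	if !ok || strings.TrimSpace(raw) == "" {
		return groups, nil // key absent: the kubeadm default
	}
	for _, g := range strings.Split(raw, ",") {
		g = strings.TrimSpace(g)
		if !strings.HasPrefix(g, extraGroupPrefix) {
			return nil, fmt.Errorf("bootstrap group %q must start with %q", g, extraGroupPrefix)
		}
		if !extraGroupPattern.MatchString(g) {
			return nil, fmt.Errorf("bootstrap group %q does not match %s", g, extraGroupPattern)
		}
		groups = append(groups, g)
	}
	return groups, nil
}

func main() {
	// Constructed sample Secret data, as `kubeadm token create --groups` would write it.
	secret := map[string]string{"token-id": "abcdef", extraGroupsKey: "system:bootstrapper:ha-masters"}
	fmt.Println(BootstrapTokenGroups(secret))
	// A group outside the allowed prefix (e.g. system:masters) is refused.
	fmt.Println(BootstrapTokenGroups(map[string]string{extraGroupsKey: "system:masters"}))
}
```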