From caa2e90802459cb7fb4e46e73e777249384f9e2e Mon Sep 17 00:00:00 2001
From: killianmuldoon
Date: Tue, 7 Nov 2023 11:21:57 +0000
Subject: [PATCH] Support super-admin config for Kubeadm v1.29
Signed-off-by: killianmuldoon
---
 .../kubeadm/internal/controllers/upgrade.go | 6 +++
 .../kubeadm/internal/workload_cluster_rbac.go | 46 +++++++++++++++++++
 2 files changed, 52 insertions(+)
diff --git a/controlplane/kubeadm/internal/controllers/upgrade.go b/controlplane/kubeadm/internal/controllers/upgrade.go
index f51bce9d84b7..9e49eb005ba1 100644
--- a/controlplane/kubeadm/internal/controllers/upgrade.go
+++ b/controlplane/kubeadm/internal/controllers/upgrade.go
@@ -68,6 +68,12 @@ func (r *KubeadmControlPlaneReconciler) upgradeControlPlane(
 return ctrl.Result{}, errors.Wrap(err, "failed to set role and role binding for kubeadm")
 }
+ // Ensure kubeadm cluster role & bindings for v1.29+
+ // as per https://github.com/kubernetes/kubernetes/pull/121305
+ if err := workloadCluster.AllowBootstrapTokensToGetNodes(ctx); err != nil {
+ return ctrl.Result{}, errors.Wrap(err, "failed to set role and role binding for kubeadm")
+ }
+
+ if err := workloadCluster.UpdateKubernetesVersionInKubeadmConfigMap(ctx, parsedVersion); err != nil {
 return ctrl.Result{}, errors.Wrap(err, "failed to update the kubernetes version in the kubeadm config map")
 }
diff --git a/controlplane/kubeadm/internal/workload_cluster_rbac.go b/controlplane/kubeadm/internal/workload_cluster_rbac.go
index eb22e348051b..bdb522a4f404 100644
--- a/controlplane/kubeadm/internal/workload_cluster_rbac.go
+++ b/controlplane/kubeadm/internal/workload_cluster_rbac.go
@@ -22,6 +22,7 @@ import (
 "github.com/blang/semver/v4"
 "github.com/pkg/errors"
+ rbac "k8s.io/api/rbac/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
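Review bot: The call added to upgradeControlPlane invokes AllowBootstrapTokensToGetNodes rather than the method this patch introduces (currently AddSeperateKubeletSuperAdmin), so the kubeadm:cluster-admins ClusterRoleBinding the comment refers to is never ensured on upgrade, and the wrap message on the following line is byte-identical to the one on the preceding context line, so a failure cannot be attributed to either call from the error alone. The preceding context line presumably belongs to an existing AllowBootstrapTokensToGetNodes call (its `if` is outside the hunk), which would make the new call a plain duplicate. The comment scopes the step to v1.29+, but parsedVersion, used on the next context line, is not consulted, so if the binding is intended on every version the comment should say so. I would change the two lines to `if err := workloadCluster.AddSeperateKubeletSuperAdmin(ctx); err != nil {` and `return ctrl.Result{}, errors.Wrap(err, "failed to set cluster-admins cluster role binding for kubeadm")`. upgradeControlPlane begins and ends outside the hunk.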
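Review bot: The added alias `rbac` imports k8s.io/api/rbac/v1, which the very next context line already imports as `rbacv1`, so the file now carries the same package under two names (staticcheck ST1019 flags this). Drop the added line and write `rbacv1.ClusterRoleBinding`, `rbacv1.RoleRef`, `rbacv1.Subject`, `rbacv1.GroupName` and `rbacv1.GroupKind` in the new AddSeperateKubeletSuperAdmin method, which is the only place in this patch that uses the alias.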
@@ -35,6 +36,14 @@ const (
 // GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes.
 GetNodesClusterRoleName = "kubeadm:get-nodes"
+ // SuperAdminKubeConfigFileName defines name for the kubeconfig aimed to be used by the super-admin of the cluster.
+ SuperAdminKubeConfigFileName = "super-admin.conf"
+
+ // ClusterAdminsGroupAndClusterRoleBinding is the name of the Group used for kubeadm generated cluster
+ // admin credentials and the name of the ClusterRoleBinding that binds the same Group to the "cluster-admin"
+ // built-in ClusterRole.
+ ClusterAdminsGroupAndClusterRoleBinding = "kubeadm:cluster-admins"
+
+ // NodesGroup defines the well-known group for all nodes.
 NodesGroup = "system:nodes"
@@ -66,6 +75,43 @@ func (w *Workload) EnsureResource(ctx context.Context, obj client.Object) error
 return nil
 }
+ // AllowBootstrapTokensToGetNodes creates RBAC rules to allow Node Bootstrap Tokens to list nodes.
+func (w *Workload) AddSeperateKubeletSuperAdmin(ctx context.Context) error {
+ if err := w.EnsureResource(ctx, &rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: GetNodesClusterRoleName,
+ Namespace: metav1.NamespaceSystem,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ Verbs: []string{"get"},
+ APIGroups: []string{""},
+ Resources: []string{"nodes"},
+ },
+ },
+ }); err != nil {
+ return err
+ }
+
+ return w.EnsureResource(ctx, &rbac.ClusterRoleBinding{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: ClusterAdminsGroupAndClusterRoleBinding,
+ },
+ RoleRef: rbac.RoleRef{
+ APIGroup: rbac.GroupName,
+ Kind: "ClusterRole",
+ Name: "cluster-admin",
+ },
+ Subjects: []rbac.Subject{
+ {
+ Kind: rbac.GroupKind,
+ Name: ClusterAdminsGroupAndClusterRoleBinding,
+ },
+ },
+ },
+ )
+}
+
+ // AllowBootstrapTokensToGetNodes creates RBAC rules to allow Node Bootstrap Tokens to list nodes.
+ func (w *Workload) AllowBootstrapTokensToGetNodes(ctx context.Context) error {
+ if err := w.EnsureResource(ctx, &rbacv1.ClusterRole{
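Review bot: SuperAdminKubeConfigFileName is declared but nothing else in this patch reads it, so as far as the diff shows it is an unused exported constant; if the code that consumes super-admin.conf lands separately, a short `// TODO` or a pointer to that change would stop it looking like dead code. The ClusterAdminsGroupAndClusterRoleBinding comment is accurate but understates the consequence: once the binding exists, any credential whose certificate carries this Group is a full cluster-admin, which is worth one sentence, e.g. `// Any credential presenting this Group is granted cluster-admin; do not reuse the name elsewhere.`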
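Review bot: The doc comment on the new method is copied from AllowBootstrapTokensToGetNodes and neither names nor describes AddSeperateKubeletSuperAdmin (exported methods need a comment starting with their name, and "Seperate" is misspelled), and the first EnsureResource call re-creates the kubeadm:get-nodes ClusterRole that AllowBootstrapTokensToGetNodes below already manages, with a Namespace set on a cluster-scoped object, which reads as copy-paste residue rather than part of the super-admin change. The method's actual purpose is the second call, the ClusterRoleBinding that binds the built-in cluster-admin ClusterRole to the kubeadm:cluster-admins Group; I would cut it down to that, name it for what it ensures, and document that every credential in that Group becomes cluster-admin as a result. Whether EnsureResource reconciles an existing object or only creates a missing one is defined outside the hunk, so it is worth confirming that re-running this on every upgrade leaves a previously created binding untouched.
```go
// EnsureClusterAdminsClusterRoleBinding ensures the ClusterRoleBinding that grants the
// built-in "cluster-admin" ClusterRole to the kubeadm:cluster-admins Group. kubeadm v1.29+
// (kubernetes/kubernetes#121305) issues its admin credentials with this Group instead of
// system:masters, so every credential carrying the Group is a full cluster-admin once this
// binding exists.
func (w *Workload) EnsureClusterAdminsClusterRoleBinding(ctx context.Context) error {
	return w.EnsureResource(ctx, &rbacv1.ClusterRoleBinding{
		ObjectMeta: metav1.ObjectMeta{
			Name: ClusterAdminsGroupAndClusterRoleBinding,
		},
		RoleRef: rbacv1.RoleRef{
			APIGroup: rbacv1.GroupName,
			Kind:     "ClusterRole",
			Name:     "cluster-admin",
		},
		Subjects: []rbacv1.Subject{
			{
				Kind: rbacv1.GroupKind,
				Name: ClusterAdminsGroupAndClusterRoleBinding,
			},
		},
	})
}
```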