Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm: add KEP 4214 for separate super-user kubeconfig #4218

Merged
merged 1 commit into from
Oct 11, 2023
Merged

kubeadm: add KEP 4214 for separate super-user kubeconfig #4218

merged 1 commit into from
Oct 11, 2023

Conversation

neolit123
Copy link
Member

@neolit123 neolit123 commented Sep 18, 2023
edited
Loading

  • One-line PR description:

Create two separate files instead -
admin.conf containing a regular Kubernetes cluster-admin credential and a super-admin.conf
containing a cluster-admin credential bound to the system:masters group.

  • Other comments:
    ONE

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Sep 18, 2023
@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Sep 18, 2023
@neolit123 neolit123 added kind/feature Categorizes issue or PR as related to a new feature. and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory labels Sep 18, 2023
@neolit123 neolit123 added this to the v1.29 milestone Sep 18, 2023
@neolit123 neolit123 requested a review from chendave September 18, 2023 09:11
@k8s-ci-robot k8s-ci-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Sep 18, 2023
@neolit123 neolit123 added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Sep 18, 2023
@chendave
Copy link
Member

/cc

@neolit123 neolit123 mentioned this pull request Sep 23, 2023
Closed
@neolit123 neolit123 force-pushed the 1.29-add-kep-for-separate-kubeconfig-system-masters branch from ee53fd3 to 757a788 Compare September 27, 2023 14:32
chendave
chendave reviewed Sep 28, 2023
View reviewed changes
Copy link
Member

@chendave chendave left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall.

/lgtm

keps/sig-cluster-lifecycle/kubeadm/4214-separate-super-user-kubeconfig/kep.yaml Show resolved Hide resolved
keps/sig-cluster-lifecycle/kubeadm/4214-separate-super-user-kubeconfig/README.md Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 28, 2023
pacoxu
pacoxu approved these changes Oct 7, 2023
View reviewed changes
Copy link
Member

@pacoxu pacoxu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall LGTM

keps/sig-cluster-lifecycle/kubeadm/4214-separate-super-user-kubeconfig/README.md Show resolved Hide resolved
keps/sig-cluster-lifecycle/kubeadm/4214-separate-super-user-kubeconfig/README.md Show resolved Hide resolved
@pacoxu
Copy link
Member

pacoxu commented Oct 9, 2023

/lgtm

SataQiu
SataQiu approved these changes Oct 9, 2023
View reviewed changes
Copy link
Member

@SataQiu SataQiu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

keps/sig-cluster-lifecycle/kubeadm/4214-separate-super-user-kubeconfig/README.md Outdated Show resolved Hide resolved
keps/sig-cluster-lifecycle/kubeadm/4214-separate-super-user-kubeconfig/README.md Outdated Show resolved Hide resolved
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, pacoxu, SataQiu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sftim
Copy link
Contributor

sftim commented Oct 9, 2023

Can we annotate, or label, the kubeadm-managed ClusterRole and ClusterRoleBinding with something that clearly marks them as deployed by kubeadm?

@neolit123
Copy link
Member Author

Can we annotate, or label, the kubeadm-managed ClusterRole and ClusterRoleBinding with something that clearly marks them as deployed by kubeadm?

the clusterrole is "cluster-admin". that is a stock one and preferred over adding a new clusterrole.
"kubeadm:cluster-admins" is the name of the group and clusterrolebinding, as these are of kubeadm origin.

@sftim
Copy link
Contributor

sftim commented Oct 9, 2023
edited
Loading

Can we annotate, or label, the kubeadm-managed ClusterRole and ClusterRoleBinding with something that clearly marks them as deployed by kubeadm?

the clusterrole is "cluster-admin". that is a stock one and preferred over adding a new clusterrole. "kubeadm:cluster-admins" is the name of the group and clusterrolebinding, as these are of kubeadm origin.

Sure. But I'm asking for a label or annotation. Otherwise, we have to start teaching heuristics to other tools. An annotation is almost 100% unambiguous.

(Heuristics like: look for a : in the name; see if the first part of the name is kubeadm or starts with kube; …)

@neolit123
Copy link
Member Author

Sure. But I'm asking for a label or annotation. Otherwise, we have to start teaching heuristics to other tools. An annotation is almost 100% unambiguous.

(Heuristics like: look for a : in the name; see if the first part of the name is kubeadm or starts with kube; …)

it's an already established pattern for kubeadm and other k8s components, so tools should already know about it.
overall i'm -1, to introduce new ways to "label" RBAC objects.

@sftim
Copy link
Contributor

sftim commented Oct 9, 2023
edited
Loading

overall i'm -1, to introduce new ways to "label" RBAC objects

What I wish I could document:
To know if an object is managed by Kubernetes and is therefore not part of your platform customizations, FIXME”. And we can't write the FIXME. I know that might be a great deal of coordination work but it's also not a lot of code.

The fact it's RBAC isn't relevant to me. It's that each different tool has its own heuristic and that's more things to code. Anyway, I get the sense this would want its own KEP.

@neolit123 neolit123 force-pushed the 1.29-add-kep-for-separate-kubeconfig-system-masters branch from 757a788 to d0aceb2 Compare October 10, 2023 13:45
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 10, 2023
@neolit123 neolit123 force-pushed the 1.29-add-kep-for-separate-kubeconfig-system-masters branch from d0aceb2 to dec4a58 Compare October 11, 2023 13:44
@pacoxu
Copy link
Member

pacoxu commented Oct 11, 2023

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 11, 2023
@neolit123
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 11, 2023
@k8s-ci-robot k8s-ci-robot merged commit 61a31ed into kubernetes:master Oct 11, 2023
@neolit123 neolit123 mentioned this pull request Oct 17, 2023
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SataQiu SataQiu SataQiu approved these changes

@chendave chendave chendave left review comments

@pacoxu pacoxu pacoxu approved these changes

Assignees

@pacoxu pacoxu

@chendave chendave

@SataQiu SataQiu

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
v1.29
Development

Successfully merging this pull request may close these issues.
6 participants
@neolit123 @chendave @pacoxu @k8s-ci-robot @sftim @SataQiu