Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

keps/../kubeadm: 4214: revisit test plan and risks/mitigations #4302

Merged
merged 1 commit into from
Oct 19, 2023
Merged

keps/../kubeadm: 4214: revisit test plan and risks/mitigations #4302

merged 1 commit into from
Oct 19, 2023

Conversation

neolit123
Copy link
Member

@neolit123 neolit123 commented Oct 19, 2023
edited
Loading

Update notes about Risk and Mitigations:

  • As a mistaken existing implementation detail "admin.conf" is not shared across control plane nodes, by using the "kubeadm-certs" Secret. Instead on "kubeadm join --control-plane" a new "admin.conf" is signed by using the shared in "kubeadm-certs" CA.
  • Re-place upgrade clusters must apply the "kubeadm:cluster-admins" ClusterRoleBinding if they wish the "admin.conf" files on joining control plane nodes to have "cluster-admin" level access.

Update Test Plan:

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 19, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 19, 2023
@neolit123
keps/../kubeadm: 4214: revisit test plan and risks/mitigations
95f1f4d 
Update notes about Risk and Mitigations:
- As a mistaken existing implementation detail "admin.conf"
is not shared across control plane nodes, by using the "kubeadm-certs"
Secret. Instead on "kubeadm join --control-plane" a new "admin.conf"
is signed by using the shared in "kubeadm-certs" CA.
- Re-place upgrade clusters must apply the "kubeadm:cluster-admins"
ClusterRoleBinding if they wish the "admin.conf" files on joining
control plane nodes to have "cluster-admin" level access.

Update Test Plane:
- Don't add integration tests, instead add an e2e test using kinder
that will do kubeadm init/join/upgrade and verify certificates
stored in kubeconfig files nad RBAC.
@neolit123 neolit123 force-pushed the 1.29-add-kep-for-separate-kubeconfig-system-masters branch from 6a0315d to 95f1f4d Compare October 19, 2023 10:14
@neolit123 neolit123 mentioned this pull request Oct 19, 2023
Closed
@neolit123
Copy link
Member Author

Re-place upgrade clusters must apply the "kubeadm:cluster-admins" ClusterRoleBinding if they wish the "admin.conf" files on joining control plane nodes to have "cluster-admin" level access.

i pinged the #cluster-api slack about this:
https://kubernetes.slack.com/archives/C8TSNPY4T/p1697710479089779

@neolit123 neolit123 requested review from pacoxu, chendave and SataQiu and removed request for justinsb and fabriziopandini October 19, 2023 10:18
SataQiu
SataQiu reviewed Oct 19, 2023
View reviewed changes
Copy link
Member

@SataQiu SataQiu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold

feel free to cancel hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 19, 2023
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 19, 2023
@killianmuldoon killianmuldoon mentioned this pull request Oct 19, 2023
Closed
14 tasks
@neolit123
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 19, 2023
@k8s-ci-robot k8s-ci-robot merged commit 4ec371d into kubernetes:master Oct 19, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.29 milestone Oct 19, 2023
This was referenced Nov 1, 2023
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SataQiu SataQiu SataQiu left review comments

@pacoxu pacoxu Awaiting requested review from pacoxu

@chendave chendave Awaiting requested review from chendave

Assignees

@SataQiu SataQiu

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.29
Development

Successfully merging this pull request may close these issues.
3 participants
@neolit123 @k8s-ci-robot @SataQiu