kubeadm-certs: fix wrong info about admin.conf #48095
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
sig/cluster-lifecycle
|
@neolit123: GitHub didn't allow me to request PR reviews from the following users: for, LGTM. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/kind bug |
k8s-ci-robot
added
kind/bug
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
Should this be cherry-picked to 1.31 and 1.30? I am not familiar with website cherry pick policy.
Link to kubernetes/kubeadm#2414.
/lgtm
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 355f73e373d5419f1bd3a67ea9963efacc476f35
|
| is a kubeadm managed group bound to the | ||
| [`cluster-admin`]((/docs/reference/access-authn-authz/rbac/#user-facing-roles)) ClusterRole. | ||
|
|
||
| Sharing the `super-admin.conf` or `admin.conf` with additional users is **not recommended**! |
There was a problem hiding this comment.
| Sharing the `super-admin.conf` or `admin.conf` with additional users is **not recommended**! | |
| {{< warning >}} | |
| Avoid sharing the `super-admin.conf` or `admin.conf` files; instead, create least privileged access | |
| - even for people who work as administrators - and use that least privilege alternative for anything | |
| other than break-glass (emergency) access. | |
| {{< /warning >}} |
content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
Outdated
Show resolved
Hide resolved
neolit123
force-pushed
the
1.32-fix-wrong-info-about-admin.conf
branch
from
9e90107 to
a9bd810
Compare
k8s-ci-robot
removed
the
lgtm
content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
Outdated
Show resolved
Hide resolved
This PR will update the doc for the current latest release (1.31) since it's targeting the main branch. If we also need to update the doc for v1.30 or any other release, we’ll need to create a separate pull request targeting the release-1.30 or release-1.xx branch. |
While the super-admin.conf change was introduced, looks like we forgot to update this particular section of the kubeadm-certs.md. https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/#generate-kubeconfig-files-for-control-plane-components The above section already has the right info.
neolit123
force-pushed
the
1.32-fix-wrong-info-about-admin.conf
branch
from
a9bd810 to
fa074af
Compare
ok, once this merges i can send cherry pick for release-1.30 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dipesh-rawat, pacoxu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
looking for another LGTM. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 6843dcb0cac2f7440e9329958b21cc49cf3eb32a
|
| `Subject: O = kubeadm:cluster-admins, CN = kubernetes-admin`. `kubeadm:cluster-admins` | ||
| is a group logically belonging to kubeadm. If your cluster uses RBAC |
There was a problem hiding this comment.
What does this mean? kubeadm is a CLI tool. Why there is a group belonging to a tool?
kubeadm:cluster-adminsis a group logically belonging to kubeadm.
There was a problem hiding this comment.
There was a problem hiding this comment.
The "kubeadm:cluster-admins is a group logically belonging to kubeadm" statement is confusing. You can say that this group is created and used by kubeadm. Having a group belonging to a CLI tool is confusing.
There was a problem hiding this comment.
group is a term from rbac.
| {{< warning >}} | ||
| Avoid sharing the `super-admin.conf` or `admin.conf` files. Instead, create least | ||
| privileged access even for people who work as administrators and use that least | ||
| privilege alternative for anything other than break-glass (emergency) access. |
There was a problem hiding this comment.
Okay. Please state what "least privilege alternative" means. Or else, this suggestion is not actionable.
There was a problem hiding this comment.
@sftim suggested this change.
While the super-admin.conf change was introduced, looks like we forgot to update this particular section of the kubeadm-certs.md.
https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/#generate-kubeconfig-files-for-control-plane-components
The above section already has the right info.