Commit 8eb0b39

Author: Kubernetes Submit Queue
Merge pull request kubernetes#53144 from mikedanese/kubelet-revoke

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

gce: revoke kubelet binding permissions and move the binding addon to EnsureExists, so new clusters will pick up the new binding and old clusters will keep the old binding. The binding is no longer required now that we are migrating to node authorizer.

fixes kubernetes#53151
2 parents 3b4424c + 3f7e1cc commit 8eb0b39

6 files changed: +21 -1 lines changed
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
# This is required so that old clusters don't remove required bindings for 1.5
2+
# kubelets to function.
3+
apiVersion: rbac.authorization.k8s.io/v1
4+
kind: ClusterRoleBinding
5+
metadata:
6+
name: kubelet-cluster-admin
7+
labels:
8+
kubernetes.io/cluster-service: "true"
9+
addonmanager.kubernetes.io/mode: EnsureExists
10+
roleRef:
11+
apiGroup: rbac.authorization.k8s.io
12+
kind: ClusterRole
13+
name: system:node
14+
subjects:
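
Review bot: the header comment on lines 1-2 does not say that the empty `subjects:` on line 14 is deliberate, so a later reader can easily take this manifest for a truncated file and "repair" it by adding a subject back. Please state in the comment that this is a placeholder binding with no subjects, and consider writing `subjects: []` so the intent is explicit rather than an implicit null. It is also worth documenting next to `addonmanager.kubernetes.io/mode: EnsureExists` that a binding that already exists is left as it is, which matches the commit message: old clusters keep the old binding, so the grant of `system:node` through this binding is only absent on new clusters and has to be cleaned up separately on upgraded ones. Finally, the name `kubelet-cluster-admin` no longer describes the `roleRef` (`system:node`); if the name must stay for compatibility with the existing object, a one-line note saying so would help.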

cluster/gce/gci/configure-helper.sh

Lines changed: 7 additions & 1 deletion
@@ -1768,7 +1768,13 @@ function start-kube-addons {
17681768
local -r dst_dir="/etc/kubernetes/addons"
17691769

17701770
# prep addition kube-up specific rbac objects
1771-
setup-addon-manifests "addons" "rbac"
1771+
setup-addon-manifests "addons" "rbac/kubelet-api-auth"
1772+
setup-addon-manifests "addons" "rbac/kubelet-cert-rotation"
1773+
if [[ "${REGISTER_MASTER_KUBELET:-false}" == "true" ]]; then
1774+
setup-addon-manifests "addons" "rbac/legacy-kubelet-user"
1775+
else
1776+
setup-addon-manifests "addons" "rbac/legacy-kubelet-user-disabled"
1777+
fi
17721778

17731779
if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
17741780
setup-addon-manifests "addons" "podsecuritypolicies"
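
Review bot: the `REGISTER_MASTER_KUBELET` branch at new lines 1773-1777 decides whether the legacy kubelet user binding or its disabled variant is installed, but there is no comment explaining why master kubelet registration still needs the legacy binding. Since this condition controls which variant of an RBAC grant ships, please add a short comment above the `if` stating the reason and when the `legacy-kubelet-user` path can be dropped. Two smaller points: replacing the single `"rbac"` call with an explicit list of subdirectories means the list has to be kept in sync with the addon directory by hand, which the comment at line 1770 could mention; and the default here is written `:-false` with an `== "true"` test while the neighbouring `ENABLE_POD_SECURITY_POLICY:-` check uses an empty default, so picking one form would keep the function consistent.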
