Support super-admin config for Kubeadm v1.29
Signed-off-by: killianmuldoon <[email protected]>
killianmuldoon committed Nov 7, 2023
1 parent bd9abfc commit 57dd6a3
Showing 4 changed files with 43 additions and 0 deletions.
4 changes: 4 additions & 0 deletions controlplane/kubeadm/internal/controllers/fakes_test.go
Expand Up @@ -96,6 +96,10 @@ func (f fakeWorkloadCluster) AllowBootstrapTokensToGetNodes(_ context.Context) e
return nil
}

func (f fakeWorkloadCluster) AddClusterAdminRoleBinding(_ context.Context, _ semver.Version) error {
return nil
}

func (f fakeWorkloadCluster) ReconcileKubeletRBACRole(_ context.Context, _ semver.Version) error {
return nil
}
5 changes: 5 additions & 0 deletions controlplane/kubeadm/internal/controllers/upgrade.go
Expand Up @@ -68,6 +68,11 @@ func (r *KubeadmControlPlaneReconciler) upgradeControlPlane(
return ctrl.Result{}, errors.Wrap(err, "failed to set role and role binding for kubeadm")
}

// Ensure kubeadm clusterRole & Bindings for v1.29+ as per https://github.com/kubernetes/kubernetes/pull/121305
if err := workloadCluster.AddClusterAdminRoleBinding(ctx, parsedVersion); err != nil {
return ctrl.Result{}, errors.Wrap(err, "failed to set role and role binding for kubeadm")
}

if err := workloadCluster.UpdateKubernetesVersionInKubeadmConfigMap(ctx, parsedVersion); err != nil {
return ctrl.Result{}, errors.Wrap(err, "failed to update the kubernetes version in the kubeadm config map")
}
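Review bot: The wrap message on the new error return repeats the one used two lines above for the ReconcileKubeletRBACRole failure (`failed to set role and role binding for kubeadm`), so when an upgrade stops here the returned error does not say which of the two RBAC steps failed. Naming the step makes triage of a failed control-plane upgrade much faster: `return ctrl.Result{}, errors.Wrap(err, "failed to set cluster-admins role binding for kubeadm")`. upgradeControlPlane starts and ends outside the hunk, so I have not checked the rest of the function for a different wording convention.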
1 change: 1 addition & 0 deletions controlplane/kubeadm/internal/workload_cluster.go
Expand Up @@ -120,6 +120,7 @@ type WorkloadCluster interface {
RemoveNodeFromKubeadmConfigMap(ctx context.Context, nodeName string, version semver.Version) error
ForwardEtcdLeadership(ctx context.Context, machine *clusterv1.Machine, leaderCandidate *clusterv1.Machine) error
AllowBootstrapTokensToGetNodes(ctx context.Context) error
AddClusterAdminRoleBinding(ctx context.Context, version semver.Version) error

// State recovery tasks.
ReconcileEtcdMembers(ctx context.Context, nodeNames []string, version semver.Version) ([]string, error)
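Review bot: The new interface method carries no comment on its version gate, while the Workload implementation added in this commit returns nil without creating anything for versions below v1.29.0, so a caller reading the interface alone cannot tell that the binding may not exist afterwards. The neighbouring methods are undocumented too, but this one has conditional behaviour worth stating; a one-line comment above it would do: `// AddClusterAdminRoleBinding ensures the kubeadm:cluster-admins ClusterRoleBinding exists; it is a no-op for versions below v1.29.0.` The WorkloadCluster interface starts and ends outside the hunk.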
33 changes: 33 additions & 0 deletions controlplane/kubeadm/internal/workload_cluster_rbac.go
Expand Up @@ -35,6 +35,14 @@ const (
// GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes.
GetNodesClusterRoleName = "kubeadm:get-nodes"

// SuperAdminKubeConfigFileName defines name for the kubeconfig aimed to be used by the super-admin of the cluster.
SuperAdminKubeConfigFileName = "super-admin.conf"

// ClusterAdminsGroupAndClusterRoleBinding is the name of the Group used for kubeadm generated cluster
// admin credentials and the name of the ClusterRoleBinding that binds the same Group to the "cluster-admin"
// built-in ClusterRole.
ClusterAdminsGroupAndClusterRoleBinding = "kubeadm:cluster-admins"

// NodesGroup defines the well-known group for all nodes.
NodesGroup = "system:nodes"

Expand Down Expand Up @@ -66,6 +74,31 @@ func (w *Workload) EnsureResource(ctx context.Context, obj client.Object) error
return nil
}

// AddClusterAdminRoleBinding creates ClusterRoleBinding rules to use the kubeadm:cluster-admins Cluster Role created in Kubeadm v1.29.
func (w *Workload) AddClusterAdminRoleBinding(ctx context.Context, version semver.Version) error {
// If the upgrade is not to a Cluster of version v1.29.0 or higher this is a no-op
if !version.GTE(semver.MustParse("1.29.0")) {
return nil
}
return w.EnsureResource(ctx, &rbacv1.ClusterRoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: ClusterAdminsGroupAndClusterRoleBinding,
},
RoleRef: rbacv1.RoleRef{
APIGroup: rbacv1.GroupName,
Kind: "ClusterRole",
Name: "cluster-admin",
},
Subjects: []rbacv1.Subject{
{
Kind: rbacv1.GroupKind,
Name: ClusterAdminsGroupAndClusterRoleBinding,
},
},
},
)
}

// AllowBootstrapTokensToGetNodes creates RBAC rules to allow Node Bootstrap Tokens to list nodes.
func (w *Workload) AllowBootstrapTokensToGetNodes(ctx context.Context) error {
if err := w.EnsureResource(ctx, &rbacv1.ClusterRole{
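Review bot: The doc comment on AddClusterAdminRoleBinding is inaccurate: it says the binding uses "the kubeadm:cluster-admins Cluster Role", but the body binds the built-in `cluster-admin` ClusterRole (RoleRef `Name: "cluster-admin"`) to a Subject of Kind GroupKind named kubeadm:cluster-admins, which is exactly what the constant's own comment in the first hunk describes. Because this grants the full cluster-admin role to any credential carrying that group, the comment should say so plainly, e.g. `// AddClusterAdminRoleBinding ensures the kubeadm:cluster-admins ClusterRoleBinding exists, binding the built-in cluster-admin ClusterRole to the kubeadm:cluster-admins Group (introduced by kubeadm in v1.29); it is a no-op for earlier versions.` Two smaller points: `semver.MustParse("1.29.0")` is re-parsed on every call and would conventionally be a package-level var, and if this is the blang semver type then GTE treats pre-releases such as 1.29.0-alpha as lower than 1.29.0, so pre-release 1.29 control planes would skip the binding — worth confirming that is intended. SuperAdminKubeConfigFileName is added in the first hunk but not referenced by any hunk in this commit, so it appears unused until a follow-up.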
