Merge pull request #106883 from calvin0327/move-well-know-systemConstant
kubeadm: move well-known system constants to constants.go
		| @@ -26,6 +26,7 @@ import ( | ||||
|  | ||||
| 	bootstraptokenv1 "k8s.io/kubernetes/cmd/kubeadm/app/apis/bootstraptoken/v1" | ||||
| 	"k8s.io/kubernetes/cmd/kubeadm/app/apis/output" | ||||
| 	"k8s.io/kubernetes/cmd/kubeadm/app/constants" | ||||
| ) | ||||
|  | ||||
| // Funcs returns the fuzzer functions for the kubeadm apis. | ||||
| @@ -42,5 +43,5 @@ func fuzzBootstrapToken(obj *output.BootstrapToken, c fuzz.Continue) { | ||||
| 	obj.Description = "" | ||||
| 	obj.TTL = &metav1.Duration{Duration: time.Hour * 24} | ||||
| 	obj.Usages = []string{"authentication", "signing"} | ||||
| 	obj.Groups = []string{"system:bootstrappers:kubeadm:default-node-token"} | ||||
| 	obj.Groups = []string{constants.NodeBootstrapTokenAuthGroup} | ||||
| } | ||||
|   | ||||
| @@ -160,24 +160,52 @@ const ( | ||||
| 	// SchedulerKubeConfigFileName defines the file name for the scheduler's kubeconfig file | ||||
| 	SchedulerKubeConfigFileName = "scheduler.conf" | ||||
|  | ||||
| 	// Some well-known users and groups in the core Kubernetes authorization system | ||||
| 	// Some well-known users, groups, roles and clusterrolebindings in the core Kubernetes authorization system | ||||
|  | ||||
| 	// ControllerManagerUser defines the well-known user the controller-manager should be authenticated as | ||||
| 	ControllerManagerUser = "system:kube-controller-manager" | ||||
| 	// SchedulerUser defines the well-known user the scheduler should be authenticated as | ||||
| 	SchedulerUser = "system:kube-scheduler" | ||||
| 	// NodesUserPrefix defines the user name prefix as requested by the Node authorizer. | ||||
| 	NodesUserPrefix = "system:node:" | ||||
| 	// SystemPrivilegedGroup defines the well-known group for the apiservers. This group is also superuser by default | ||||
| 	// (i.e. bound to the cluster-admin ClusterRole) | ||||
| 	SystemPrivilegedGroup = "system:masters" | ||||
| 	// NodesGroup defines the well-known group for all nodes. | ||||
| 	NodesGroup = "system:nodes" | ||||
| 	// NodesUserPrefix defines the user name prefix as requested by the Node authorizer. | ||||
| 	NodesUserPrefix = "system:node:" | ||||
| 	// NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in | ||||
| 	NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token" | ||||
| 	// KubeProxyClusterRoleName sets the name for the kube-proxy ClusterRole | ||||
| 	KubeProxyClusterRoleName = "system:node-proxier" | ||||
| 	// NodeBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR | ||||
| 	NodeBootstrapperClusterRoleName = "system:node-bootstrapper" | ||||
| 	// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR | ||||
| 	// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup | ||||
| 	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient" | ||||
| 	// NodeSelfCSRAutoApprovalClusterRoleName is a role defined in default 1.8 RBAC policies for automatic CSR approvals for automatically rotated node certificates | ||||
| 	NodeSelfCSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient" | ||||
| 	// NodesClusterRoleBinding defines the well-known ClusterRoleBinding which binds the too permissive system:node | ||||
| 	// ClusterRole to the system:nodes group. Since kubeadm is using the Node Authorizer, this ClusterRoleBinding's | ||||
| 	// system:nodes group subject is removed if present. | ||||
| 	NodesClusterRoleBinding = "system:node" | ||||
|  | ||||
| 	// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap. | ||||
| 	// TODO: Remove once UnversionedKubeletConfigMap graduates to GA: | ||||
| 	// https://github.com/kubernetes/kubeadm/issues/1582 | ||||
| 	KubeletBaseConfigMapRolePrefix = "kubeadm:kubelet-config-" | ||||
| 	// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap. | ||||
| 	KubeletBaseConfigMapRole = "kubeadm:kubelet-config" | ||||
| 	// KubeProxyClusterRoleBindingName sets the name for the kube-proxy CluterRoleBinding | ||||
| 	KubeProxyClusterRoleBindingName = "kubeadm:node-proxier" | ||||
| 	// NodeKubeletBootstrap defines the name of the ClusterRoleBinding that lets kubelets post CSRs | ||||
| 	NodeKubeletBootstrap = "kubeadm:kubelet-bootstrap" | ||||
| 	// GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes | ||||
| 	GetNodesClusterRoleName = "kubeadm:get-nodes" | ||||
| 	// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs | ||||
| 	NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap" | ||||
| 	// NodeAutoApproveCertificateRotationClusterRoleBinding defines name of the ClusterRoleBinding that makes the csrapprover approve node auto rotated CSRs | ||||
| 	NodeAutoApproveCertificateRotationClusterRoleBinding = "kubeadm:node-autoapprove-certificate-rotation" | ||||
|  | ||||
| 	// APICallRetryInterval defines how long kubeadm should wait before retrying a failed API operation | ||||
| 	APICallRetryInterval = 500 * time.Millisecond | ||||
| 	// DiscoveryRetryInterval specifies how long kubeadm should wait before retrying to connect to the control-plane when doing discovery | ||||
| @@ -269,14 +297,6 @@ const ( | ||||
| 	// KubeletBaseConfigurationConfigMapKey specifies in what ConfigMap key the initial remote configuration of kubelet should be stored | ||||
| 	KubeletBaseConfigurationConfigMapKey = "kubelet" | ||||
|  | ||||
| 	// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap. | ||||
| 	// TODO: Remove once UnversionedKubeletConfigMap graduates to GA: | ||||
| 	// https://github.com/kubernetes/kubeadm/issues/1582 | ||||
| 	KubeletBaseConfigMapRolePrefix = "kubeadm:kubelet-config-" | ||||
|  | ||||
| 	// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap. | ||||
| 	KubeletBaseConfigMapRole = "kubeadm:kubelet-config" | ||||
|  | ||||
| 	// KubeletRunDirectory specifies the directory where the kubelet runtime information is stored. | ||||
| 	KubeletRunDirectory = "/var/lib/kubelet" | ||||
|  | ||||
| @@ -323,9 +343,6 @@ const ( | ||||
| 	// KubeConfigVolumeName specifies the name for the Volume that is used for injecting the kubeconfig to talk securely to the api server for a control plane component if applicable | ||||
| 	KubeConfigVolumeName = "kubeconfig" | ||||
|  | ||||
| 	// NodeBootstrapTokenAuthGroup specifies which group a Node Bootstrap Token should be authenticated in | ||||
| 	NodeBootstrapTokenAuthGroup = "system:bootstrappers:kubeadm:default-node-token" | ||||
|  | ||||
| 	// DefaultCIImageRepository points to image registry where CI uploads images from ci build job | ||||
| 	DefaultCIImageRepository = "gcr.io/k8s-staging-ci-images" | ||||
|  | ||||
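Review bot: The doc comment carried into the new block for `KubeletBaseConfigMapRole` still names the neighbouring identifier — it reads `// KubeletBaseConfigMapRolePrefix defines the base kubelet configuration ConfigMap.` for the second time; it should be something like `// KubeletBaseConfigMapRole defines the base kubelet configuration ConfigMap role name.`, and the line above `KubeProxyClusterRoleBindingName` has the pre-existing typo `CluterRoleBinding` that this move is a good moment to fix. The removed TODOs in the proxy and node files recorded that the `system:`-prefixed ClusterRole names are not kubeadm's to define (the block's own comment on `CSRAutoApprovalClusterRoleName` says the API server creates it on startup), and the move drops that information entirely. Consider splitting the group with a comment such as `// Names below are defined by the API server's default RBAC policy; kubeadm only references them.` before the `system:` entries and `// Names below are kubeadm-owned objects that kubeadm itself creates.` before the `kubeadm:` entries, so a reader auditing who creates each RBAC object can tell the two sets apart. The enclosing `const (` block starts and ends outside this hunk.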
|   | ||||
| @@ -39,13 +39,6 @@ import ( | ||||
| ) | ||||
|  | ||||
| const ( | ||||
| 	// KubeProxyClusterRoleName sets the name for the kube-proxy ClusterRole | ||||
| 	// TODO: This k8s-generic, well-known constant should be fetchable from another source, not be in this package | ||||
| 	KubeProxyClusterRoleName = "system:node-proxier" | ||||
|  | ||||
| 	// KubeProxyClusterRoleBindingName sets the name for the kube-proxy CluterRoleBinding | ||||
| 	KubeProxyClusterRoleBindingName = "kubeadm:node-proxier" | ||||
|  | ||||
| 	// KubeProxyServiceAccountName describes the name of the ServiceAccount for the kube-proxy addon | ||||
| 	KubeProxyServiceAccountName = "kube-proxy" | ||||
|  | ||||
| @@ -163,12 +156,12 @@ func createKubeProxyAddon(cfg *kubeadmapi.ClusterConfiguration, client clientset | ||||
| func createClusterRoleBindings(client clientset.Interface) error { | ||||
| 	if err := apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{ | ||||
| 		ObjectMeta: metav1.ObjectMeta{ | ||||
| 			Name: KubeProxyClusterRoleBindingName, | ||||
| 			Name: constants.KubeProxyClusterRoleBindingName, | ||||
| 		}, | ||||
| 		RoleRef: rbac.RoleRef{ | ||||
| 			APIGroup: rbac.GroupName, | ||||
| 			Kind:     "ClusterRole", | ||||
| 			Name:     KubeProxyClusterRoleName, | ||||
| 			Name:     constants.KubeProxyClusterRoleName, | ||||
| 		}, | ||||
| 		Subjects: []rbac.Subject{ | ||||
| 			{ | ||||
|   | ||||
| @@ -27,39 +27,18 @@ import ( | ||||
| 	"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient" | ||||
| ) | ||||
|  | ||||
| const ( | ||||
| 	// NodeBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR | ||||
| 	// TODO: This value should be defined in an other, generic authz package instead of here | ||||
| 	NodeBootstrapperClusterRoleName = "system:node-bootstrapper" | ||||
| 	// NodeKubeletBootstrap defines the name of the ClusterRoleBinding that lets kubelets post CSRs | ||||
| 	NodeKubeletBootstrap = "kubeadm:kubelet-bootstrap" | ||||
| 	// GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes | ||||
| 	GetNodesClusterRoleName = "kubeadm:get-nodes" | ||||
|  | ||||
| 	// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR | ||||
| 	// TODO: This value should be defined in an other, generic authz package instead of here | ||||
| 	// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup | ||||
| 	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient" | ||||
| 	// NodeSelfCSRAutoApprovalClusterRoleName is a role defined in default 1.8 RBAC policies for automatic CSR approvals for automatically rotated node certificates | ||||
| 	NodeSelfCSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient" | ||||
| 	// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs | ||||
| 	NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap" | ||||
| 	// NodeAutoApproveCertificateRotationClusterRoleBinding defines name of the ClusterRoleBinding that makes the csrapprover approve node auto rotated CSRs | ||||
| 	NodeAutoApproveCertificateRotationClusterRoleBinding = "kubeadm:node-autoapprove-certificate-rotation" | ||||
| ) | ||||
|  | ||||
| // AllowBootstrapTokensToPostCSRs creates RBAC rules in a way the makes Node Bootstrap Tokens able to post CSRs | ||||
| func AllowBootstrapTokensToPostCSRs(client clientset.Interface) error { | ||||
| 	fmt.Println("[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials") | ||||
|  | ||||
| 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{ | ||||
| 		ObjectMeta: metav1.ObjectMeta{ | ||||
| 			Name: NodeKubeletBootstrap, | ||||
| 			Name: constants.NodeKubeletBootstrap, | ||||
| 		}, | ||||
| 		RoleRef: rbac.RoleRef{ | ||||
| 			APIGroup: rbac.GroupName, | ||||
| 			Kind:     "ClusterRole", | ||||
| 			Name:     NodeBootstrapperClusterRoleName, | ||||
| 			Name:     constants.NodeBootstrapperClusterRoleName, | ||||
| 		}, | ||||
| 		Subjects: []rbac.Subject{ | ||||
| 			{ | ||||
| @@ -76,7 +55,7 @@ func AllowBoostrapTokensToGetNodes(client clientset.Interface) error { | ||||
|  | ||||
| 	if err := apiclient.CreateOrUpdateClusterRole(client, &rbac.ClusterRole{ | ||||
| 		ObjectMeta: metav1.ObjectMeta{ | ||||
| 			Name:      GetNodesClusterRoleName, | ||||
| 			Name:      constants.GetNodesClusterRoleName, | ||||
| 			Namespace: metav1.NamespaceSystem, | ||||
| 		}, | ||||
| 		Rules: []rbac.PolicyRule{ | ||||
| @@ -92,13 +71,13 @@ func AllowBoostrapTokensToGetNodes(client clientset.Interface) error { | ||||
|  | ||||
| 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{ | ||||
| 		ObjectMeta: metav1.ObjectMeta{ | ||||
| 			Name:      GetNodesClusterRoleName, | ||||
| 			Name:      constants.GetNodesClusterRoleName, | ||||
| 			Namespace: metav1.NamespaceSystem, | ||||
| 		}, | ||||
| 		RoleRef: rbac.RoleRef{ | ||||
| 			APIGroup: rbac.GroupName, | ||||
| 			Kind:     "ClusterRole", | ||||
| 			Name:     GetNodesClusterRoleName, | ||||
| 			Name:     constants.GetNodesClusterRoleName, | ||||
| 		}, | ||||
| 		Subjects: []rbac.Subject{ | ||||
| 			{ | ||||
| @@ -116,12 +95,12 @@ func AutoApproveNodeBootstrapTokens(client clientset.Interface) error { | ||||
| 	// Always create this kubeadm-specific binding though | ||||
| 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{ | ||||
| 		ObjectMeta: metav1.ObjectMeta{ | ||||
| 			Name: NodeAutoApproveBootstrapClusterRoleBinding, | ||||
| 			Name: constants.NodeAutoApproveBootstrapClusterRoleBinding, | ||||
| 		}, | ||||
| 		RoleRef: rbac.RoleRef{ | ||||
| 			APIGroup: rbac.GroupName, | ||||
| 			Kind:     "ClusterRole", | ||||
| 			Name:     CSRAutoApprovalClusterRoleName, | ||||
| 			Name:     constants.CSRAutoApprovalClusterRoleName, | ||||
| 		}, | ||||
| 		Subjects: []rbac.Subject{ | ||||
| 			{ | ||||
| @@ -138,12 +117,12 @@ func AutoApproveNodeCertificateRotation(client clientset.Interface) error { | ||||
|  | ||||
| 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{ | ||||
| 		ObjectMeta: metav1.ObjectMeta{ | ||||
| 			Name: NodeAutoApproveCertificateRotationClusterRoleBinding, | ||||
| 			Name: constants.NodeAutoApproveCertificateRotationClusterRoleBinding, | ||||
| 		}, | ||||
| 		RoleRef: rbac.RoleRef{ | ||||
| 			APIGroup: rbac.GroupName, | ||||
| 			Kind:     "ClusterRole", | ||||
| 			Name:     NodeSelfCSRAutoApprovalClusterRoleName, | ||||
| 			Name:     constants.NodeSelfCSRAutoApprovalClusterRoleName, | ||||
| 		}, | ||||
| 		Subjects: []rbac.Subject{ | ||||
| 			{ | ||||
|   | ||||