1) Do not fail in case a bind address cannot be obtained
If netutil.ChooseBindAddress() fails looking up IP route tables
it will fail with an error in which case the kubeadm config
code will hard stop.
This scenario is possible if the Linux user intentionally disables
the WiFi from the distribution settings. In such a case the distro
could empty files such files as /proc/net/route and ChooseBindAddress()
will return an error.
For improved offline support, don't error on such scenarios but instead
show a warning. This is done by using the NoRoutesError type.
Also default the address to 0.0.0.0.
While doing that, prevent some commands like `init`, `join` and also
phases like `controlplane` and `certs` from using such an invalid
address.
Add unit tests for the new function for address verification.
2) Fallback to local client version
If there is no internet, label versions fail and this breaks
air-gapped setups unless the users pass an explicit version.
To work around that:
- Remain using 'release/stable-x.xx' as the default version.
- On timeout or any error different from status 404 return error
- On status 404 fallback to using the version of the client via
kubeadmVersion()
Add unit tests for kubeadmVersion().
Co-authored-by: Alexander Kanevskiy <alexander.kanevskiy@intel.com>
Automatic merge from submit-queue (batch tested with PRs 66793, 67405, 67068, 67501, 67484). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Remove images from the context of kubeletFailTempl
**What this PR does / why we need it**:
Since #66658 kubeletFailTempl no longer contains any images, thus we don't need to fill them
in its context.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
None
**Special notes for your reviewer**:
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/area kubeadm
/kind cleanup
/assign @timothysc
/assign @fabriziopandini
**Release note**:
```release-note
NONE
```
kubeletFailTempl no longer contains any images, thus we don't need to fill them
in its context.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
GetCoreImage is a too generic function, that takes too many arguments. This
makes it prone to errors that may be difficult to trace. The solution is to
split it into the following couple of functions with a more targeted interface:
- GetKubeControlPlaneImage used to fetch Kubernetes control plane images or the
unified control plane image (if one is specified).
- GetEtcdImage is used to fetch the etcd image.
In addition to these, a couple of new utility functions are also created:
- GetKubeControlPlaneImageNoOverride used like GetKubeControlPlaneImage but
does not return the unified control plane image (even if it is set).
- GetGenericArchImage returns image path in the form of "prefix/image-goarch:tag"
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
Automatic merge from submit-queue (batch tested with PRs 63717, 64646, 64792, 64784, 64800). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Upload CRISocket information in kubeadm init/join
**What this PR does / why we need it**:
As a side-effect, `kubeadm join` will become blocking on the kubelet doing the TLS bootstrap. This partially also fixes problems when users run `kubeadm join` and it returns successfully without anything happening as the kubelet is actually unhealthy. If that happens now `kubeadm join` will exit with a non-zero code.
What this PR does is it uploads the CRISocket information to the Node API object as a workaround until we have something like https://github.com/kubernetes/kubernetes/issues/64460 in place that will solve this problem for real. This way we won't lose the CRISocket information which we would otherwise do.
This can be used for `kubeadm upgrade` or `kubeadm reset` in future releases.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
Depends on https://github.com/kubernetes/kubernetes/pull/64624
**Release note**:
```release-note
[action required] TODO
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 63322, 64718, 64708, 64775, 64777). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix kubeadm for v1alpha1 configs
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR allows v1alpha1 configurations to still work when running `kubeadm init`.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#884
**Special notes for your reviewer**:
```release-note
NONE
```
This follows the pattern `kubectl` uses for logging.
There are two remaining glog.Infof call that cannot be removed easily.
One glog call comes from kubelet validation which calls features.SetFromMap.
The other comes from test/e2e during kernel validation.
Mostly fixeskubernetes/kubeadm#852
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
kubeadm now pulls container images before the init step if it cannot find them on the system
* This commit also cleans up a dependency cycle
Closes#825
Automatic merge from submit-queue (batch tested with PRs 63151, 63795, 63553, 64068, 64113). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Remove .AuthorizationModes in the v1alpha2 API
**What this PR does / why we need it**:
Now that we have https://github.com/kubernetes/kubernetes/pull/63879, we don't actually need to have `:AuthorizationModes` in our API anymore. This PR removes support for `.AuthorizationModes` in the v1alpha2 API, but keeps an upgrade path available (automatic conversion) from the v1alpha1 version.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of kubernetes/community#2131
**Special notes for your reviewer**:
Depends on:
- [x] https://github.com/kubernetes/kubernetes/pull/63879
- [x] https://github.com/kubernetes/kubernetes/pull/63917
**Release note**:
```release-note
[action required] kubeadm: Support for `.AuthorizationModes` in the kubeadm v1alpha2 API has been removed. Instead, you can use the `.APIServerExtraArgs` and `.APIServerExtraVolumes` fields to achieve the same effect. Files using the v1alpha1 API and setting this field will be automatically upgraded to this v1alpha2 API and the information will be preserved.
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @liztio
Automatic merge from submit-queue (batch tested with PRs 63272, 63782, 63715, 63811, 63803). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Stop installing kubeadm types in the generic, legacy scheme
**What this PR does / why we need it**:
Right now the kubeadm API types are (wrongly from a correctness perspective) installed in the "catch-all" and now legacy `pkg/api/legacyscheme`. Instead, we should use our own, kubeadm-specific `scheme` where our API types are registered. Doing this also cuts one dependency on the internal core API types.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of https://github.com/kubernetes/community/pull/2131
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @sttts @liztio
Automatic merge from submit-queue (batch tested with PRs 63735, 62807). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm-init: update note about failing containers
**What this PR does / why we need it**:
This PR was merged before all requested changes
were applied:
kubernetes/pull/59731
Update the note about failing containers as requested here:
https://github.com/kubernetes/kubernetes/pull/59731#pullrequestreview-119517427
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
NONE
**Special notes for your reviewer**:
NONE
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 63049, 59731). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add instructions on how to debug a crashed pod
When I was using `kubeadm init`, I ran into an issue where I had passed an
invalid flag through the kubeadm config file. The flag was being passed into
apiserver and preventing it from launching with a "unknown flag" error.
The flag in question is (other flags elided for clarity):
```
admission-control: ...,GenericAdmissionWebhook,...
```
Since this prevented the apiserver from coming up, the setup timed out
and gave me the error message I just modified.
It would be better if the config was vetted more thoroughly, but I think
documenting the backup strategy for viewing logs in case of failure is
also valuable.
**What this PR does / why we need it**:
This PR extends an error message in kubeadm to make it clear a potential step forward for new cluster users.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes#59731
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: Demote controlplane passthrough flags to phases alpha
After a discussion in sig cluster lifecycle we agreed that the passthrough flags should live in phases alpha, and not be 1st class flags. They already exist in the alpha command, so just removing from here.
**What this PR does / why we need it**:
We introduced some flags as 1st class flags in #58080 and decided as a sig that the flags should only live in the `alpha` command. This PR removes the flags from the `init` command so they only exist in the `alpha` command
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
relates to kubernetes/kubernetes/pull/58080
fixes kubernetes/kubeadm/issues/676
**Special notes for your reviewer**:
This is a cosmetic change, and doesn't alter any functionality of the program, only the avenue in which a user access functionality in the program.
**Release note**:
```release-note
kubeadm: Demote controlplane passthrough flags to alpha flags
```
Automatic merge from submit-queue (batch tested with PRs 60148, 60022, 59125, 60068, 60154). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Refactor kubeadm join command generation
**What this PR does / why we need it**:
Creation of the `kubeadm join` command is implemented in three different points of kubeadm:
- `kubeadm init`
- `kubeadm token create`
- `kubeadm phase bootstrap-token create`
This PR refactor above points in order to share a common function for creating the `kubeadm join` command.
**Which issue(s) this PR fixes**:
Fixes [#567](https://github.com/kubernetes/kubeadm/issues/567)
**Special notes for your reviewer**:
While implementing the PR, I changed the order of parameters in `kubeadm join` from:
```
kubeadm join --token 8df4zm.5jyv2nrxb18y84jq 172.31.0.101:6443 --discovery-token-ca-cert-hash sha256:b62e1f70c1c6afebe36bc971b15b90f7e453f1c0fe2ddc4d92e07512f1143194
```
to
```
kubeadm join 172.31.0.101:6443 --token 8df4zm.5jyv2nrxb18y84jq --discovery-token-ca-cert-hash sha256:b62e1f70c1c6afebe36bc971b15b90f7e453f1c0fe2ddc4d92e07512f1143194
```
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add criSocket to kubeadm MasterConfiguration manifest
**What this PR does / why we need it**:
Adds a criSocket field to the MasterConfiguration manifest used by kubeadm. This field configures the cri socket that kubeadm uses during preflight checks.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes # kubernetes/kubeadm#679
**Special notes for your reviewer**:
kubeadm does not allow the use of --config and the --cri-socket flag together. When using kubeadm to create a cluster that will not be using docker, the preflight checks fail since this is not configurable. This PR adds the criSocket to the MasterConfiguration manifest and uses that value within the MasterConfiguration if it was provided.
Storing the value of the criSocket within the MasterConfiguration manifest will also make joining additional masters with the proposed 'kubeadm join --master' command by not requiring operators to remember to include an additional flag. This may not be the case if we instead relaxed the constraint of using additional flags when using the --config flag is set.
**Release note**:
/area kubeadm
/assign @luxas
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
```release-note
kubeadm: add criSocket field to MasterConfiguration manifiest
```
After a discussion in sig cluster lifecycle we agreed that the passthrough flags should live in phases alpha, and not be 1st class flags.
Relates to kubernetes/kubernetes/pull/58080
Closes kubernetes/kubeadm/issues/676
Automatic merge from submit-queue (batch tested with PRs 59767, 56454, 59237, 59730, 55479). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm: add configuration option to not taint master
**What this PR does / why we need it**:
Although tainting the master is normally a good and proper thing to do in some situations (docker for mac in our case, but I suppose minikube and such as well) having a single host configuration is desirable.
In linuxkit we have a [workaround](443e47c408/projects/kubernetes/kubernetes/kubeadm-init.sh (L19...L22)) to remove the taint after initialisation. With the change here we could simply populate `/etc/kubeadm/kubeadm.yaml` with `noTaintMaster: true` instead and have it never be tainted in the first place.
I have only added this to the config file and not to the CLI since AIUI the latter is somewhat deprecated.
The code also arranges to _remove_ an existing taint if it is unwanted. I'm unsure if this behaviour is correct or desirable, I think a reasonable argument could be made for leaving an existing taint in place too.
Signed-off-by: Ian Campbell <ijc@docker.com>
**Release note**:
Since the requirement for this option is rather niche and not best practice in the majority of cases I'm not sure if it warrants mentioning in the release notes? If it were then perhaps
```release-note
`kubeadm init` can now omit the tainting of the master node if configured to do so in `kubeadm.yaml`.
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Feature Gate - Kubeadm Audit Logging
Fixeskubernetes/kubeadm#623
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
**What this PR does / why we need it**:
This PR enables [Auditing](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) behind a featureGate. A user can supply their own audit policy with configuration option as well as a place for the audit logs to live. If no policy is supplied a default policy will be provided. The default policy will log all Metadata level policy logs. It is the example provided in the documentation.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixeskubernetes/kubeadm#623
**Special notes for your reviewer**:
**Release note**:
```release-note
kubeadm: Enable auditing behind a feature gate.
```
Although tainting the master is normally a good and proper thing to do in some
situations (docker for mac in our case, but I suppose minikube and such as
well) having a single host configuration is desirable.
In linuxkit we have a [workaround](443e47c408/projects/kubernetes/kubernetes/kubeadm-init.sh (L19...L22))
to remove the taint after initialisation. With the change here we could simply
populate /etc/kubeadm/kubeadm.yaml` with `noTaintMaster: true` instead and have
it never be tainted in the first place.
I have only added this to the config file and not to the CLI since AIUI the
latter is somewhat deprecated.
The code also arranges to _remove_ an existing taint if it is unwanted. I'm
unsure if this behaviour is correct or desirable, I think a reasonable argument
could be made for leaving an existing taint in place too.
Signed-off-by: Ian Campbell <ijc@docker.com>
When I was using `kubeadm init`, I ran into an issue where I had passed an
invalid flag through the kubeadm config file. The flag was being passed into
apiserver and preventing it from launching with a "unknown flag" error.
The flag in question is (other flags elided for clarity):
```
admission-control: ...,GenericAdmissionWebhook,...
```
Since this prevented the apiserver from coming up, the setup timed out
and gave me the error message I just modified.
It would be better if the config was vetted more thoroughly, but I think
documenting the backup strategy for viewing logs in case of failure is
also valuable.
Audit logs are configurable via the MasterConfiguration file.
All options are ignored unless the FeatureGate is enabled.
Fixeskubernetes/kubeadm#623
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
This makes it possible to override / add flag values to the k8s api server, controller manager and scheduler components on `kubeadm init` and `kubeadm alpha controlplane <component>`
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
With new flag `--ignore-checks-errors` user is able to
decrease severity of each individual check to warning.
Old flag `--skip-preflight-checks` now acts as
`--ignore-checks-errors=all` and will produce warnings.
Fixes: kubernetes/kubeadm#480
Automatic merge from submit-queue (batch tested with PRs 55648, 55274, 54982, 51955, 55639). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kubeadm:Clean up no longer used k8sVersion param
**What this PR does / why we need it**:
cleanup for kubeadm.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
**Special notes for your reviewer**:
/cc @luxas
**Release note**:
```release-note
NONE
```
~~`kubeadm join` now requires the `--discovery-token-ca-cert-hash` argument to be set, or the `--discovery-token-unsafe-skip-ca-verification` flag to be set for opting out of the CA pinning feature.~~
This patch contains wording, punctuation and capitalization fixes
for stdout messages in most kubeadm 'cmd' files.
Also includes changes in '/phases' and '/upgrade' for
consistency.
Signed-off-by: Lubomir I. Ivanov <lubomirivanov@vmware.com>
Automatic merge from submit-queue (batch tested with PRs 54644, 53072). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix kubeadm swallowed errors
**What this PR does / why we need it**: Fixes nine swallowed errors in kubeadm, and adds descriptive error returns to Init.Run().
**Special notes for your reviewer**: I've resubmitted this PR after it required a rebase. Previously, I submitted this PR as https://github.com/kubernetes/kubernetes/pull/52591
```release-note NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix broken url
**What this PR does / why we need it**:
I install kubernetes with kubeadm. after kubeadm init, need to install podnetwork with addons. but the output of 'kubeadm init' is to broken url. fix it is available.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```
NONE
```
completion.go:
- use single space instead of double space after full stop
config.go:
- add full stop after output messages
- bring a WARNING into a new sentence
init.go:
- add full stop after output messages
- change 'couldn't' to 'could not'
- capitalize 'Kubernetes'
- reformat a sentence near '[externalca]'
join.go:
- add full stop after output messages
reset.go:
- add full stop after output messages
- capitalize 'Docker'
reset_test.go:
- use semi-colon near 'file/dir'
- change 'dir' to 'directory'
- change 'temp' to 'temporary'
token.go:
- break sentence into two
version.go:
- capitalize output string
- single-quote the list of output options
- fix typo in comment near RunVersion()
Signed-off-by: Lubomir I. Ivanov <lubomirivanov@vmware.com>
As of 1.8.0 kubelet in kubeadm configuration ships with enabled feature
of node certificate autorotation, it makes sense to enable automatic
certificate rotation csr signing. It will help to avoid issues like
described in #53231 and #53237.
It was planned for 1.9 cleanup to remove that warning, as change was
done few release cycles ago and users should be already aware of it.
Closes: kubernetes/kubeadm#346
Automatic merge from submit-queue
kubeadm: add `kubeadm phase addons` command
**What this PR does / why we need it**:
Adds the `addons` phase command to `kubeadm`
fixes: https://github.com/kubernetes/kubeadm/issues/418
/cc @luxas
Automatic merge from submit-queue (batch tested with PRs 51682, 51546, 51369, 50924, 51827)
kubeadm: Detect kubelet readiness and error out if the kubelet is unhealthy
**What this PR does / why we need it**:
In order to improve the UX when the kubelet is unhealthy or stopped, or whatever, kubeadm now polls the kubelet's API after 40 and 60 seconds, and then performs an exponential backoff for a total of 155 seconds.
If the kubelet endpoint is not returning `ok` by then, kubeadm gives up and exits.
This will miligate at least 60% of our "[apiclient] Created API client, waiting for control plane to come up" issues in the kubeadm issue tracker 🎉, as kubeadm now informs the user what's wrong and also doesn't deadlock like before.
Demo:
```
lucas@THEGOPHER:~/luxas/kubernetes$ sudo ./kubeadm init --skip-preflight-checks
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.4
[init] Using Authorization modes: [Node RBAC]
[preflight] Skipping pre-flight checks
[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --token-ttl 0)
[certificates] Generated ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [thegopher kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.1.115]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated sa key and public key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests"
[init] This often takes around a minute; or longer if the control plane images have to be pulled.
[apiclient] All control plane components are healthy after 40.502199 seconds
[markmaster] Will mark node thegopher as master by adding a label and a taint
[markmaster] Master thegopher tainted and labelled with key/value: node-role.kubernetes.io/master=""
[bootstraptoken] Using token: 5776d5.91e7ed14f9e274df
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run (as a regular user):
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
http://kubernetes.io/docs/admin/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join --token 5776d5.91e7ed14f9e274df 192.168.1.115:6443 --discovery-token-ca-cert-hash sha256:6f301ce8c3f5f6558090b2c3599d26d6fc94ffa3c3565ffac952f4f0c7a9b2a9
lucas@THEGOPHER:~/luxas/kubernetes$ sudo ./kubeadm reset
[preflight] Running pre-flight checks
[reset] Stopping the kubelet service
[reset] Unmounting mounted directories in "/var/lib/kubelet"
[reset] Removing kubernetes-managed containers
[reset] Deleting contents of stateful directories: [/var/lib/kubelet /etc/cni/net.d /var/lib/dockershim /var/run/kubernetes /var/lib/etcd]
[reset] Deleting contents of config directories: [/etc/kubernetes/manifests /etc/kubernetes/pki]
[reset] Deleting files: [/etc/kubernetes/admin.conf /etc/kubernetes/kubelet.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf]
lucas@THEGOPHER:~/luxas/kubernetes$ sudo systemctl stop kubelet
lucas@THEGOPHER:~/luxas/kubernetes$ sudo ./kubeadm init --skip-preflight-checks
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.4
[init] Using Authorization modes: [Node RBAC]
[preflight] Skipping pre-flight checks
[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --token-ttl 0)
[certificates] Generated ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [thegopher kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.1.115]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated sa key and public key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests"
[init] This often takes around a minute; or longer if the control plane images have to be pulled.
[kubelet-check] It seems like the kubelet isn't running or healthy.
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz' failed with error: Get http://localhost:10255/healthz: dial tcp 127.0.0.1:10255: getsockopt: connection refused.
[kubelet-check] It seems like the kubelet isn't running or healthy.
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz' failed with error: Get http://localhost:10255/healthz: dial tcp 127.0.0.1:10255: getsockopt: connection refused.
[kubelet-check] It seems like the kubelet isn't running or healthy.
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz' failed with error: Get http://localhost:10255/healthz: dial tcp 127.0.0.1:10255: getsockopt: connection refused.
[kubelet-check] It seems like the kubelet isn't running or healthy.
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz/syncloop' failed with error: Get http://localhost:10255/healthz/syncloop: dial tcp 127.0.0.1:10255: getsockopt: connection refused.
[kubelet-check] It seems like the kubelet isn't running or healthy.
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz/syncloop' failed with error: Get http://localhost:10255/healthz/syncloop: dial tcp 127.0.0.1:10255: getsockopt: connection refused.
[kubelet-check] It seems like the kubelet isn't running or healthy.
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz/syncloop' failed with error: Get http://localhost:10255/healthz/syncloop: dial tcp 127.0.0.1:10255: getsockopt: connection refused.
[kubelet-check] It seems like the kubelet isn't running or healthy.
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz' failed with error: Get http://localhost:10255/healthz: dial tcp 127.0.0.1:10255: getsockopt: connection refused.
[kubelet-check] It seems like the kubelet isn't running or healthy.
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz/syncloop' failed with error: Get http://localhost:10255/healthz/syncloop: dial tcp 127.0.0.1:10255: getsockopt: connection refused.
[kubelet-check] It seems like the kubelet isn't running or healthy.
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz' failed with error: Get http://localhost:10255/healthz: dial tcp 127.0.0.1:10255: getsockopt: connection refused.
Unfortunately, an error has occurred:
timed out waiting for the condition
This error is likely caused by that:
- The kubelet is not running
- The kubelet is unhealthy due to a misconfiguration of the node in some way (required cgroups disabled)
- There is no internet connection; so the kubelet can't pull the following control plane images:
- gcr.io/google_containers/kube-apiserver-amd64:v1.7.4
- gcr.io/google_containers/kube-controller-manager-amd64:v1.7.4
- gcr.io/google_containers/kube-scheduler-amd64:v1.7.4
You can troubleshoot this for example with the following commands if you're on a systemd-powered system:
- 'systemctl status kubelet'
- 'journalctl -xeu kubelet'
couldn't initialize a Kubernetes cluster
```
In this demo, I'm first starting kubeadm normally and everything works as usual.
In the second case, I'm explicitely stopping the kubelet so it doesn't run, and skipping preflight checks, so that kubeadm doesn't even try to exec `systemctl start kubelet` like it does usually.
That obviously results in a non-working system, but now kubeadm tells the user what's the problem instead of waiting forever.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
Fixes: https://github.com/kubernetes/kubeadm/issues/377
**Special notes for your reviewer**:
**Release note**:
```release-note
kubeadm: Detect kubelet readiness and error out if the kubelet is unhealthy
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @pipejakob
cc @justinsb @kris-nova @lukemarsden as well as you wanted this feature :)
We allow a kubeadm user to use an external CA by checking to see if ca.key is missing and skipping cert checks and kubeconfig generation if ca.key is missing.
Automatic merge from submit-queue (batch tested with PRs 49861, 50933, 51380, 50688, 51305)
Add configurable groups to bootstrap tokens.
**What this PR does / why we need it**:
This change adds support for authenticating bootstrap tokens into a configurable set of extra groups in addition to `system:bootstrappers`. Previously, bootstrap tokens could only ever authenticate to the `system:bootstrappers` group.
Groups are specified as a comma-separated list in the `auth-extra-groups` key of the `bootstrap.kubernetes.io/token` Secret, and must begin with the prefix `system:bootstrapper:` (and match a validation regex that checks against our normal convention). Whether or not any extra groups are configured, `system:bootstrappers` will still be added.
This also adds a `--groups` flag for `kubeadm token create`, which sets the `auth-extra-groups` key on the resulting Secret. The default is to not set the key.
`kubeadm token list` is also updated to include a `EXTRA GROUPS` output column.
**Which issue this PR fixes**: fixes#49306
**Special notes for your reviewer**:
The use case for this is in https://github.com/kubernetes/kubernetes/issues/49306. Comments on the feature itself are probably better over there. It will be part of how HA/self-hosting kubeadm bootstraps new master nodes (post 1.8).
**Release note**:
```release-note
Add support for configurable groups for bootstrap token authentication.
```
cc @luxas @kubernetes/sig-cluster-lifecycle-api-reviews @kubernetes/sig-auth-api-reviews
/kind feature
Automatic merge from submit-queue
kubeadm: Implement 'kubeadm config'
**What this PR does / why we need it**:
Implements a `kubeadm config` command for viewing the current kubeadm configuration stored as a ConfigMap in the cluster and creating that configuration for v1.7- users. kubeadm v1.8+ handles the creation of this ConfigMap at init time, but v1.7 users have to create it themselves with this command in order to be able to preserve the same config after the upgrade.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/406
**Special notes for your reviewer**:
**Release note**:
```release-note
Adds a new `kubeadm config` command that lets users tell `kubeadm upgrade` what kubeadm configuration to use and lets users view the current state.
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
Automatic merge from submit-queue (batch tested with PRs 51039, 50512, 50546, 50965, 50467)
kubeadm: Get kube-dns based on the kubernetes version
**What this PR does / why we need it**:
Makes the kube-dns version used dependent on the kubernetes version. This is required for upgrades as we have to be able to handle one kube-dns version per branch for instance...
Currently a no-op though, as both v1.7 and v1.8 seem to use 1.14.4
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Dependency for https://github.com/kubernetes/kubernetes/pull/48899 (kubeadm upgrades)
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews
@kubernetes/dns-maintainers FYI; next time you bump DNS version, please update this func instead of the constant there...
Automatic merge from submit-queue (batch tested with PRs 50967, 50505, 50706, 51033, 51028)
kubeadm: Tell the user when a static pod is created
**What this PR does / why we need it**:
Prints a line to notify the user of the static pod creation in order to be consistent with the other phases (one line per phase and optionally per component).
Now the phase command `controlplane all` and `etcd local` also actually outputs something.
Also renamed `[token]` to `[bootstraptoken]` to match the output below and `s/mode/modes/`
`kubeadm init` output now:
```console
$ ./kubeadm init
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.4
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks
[preflight] WARNING: docker service is not enabled, please run 'systemctl enable docker.service'
[preflight] Starting the kubelet service
[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --token-ttl 0)
[certificates] Generated ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [thegopher kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.1.115]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated sa key and public key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests"
[apiclient] All control plane components are healthy after 40.002026 seconds
[markmaster] Master thegopher tainted and labelled with key/value: node-role.kubernetes.io/master=""
[bootstraptoken] Using token: cfe65e.d196614967c3ffe3
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run (as a regular user):
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
http://kubernetes.io/docs/admin/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join --token cfe65e.d196614967c3ffe3 192.168.1.115:6443 --discovery-token-ca-cert-hash sha256:eb3461b9b707eafc214577f36ae8c351bbc4d595ab928fc84caf1325b69cb192
$ ./kubeadm alpha phase controlplane all
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
$ ./kubeadm alpha phase etcd local
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @fabriziopandini
Automatic merge from submit-queue (batch tested with PRs 47896, 50678, 50620, 50631, 51005)
kubeadm: Adds dry-run support for kubeadm using the `--dry-run` option
**What this PR does / why we need it**:
Adds dry-run support to kubeadm by creating a fake clientset that can get totally fake values (like in the init case), or delegate GETs/LISTs to a real API server but discard all edits like POST/PUT/PATCH/DELETE
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
fixes: https://github.com/kubernetes/kubeadm/issues/389
**Special notes for your reviewer**:
This PR depends on https://github.com/kubernetes/kubernetes/pull/50626, first three commits are from there
This PR is a dependency for https://github.com/kubernetes/kubernetes/pull/48899 (kubeadm upgrades)
I have some small things to fixup and I'll yet write unit tests, but PTAL if you think this is going in the right direction
**Release note**:
```release-note
kubeadm: Adds dry-run support for kubeadm using the `--dry-run` option
```
cc @kubernetes/sig-cluster-lifecycle-pr-reviews @kubernetes/sig-api-machinery-pr-reviews
Previously, kubeadm would use <ip>:<port> to construct a master
endpoint. This works fine for IPv4 addresses, but not for IPv6.
IPv6 requires the ip to be encased in brackets when being joined
to a port with a colon.
This patch updates kubeadm to support wrapping a v6 address with
[] to form the master endpoint url. Since this functionality is
needed in multiple areas, a dedicated util function was created.
Fixes: https://github.com/kubernetes/kubernetes/issues/48227
Automatic merge from submit-queue (batch tested with PRs 50626, 50683, 50679, 50684, 50460)
kubeadm: Centralize client create-or-update logic in one package
**What this PR does / why we need it**:
Moves all Create-or-Update logic into one package instead of duplicating that logic all around in the codebase.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
This PR depends on https://github.com/kubernetes/kubernetes/pull/50214.
Note that commit 2 is the only one that needs reviewing.
This PR is required for https://github.com/kubernetes/kubernetes/pull/48899 (kubeadm upgrade)
**Release note**:
```release-note
NONE
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @mattmoyer @fabriziopandini
Automatic merge from submit-queue
kubeadm: Implementing the controlplane phase
**What this PR does / why we need it:**
This contains implementation of controlplane phases in kubeadm, which is part of the wider effort of implementing phases in kubeadm, previously in alpha stage.
The original proposal for this activity can be found [here](https://github.com/kubernetes/kubeadm/pull/156/files) and related comments.
Kubeadm phase implementation checklist is defined [here](https://github.com/kubernetes/kubeadm/issues/267)
Common implementation guidelines and principles for all phases are defined [here](https://docs.google.com/document/d/1VQMyFIVMfRGQPP3oCUpfjiWtOr3pLxp4g7cP-hXQFXc/edit?usp=sharing)
This PR implements:
- [x] kubeadm phase controlplane: wip by @fabriziopandini
- [x] kubeadm phase controlplane all
- [x] kubeadm phase controlplane etcd
- [x] kubeadm phase controlplane apiserver
- [x] kubeadm phase controlplane scheduler
- [x] kubeadm phase controlplane controller-manager
**Which issue this PR fixes:**
https://github.com/kubernetes/kubeadm/issues/349
**Special notes for your reviewer:**
This PR implements the same approach of #49419, thus minimising rework/impacts on existing codebase.
This change adds the `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join` and corresponding fields on the kubeadm NodeConfiguration struct. These flags configure enhanced TLS validation for token-based discovery.
The enhanced TLS validation works by pinning the public key hashes of the cluster CA. This is done by connecting to the `cluster-info` endpoint initially using an unvalidated/unsafe TLS connection. After the cluster info has been loaded, parsed, and validated with the existing symmetric signature/MAC scheme, the root CA is validated against the pinned public key set. A second request is made using validated/safe TLS using the newly-known CA and the result is validated to make sure the same `cluster-info` was returned from both requests.
This validation prevents a class of attacks where a leaked bootstrap token (such as from a compromised worker node) allows an attacker to impersonate the API server.
This change also update `kubeadm init` to print the correct `--discovery-token-ca-cert-hash` flag in the example `kubeadm join` command it prints at the end of initialization.
Automatic merge from submit-queue (batch tested with PRs 48572, 48838, 48931, 48783, 47090)
kubeadm: add a warning about the default token TTL changing in 1.8
**What this PR does / why we need it**:
This adds a warning to `kubeadm init` and `kubeadm token create` if they are run without the `--token-ttl` / `--ttl` flags. In 1.7 and before, the tokens generated by these commands defaulted to an infinite TTL (no expiration) in 1.8, they will generate a token with a 24 hour TTL.
The actual default change is in https://github.com/kubernetes/kubernetes/pull/48783. This change is separate so we can cherry pick the warning into the `release-1.7` branch.
**Which issue this PR fixes**: ref https://github.com/kubernetes/kubeadm/issues/343
**Special notes for your reviewer**:
This change is blocked on https://github.com/kubernetes/kubeadm/issues/343. These warnings should probably be removed in the 1.9 cycle.
**Release note**:
```release-note
Add a runtime warning about the kubeadm default token TTL changes in 1.8.
```
/assign @luxas
This adds a warning to `kubeadm init` and `kubeadm token create` if they are run without the `--token-ttl` / `--ttl` flags. In 1.7 and before, the tokens generated by these commands defaulted to an infinite TTL (no expiration) in 1.8, they will generate a token with a 24 hour TTL.
The actual default change is in https://github.com/kubernetes/kubernetes/pull/48783. This change is separate so we can cherry pick the warning into the release-1.7 branch.
This code was changed in ea196490a0 to validate that `--config` wasn't passed along with other flags. Unfortunately, the implementation was checking `PersistentFlags()`, which was not parsed at the point it was being validated. The result was that `--config` was _always_ rejected, not just when it was specified alongside other flags.
The fix is to use `Flags()` instead, which contains the expected data.
Allow to specify a node-name instead of relaying in `os.Hostname()`
This is useful where kubelet use the name given by the cloud-provider to
register the node.
Partially fix: kubernetes/kubeadm#64
Automatic merge from submit-queue
kubeadm: If `--config` is set, don't allow any other option as it won't have effect
If use config in kubeadm init, cann't get other values from other arguments.
`kubeadm init --config=../kubeadm.config --token 447ad3.96cda76e3206fca0 --apiserver-bind-port 6445`
So I think we need to allow get values from command and is prior than cofig file.
Automatic merge from submit-queue
kubeadm: Enable the Node Authorizer/Admission plugin in v1.7
**What this PR does / why we need it**:
This is similar to https://github.com/kubernetes/kubernetes/pull/46796, but for kubeadm.
Basically it was a part of https://github.com/kubernetes/kubernetes/pull/46796, but there were some other upgradability and compability concerns for kubeadm I took care of while working today.
Example:
```console
$ kubeadm init --kubernetes-version v1.7.0-beta.0
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.0-beta.0
[init] Using Authorization mode: [RBAC Node]
...
$ sudo kubectl --kubeconfig=/etc/kubernetes/kubelet.conf get secret foo
Error from server (Forbidden): User "system:node:thegopher" cannot get secrets in the namespace "default".: "no path found to object" (get secrets foo)
$ echo '{"apiVersion":"v1","kind":"Node","metadata":{"name":"foo"}}' | sudo kubectl create -f - --kubeconfig=/etc/kubernetes/kubelet.conf
Error from server (Forbidden): error when creating "STDIN": nodes "foo" is forbidden: node thegopher cannot modify node foo
```
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
Depends on https://github.com/kubernetes/kubernetes/pull/46864 (uses that PR as a base, will rebase once it's merged)
Please only review the second commit. Will also fix tests in a minute.
**Release note**:
```release-note
kubeadm: Enable the Node Authorizer/Admission plugin in v1.7
```
@mikedanese @liggitt @pipejakob @roberthbailey @jbeda @timothysc
