b117a928a6
If a Node name in the cluster is already taken and this Node is Ready, prevent TLS bootsrap on "kubeadm join" and exit early. This change requires that a new ClusterRole is granted to the "system:bootstrappers:kubeadm:default-node-token" group to be able get Nodes in the cluster. The same group already has access to obtain objects such as the KubeletConfiguration and kubeadm's ClusterConfiguration. The motivation of this change is to prevent undefined behavior and the potential control-plane breakdown if such a cluster is racing to have two nodes with the same name for long periods of time. The following values are validated in the following precedence from lower to higher: - actual hostname - NodeRegistration.Name (or "--node-name") from JoinConfiguration - "--hostname-override" passed via kubeletExtraArgs If the user decides to not let kubeadm know about a custom node name and to instead override the hostname from a kubelet systemd unit file, kubeadm will not be able to detect the problem. |
||
|---|---|---|
| .. | ||
| addons | ||
| bootstraptoken | ||
| certs | ||
| controlplane | ||
| copycerts | ||
| etcd | ||
| kubeconfig | ||
| kubelet | ||
| markcontrolplane | ||
| patchnode | ||
| selfhosting | ||
| upgrade | ||
| uploadconfig | ||