
Make it possible to authenticate a Bootstrap Token in different groups #49306

Closed
luxas opened this issue Jul 20, 2017 · 3 comments · Fixed by #50933
Labels: kind/feature (new feature), sig/auth, sig/cluster-lifecycle

luxas (Member) commented Jul 20, 2017

Is this a BUG REPORT or FEATURE REQUEST?:

/kind feature

It should be possible to set auth-groups or a similar key on a Bootstrap Token Secret to get the BootstrapTokenAuthenticator to add those group(s) when authenticating.
This has many benefits, but primarily that it's possible to give different Bootstrap Tokens different identities.

For example, you may want to have one Bootstrap Token only for adding normal nodes to the cluster, but have some Bootstrap Tokens to be able to add masters to the cluster, etc.

This mechanism will also imply that the "default" BT (where auth-groups isn't set) has no specific privileges in the cluster. The sysadmin must explicitly assign the BT some groups in order to give it privileges.

auth-groups takes a comma-separated list of groups to use for authentication. The group must have the system:bootstrappers: prefix so that it is easily distinguishable from other groups. (And to avoid having someone assigning its bootstrap token system:masters for instance)

This is part of getting Bootstrap Tokens to beta in v1.8

@kubernetes/sig-auth-feature-requests @kubernetes/sig-cluster-lifecycle-feature-requests

k8s-ci-robot added the kind/feature, sig/auth and sig/cluster-lifecycle labels Jul 20, 2017
@luxas luxas added this to the v1.8 milestone Jul 20, 2017
luxas (Member, Author) commented Jul 20, 2017

@mattmoyer will take ownership over implementing this 🎉

ericchiang (Contributor) commented:

/assign @mattmoyer

mattmoyer (Contributor) commented:

cc @mikedanese I think the spirit of this feature overlaps a bit with the CSR verification improvements you mentioned today.

k8s-github-robot pushed a commit that referenced this issue Aug 28, 2017
Automatic merge from submit-queue (batch tested with PRs 49861, 50933, 51380, 50688, 51305)

Add configurable groups to bootstrap tokens.

**What this PR does / why we need it**:
This change adds support for authenticating bootstrap tokens into a configurable set of extra groups in addition to `system:bootstrappers`. Previously, bootstrap tokens could only ever authenticate to the `system:bootstrappers` group.

Groups are specified as a comma-separated list in the `auth-extra-groups` key of the `bootstrap.kubernetes.io/token` Secret, and must begin with the prefix `system:bootstrapper:` (and match a validation regex that checks against our normal convention). Whether or not any extra groups are configured, `system:bootstrappers` will still be added.

This also adds a `--groups` flag for `kubeadm token create`, which sets the `auth-extra-groups` key on the resulting Secret. The default is to not set the key.

`kubeadm token list` is also updated to include an `EXTRA GROUPS` output column.

**Which issue this PR fixes**: fixes #49306

**Special notes for your reviewer**: 
The use case for this is in #49306. Comments on the feature itself are probably better over there. It will be part of how HA/self-hosting kubeadm bootstraps new master nodes (post 1.8).

**Release note**:
```release-note
Add support for configurable groups for bootstrap token authentication.
```

cc @luxas @kubernetes/sig-cluster-lifecycle-api-reviews @kubernetes/sig-auth-api-reviews 

/kind feature
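An added illustration of the authentication rule described in this issue and PR; it is example code, not code from the Kubernetes repository. Every bootstrap token lands in `system:bootstrappers`, the `auth-extra-groups` value of the Secret is split on commas, and each entry must carry the `system:bootstrappers:` prefix so a Secret can never place its token in `system:masters`. The exact regex, the `GroupsForToken` function and the sample Secret data are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// BootstrappersGroup is granted to every bootstrap token, whether or not
// extra groups are configured.
const BootstrappersGroup = "system:bootstrappers"

// extraGroupPattern is the naming convention this example assumes for extra
// groups: the system:bootstrappers: prefix followed by lowercase name
// characters. Anything else (e.g. system:masters) is rejected outright.
var extraGroupPattern = regexp.MustCompile(`\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\z`)

// GroupsForToken computes the groups a bootstrap token authenticates into
// from the decoded data of a bootstrap.kubernetes.io/token Secret. The
// auth-extra-groups key is a comma-separated list; one invalid entry rejects
// the whole token rather than silently dropping the group.
func GroupsForToken(secretData map[string]string) ([]string, error) {
	groups := []string{BootstrappersGroup}
	raw, ok := secretData["auth-extra-groups"]
	if !ok || raw == "" {
		return groups, nil // "default" token: no extra privileges
	}
	seen := map[string]bool{BootstrappersGroup: true}
	for _, g := range strings.Split(raw, ",") {
		g = strings.TrimSpace(g)
		if !extraGroupPattern.MatchString(g) {
			return nil, fmt.Errorf("auth-extra-groups: group %q does not match %s", g, extraGroupPattern)
		}
		if !seen[g] { // ignore duplicates
			seen[g] = true
			groups = append(groups, g)
		}
	}
	return groups, nil
}

func main() {
	// Constructed sample Secret data (already base64-decoded), not real tokens.
	node := map[string]string{"token-id": "abcdef", "auth-extra-groups": "system:bootstrappers:kubeadm:default-node-token"}
	master := map[string]string{"token-id": "012345", "auth-extra-groups": "system:bootstrappers:kubeadm:default-node-token,system:bootstrappers:kubeadm:masters"}
	bad := map[string]string{"token-id": "ffffff", "auth-extra-groups": "system:masters"}
	for _, s := range []map[string]string{node, master, bad} {
		fmt.Println(GroupsForToken(s))
	}
}
```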