Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove default binding of system:node role to system:nodes group #49638

Merged
merged 1 commit into from
Jul 28, 2017
Merged

Remove default binding of system:node role to system:nodes group #49638

merged 1 commit into from
Jul 28, 2017
+8 −59

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Jul 26, 2017
edited
Loading

part of kubernetes/enhancements#279

deprecation of this automatic binding announced in 1.7 in #46076

RBAC: the `system:node` role is no longer automatically granted to the `system:nodes` group in new clusters. It is recommended that nodes be authorized using the `Node` authorization mode instead. Installations that wish to continue giving all members of the `system:nodes` group the `system:node` role (which grants broad read access, including all secrets and configmaps) must create an installation-specific `ClusterRoleBinding`.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 26, 2017
@k8s-github-robot k8s-github-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 26, 2017
@liggitt
Copy link
Member Author

liggitt commented Jul 26, 2017

cc @kubernetes/sig-auth-pr-reviews

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jul 26, 2017
@liggitt liggitt force-pushed the remove-nodes-binding branch from da9e0a0 to 139f268 Compare July 26, 2017 14:02
@ericchiang ericchiang added the release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. label Jul 26, 2017
@liggitt liggitt removed the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jul 26, 2017
@liggitt liggitt force-pushed the remove-nodes-binding branch from 139f268 to d65610b Compare July 26, 2017 17:53
@ericchiang
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 26, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ericchiang, liggitt

Associated issue: 279

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@smarterclayton
Copy link
Contributor

Communicated to cluster-lifecycle?

@fejta-bot
Copy link

/retest
Automated flake /retester experiment. Please send feedback to fejta

@ericchiang
Copy link
Contributor

@smarterclayton thanks. Sent a notice to the cluster lifecycle mailing list https://groups.google.com/forum/#!topic/kubernetes-sig-cluster-lifecycle/1OIjHX-A3sI

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 49619, 49598, 47267, 49597, 49638)

@k8s-github-robot k8s-github-robot merged commit 3d3d392 into kubernetes:master Jul 28, 2017
@liggitt liggitt mentioned this pull request Jul 28, 2017
Merged
k8s-github-robot pushed a commit that referenced this pull request Jul 31, 2017
Merge pull request #49812 from liggitt/local-up-node-authorizer
a1c0510 
Automatic merge from submit-queue

Enable node authorizer in local-up-cluster

Fixes #49822 

Enables the Node authorization mode to ensure the kubelet credential we create has permission to do kubelet-related things. Matches the default authorizers in gce/gke and CI clusters.

Related to the deprecation of the automatic binding of the `system:nodes` group to the `system:node` role on new deployments (#49638)

```release-note
`hack/local-up-cluster.sh` now enables the Node authorizer by default. Authorization modes can be overridden with the `AUTHORIZATION_MODE` environment variable, and the `ENABLE_RBAC` environment variable is no longer used.
```
@liggitt liggitt deleted the remove-nodes-binding branch August 1, 2017 02:55
@ericchiang ericchiang mentioned this pull request Sep 6, 2017
Closed
@liggitt liggitt mentioned this pull request Sep 28, 2017
Closed
@NeQuissimus NeQuissimus mentioned this pull request Sep 30, 2017
Merged
8 tasks
@KashifSaadat KashifSaadat mentioned this pull request Oct 6, 2017
Closed
@fauzigo fauzigo mentioned this pull request Jan 25, 2018
Closed
@ericchiang ericchiang mentioned this pull request Mar 9, 2018
Closed
@qiujian16 qiujian16 mentioned this pull request Mar 9, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@ericchiang ericchiang

@erictune erictune

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@liggitt @ericchiang @k8s-github-robot @smarterclayton @fejta-bot @erictune @k8s-ci-robot