Add configurable groups to bootstrap tokens. #50933
Conversation
k8s-ci-robot
added
kind/feature
k8s-github-robot
added
size/L
mattmoyer
force-pushed
the
bootstrap-token-groups
branch
from
e57e1b8 to
a90b80d
Compare
There was a problem hiding this comment.
Thanks @mattmoyer 🎉!
I left a couple of review comments below, please fix them.
In particular, I think we should have a regex that only allows [:a-z] (possibly [0-9]?) after system:bootstrappers. We should also think about a maximum length of this group... 255 chars max just as it is a nice number :)?
@liggitt do we have a max length on groups in RBAC already or pre-made validation funcs for a group?
@mattmoyer also I want the cmd/kubeadm, pkg and plugin changes in separate commits for cleanliness.
| @@ -79,6 +80,7 @@ func tokenErrorf(s *api.Secret, format string, i ...interface{}) { | |||
| // token-id: ( token id ) | |||
| // # Required key usage. | |||
| // usage-bootstrap-authentication: true | |||
| // auth-groups: "group1,group2" | |||
There was a problem hiding this comment.
system:bootstrappers:custom-group1.system:bootstrappers:custom-group1 for clarity
| continue | ||
| } | ||
|
|
||
| if !strings.HasPrefix(group, bootstrapapi.BootstrapGroupPrefix) { |
There was a problem hiding this comment.
Should we use a regexp here instead in order to match things better?
This allows things I don't really like:
system:bootstrappers:system:bootstrappers:*(not sure if anything will happen with this, but seems scary)system:bootstrappers:<script> alert("whoa, some JS inlined here!") </script>
you get the idea ;)
There was a problem hiding this comment.
We don't do any kind of validation like this with other authenticators. It seems more sane to either keep these arbitrary strings or define some some subset of characters the group can use, instead of defending against some possible injections. If you don't trust the value you should sanitize it anyway and shouldn't trust a regexp.
There was a problem hiding this comment.
I propose to just allow [a-z0-9-:]*, should cover at least 95% of the cases IMO
There was a problem hiding this comment.
I didn't want to add any restrictions that might be surprising, but I don't think some basic restrictions would be that hard to work with. Maybe something like \Asystem:bootstrappers:[a-zA-Z0-9:-]{1,255}\z?
Is it okay to just put a little ValidateBootstrapGroupName(name string) error function into pkg/bootstrap/api/validate.go alongside the constants in types.go? Exporting the regex as a const feels weirder to me than just exporting a function.
There was a problem hiding this comment.
Exporting the regex as a const feels weirder to me than just exporting a function.
Please export both :)
I think that's what most other APIs do; often a helpers.go file is there besides types.go
| Data: map[string][]byte{ | ||
| bootstrapapi.BootstrapTokenGroupsKey: []byte( | ||
| bootstrapapi.BootstrapDefaultGroup + "," + | ||
| bootstrapapi.BootstrapGroupPrefix + "foo" + "," + |
There was a problem hiding this comment.
nit: weird formatting here?
I think this should be written as it would be in a real BT; as system:bootstrappers,system:bootstrappers:foo,system:bootstrappers:bar
If we ever change this prefix it's very reasonable to have to change this unit test.
Cases I want to see covered here:
system:bootstrappersonlysystem:bootstrappers:fooonlysystem:bootstrappers:foo,system:bootstrappers:barsystem:bootstrappers,system:bootstrappers:foo,system:bootstrappers:bar(what you have here)system:bootstrappers:(should not be allowed??)system:bootstrappers:should not be allowedsystem:bootstrappers:<script> alert("scary?!") </script>system:bootstrappers:foo:must not end with:
etc etc add here whatever you can think of that is useful
| ObjectMeta: metav1.ObjectMeta{Name: "test"}, | ||
| Data: map[string][]byte{}, | ||
| }, | ||
| expectResult: []string{bootstrapapi.BootstrapDefaultGroup}, |
There was a problem hiding this comment.
nit: I'm a fan of using hard-coded strings in unit tests sometimes. It seems like some of these could use hard-coding as we want things to be in a certain way. If some constant is changed (unexpectedly), the unit test will fail, and I'm in favor of failing in that case than letting things silently pass
There was a problem hiding this comment.
Ack, that makes sense to me.
| } | ||
|
|
||
| if !strings.HasPrefix(group, bootstrapapi.BootstrapGroupPrefix) { | ||
| return nil, fmt.Errorf("group does not start with %q", bootstrapapi.BootstrapGroupPrefix) |
There was a problem hiding this comment.
nit: field 'auth-groups' on bootstrap token is invalid, does not start with %q
There was a problem hiding this comment.
This gets wrapped by the tokenError helper above, so the actual warning message is:
Bootstrap secret %s/%s matching bearer token has invalid value for key auth-groups: group does not start with "system:bootstrappers:".
| @@ -80,6 +88,11 @@ const ( | |||
| // authenticate as. The full username given is "system:bootstrap:<token-id>". | |||
| BootstrapUserPrefix = "system:bootstrap:" | |||
|
|
|||
| // BootstrapGroup is the group bootstrapping bearer tokens authenticate in. | |||
| BootstrapGroup = "system:bootstrappers" | |||
There was a problem hiding this comment.
Have you looked up and replaced all occurances of this const? I think there should be some more places...
There was a problem hiding this comment.
This was all I could find.
| @@ -138,6 +139,9 @@ var ( | |||
| // DefaultTokenUsages specifies the default functions a token will get | |||
| DefaultTokenUsages = []string{"signing", "authentication"} | |||
|
|
|||
| // DefaultTokenGroups specifies the default groups a token will get | |||
| DefaultTokenGroups = []string{bootstrapapi.BootstrapDefaultGroup} | |||
There was a problem hiding this comment.
See NodeBootstrapTokenAuthGroup above. Should use that one; and it should be changed to something like:
system:bootstrappers:kubeadm:nodesystem:bootstrappers:kubeadm:default-node
@ericchiang @liggitt @mikedanese any preference here?
There was a problem hiding this comment.
The fewer imports that kubeadm has on k8s.io/kubernetes the easier it's going to be split out. Constants seem like a good candidate for things to just copy/paste and not add another import.
There was a problem hiding this comment.
Isn't it: the less deps the rest of the kubernetes/kubernetes code has on cmd/kubeadm; the easier it will be to split out? We already vendor bootstrapapi quite naturally, as we're the only user of it currently (AFAIK)
There was a problem hiding this comment.
I ended up not needing the import. I think we should discuss the NodeBootstrapTokenAuthGroup change in a second PR because that potentially breaks some upgraded clusters if I'm understanding correctly.
cmd/kubeadm/app/cmd/token.go
Outdated
| @@ -208,8 +212,18 @@ func RunCreateToken(out io.Writer, client clientset.Interface, token string, tok | |||
| } | |||
| } | |||
|
|
|||
| // validate groups | |||
| for _, group := range groups { | |||
There was a problem hiding this comment.
Please add a TODO that as soon as kubernetes/client-go#114 is fixed; we should get rid of this.
This should also be synced with what we do below and splitted out to its own func.
| for _, group := range groups { | ||
| if group == bootstrapapi.BootstrapDefaultGroup { | ||
| // allow the default group even though it doesn't strictly match the prefix | ||
| continue |
There was a problem hiding this comment.
Would have expected this to behave like system:authenticated and always be added. E.g. if I specify "foo,bar" I get ["system:bootstrappers","system:bootstrappers:foo","system:bootstrappers:bar"]
There was a problem hiding this comment.
Ah, I can do that. Maybe rename auth-groups to extra-auth-groups to make it clear that they're an addition?
There was a problem hiding this comment.
I did this sort of halfway. I made it so system:bootstrappers is always added for bootstrap tokens, but I still made it so the serialized values in the auth-extra-groups key includes the full prefix, so if you set the key to "system:bootstrappers:foo,system:bootstrappers:bar" you get three groups:
system:bootstrapperssystem:bootstrappers:foosystem:bootstrappers:bar
@ericchiang does that work for you? I prefer for the serialized value to be very explicit so there's just validation but not transformation happening in the authenticator.
mattmoyer
force-pushed
the
bootstrap-token-groups
branch
from
a90b80d to
a42ed5e
Compare
|
Thanks for the reviews, everyone. I believe I've addressed the initial round of comments, so please take another look. |
| @@ -79,6 +80,7 @@ func tokenErrorf(s *api.Secret, format string, i ...interface{}) { | |||
| // token-id: ( token id ) | |||
| // # Required key usage. | |||
| // usage-bootstrap-authentication: true | |||
| // auth-extra-groups: "system:bootstrappers:custom-group1.system:bootstrappers:custom-group1" | |||
There was a problem hiding this comment.
Is the "." separator supposed to be ","?
mattmoyer
force-pushed
the
bootstrap-token-groups
branch
2 times, most recently
from
654db9e to
e179db9
Compare
|
/retest |
|
@liggitt @ericchiang PTAL |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
This adds an `EXTRA GROUPS` column to the output of `kubeadm token list`. This displays any extra `system:bootstrappers:*` groups that are specified in the token's `auth-extra-groups` key. This is a followup to kubernetes#50933 which introduced the `auth-extra-groups` functionality.
This adds constants and validation for a new `auth-extra-groups` key on `bootstrap.kubernetes.io/token` secrets. This key allows a bootstrap token to authenticate to extra groups in addition to the `system:bootstrappers` group. Extra groups are always applied in addition to the `system:bootstrappers` group, must begin with a `system:bootstrappers:` prefix, are limited in length, and are limited to a restricted set of characters (alphanumeric, colons, and dashes without a trailing colon/dash).
This implements support for the new `auth-extra-groups` key in `bootstrap.kubernetes.io/token` secrets by adding extra groups to the user info returned for valid bootstrap tokens.
This adds support for creating a bootstrap token that authenticates with extra `system:bootstrappers:*` groups in addition to `system:bootstrappers`.
This adds an `EXTRA GROUPS` column to the output of `kubeadm token list`. This displays any extra `system:bootstrappers:*` groups that are specified in the token's `auth-extra-groups` key.
mattmoyer
force-pushed
the
bootstrap-token-groups
branch
from
e179db9 to
c7996a7
Compare
k8s-github-robot
removed
the
lgtm
|
Updated to address @liggitt's comments. PTAL. I also added a fourth commit that adds the extra group info to the output of |
|
/retest |
1 similar comment
|
/retest |
| @@ -246,7 +265,7 @@ func RunListTokens(out io.Writer, errW io.Writer, client clientset.Interface) er | |||
| } | |||
|
|
|||
| w := tabwriter.NewWriter(out, 10, 4, 3, ' ', 0) | |||
| fmt.Fprintln(w, "TOKEN\tTTL\tEXPIRES\tUSAGES\tDESCRIPTION") | |||
| fmt.Fprintln(w, "TOKEN\tTTL\tEXPIRES\tUSAGES\tDESCRIPTION\tEXTRA GROUPS") | |||
There was a problem hiding this comment.
nit: column headers shouldn't have whitespace in the titles
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
| // BootstrapGroupPattern is the valid regex pattern that all groups | ||
| // assigned to a bootstrap token by BootstrapTokenExtraGroupsKey must match. | ||
| // See also ValidateBootstrapGroupName(). | ||
| BootstrapGroupPattern = "system:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]" |
There was a problem hiding this comment.
Nit: usually for stuff like this we use a DNS-ish type of regexp. That means that any segment shouldn't start with a number or -. It is a bit strange to allow system:bootstrappers:-foo here, for example.
But I don't see any real problem to be honest so it is just a nit.
|
/approve Also don't forget to do the doc updates. This'll hit the bootstrap authn page and the kubeadm reference page. There might be a few more pages to reference this in. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ericchiang, jbeda, liggitt, luxas, mattmoyer Associated issue: 49306 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
/retest |
1 similar comment
|
/retest |
|
Failing test looks like #51429. |
|
/retest Review the full test history for this PR. |
1 similar comment
|
/retest Review the full test history for this PR. |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 49861, 50933, 51380, 50688, 51305) |
This has some changes I missed when I was updating the main kubeadm documention: - Bootstrap tokens are now beta, not alpha (kubernetes/enhancements#130) - The apiserver flag to enable the authenticator changedin 1.8 (kubernetes/kubernetes#51198) - Added `auth-extra-groups` documentaion (kubernetes/kubernetes#50933) - Updated the _Token Management with `kubeadm`_ section to link to the main kubeadm docs, since it was just duplicated information.
* Update bootstrap tokens doc for 1.8. This has some changes I missed when I was updating the main kubeadm documention: - Bootstrap tokens are now beta, not alpha (kubernetes/enhancements#130) - The apiserver flag to enable the authenticator changedin 1.8 (kubernetes/kubernetes#51198) - Added `auth-extra-groups` documentaion (kubernetes/kubernetes#50933) - Updated the _Token Management with `kubeadm`_ section to link to the main kubeadm docs, since it was just duplicated information. * Update bootstrap-tokens.md
* GC now supports non-core resources * Add two examples about how to analysis audits of kube-apiserver (#4264) * Deprecate system:nodes binding * [1.8] StatefulSet `initialized` annotation is now ignored. * inits the kubeadm upgrade docs addresses /issues/4689 * adds kubeadm upgrade cmd to ToC addresses /issues/4689 * add workload placement docs * ScaleIO - document udpate for 1.8 * Add documentation on storageClass.mountOptions and PV.mountOptions (#5254) * Add documentation on storageClass.mountOptions and PV.mountOptions * convert notes into callouts * Add docs for CustomResource validation add info about supported fields * advanced audit beta features (#5300) * Update job workload doc with backoff failure policy (#5319) Add to the Jobs documentation how to use the new backoffLimit field that limit the number of Pod failure before considering the Job as failed. * Documented additional AWS Service annotations (#4864) * Add device plugin doc under concepts/cluster-administration. (#5261) * Add device plugin doc under concepts/cluster-administration. * Update device-plugins.md * Update device-plugins.md Add meta description. Fix typo. Change bare metal deployment to manual deployment. * Update device-plugins.md Fix typo again. * Update page.version. (#5341) * Add documentation on storageClass.reclaimPolicy (#5171) * [Advanced audit] use new herf for audit-api (#5349) This tag contains all the changes in v1beta1 version. Update it now. * Added documentation around creating the InitializerConfiguration for the persistent volume label controller in the cloud-controller-manager (#5255) * Documentation for kubectl plugins (#5294) * Documentation for kubectl plugins * Update kubectl-plugins.md * Update kubectl-plugins.md * Updated CPU manager docs to match implementation. (#5332) * Noted limitation of alpha static cpumanager. * Updated CPU manager docs to match implementation. - Removed references to CPU pressure node condition and evictions. - Added note about new --cpu-manager-reconcile-period flag. - Added note about node allocatable requirements for static policy. - Noted limitation of alpha static cpumanager. * Move cpu-manager task link to rsc mgmt section. * init containers annotation removed in 1.8 (#5390) * Add documentation for TaintNodesByCondition (#5352) * Add documentation for TaintNodesByCondition * Update nodes.md * Update taint-and-toleration.md * Update daemonset.md * Update nodes.md * Update taint-and-toleration.md * Update daemonset.md * Fix deployments (#5421) * Document extended resources and OIR deprecation. (#5399) * Document extended resources and OIR deprecation. * Updated extended resources doc per reviews. * reverts extra spacing in _data/tasks.yml * addresses `kubeadm upgrade` review comments Feedback from @chenopis, @luxas, and @steveperry-53 addressed with this commit * HugePages documentation (#5419) * Update cpu-management-policies.md (#5407) Fixed the bad link. Modified "cpu" to "CPU". Added more 'yaml' as supplement. * Update RBAC docs for v1 (#5445) * Add user docs for pod priority and preemption (#5328) * Add user docs for pod priority and preemption * Update pod-priority-preemption.md * More updates * Update docs/admin/kubeadm.md for 1.8 (#5440) - Made a couple of minor wording changes (not strictly 1.8 related). - Did some reformatting (not strictly 1.8 related). - Updated references to the default token TTL (was infinite, now 24 hours). - Documented the new `--discovery-token-ca-cert-hash` and `--discovery-token-unsafe-skip-ca-verification` flags for `kubeadm join`. - Added references to the new `--discovery-token-ca-cert-hash` flag in all the default examples. - Added a new _Security model_ section that describes the security tradeoffs of the various discovery modes. - Documented the new `--groups` flag for `kubeadm token create`. - Added a note of caution under _Automating kubeadm_ that references the _Security model_ section. - Updated the component version table to drop 1.6 and add 1.8. - Update `_data/reference.yml` to try to get the sidebar fixed up and more consistent with `kubefed`. * Update StatefulSet Basics for 1.8 release (#5398) * addresses `kubeadm upgrade` review comments 2nd iteration review comments by @luxas * adds kubelet upgrade section to kubeadm upgrade * Fix a bulleted list on docs/admin/kubeadm.md. (#5458) I updated this doc yesterday and I was absolutely sure I fixed this, but I just saw that this commit got lost somehow. This was introduced recently in #5440. * Clarify the API to check for device plugins * Moving Flexvolume to separate out-of-tree section * addresses `kubeadm upgrade` review comments CC: @luxas * fixes kubeadm upgrade index * Update Stackdriver Logging documentation (#5495) * Re-update WordPress and MySQL PV doc to use apps/v1beta2 APIs (#5526) * Update statefulset concepts doc to use apps/v1beta2 APIs (#5420) * add document on kubectl's behavior regarding initializers (#5505) * Update docs/admin/kubeadm.md to cover self-hosting in 1.8. (#5497) This is a new beta feature in 1.8. * Update kubectl patch doc to use apps/v1beta2 APIs (#5422) * [1.8] Update "Run Applications" tasks to apps/v1beta2. (#5525) * Update replicated stateful application task for 1.8. * Update single instance stateful app task for 1.8. * Update stateless app task for 1.8. * Update kubectl patch task for 1.8. * fix the link of persistent storage (#5515) * update the admission-controllers.md index.md what-is-kubernetes.md link * fix the link of persistent storage * Add quota support for local ephemeral storage (#5493) * Add quota support for local ephemeral storage update the doc to this alpha feature * Update resource-quotas.md * Updated Deployments concepts doc (#5491) * Updated Deployments concepts doc * Addressed comments * Addressed more comments * Modify allocatable storage to ephemeral-storage (#5490) Update the doc to use ephemeral-storage instead of storage * Revamped concepts doc for ReplicaSet (#5463) * Revamped concepts doc for ReplicaSet * Minor changes to call out specific versions for selector defaulting and immutability * Addressed doc review comments * Remove petset documentations (#5395) * Update docs to use batch/v1beta1 cronjobs (#5475) * add federation job doc (#5485) * add federation job doc * Update job.md Edits for clarity and consistency * Update job.md Fixed a typo * update DaemonSet concept for 1.8 release (#5397) * update DaemonSet concept for 1.8 release * Update daemonset.md Fix typo. than -> then * Update bootstrap tokens doc for 1.8. (#5479) * Update bootstrap tokens doc for 1.8. This has some changes I missed when I was updating the main kubeadm documention: - Bootstrap tokens are now beta, not alpha (kubernetes/enhancements#130) - The apiserver flag to enable the authenticator changedin 1.8 (kubernetes/kubernetes#51198) - Added `auth-extra-groups` documentaion (kubernetes/kubernetes#50933) - Updated the _Token Management with `kubeadm`_ section to link to the main kubeadm docs, since it was just duplicated information. * Update bootstrap-tokens.md * Updated the Cassandra tutorial to use apps/v1beta2 (#5548) * add docs for AllowPrivilegeEscalation (#5448) Signed-off-by: Jess Frazelle <acidburn@microsoft.com> * Add local ephemeral storage alpha feature in managing compute resource (#5522) * Add local ephemeral storage alpha feature in managing compute resource Since 1.8, we add the local ephemeral storage alpha feature as one resource type to manage. Add this feature into the doc. * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Update manage-compute-resources-container.md * Added documentation for Metrics Server (#5560) * authorization: improve authorization debugging docs (#5549) * Document mount propagation (#5544) * Update /docs/setup/independent/create-cluster-kubeadm.md for 1.8. (#5524) This introduction needed a couple of small tweaks to cover the `--discovery-token-ca-cert-hash` flag added in kubernetes/kubernetes#49520 and some version bumps. * Add task doc for alpha dynamic kubelet configuration (#5523) * Fix input/output of selfsubjectaccess review (#5593) * Add docs for implementing resize (#5528) * Add docs for implementing resize * Update admission-controllers.md * Added link to PVC section * minor typo fixes * Update NetworkPolicy concept guide with egress and CIDR changes (#5529) * update zookeeper tutorial for 1.8 release * add doc for hostpath type (#5503) * Federated Hpa feature doc (#5487) * Federated Hpa feature doc * Federated Hpa feature doc review fixes * Update hpa.md * Update hpa.md * update cloud controller manager docs for v1.8 * Update cronjob with defaults information (#5556) * Kubernetes 1.8 reference docs (#5632) * Kubernetes 1.8 reference docs * Kubectl reference docs for 1.8 * Update side bar with 1.8 kubectl and api ref docs links * remove petset.md * update on state of HostAlias in 1.8 with hostNetwork Pod support (#5644) * Fix cron job deletion section (#5655) * update imported docs (#5656) * Add documentation for certificate rotation. (#5639) * Link to using kubeadm page * fix the command output fix the command output * fix typo in api/resources reference: "Worloads" * Add documentation for certificate rotation. * Create TOC entry for cloud controller manager. (#5662) * Updates for new versions of API types * Followup 5655: fix link to garbage collection (#5666) * Temporarily redirect resources-reference to api-reference. (#5668) * Update config for 1.8 release. (#5661) * Update config for 1.8 release. * Address reviewer comments. * Switch references in HPA docs from alpha to beta (#5671) The HPA docs still referenced the alpha version. This switches them to talk about v2beta1, which is the appropriate version for Kubernetes 1.8 * Deprecate openstack heat (#5670) * Fix typo in pod preset conflict example Move container port definition to the correct line. * Highlight openstack-heat provider deprecation The openstack-heat provider for kube-up is being deprecated and will be removed in a future release. * Temporarily fix broken links by redirecting. (#5672) * Fix broken links. (#5675) * Fix render of code block (#5674) * Fix broken links. (#5677) * Add a small note about auto-bootstrapped CSR ClusterRoles (#5660) * Update kubeadm install doc for v1.8 (#5676) * add draft workloads api content for 1.8 (#5650) * add draft workloads api content for 1.8 * edits per review, add tables, for 1.8 workloads api doc * fix typo * Minor fixes to kubeadm 1.8 upgrade guide. (#5678) - The kubelet upgrade instructions should be done on every host, not just worker nodes. - We should just upgrade all packages, instead of calling out kubelet specifically. This will also upgrade kubectl, kubeadm, and kubernetes-cni, if installed. - Draining nodes should also ignore daemonsets, and master errors can be ignored. - Make sure that the new kubeadm download is chmoded correctly. - Add a step to run `kubeadm version` to verify after downloading. - Manually approve new kubelet CSRs if rotation is enabled (known issue). * Release 1.8 (#5680) * Fix versions for 1.8 API ref docs * Updates for 1.8 kubectl reference docs * Kubeadm /docs/admin/kubeadm.md cleanup, editing. (#5681) * Update docs/admin/kubeadm.md (mostly 1.8 related). This is Fabrizio's work, which I'm committing along with my edits (in a commit on top of this). * A few of my own edits to clarify and clean up some Markdown.
What this PR does / why we need it:
This change adds support for authenticating bootstrap tokens into a configurable set of extra groups in addition to
system:bootstrappers. Previously, bootstrap tokens could only ever authenticate to thesystem:bootstrappersgroup.Groups are specified as a comma-separated list in the
auth-extra-groupskey of thebootstrap.kubernetes.io/tokenSecret, and must begin with the prefixsystem:bootstrapper:(and match a validation regex that checks against our normal convention). Whether or not any extra groups are configured,system:bootstrapperswill still be added.This also adds a
--groupsflag forkubeadm token create, which sets theauth-extra-groupskey on the resulting Secret. The default is to not set the key.kubeadm token listis also updated to include aEXTRA GROUPSoutput column.Which issue this PR fixes: fixes #49306
Special notes for your reviewer:
The use case for this is in #49306. Comments on the feature itself are probably better over there. It will be part of how HA/self-hosting kubeadm bootstraps new master nodes (post 1.8).
Release note:
cc @luxas @kubernetes/sig-cluster-lifecycle-api-reviews @kubernetes/sig-auth-api-reviews
/kind feature