Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strip tokens from kubeadm-config config map #53559

Merged
merged 1 commit into from
Oct 11, 2017
Merged

Strip tokens from kubeadm-config config map #53559

merged 1 commit into from
Oct 11, 2017
+8 −0

Conversation

fabriziopandini
Copy link
Member

@fabriziopandini fabriziopandini commented Oct 7, 2017
edited by luxas
Loading

What this PR does / why we need it:
When kubeadm 1.8 create a cluster stores a kubeadm-config config map with all the info used for initialising the cluster.
This PR removes the kubeadm join token - which is a sensitive information - from this config map.

Which issue this PR fixes
#485

Special notes for your reviewer:
This fixes all the subcommands that touch kubeadm-config config map, namely:

  • kubeadm init
  • kubeadm config upload
  • kubeadm upgrade
kubeadm: Strip bootstrap tokens from the `kubeadm-config` ConfigMap

@k8s-ci-robot
Copy link
Contributor

@fabriziopandini: Adding do-not-merge/release-note-label-needed because the release note process has not been followed.

One of the following labels is required "release-note", "release-note-action-required", or "release-note-none".
Please see: https://github.com/kubernetes/community/blob/master/contributors/devel/pull-requests.md#write-release-notes-if-needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 7, 2017
@fabriziopandini
Copy link
Member Author

/test pull-kubernetes-e2e-kubeadm-gce

@fabriziopandini
Copy link
Member Author

@pipejakob could you kindly help me in investigate pull-kubernetes-e2e-kubeadm-gce test failure? If I got it right from the error log it seems that there is no jq utility in the test environment...

@fabriziopandini
Copy link
Member Author

/test pull-kubernetes-e2e-kubeadm-gce

@luxas
Copy link
Member

luxas commented Oct 9, 2017

FWIW; the kubeadm e2e job is broken due to some test-infra bazel stuff; but CI jobs are passing, so please ignore the PR job e2e failure above. Currently the job fails fast and doesn't even start testing anything. We're looking into it and working on it.

See: #53570

luxas
luxas approved these changes Oct 9, 2017
View reviewed changes
Copy link
Member

@luxas luxas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

I'll let @jbeda and/or @mattmoyer sign this off fully.

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 9, 2017
@mattmoyer
Copy link
Contributor

/lgtm

Does this code path cover the upgrade migration as well? If folks upgrade from 1.8.0 to 1.8.x with this change, will the existing kubeadm-config ConfigMap get cleaned up?

I think we should include a release note so folks can clean up manually if they have an existing token stored there from 1.8.0.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 9, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini, luxas, mattmoyer

Associated issue: 485

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@fabriziopandini
Copy link
Member Author

@mattmoyer when you upgrade the 'kubead-config' is first read and then updated. During the update the token is cleaned up automatically.

So init/update paths are fully covered.

What is not covered are the clusters already created/upgraded with 1.8.0; all those clusters will be fixed when upgrading to 1.8.1 or grather; before the upgrade happens, there is a potential risk only for clusters created with tokenTTL=0. WDYT?

@mattmoyer
Copy link
Contributor

So init/update paths are fully covered.

Great!

[...] there is a potential risk only for clusters created with tokenTTL=0. WDYT?

Maybe a small note under known issues that mentions the exposure in 1.8.0 clusters would be appropriate?

We can move discussion over to kubernetes/kubeadm#485.

@mattmoyer mattmoyer mentioned this pull request Oct 10, 2017
Merged
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 11, 2017
@k8s-ci-robot
Copy link
Contributor

@fabriziopandini: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-e2e-kubeadm-gce c266f76 link /test pull-kubernetes-e2e-kubeadm-gce

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 53204, 53364, 53559, 53589, 53088). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 95c2609 into kubernetes:master Oct 11, 2017
@fabriziopandini fabriziopandini deleted the kubeadm485 branch October 12, 2017 13:53
k8s-github-robot pushed a commit that referenced this pull request Oct 13, 2017
Merge pull request #53660 from mattmoyer/automated-cherry-pick-of-#53…
2c3e41c 
…559-upstream-release-1.8

Automatic merge from submit-queue.

Automated cherry pick of #53559

Cherry pick of #53559 on release-1.8.

#53559: Strip tokens from `kubeadm-config` config map
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@luxas luxas luxas approved these changes

Assignees

@mikedanese mikedanese

@mattmoyer mattmoyer

@luxas luxas

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@fabriziopandini @k8s-ci-robot @luxas @mattmoyer @k8s-github-robot @mikedanese