Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove self-deletion permissions from kubelets #71021

Merged
merged 1 commit into from
Nov 16, 2018
Merged

Remove self-deletion permissions from kubelets #71021

merged 1 commit into from
Nov 16, 2018

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Nov 14, 2018
edited
Loading

What type of PR is this?
/kind cleanup

What this PR does / why we need it:

Removes the ability of kubelets to delete their own Node API objects. Kubelets stopped doing this in 1.11, which means a 1.13 API server no longer needs to grant them this permission.

This closes a method by which a kubelet on a compromised node could delete and recreate its Node object, effectively removing any taints the cluster administrator had added to the Node object.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
xref kubernetes/community#911
xref kubernetes/enhancements#279

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

kubelets are no longer allowed to delete their own Node API object. Prior to 1.11, in rare circumstances related to cloudprovider node ID changes, kubelets would attempt to delete/recreate their Node object at startup. Kubelets older than 1.11 are not supported running against a v1.13+ API server. If an unsupported legacy kubelet encounters this situation, a cluster admin can remove the Node object:
* `kubectl delete node/<nodeName>`
or grant self-deletion permission explicitly:
* `kubectl create clusterrole self-deleting-nodes --verb=delete --resource=nodes`
* `kubectl create clusterrolebinding self-deleting-nodes --clusterrole=self-deleting-nodes --group=system:nodes`

@kubernetes/sig-auth-pr-reviews
@kubernetes/sig-node-pr-reviews

@liggitt liggitt requested a review from mikedanese November 14, 2018 05:51
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Nov 14, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 14, 2018
@k8s-ci-robot k8s-ci-robot requested review from dims and krousey November 14, 2018 05:51
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Nov 14, 2018
@liggitt
Copy link
Member Author

liggitt commented Nov 14, 2018

/milestone v1.13
/priority important-soon
/sig auth

@k8s-ci-robot k8s-ci-robot added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Nov 14, 2018
@k8s-ci-robot k8s-ci-robot added this to the v1.13 milestone Nov 14, 2018
@k8s-ci-robot k8s-ci-robot removed the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Nov 14, 2018
krmayankk
krmayankk reviewed Nov 14, 2018
View reviewed changes
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -107,7 +107,7 @@ func NodeRules() []rbacv1.PolicyRule {
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
rbacv1helpers.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what binary is this code part of ?

Copy link
Member Author

@liggitt liggitt Nov 14, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the kube-apiserver, which uses it in the node authorizer and to populate the default system:node cluster role

@liggitt
Copy link
Member Author

liggitt commented Nov 14, 2018

/retest

@enj
Copy link
Member

enj commented Nov 14, 2018

LGTM 🎉

@liggitt
Copy link
Member Author

liggitt commented Nov 15, 2018

/assign @mikedanese

@mikedanese
Copy link
Member

We might need to add some legacy RBAC addons to make sure GKE continues to work... I'll discuss with @cjcullen .

/lgtm
/approve

@liggitt liggitt removed the sig/testing Categorizes an issue or PR as relevant to SIG Testing. label Nov 15, 2018
@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Nov 15, 2018
@liggitt
Copy link
Member Author

liggitt commented Nov 15, 2018

bot looks stuck. tagging based on #71021 (comment)

@liggitt liggitt added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 15, 2018
@k8s-ci-robot k8s-ci-robot merged commit 1a54fd4 into kubernetes:master Nov 16, 2018
@liggitt liggitt deleted the node-self-deletion branch November 16, 2018 21:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krmayankk krmayankk krmayankk left review comments

@mikedanese mikedanese Awaiting requested review from mikedanese

@dims dims Awaiting requested review from dims

@krousey krousey Awaiting requested review from krousey

Assignees

@mikedanese mikedanese

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/security cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.13
Development

Successfully merging this pull request may close these issues.
5 participants
@liggitt @k8s-ci-robot @enj @mikedanese @krmayankk