     1  /*
     2  Copyright 2017 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package node
    18  
    19  import (
    20  	"fmt"
    21  
    22  	rbac "k8s.io/api/rbac/v1"
    23  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    24  	clientset "k8s.io/client-go/kubernetes"
    25  
    26  	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
    27  	"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
    28  )
    29  
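// AllowBootstrapTokensToPostCSRs creates or updates the ClusterRoleBinding that
// lets Node Bootstrap Tokens post CSRs, which is how joining nodes obtain their
// long-term kubelet client certificates.
//
// The binding (named constants.NodeKubeletBootstrap) grants the ClusterRole
// constants.NodeBootstrapperClusterRoleName to the group
// constants.NodeBootstrapTokenAuthGroup. Because the subject is a group rather
// than an individual user, every principal authenticated into that group —
// i.e. every currently valid bootstrap token — inherits the permission.
//
// The "[bootstrap-token] Configured ..." status line is printed only after the
// API call has succeeded, so a failed call does not leave a misleading success
// message in the output; the error from apiclient is returned unchanged.
func AllowBootstrapTokensToPostCSRs(client clientset.Interface) error {
	binding := &rbac.ClusterRoleBinding{
		ObjectMeta: metav1.ObjectMeta{
			Name: constants.NodeKubeletBootstrap,
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     constants.NodeBootstrapperClusterRoleName,
		},
		Subjects: []rbac.Subject{
			{
				Kind: rbac.GroupKind,
				Name: constants.NodeBootstrapTokenAuthGroup,
			},
		},
	}

	if err := apiclient.CreateOrUpdateClusterRoleBinding(client, binding); err != nil {
		return err
	}

	fmt.Println("[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials")
	return nil
}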
    51  
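// AllowBoostrapTokensToGetNodes creates or updates a ClusterRole and a matching
// ClusterRoleBinding that let Node Bootstrap Tokens read individual Node objects.
//
// The ClusterRole (constants.GetNodesClusterRoleName) carries a single rule:
// verb "get" on resource "nodes" in the core API group. Note that this is
// "get" only — it does not grant "list" or "watch" — so a token holder can
// fetch a node by name but cannot enumerate the cluster's nodes through this
// role. The binding of the same name grants that role to the group
// constants.NodeBootstrapTokenAuthGroup, so every valid bootstrap token
// inherits it.
//
// The ClusterRole is created before the binding; if either call fails the
// error from apiclient is returned unchanged and the status line is not
// printed, so a partial setup is not reported as configured.
func AllowBoostrapTokensToGetNodes(client clientset.Interface) error {
	role := &rbac.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{
			Name: constants.GetNodesClusterRoleName,
		},
		Rules: []rbac.PolicyRule{
			{
				Verbs:     []string{"get"},
				APIGroups: []string{""},
				Resources: []string{"nodes"},
			},
		},
	}
	if err := apiclient.CreateOrUpdateClusterRole(client, role); err != nil {
		return err
	}

	binding := &rbac.ClusterRoleBinding{
		ObjectMeta: metav1.ObjectMeta{
			Name: constants.GetNodesClusterRoleName,
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     constants.GetNodesClusterRoleName,
		},
		Subjects: []rbac.Subject{
			{
				Kind: rbac.GroupKind,
				Name: constants.NodeBootstrapTokenAuthGroup,
			},
		},
	}
	if err := apiclient.CreateOrUpdateClusterRoleBinding(client, binding); err != nil {
		return err
	}

	fmt.Println("[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes")
	return nil
}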
    88  
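// AutoApproveNodeBootstrapTokens creates or updates the ClusterRoleBinding that
// lets the csrapprover controller automatically approve CSRs submitted with a
// Node Bootstrap Token.
//
// The binding (constants.NodeAutoApproveBootstrapClusterRoleBinding) grants the
// ClusterRole constants.CSRAutoApprovalClusterRoleName to the group
// constants.NodeBootstrapTokenAuthGroup. The subject is the whole group, so a
// CSR from any valid bootstrap token — not a specific one — qualifies for
// automatic approval without a human reviewing it; the set of tokens that exist
// at any time is therefore what bounds this grant.
//
// The status line is printed only after the API call succeeds; on failure the
// error from apiclient is returned unchanged.
func AutoApproveNodeBootstrapTokens(client clientset.Interface) error {
	binding := &rbac.ClusterRoleBinding{
		ObjectMeta: metav1.ObjectMeta{
			Name: constants.NodeAutoApproveBootstrapClusterRoleBinding,
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     constants.CSRAutoApprovalClusterRoleName,
		},
		Subjects: []rbac.Subject{
			{
				Kind: rbac.GroupKind,
				Name: constants.NodeBootstrapTokenAuthGroup,
			},
		},
	}

	if err := apiclient.CreateOrUpdateClusterRoleBinding(client, binding); err != nil {
		return err
	}

	fmt.Println("[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token")
	return nil
}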
   111  
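// AutoApproveNodeCertificateRotation creates or updates the ClusterRoleBinding
// that lets the csrapprover controller automatically approve client-certificate
// rotation CSRs from nodes that already hold a node identity.
//
// The binding (constants.NodeAutoApproveCertificateRotationClusterRoleBinding)
// grants the ClusterRole constants.NodeSelfCSRAutoApprovalClusterRoleName to
// the group constants.NodesGroup, i.e. to every authenticated node in the
// cluster rather than to bootstrap tokens. Unlike AutoApproveNodeBootstrapTokens
// this does not admit new identities; from this function alone one can only
// see which group is bound — what the referenced ClusterRole permits is defined
// elsewhere (presumably approval of a node's own rotation CSR, per its name;
// confirm against the ClusterRole definition).
//
// The status line is printed only after the API call succeeds; on failure the
// error from apiclient is returned unchanged.
func AutoApproveNodeCertificateRotation(client clientset.Interface) error {
	binding := &rbac.ClusterRoleBinding{
		ObjectMeta: metav1.ObjectMeta{
			Name: constants.NodeAutoApproveCertificateRotationClusterRoleBinding,
		},
		RoleRef: rbac.RoleRef{
			APIGroup: rbac.GroupName,
			Kind:     "ClusterRole",
			Name:     constants.NodeSelfCSRAutoApprovalClusterRoleName,
		},
		Subjects: []rbac.Subject{
			{
				Kind: rbac.GroupKind,
				Name: constants.NodesGroup,
			},
		},
	}

	if err := apiclient.CreateOrUpdateClusterRoleBinding(client, binding); err != nil {
		return err
	}

	fmt.Println("[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster")
	return nil
}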
   133  
