Grant kubelets system:node role in 1.8

This is an interim measure until we fully support the NodeAuthorizer and dynamic kubelet bootstrapping. Issue #3551
2017-10-22 15:49:04 -04:00 · 2017-10-22 15:49:04 -04:00 · 4bd997496d
parent d550332183
commit 4bd997496d
3 changed files with 65 additions and 2 deletions
--- a/ROADMAP.md
+++ b/ROADMAP.md
@ -1,5 +1,29 @@
 # ROADMAP

+# 1.9
+
+## Must-have features
+
+* Support for k8s 1.9
+
+## Other features
+
+* Use NodeAuthorizer / bootstrap kubeconfigs  [#3551](https://github.com/kubernetes/kops/issues/3551)
+
+
+# HISTORICAL
+
+# 1.8
+
+## Must-have features
+
+* Support for k8s 1.8
+
+## Other features
+
+* Improved GCE support
+* Support for API aggregation
+
 # 1.7

 ## Must-have features
@ -18,8 +42,6 @@
 * RBAC policies for all components
 * bringing rolling-update out of alpha

-# HISTORICAL
-
 ## 1.6

 ### Must-have features
--- a/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/k8s-1.8.yaml
+++ b/upup/models/cloudup/resources/addons/rbac.addons.k8s.io/k8s-1.8.yaml
@ -0,0 +1,21 @@
+# Source: https://raw.githubusercontent.com/kubernetes/kubernetes/master/cluster/addons/rbac/kubelet-binding.yaml
+# The GKE environments don't have kubelets with certificates that
+# identify the system:nodes group.  They use the kubelet identity
+# TODO: remove this once new nodes are granted individual identities and the
+# NodeAuthorizer is enabled.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelet-cluster-admin
+  labels:
+    k8s-addon: rbac.addons.k8s.io
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: kubelet
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@ -149,6 +149,26 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
 		}
 	}

+	{
+		key := "rbac.addons.k8s.io"
+		version := "1.8.0"
+
+		{
+			location := key + "/k8s-1.8.yaml"
+			id := "k8s-1.8"
+
+			addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
+				Name:              fi.String(key),
+				Version:           fi.String(version),
+				Selector:          map[string]string{"k8s-addon": key},
+				Manifest:          fi.String(location),
+				KubernetesVersion: ">=1.8.0",
+				Id:                id,
+			})
+			manifests[key+"-"+id] = "addons/" + location
+		}
+	}
+
 	{
 		key := "limit-range.addons.k8s.io"
 		version := "1.5.0"