• Kubernetes Submit Queue's avatar
    Merge pull request #46076 from liggitt/node-authorizer · 59956903
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue
    
    Node authorizer
    
    This PR implements the authorization portion of https://github.com/kubernetes/community/blob/master/contributors/design-proposals/kubelet-authorizer.md and kubernetes/features#279:
    * Adds a new authorization mode (`Node`) that authorizes requests from nodes based on a graph of related pods,secrets,configmaps,pvcs, and pvs:
      * Watches pods, adds edges (secret -> pod, configmap -> pod, pvc -> pod, pod -> node)
      * Watches pvs, adds edges (secret -> pv, pv -> pvc)
      * When both Node and RBAC authorization modes are enabled, the default RBAC binding that grants the `system:node` role to the `system:nodes` group is not automatically created.
    * Tightens the `NodeRestriction` admission plugin to require identifiable nodes for requests from users in the `system:nodes` group.
    
    This authorization mode is intended to be used in combination with the `NodeRestriction` admission plugin, which limits the pods and nodes a node may modify. To enable in combination with RBAC authorization and the NodeRestriction admission plugin:
    * start the API server with `--authorization-mode=Node,RBAC --admission-control=...,NodeRestriction,...`
    * start kubelets with TLS boostrapping or with client credentials that place them in the `system:nodes` group with a username of `system:node:<nodeName>`
    
    ```release-note
    kube-apiserver: a new authorization mode (`--authorization-mode=Node`) authorizes nodes to access secrets, configmaps, persistent volume claims and persistent volumes related to their pods.
    * Nodes must use client credentials that place them in the `system:nodes` group with a username of `system:node:<nodeName>` in order to be authorized by the node authorizer (the credentials obtained by the kubelet via TLS bootstrapping satisfy these requirements)
    * When used in combination with the `RBAC` authorization mode (`--authorization-mode=Node,RBAC`), the `system:node` role is no longer automatically granted to the `system:nodes` group.
    ```
    
    ```release-note
    RBAC: the automatic binding of the `system:node` role to the `system:nodes` group is deprecated and will not be created in future releases. It is recommended that nodes be authorized using the new `Node` authorization mode instead. Installations that wish to continue giving all members of the `system:nodes` group the `system:node` role (which grants broad read access, including all secrets and configmaps) must create an installation-specific ClusterRoleBinding.
    ```
    
    Follow-up:
    - [ ] enable e2e CI environment with admission and authorizer enabled (blocked by kubelet TLS bootstrapping enablement in https://github.com/kubernetes/kubernetes/pull/40760)
    - [ ] optionally enable this authorizer and admission plugin in kubeadm
    - [ ] optionally enable this authorizer and admission plugin in kube-up
    59956903
Name
Last commit
Last update
.github Loading commit data...
Godeps Loading commit data...
api Loading commit data...
build Loading commit data...
cluster Loading commit data...
cmd Loading commit data...
docs Loading commit data...
examples Loading commit data...
federation Loading commit data...
hack Loading commit data...
hooks Loading commit data...
logo Loading commit data...
pkg Loading commit data...
plugin Loading commit data...
staging Loading commit data...
test Loading commit data...
third_party Loading commit data...
translations Loading commit data...
vendor Loading commit data...
.bazelrc Loading commit data...
.gazelcfg.json Loading commit data...
.generated_files Loading commit data...
.gitattributes Loading commit data...
.gitignore Loading commit data...
BUILD.bazel Loading commit data...
CHANGELOG.md Loading commit data...
CONTRIBUTING.md Loading commit data...
LICENSE Loading commit data...
Makefile Loading commit data...
Makefile.generated_files Loading commit data...
OWNERS Loading commit data...
OWNERS_ALIASES Loading commit data...
README.md Loading commit data...
Vagrantfile Loading commit data...
WORKSPACE Loading commit data...
code-of-conduct.md Loading commit data...
labels.yaml Loading commit data...