Open surajssd opened 3 years ago
Deprecation period is yet to be decided, to be discussed with the whole team.
Also only after this PR is merged: https://github.com/kinvolk/lokomotive/pull/618.
As part of this, we can also consider keeping old RBAC rules for at least one release. Then TLS bootstrapping can be re-enabled on the cluster and existing nodes will still be functional. That allows replacing them one by one by the user, which allows smooth transition to TLS bootstrapping, without a need to re-create the cluster. Then the release after that we can remove those things.
So I looked at how this works in practice and here are my findings:

verifyCluster() should probably be called after upgrading system components: https://github.com/kinvolk/lokomotive/issues/916

Patch to keep existing kubeconfig files working and allowing them to be used to migrate to TLS bootstrapping:
diff --git a/assets/charts/control-plane/kubernetes/templates/bootstrap-cluster-role-binding.yaml b/assets/charts/control-plane/kubernetes/templates/bootstrap-cluster-role-binding.yaml
index c6197364..9af5d8a8 100644
--- a/assets/charts/control-plane/kubernetes/templates/bootstrap-cluster-role-binding.yaml
+++ b/assets/charts/control-plane/kubernetes/templates/bootstrap-cluster-role-binding.yaml
@@ -7,6 +7,9 @@ subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:node-bootstrapper
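Review bot: the new `system:nodes` subject on the `system:node-bootstrapper` binding is a deliberate temporary widening, but nothing in the template says so; add a YAML comment above the subject (e.g. `# Transition: lets nodes still using the static kubeconfig request bootstrap CSRs; remove once the static kubeconfig is deprecated`) and a TODO referencing this issue so the subject is not carried past the deprecation release.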
@@ -21,6 +24,9 @@ subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: system:nodes
+ apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
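Review bot: binding `system:nodes` to `system:certificates.k8s.io:certificatesigningrequests:nodeclient` puts the existing shared node credential on the same CSR auto-approval path as bootstrap tokens, so it needs the same time-boxing as the previous hunk; record in the chart values or docs which release removes it, and consider gating both added subjects on a value (the existing `.Values.kubelet.enableTLSBootstrap` or a dedicated migration flag) instead of rendering them unconditionally.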
diff --git a/assets/charts/control-plane/kubernetes/templates/kubelet-nodes-cluster-role-binding.yaml b/assets/charts/control-plane/kubernetes/templates/kubelet-nodes-cluster-role-binding.yaml
index 26c32c97..5dfcc170 100644
--- a/assets/charts/control-plane/kubernetes/templates/kubelet-nodes-cluster-role-binding.yaml
+++ b/assets/charts/control-plane/kubernetes/templates/kubelet-nodes-cluster-role-binding.yaml
@@ -1,4 +1,3 @@
-{{- if not .Values.kubelet.enableTLSBootstrap }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
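Review bot: dropping the `{{- if not .Values.kubelet.enableTLSBootstrap }}` guard makes this ClusterRoleBinding render whether or not TLS bootstrapping is enabled, but the file gives no hint that this is intentional and temporary; add a template comment stating that the binding is kept for one release so nodes still on the static kubeconfig keep working, and reference the deprecation tracking issue so the guard (or the whole file) is removed on schedule.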
@@ -11,4 +10,3 @@ subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
-{{- end }}
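Review bot: the removed `{{- end }}` matches the `if` dropped in the previous hunk, so the template should still parse; verify with `helm template` on the chart for both `enableTLSBootstrap: true` and `false`, and check whether `.Values.kubelet.enableTLSBootstrap` still has any consumer in the chart after this change, otherwise document it as a no-op until the static kubeconfig is removed.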
As the runc update has hit the stable channel now, we can gracefully proceed with this.
Not sure why this was marked as blocked. I think we should be able to proceed with that.
Once the static kubelet kubeconfig is decided to be deprecated and TLS bootstrap becomes the default, remove this variable. While doing that, remove the following code: