-
Notifications
You must be signed in to change notification settings - Fork 39.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #46921 from liggitt/kubemark-node-auth
Automatic merge from submit-queue (batch tested with PRs 46441, 43987, 46921, 46823, 47276) Enable Node authorizer and NodeRestriction admission in kubemark xref kubernetes/enhancements#279 We want to ensure scale testing covers use of the authorizer/admission pair that partitions nodes. This includes enabling the authorizer, which populates a graph of existing nodes and pods. Kubemark is still running all nodes with a single credential, so a follow-up step is to generate unique credentials per node (or enable TLS bootstrapping) and remove the temporary rolebinding added in this PR so the node authorizer is the one authorizing each call by a hollow node.
- Loading branch information
Showing
3 changed files
with
20 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
18 changes: 18 additions & 0 deletions
18
test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubelet-binding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
# The Kubemark environment currently gives all kubelets a single shared credential. | ||
# | ||
# TODO: give each kubelet a credential in the system:nodes group with username system:node:<nodeName>, | ||
# to exercise the Node authorizer and admission, then remove this binding | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: kubelet-node | ||
labels: | ||
kubernetes.io/cluster-service: "true" | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:node | ||
subjects: | ||
- apiGroup: rbac.authorization.k8s.io | ||
kind: User | ||
name: kubelet |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters