
k8s-bootstrap: add kubeadm:bootstrap-signer-clusterinfo RBAC for AKS#61

Merged
anson627 merged 1 commit into Azure:main from chokevin:chokevin/add-clusterinfo-rbac on Apr 22, 2026

Conversation

@chokevin
Contributor

Problem

The config k8s-bootstrap template provisions the kube-public/cluster-info
ConfigMap (which kubeadm reads during the discovery phase of kubeadm join)
but does not provision the Role+RoleBinding that authorizes reading it.

Stock kubeadm normally creates this RBAC during kubeadm init and binds the
RoleBinding to Group=system:anonymous, which works on self-managed clusters
where anonymous auth is enabled. On AKS, --anonymous-auth=false is set
cluster-wide, so:

  1. The discovery client authenticates with the bootstrap token, picking up
     identities `system:bootstrappers` and `system:bootstrappers:kubeadm:default-node-token`.
  2. There is no RoleBinding granting those groups `get` on
     `kube-public/cluster-info`.
  3. The API server returns 403, which kubeadm misleadingly surfaces as:
     `[discovery] Error reading the cluster-info ConfigMap, will try again: Unauthorized.`
  4. `kubeadm join` loops on discovery until the parent timeout fires.

Without manual kubectl patching, every fresh AKS cluster fails the very first
remote-node join attempt.

Fix

Add the Role+RoleBinding to the embedded config.yaml template, scoped to
kube-public, granting get on the cluster-info ConfigMap to the
bootstrap-token groups.

Verification

Reproduced on voice-agent-flex (westeurope): without the patch, joining
Standard_ND96isr_H200_v5 nodes from eastus2 via aks-flex-node v0.0.18 hangs
on discovery 403; with the patch, kubeadm join completes in seconds and the
node goes Ready.

Rendered output verified with `KUBECONFIG=/dev/null go run ./cli config k8s-bootstrap`.

`go test ./...` in `cli/` passes.

The cluster-info ConfigMap in kube-public is read by kubeadm during the
discovery phase of `kubeadm join`. Stock kubeadm provisions a Role+RoleBinding
for it as part of `kubeadm init` and binds the RoleBinding to
`Group=system:anonymous` (so kubeadm clients can read the ConfigMap before
they have a bootstrap identity).

That binding is dead on AKS: AKS sets `--anonymous-auth=false` cluster-wide,
so the discovery client falls back to its bootstrap-token identity
(`system:bootstrappers:kubeadm:default-node-token` and `system:bootstrappers`)
and the API server returns 403 — surfaced by kubeadm as the misleading

  [discovery] Error reading the cluster-info ConfigMap, will try again: Unauthorized

Without this RBAC, every `kubeadm join` against an AKS cluster loops on
discovery until the parent timeout fires. Adding the Role+RoleBinding bound
to the bootstrap-token groups makes node join work on a fresh cluster with
no manual kubectl patching.

Verified end-to-end on voice-agent-flex (westeurope) joining
`Standard_ND96isr_H200_v5` nodes from eastus2 via aks-flex-node v0.0.18.
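
The RBAC gap the post describes, worked through as an added example (not code from the PR or the k8s-bootstrap project): a minimal Python model of namespaced RBAC evaluation, using the Role name from the PR title and a placeholder bootstrap-token id, which shows the discovery read denied under the stock `system:anonymous` binding and allowed once the bootstrap-token groups are bound.

```python
"""Simplified Kubernetes namespaced RBAC check, constructed for this PR (not the
project's code): shows why the stock kubeadm RoleBinding to system:anonymous
denies the bootstrap-token discovery client on AKS and why the new binding works."""
from collections import namedtuple

KUBE_PUBLIC = "kube-public"
ROLE_NAME = "kubeadm:bootstrap-signer-clusterinfo"
BOOTSTRAP_GROUPS = ("system:bootstrappers",
                    "system:bootstrappers:kubeadm:default-node-token")

Request = namedtuple("Request", "user groups namespace verb resource name")  # what the API server authorizes


def subject_matches(subject, req):
    """Group subjects match any caller group; User subjects match the username."""
    if subject["kind"] == "Group":
        return subject["name"] in req.groups
    return subject["kind"] == "User" and subject["name"] == req.user


def rule_allows(rule, req):
    """A rule that lists resourceNames covers only those objects."""
    return (req.verb in rule["verbs"] and req.resource in rule["resources"]
            and (not rule.get("resourceNames") or req.name in rule["resourceNames"]))


def authorize(req, roles, bindings):
    """True when a RoleBinding in the request namespace names the caller and its
    Role allows the action; False is what the API server returns as 403."""
    for rb in bindings:
        if rb["namespace"] == req.namespace and any(subject_matches(s, req) for s in rb["subjects"]):
            role = roles.get((rb["namespace"], rb["roleRef"]))
            if role and any(rule_allows(r, req) for r in role["rules"]):
                return True
    return False


ROLES = {(KUBE_PUBLIC, ROLE_NAME): {"rules": [
    {"verbs": ["get"], "resources": ["configmaps"], "resourceNames": ["cluster-info"]}]}}

# Stock kubeadm binding: the anonymous identity, absent when --anonymous-auth=false.
STOCK_BINDING = {"namespace": KUBE_PUBLIC, "roleRef": ROLE_NAME,
                 "subjects": [{"kind": "User", "name": "system:anonymous"}]}
# Binding this PR adds: the groups a bootstrap-token identity carries.
AKS_BINDING = {"namespace": KUBE_PUBLIC, "roleRef": ROLE_NAME,
               "subjects": [{"kind": "Group", "name": g} for g in BOOTSTRAP_GROUPS]}

# Constructed request: a `kubeadm join` discovery client authenticated with a
# bootstrap token (token id "abcdef" is a placeholder) reading cluster-info.
DISCOVERY_READ = Request("system:bootstrap:abcdef",
                         frozenset(BOOTSTRAP_GROUPS + ("system:authenticated",)),
                         KUBE_PUBLIC, "get", "configmaps", "cluster-info")
```

Calling `authorize(DISCOVERY_READ, ROLES, [STOCK_BINDING])` models the 403 the post reports, while `[AKS_BINDING]` allows the read and still denies other verbs, other ConfigMaps and non-bootstrap identities.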
Copilot AI review requested due to automatic review settings April 22, 2026 03:50
Contributor

Copilot AI left a comment


Pull request overview

Adds the missing kubeadm discovery RBAC to the config k8s-bootstrap manifest so bootstrap-token identities (used on AKS where anonymous auth is disabled) can read kube-public/cluster-info during kubeadm join.

Changes:

  • Add a Role in kube-public granting get on the cluster-info ConfigMap.
  • Add a matching RoleBinding binding that Role to system:bootstrappers and system:bootstrappers:kubeadm:default-node-token (instead of system:anonymous).


@anson627 anson627 merged commit d75456e into Azure:main Apr 22, 2026
8 of 9 checks passed
@chokevin chokevin deleted the chokevin/add-clusterinfo-rbac branch April 22, 2026 17:49
