Gardener components no longer use admin kubeconfig for local garden dev setup #3901
@vpnachev - an idea as follow-up of this PR to also make the gardenlet use the RBAC privileges in the seed that you plan to apply with #3763: In https://github.com/gardener/gardener/blob/master/hack/local-development/start-gardenlet,
It might have drawbacks, just brain-storming here. WDYT?
Thanks for the suggestion! However, I am still thinking that it should be as it is today. Why
For now I will not add anything like this in #3763 as it has been prolonged too much and a lot of conflicts need to be resolved. Such automation can be contributed later, if we find a suitable solution.
@vpnachev My recommendation was only for the local development environment. Of course, in production code we should not have anything like this. I just think we should find a way to make sure to detect issues in the gardenlet's RBAC rules already when developing locally. We don't have to follow the above approach (it was just some short brain-storming/food for thought), and we don't have to do anything now with #3763, but I think we should eventually have some solution for it.
/assign
A few minor nits and some questions regarding why this is enabled only for local-garden / $NODELESS as opposed to other local environment types, e.g. remote-garden / $REMOTE.
Files with review comments:
- charts/gardener/controlplane/charts/application/templates/clusterrole-apiserver.yaml
- charts/gardener/controlplane/charts/application/templates/clusterrole-controller-manager.yaml
- charts/gardener/controlplane/charts/application/templates/clusterrole-apiserver.yaml
/lgtm
…ev setup (gardener#3901)
* Extract ClusterRoleBinding/gardener.cloud:admin into dedicated file
* Extract ClusterRoleBinding/gardener.cloud:apiserver:auth-delegator into dedicated file
* Extract RoleBinding/gardener.cloud:apiserver:auth-reader into dedicated file
* Extract ClusterRoleBinding/gardener.cloud:apiserver:admin into dedicated file
* Extract ClusterRoleBinding/gardener.cloud:controller-manager:admin into dedicated file
* Extract ClusterRole/gardener.cloud:system:admission-controller into dedicated file
* Extract ClusterRoleBinding/gardener.cloud:admission-controller into dedicated file
* Extract ClusterRole/gardener.cloud:system:gardener-scheduler into dedicated file
* Extract ClusterRoleBinding/gardener.cloud:system:gardener-scheduler into dedicated file
* Extract ClusterRole/gardener.cloud:system:seeds into dedicated file
* Extract ClusterRoleBinding/gardener.cloud:system:seeds into dedicated file
* Extract ClusterRole/gardener.cloud:system:seed-bootstrapper into dedicated file
* Extract ClusterRoleBinding/gardener.cloud:system:seed-bootstrapper into dedicated file
* Adapt local-garden cert generator to generate client certs for Gardener components. On the way, I renamed "default-controller-manager" to "default-kube-controller-manager".
* Generate client certificates for Gardener components for local-garden
* Deploy ClusterRole{Binding}s for Gardener components for local garden and use dedicated kubeconfigs
* Fix missing `s` in GAC's ClusterRole (First bug found due to improved local dev env :))
* Address PR review feedback of @stoyanr
* Add disclaimer about admin privileges for remote garden
How to categorize this PR?
/area dev-productivity
/kind enhancement
What this PR does / why we need it:
Today, all Gardener components are using the admin kubeconfig for the local garden development setup. This has the downside that the RBAC rules which we maintain in
Which issue(s) this PR fixes:
Softly related to #1723 and #1724.
Special notes for your reviewer:
/squash
Release note: