
🛡 Adapt generic {Worker,ControlPlane} actuators and terraformer library for elimination of static credentials #5163

Merged (6 commits), Jan 11, 2022

Conversation

rfranzke
Member

How to categorize this PR?

/area security
/kind enhancement
/merge squash

What this PR does / why we need it:
This PR adapts the generic {Worker,ControlPlane} actuators as well as the terraformer library for the elimination of static credentials (optionally).

While the terraformer doesn't use a kubeconfig to talk to the shoot cluster (hence, just static ServiceAccount token invalidation is required here), the generic actuators allow generating client certificate-based kubeconfigs for shoot control plane components (like cloud-controller-manager, machine-controller-manager, etc.). Those can now be optionally switched to the token requestor.

Which issue(s) this PR fixes:
Part of #4661
Part of #4878

Release note:

The `Terraformer` interface now supports a new `UseProjectedTokenMount` method for switching the `terraformer` pods to a projected `ServiceAccount` token. Set this to `true` only when running with Gardener >= `1.37`.
The `NewActuator` function of the generic `Worker` actuator now takes two additional parameters: `useTokenRequestor` (set this to `true` only when running with Gardener >= `1.36`), and `useProjectedTokenMount` (set this to `true` only when running with Gardener >= `1.37`). They allow switching to the token requestor and projected `ServiceAccount` tokens instead of relying on static credentials for the `machine-controller-manager`. Caution: Make sure to adapt your `Deployment`s similar to https://github.com/gardener/gardener/pull/5008/commits/e3cb8d84b9217667aaf5c5ce0ba60204ed4a4db3#diff-4ecb783d75e20fae3586a525a59b334f42474f9465af8defaac8e3da965cff3a when set to `true`.
The `NewActuator` function of the generic `ControlPlane` actuator now takes four additional parameters: `shootAccessSecrets` and `legacySecretNamesToCleanup`, and `exposureShootAccessSecrets` and `legacyExposureSecretNamesToCleanup` (use them only when running with Gardener >= `1.36`). They allow switching to the token requestor instead of relying on static client certificates for the control plane components like `cloud-controller-manager`. Caution: Make sure to adapt your `Deployment`s similar to https://github.com/gardener/gardener/pull/5008/commits/e3cb8d84b9217667aaf5c5ce0ba60204ed4a4db3#diff-4ecb783d75e20fae3586a525a59b334f42474f9465af8defaac8e3da965cff3a when set to `true`.
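For readers unfamiliar with what "projected `ServiceAccount` token" means at the Pod level, the following manifest is an added illustration, not the PR's code or Gardener's own manifests: the first document is the legacy pattern (a long-lived token stored in a `kubernetes.io/service-account-token` Secret, auto-mounted), the second is the projected, time-bound token the release note refers to. The pod name `terraformer`, the Secret name and the 12h expiry are assumptions.

```yaml
# BEFORE (weak): the pod relies on a static, non-expiring ServiceAccount
# token Secret. Anyone who reads the Secret holds a credential that stays
# valid until the Secret is deleted. (Illustrative manifest, names assumed.)
apiVersion: v1
kind: Pod
metadata:
  name: terraformer            # assumed name
spec:
  serviceAccountName: terraformer
  automountServiceAccountToken: true   # kubelet mounts the legacy token Secret
  containers:
  - name: terraformer
    image: terraformer:IMAGE_TAG_PLACEHOLDER
---
# AFTER (hardened): no static Secret; kubelet requests a short-lived token
# bound to this pod via the TokenRequest API and rotates it in place.
apiVersion: v1
kind: Pod
metadata:
  name: terraformer            # assumed name
spec:
  serviceAccountName: terraformer
  automountServiceAccountToken: false  # do not fall back to the legacy Secret
  containers:
  - name: terraformer
    image: terraformer:IMAGE_TAG_PLACEHOLDER
    volumeMounts:
    - name: kube-api-access
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
  volumes:
  - name: kube-api-access
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 43200   # assumed 12h lifetime; token is pod-bound
      - configMap:                   # cluster CA, so clients can verify the API server
          name: kube-root-ca.crt
          items:
          - key: ca.crt
            path: ca.crt
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              fieldPath: metadata.namespace
```

A quick defender's check after rolling this out is that no Secret of type `kubernetes.io/service-account-token` remains for the `ServiceAccount` in the shoot namespace, and that the mounted token's `exp` claim is in the near future rather than absent.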

@BeckerMax
Contributor

/assign

BeckerMax
BeckerMax previously approved these changes Jan 10, 2022
Contributor

@BeckerMax BeckerMax left a comment


/lgtm looks fine - one small question.
Will test it out once the iaas-provider extensions revendor this.

Contributor

@BeckerMax BeckerMax left a comment


/lgtm

@rfranzke rfranzke merged commit fa624ab into gardener:master Jan 11, 2022
@rfranzke rfranzke deleted the enh/tr-extensions branch January 11, 2022 10:23
krgostev pushed a commit to krgostev/gardener that referenced this pull request Apr 21, 2022
… library for elimination of static credentials (gardener#5163)

* Adapt generic `Worker` actuator for TokenRequestor

* Adapt generic `Worker` actuator for projected token mount

* Adapt generic `ControlPlane` actuator for TokenRequestor

* Adapt `terraformer` library for projected token mount

* Please compiler in provider-local package

The extension itself will be adapted separately with gardener#5193

* Address PR review feedback
krgostev pushed a commit to krgostev/gardener that referenced this pull request Jul 5, 2022
Labels: area/security (Security related), kind/enhancement (Enhancement, improvement, extension), size/L (Denotes a PR that changes 100-499 lines, ignoring generated files)