diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index ca275dd4db705..e30bbfddd5c08 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -115,9 +115,6 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
 nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
 authorizers = append(authorizers, nodeAuthorizer)
- // Don't bind system:nodes to the system:node role
- bootstrappolicy.AddClusterRoleBindingFilter(bootstrappolicy.OmitNodesGroupBinding)
-
 case modes.ModeAlwaysAllow:
 authorizers = append(authorizers, authorizerfactory.NewAlwaysAllowAuthorizer())
 case modes.ModeAlwaysDeny:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 185afe9f3ca33..bebac0735096a 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -366,38 +366,8 @@ func ClusterRoles() []rbac.ClusterRole {
 return roles
 }
-// ClusterRoleBindingFilter can modify and return or omit (by returning nil) a role binding
-type ClusterRoleBindingFilter func(*rbac.ClusterRoleBinding) *rbac.ClusterRoleBinding
-
-// AddClusterRoleBindingFilter adds the given filter to the list that is invoked when determing bootstrap roles to reconcile.
-func AddClusterRoleBindingFilter(filter ClusterRoleBindingFilter) {
- clusterRoleBindingFilters = append(clusterRoleBindingFilters, filter)
-}
-
-// ClearClusterRoleBindingFilters removes any filters added using AddClusterRoleBindingFilter
-func ClearClusterRoleBindingFilters() {
- clusterRoleBindingFilters = nil
-}
-
 const systemNodeRoleName = "system:node"
-var clusterRoleBindingFilters []ClusterRoleBindingFilter
-
-// OmitNodesGroupBinding is a filter that omits the deprecated binding for the system:nodes group to the system:node role.
-var OmitNodesGroupBinding = ClusterRoleBindingFilter(func(binding *rbac.ClusterRoleBinding) *rbac.ClusterRoleBinding {
- if binding.RoleRef.Name == systemNodeRoleName {
- subjects := []rbac.Subject{}
- for _, subject := range binding.Subjects {
- if subject.Kind == rbac.GroupKind && subject.Name == user.NodesGroup {
- continue
- }
- subjects = append(subjects, subject)
- }
- binding.Subjects = subjects
- }
- return binding
-})
-
 // ClusterRoleBindings return default rolebindings to the default roles
 func ClusterRoleBindings() []rbac.ClusterRoleBinding {
 rolebindings := []rbac.ClusterRoleBinding{
@@ -409,27 +379,15 @@ func ClusterRoleBindings() []rbac.ClusterRoleBinding {
 rbac.NewClusterBinding("system:kube-dns").SAs("kube-system", "kube-dns").BindingOrDie(),
 rbac.NewClusterBinding("system:kube-scheduler").Users(user.KubeScheduler).BindingOrDie(),
- // This default system:nodes binding is deprecated in 1.7 with the availability of the Node authorizer.
- // If an admin wants to grant the system:node role (which cannot partition Node API access), they will need to create their own clusterrolebinding.
- // TODO: Remove the subjects from this binding in 1.8 (leave the empty binding for tightening reconciliation), and remove AddClusterRoleBindingFilter()
- rbac.NewClusterBinding(systemNodeRoleName).Groups(user.NodesGroup).BindingOrDie(),
+ // This default binding of the system:node role to the system:nodes group is deprecated in 1.7 with the availability of the Node authorizer.
+ // This leaves the binding, but with an empty set of subjects, so that tightening reconciliation can remove the subject.
+ {
+ ObjectMeta: metav1.ObjectMeta{Name: systemNodeRoleName},
+ RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "ClusterRole", Name: systemNodeRoleName},
+ },
 }
 addClusterRoleBindingLabel(rolebindings)
- retval := []rbac.ClusterRoleBinding{}
- for i := range rolebindings {
- binding := &rolebindings[i]
- for _, filter := range clusterRoleBindingFilters {
- binding = filter(binding)
- if binding == nil {
- break
- }
- }
- if binding != nil {
- retval = append(retval, *binding)
- }
- }
-
- return retval
+ return rolebindings
 }
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
index 5b666247fc8a8..87e8d85066c56 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
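Review bot: The new comment on the empty system:node binding drops the operator guidance the removed lines carried — that anyone who still needs system:nodes bound to system:node (e.g. RBAC without the Node authorizer enabled) must create their own ClusterRoleBinding — and that is the security-relevant consequence here, since tightening reconciliation will now strip the system:nodes subject from this bootstrap binding on clusters that relied on it. I would keep a line such as `// Admins who still need system:nodes bound to this role must create their own ClusterRoleBinding (presumably under a different name, since reconciliation removes subjects from this one); the Node authorizer is the supported replacement.` It would also help to say on the struct literal why it bypasses the rbac.NewClusterBinding(...).BindingOrDie() builder the neighbouring entries use — presumably because the builder rejects an empty subject list — e.g. `// Built as a literal rather than via the binding builder: this entry intentionally has no subjects.` Whether the subject is actually removed on an existing cluster depends on the reconciler honouring the binding's autoupdate setting, which is outside this hunk and worth stating in the comment as a caveat. ClusterRoleBindings begins before this hunk.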
@@ -121,10 +121,7 @@ items:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: system:node
- subjects:
- - apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: system:nodes
+ subjects: []
 - apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
diff --git a/test/integration/auth/BUILD b/test/integration/auth/BUILD
index 66a36545be608..cd7291e93ffa7 100644
--- a/test/integration/auth/BUILD
+++ b/test/integration/auth/BUILD
@@ -49,7 +49,6 @@ go_test(
 "//plugin/pkg/admission/noderestriction:go_default_library",
 "//plugin/pkg/auth/authenticator/token/bootstrap:go_default_library",
 "//plugin/pkg/auth/authorizer/rbac:go_default_library",
- "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
 "//test/e2e/lifecycle/bootstrap:go_default_library",
 "//test/integration:go_default_library",
 "//test/integration/framework:go_default_library",
diff --git a/test/integration/auth/node_test.go b/test/integration/auth/node_test.go
index 5f243de205352..f27b6f00bad1a 100644
--- a/test/integration/auth/node_test.go
+++ b/test/integration/auth/node_test.go
@@ -38,7 +38,6 @@ import (
 informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 "k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 "k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
- "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
 "k8s.io/kubernetes/test/integration/framework"
 )
@@ -79,7 +78,6 @@ func TestNodeAuthorizer(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
- defer bootstrappolicy.ClearClusterRoleBindingFilters()
 // Set up NodeRestriction admission
 nodeRestrictionAdmission := noderestriction.NewPlugin(nodeidentifier.NewDefaultNodeIdentifier())