kubeadm join: Error out if CA pinning isn't used or opted out of #55468
Conversation
k8s-ci-robot
added
the
release-note-none
k8s-ci-robot
added
size/XS
|
/assign @krousey |
|
ping @krousey |
yuexiao-wang
changed the title
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
| if len(cfg.DiscoveryFile) == 0 && len(cfg.DiscoveryTokenCACertHashes) == 0 && !cfg.DiscoveryTokenUnsafeSkipCAVerification { | ||
| fmt.Println("[validation] WARNING: using token-based discovery without DiscoveryTokenCACertHashes can be unsafe (see https://kubernetes.io/docs/admin/kubeadm/#kubeadm-join).") | ||
| fmt.Println("[validation] WARNING: Pass --discovery-token-unsafe-skip-ca-verification to disable this warning. This warning will become an error in Kubernetes 1.9.") | ||
| allErrs = append(allErrs, field.Invalid(fldPath, "", "using token-based discovery without DiscoveryTokenCACertHashes can be unsafe.")) |
There was a problem hiding this comment.
I think it would be helpful to still include a message like (set DiscoveryTokenUnsafeSkipCAVerification to continue). so the user knows how to bypass this check if they are willing to sacrifice some of the security validation.
I'm not sure if it would be better to refer to the CLI flag (--discovery-token-unsafe-skip-ca-verification) or the config parameter (DiscoveryTokenUnsafeSkipCAVerification). It seems like the rest of the errors refer to the config parameters.
There was a problem hiding this comment.
Thanks for review. The message has updated. PTAL
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
|
/lgtm Thanks @yuexiao-wang! |
k8s-ci-robot
added
the
lgtm
|
I'm cool with this but @luxas wanted to cover it in the SIG meeting today. |
|
We should couple this with a fix for kubernetes/kubeadm#519. It would be great if this error said "Run with --discovery-token-unsafe-skip-ca-verification or get the correct CA verification argument with kubeadm token get --print-join-command" or some such. Also, this needs a release note. This is a change that users should be aware of. |
luxas
changed the title
k8s-ci-robot
added
release-note
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: luxas, mattmoyer, yuexiao-wang Associated issue: 534 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue (batch tested with PRs 55764, 55683, 55468, 54409, 55546). If you want to cherry-pick this change to another branch, please follow the instructions here. |
…join failure Since kubernetes/kubernetes#55468 merged, kubeadm now requires the user to specify either the `--discovery-token-ca-cert-hash` flag or the `--discovery-token-unsafe-skip-ca-verification` flag
kubeadm got a new option in version 1.8: --discovery-token-unsafe-skip-ca-verification See: kubernetes/kubernetes#49520 Since version 1.9, it became mandatory to either use it to skip verification, or to use --discovery-token-ca-cert-hash=... See: kubernetes/kubernetes#55468 Since kube-spawn is a developer tool used on one physical machine, use the former.
Signed-off-by: yuexiao-wang wang.yuexiao@zte.com.cn
What this PR does / why we need it:
convert the warning to an error in kubeadm
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes kubernetes/kubeadm#534
Special notes for your reviewer:
/cc @mattmoyer
Release note: