New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: delete bootstrap-kubelet.conf after TLS bootstrap #80676
kubeadm: delete bootstrap-kubelet.conf after TLS bootstrap #80676
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think this is mostly OK, but i recommend adding a ACTION REQUIRED:
prefix to the release note.
the boostrap credential can be bound to existing infrastructures, which was probably not a great idea in the first place, but we should visibly notify about such changes.
/lgtm
/hold
for other reviews.
if we really want to be on the safe side there should be a grace period of say 1 release while EDIT and of course another option is not add this change and leave it to user infrastructure to call |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
/hold cancel
Given that this is a security hole I'd be ok with a backport of this.
I don't think an action is required on the release note.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabriziopandini, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test pull-kubernetes-dependencies |
i'm -1 given the workaround is very simple:
i worry about somebody is copying or doing something with the bootstrap credentials. |
AFAIK there is no risk in backporting this fix
But I leave the final call on this on @timothysc / @neolit123 |
/retest |
1 similar comment
/retest |
/retest Review the full test history for this PR. Silence the bot with an |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/retest Review the full test history for this PR. Silence the bot with an |
the delete should be moved to defer here: otherwise it's possible for the token to be left behind when the function errors |
yep, +1 to use defer. |
Kubeadm deletes the file `/etc/kubernetes/bootstrap-kubelet.conf` as per kubernetes/kubernetes#80676
Kubeadm deletes the file `/etc/kubernetes/bootstrap-kubelet.conf` as per kubernetes/kubernetes#80676
Kubeadm deletes the file `/etc/kubernetes/bootstrap-kubelet.conf` as per kubernetes/kubernetes#80676
Kubeadm deletes the file `/etc/kubernetes/bootstrap-kubelet.conf` as per kubernetes/kubernetes#80676
Kubeadm deletes the file `/etc/kubernetes/bootstrap-kubelet.conf` as per kubernetes/kubernetes#80676
Kubeadm deletes the file `/etc/kubernetes/bootstrap-kubelet.conf` as per kubernetes/kubernetes#80676
What type of PR is this?
/kind bug
What this PR does / why we need it:
#66482 enabled
kubeadm join --discovery-file
with a discovery file with embedded credentials. This PR makes sure that kubeadm removes the bootstrap-kubelet.conf after completing the TLS bootstrap process, so copies of the above credentials won't be left around.Which issue(s) this PR fixes:
Fixes #kubernetes/kubeadm#1689
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
/sig cluster-lifecycle
/priority important-soon
/assign @timothysc
/assign @neolit123