Add namespace for (cluster)role(binding) cloud-provider.

[grayluck]

What this PR does / why we need it:
Add namespace for (cluster)role(binding) cloud-provider.
Change the addonmanager mode to be from reconcile to EnsureExists.

Needs to be cherrypicked together with #59686.

Special notes for your reviewer:
/assign @bowei @tallclair
/sig auth

Release note:

Role, ClusterRole and their bindings for cloud-provider is put under system namespace. Their addonmanager mode switches to EnsureExists.

Manual tested. Cluster can be created succesfully using kube-up.sh with desired (cluster)role(binding)s.

[tallclair]

This is unreleased code, right?

[grayluck]

@tallclair PR#59686 is released in 1.10 and 1.11, confirmably. So it's already affecting some of the clusters by not namespacing the roles.
It's fine to have two sets of (cluster)roles and (cluster)rolebindings if those affected clusters get upgraded.

[bowei]

/ok-to-test

[bowei]

make sure you test with all of the versions

[k8s-ci-robot]

@grayluck:

In response to this:

/meow

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[grayluck]

/undo meow

[tallclair]

What does the addon manager do with the old roles in this case? You can test it by SSHing to the master, and manually swapping out the manifest (/etc/kubernetes/manifests, I think).

[grayluck]

Here's what happened:

e2e-test-yankaiz-master loadbalancing # alias kk="kubectl -n kube-system"

e2e-test-yankaiz-master loadbalancing # kk get clusterrolebindings system:cloud-provider gce:cloud-provider
NAME                    KIND
system:cloud-provider   ClusterRoleBinding.v1.rbac.authorization.k8s.io
gce:cloud-provider      ClusterRoleBinding.v1.rbac.authorization.k8s.io

e2e-test-yankaiz-master loadbalancing # kk get clusterroles system:cloud-provider gce:cloud-provider
NAME                    KIND
system:cloud-provider   ClusterRole.v1.rbac.authorization.k8s.io
gce:cloud-provider      ClusterRole.v1.rbac.authorization.k8s.io

e2e-test-yankaiz-master loadbalancing # kk auth can-i create events --as=system:serviceaccount:kube-system:cloud-provider
yes

Everything looks working perfectly.

[grayluck]

Sure. I will test the rest of the versions in cherrypicks.

[tallclair]

I thought we discussed using the gce: prefix instead of system:, but can't find the reference...
@mikedanese

[grayluck]

I forgot to push my local change.. But the test still shows that gce:cloud-provider works with previous roles/bindings.

[tallclair]

/lgtm

[tallclair]

/retest

[grayluck]

/hold cancel

[tallclair]

We discussed putting the deprecation notice in an annotation, and keeping Reconcile so the annotation is populated.

[grayluck]

Sorry Tim I can't find an example annotation to denote deprecation. But I did find an related (closed without fixes) issue: #38269.

[tallclair]

Actually, I'm not sure there's any reason we need to keep the old ClusterRoleBinding. The new one grants a superset of the permissions.

I think we just need to keep the old cluster role incase someone was binding it to a different service account.

[grayluck]

lol Good point. No, there's no reason to keep the bindings. Only the old roles need to be remained.

[tallclair]

Techinically there's a slight risk to this, as it would clobber another role of the same name. I think it's probably ok given the gce: prefix.

[grayluck]

It's not that likely that a cluster user has a role named gce:cloud-provider. Since we didn't get any reports reporting issue about roles named cloud-provider in Reconcile mode clobbering exist roles, I assume gce:cloud-provider is even safer than cloud-provider to have Reconcile.

[bowei]

where is the change to remove the old role binding?

[grayluck]

Re bowei@ The old bindings has been removed from cloud-provider-binding.yaml.
Talked with Tim for advice about deprecation annotations.
Added to the old (cluster)role.
PTAL Misters

[grayluck]

/test pull-kubernetes-e2e-gke

[tallclair]

nit: We don't really want anyone to use the gce:cloud-provider role either... in generaly I would say that things in the kube-system namespace should not be used. I guess this is more of a concern with the cluster-scoped role, but the same holds true.

Also, consider declaring what release this will be removed in (probably 1.14)

[grayluck]

Let's do 1.16 since the minor comes every quarter. This gives the deprecated role 1 year before removed.

[tallclair]

/lgtm
thanks!

[grayluck]

/test pull-kubernetes-e2e-gke

[bowei]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bowei, grayluck, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cluster/gce/OWNERS [bowei]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

[bowei]

/milestone v1.12

[grayluck]

Thanks Bowei!

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 65251, 67255, 67224, 67297, 68105). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.