New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove self-deletion permissions from kubelets #71021

Merged
merged 1 commit into from Nov 16, 2018

Conversation

@liggitt
Copy link
Member

liggitt commented Nov 14, 2018

What type of PR is this?
/kind cleanup

What this PR does / why we need it:

Removes the ability of kubelets to delete their own Node API objects. Kubelets stopped doing this in 1.11, which means a 1.13 API server no longer needs to grant them this permission.

This closes a method by which a kubelet on a compromised node could delete and recreate its Node object, effectively removing any taints the cluster administrator had added to the Node object.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
xref kubernetes/community#911
xref kubernetes/enhancements#279

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

kubelets are no longer allowed to delete their own Node API object. Prior to 1.11, in rare circumstances related to cloudprovider node ID changes, kubelets would attempt to delete/recreate their Node object at startup. Kubelets older than 1.11 are not supported running against a v1.13+ API server. If an unsupported legacy kubelet encounters this situation, a cluster admin can remove the Node object:
* `kubectl delete node/<nodeName>`
or grant self-deletion permission explicitly:
* `kubectl create clusterrole self-deleting-nodes --verb=delete --resource=nodes`
* `kubectl create clusterrolebinding self-deleting-nodes --clusterrole=self-deleting-nodes --group=system:nodes`

@kubernetes/sig-auth-pr-reviews
@kubernetes/sig-node-pr-reviews

@k8s-ci-robot

This comment has been minimized.

Copy link
Contributor

k8s-ci-robot commented Nov 14, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liggitt

This comment has been minimized.

Copy link
Member

liggitt commented Nov 14, 2018

/milestone v1.13
/priority important-soon
/sig auth

@@ -107,7 +107,7 @@ func NodeRules() []rbacv1.PolicyRule {
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
rbacv1helpers.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),

This comment has been minimized.

@krmayankk

krmayankk Nov 14, 2018

Contributor

what binary is this code part of ?

This comment has been minimized.

@liggitt

liggitt Nov 14, 2018

Member

the kube-apiserver, which uses it in the node authorizer and to populate the default system:node cluster role

@liggitt

This comment has been minimized.

Copy link
Member

liggitt commented Nov 14, 2018

/retest

@enj

This comment has been minimized.

Copy link
Member

enj commented Nov 14, 2018

LGTM 🎉

@liggitt

This comment has been minimized.

Copy link
Member

liggitt commented Nov 15, 2018

/assign @mikedanese

@mikedanese

This comment has been minimized.

Copy link
Member

mikedanese commented Nov 15, 2018

We might need to add some legacy RBAC addons to make sure GKE continues to work... I'll discuss with @cjcullen .

/lgtm
/approve

@liggitt

This comment has been minimized.

Copy link
Member

liggitt commented Nov 15, 2018

bot looks stuck. tagging based on #71021 (comment)

@liggitt liggitt added the lgtm label Nov 15, 2018

@k8s-ci-robot k8s-ci-robot merged commit 1a54fd4 into kubernetes:master Nov 16, 2018

18 checks passed

cla/linuxfoundation liggitt authorized
Details
pull-kubernetes-bazel-build Job succeeded.
Details
pull-kubernetes-bazel-test Job succeeded.
Details
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
Details
pull-kubernetes-e2e-gce-100-performance Job succeeded.
Details
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
Details
pull-kubernetes-e2e-gke Skipped
pull-kubernetes-e2e-kops-aws Job succeeded.
Details
pull-kubernetes-e2e-kubeadm-gce Skipped
pull-kubernetes-integration Job succeeded.
Details
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
Details
pull-kubernetes-local-e2e Skipped
pull-kubernetes-local-e2e-containerized Skipped
pull-kubernetes-node-e2e Job succeeded.
Details
pull-kubernetes-typecheck Job succeeded.
Details
pull-kubernetes-verify Job succeeded.
Details
tide In merge pool.
Details

@liggitt liggitt deleted the liggitt:node-self-deletion branch Nov 16, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment