diff --git a/artifacts/deploy/bootstrap-token-configuration.yaml b/artifacts/deploy/bootstrap-token-configuration.yaml index 31b9c117781a..840c1602deb2 100644 --- a/artifacts/deploy/bootstrap-token-configuration.yaml +++ b/artifacts/deploy/bootstrap-token-configuration.yaml @@ -1,22 +1,22 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: cluster-info - namespace: kube-public -data: - kubeconfig: | - apiVersion: v1 - clusters: - - cluster: - certificate-authority-data: {{ca_crt}} - server: {{apiserver_address}} - kind: Config +#apiVersion: v1 +#kind: ConfigMap +#metadata: +# name: cluster-info +# namespace: kube-public +#data: +# kubeconfig: | +# apiVersion: v1 +# clusters: +# - cluster: +# certificate-authority-data: {{ca_crt}} +# server: {{apiserver_address}} +# kind: Config --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: karmada:bootstrap-signer-clusterinfo + name: system:karmada:bootstrap-signer-clusterinfo namespace: kube-public rules: - apiGroups: @@ -32,22 +32,24 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: karmada:bootstrap-signer-clusterinfo + name: system:karmada:bootstrap-signer-clusterinfo namespace: kube-public roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: karmada:bootstrap-signer-clusterinfo + name: system:karmada:bootstrap-signer-clusterinfo subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: system:anonymous --- +# Group `system:karmada:bootstrappers:default-cluster-token` is the user group of the bootstrap token +# used by `karmadactl register` when registering a new pull mode cluster. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: karmada:agent-bootstrap + name: system:karmada:agent-bootstrap roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
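Review bot: The `cluster-info` ConfigMap is commented out rather than removed, and nothing in the file says where that ConfigMap (still carrying the `{{ca_crt}}` and `{{apiserver_address}}` placeholders) is now expected to come from, while the Role and RoleBinding that follow still bind `system:anonymous` to it in `kube-public`. A reader of the artifact cannot tell whether the deploy is now incomplete or whether another component creates it; the `CreateBootstrapConfigMapIfNotExists` comment in clusterinfo.go suggests karmadactl init does, but that is not stated here. Either delete the dead block or replace it with a pointer, e.g. `# The cluster-info ConfigMap is created at init time (see CreateBootstrapConfigMapIfNotExists in clusterinfo.go); it is intentionally not part of this manifest.`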
@@ -55,85 +57,90 @@ roleRef: subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: system:bootstrappers:karmada:default-cluster-token + name: system:karmada:bootstrappers:default-cluster-token --- +# Define a ClusterRole with permissions to automatically approve the agent CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:certificates.k8s.io:certificatesigningrequests:agent + karmada.io/bootstrapping: rbac-defaults + name: system:karmada:certificatesigningrequest:autoapprover rules: - apiGroups: - certificates.k8s.io resources: - - certificatesigningrequests/agent + - certificatesigningrequests/clusteragent verbs: - create --- -# When the agentcsrapproving controller is enabled by the karmada-controller-manager, it can automatically approve the agent CSRs requested by the user group system:bootstrappers:karmada:default-cluster-token. +# Group `system:karmada:bootstrappers:default-cluster-token` is the user group of the bootstrap token +# used by `karmadactl register` when registering a new pull mode cluster. +# When the `agentcsrapproving` controller is enabled by the karmada-controller-manager, +# it can automatically approve the agent CSRs requested by the user group system:karmada:bootstrappers:default-cluster-token. 
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: karmada:agent-autoapprove-bootstrap + name: system:karmada:agent-autoapprove-bootstrap roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:certificates.k8s.io:certificatesigningrequests:agent + name: system:karmada:certificatesigningrequest:autoapprover subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: system:bootstrappers:karmada:default-cluster-token + name: system:karmada:bootstrappers:default-cluster-token --- +# Define a ClusterRole with permissions to automatically approve the agent CSRs +# where the user name and group of requester match those in the CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:certificates.k8s.io:certificatesigningrequests:selfagent + karmada.io/bootstrapping: rbac-defaults + name: system:karmada:certificatesigningrequest:selfautoapprover rules: - apiGroups: - certificates.k8s.io resources: - - certificatesigningrequests/selfagent + - certificatesigningrequests/selfclusteragent verbs: - create --- -# When the agentcsrapproving controller is enabled by the karmada-controller-manager, it can automatically approve the agent CSRs requested by the user group system:agents. +# Group `system:karmada:agents` is the user group used by the karmada-agent to access the Karmada API server. +# When the agentcsrapproving controller is enabled by the karmada-controller-manager, it can automatically approve +# the agent CSRs(csr.Subject.CommonName = agent username) requested by the user group system:karmada:agents. 
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: karmada:agent-autoapprove-certificate-rotation + name: system:karmada:agent-autoapprove-certificate-rotation roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:certificates.k8s.io:certificatesigningrequests:selfagent + name: system:karmada:certificatesigningrequest:selfautoapprover subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: system:agents + name: system:karmada:agents --- -# ClusterRole is not used for the connection between the karmada-agent and the control plane, +# ClusterRole `system:karmada:agent-rbac-generator` is not used for the connection between the karmada-agent and the control plane, # but is used by karmadactl register to generate the RBAC resources required by the karmada-agent. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:karmada:agent + name: system:karmada:agent-rbac-generator rules: - apiGroups: ['*'] resources: ['*'] verbs: ['*'] --- +# User `system:karmada:agent:rbac-generator` is specifically used during the `karmadactl register` process to generate restricted RBAC resources for the `karmada-agent`. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -141,8 +148,8 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:karmada:agent + name: system:karmada:agent-rbac-generator subjects: - apiGroup: rbac.authorization.k8s.io kind: User - name: system:agent:agent-rbac-generator + name: system:karmada:agent:rbac-generator diff --git a/charts/karmada/templates/_karmada_bootstrap_token_configuration.tpl b/charts/karmada/templates/_karmada_bootstrap_token_configuration.tpl index 495f00503d1e..a87bf78598a7 100644 --- a/charts/karmada/templates/_karmada_bootstrap_token_configuration.tpl +++ b/charts/karmada/templates/_karmada_bootstrap_token_configuration.tpl 
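Review bot: Renaming the ClusterRoles and ClusterRoleBindings in this hunk (`karmada:agent-bootstrap` → `system:karmada:agent-bootstrap`, `system:certificates.k8s.io:certificatesigningrequests:agent` → `system:karmada:certificatesigningrequest:autoapprover`, and the rest) has no migration path: applying the new manifests to an existing control plane creates the new objects and leaves the old ones in place, and the stale bindings keep granting to the old group and user names. Bootstrap tokens minted before the upgrade still carry the old `system:bootstrappers:karmada:default-cluster-token` group (the previous `DefaultGroups` value in bootstraptoken.go), so they presumably match only the stale bindings, and whether they still pass auto-approval depends on controller code not in this diff. Document the cleanup next to each renamed object, e.g. `# Renamed from karmada:agent-bootstrap; delete the old ClusterRoleBinding when upgrading an existing control plane` — the same applies to the rename hunks in charts/karmada/templates/_karmada_bootstrap_token_configuration.tpl. Separately, the new comment on the `system:karmada:agent:rbac-generator` user should say plainly that `system:karmada:agent-rbac-generator` grants `'*'` verbs on `'*'` resources in `'*'` API groups, i.e. the generator credential is cluster-admin equivalent and its kubeconfig must be treated accordingly.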
@@ -23,7 +23,7 @@ data: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: karmada:bootstrap-signer-clusterinfo + name: system:karmada:bootstrap-signer-clusterinfo namespace: kube-public {{- if "karmada.commonLabels" }} labels: @@ -42,7 +42,7 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: karmada:bootstrap-signer-clusterinfo + name: system:karmada:bootstrap-signer-clusterinfo namespace: kube-public {{- if "karmada.commonLabels" }} labels: @@ -51,7 +51,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: karmada:bootstrap-signer-clusterinfo + name: system:karmada:bootstrap-signer-clusterinfo subjects: - apiGroup: rbac.authorization.k8s.io kind: User @@ -60,7 +60,7 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: karmada:agent-bootstrap + name: system:karmada:agent-bootstrap {{- if "karmada.commonLabels" }} labels: {{- include "karmada.commonLabels" . | nindent 4 }} @@ -72,12 +72,12 @@ roleRef: subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: system:bootstrappers:karmada:default-cluster-token + name: system:karmada:bootstrappers:default-cluster-token --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:certificates.k8s.io:certificatesigningrequests:agent + name: system:karmada:certificatesigningrequest:autoapprover {{- if "karmada.commonLabels" }} labels: {{- include "karmada.commonLabels" . | nindent 4 }} @@ -86,14 +86,14 @@ rules: - apiGroups: - certificates.k8s.io resources: - - certificatesigningrequests/agent + - certificatesigningrequests/clusteragent verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: karmada:agent-autoapprove-bootstrap + name: system:karmada:agent-autoapprove-bootstrap {{- if "karmada.commonLabels" }} labels: {{- include "karmada.commonLabels" . | nindent 4 }} 
@@ -101,16 +101,16 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:certificates.k8s.io:certificatesigningrequests:agent + name: system:karmada:certificatesigningrequest:autoapprover subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: system:bootstrappers:karmada:default-cluster-token + name: system:karmada:bootstrappers:default-cluster-token --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:certificates.k8s.io:certificatesigningrequests:selfagent + name: system:karmada:certificatesigningrequest:selfautoapprover {{- if "karmada.commonLabels" }} labels: {{- include "karmada.commonLabels" . | nindent 4 }} @@ -119,14 +119,14 @@ rules: - apiGroups: - certificates.k8s.io resources: - - certificatesigningrequests/selfagent + - certificatesigningrequests/selfclusteragent verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: karmada:agent-autoapprove-certificate-rotation + name: system:karmada:agent-autoapprove-certificate-rotation {{- if "karmada.commonLabels" }} labels: {{- include "karmada.commonLabels" . | nindent 4 }} @@ -134,16 +134,16 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:certificates.k8s.io:certificatesigningrequests:selfagent + name: system:karmada:certificatesigningrequest:selfautoapprover subjects: - apiGroup: rbac.authorization.k8s.io kind: Group - name: system:agents + name: system:karmada:agents --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:karmada:agent + name: system:karmada:agent-rbac-generator {{- if "karmada.commonLabels" }} labels: {{- include "karmada.commonLabels" . | nindent 4 }} 
@@ -167,9 +167,9 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:karmada:agent + name: system:karmada:agent-rbac-generator subjects: - apiGroup: rbac.authorization.k8s.io kind: User - name: system:agent:agent-rbac-generator + name: system:karmada:agent:rbac-generator {{- end -}} diff --git a/pkg/karmadactl/cmdinit/bootstraptoken/agent/tlsbootstrap.go b/pkg/karmadactl/cmdinit/bootstraptoken/agent/tlsbootstrap.go index 6955f90f1094..5a370cae9f62 100644 --- a/pkg/karmadactl/cmdinit/bootstraptoken/agent/tlsbootstrap.go +++ b/pkg/karmadactl/cmdinit/bootstraptoken/agent/tlsbootstrap.go 
@@ -29,19 +29,19 @@ const ( // KarmadaAgentBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR KarmadaAgentBootstrapperClusterRoleName = "system:node-bootstrapper" // KarmadaAgentBootstrap defines the name of the ClusterRoleBinding that lets Karmada Agent post CSRs - KarmadaAgentBootstrap = "karmada:agent-bootstrap" + KarmadaAgentBootstrap = "system:karmada:agent-bootstrap" // KarmadaAgentGroup defines the group of Karmada Agent - KarmadaAgentGroup = "system:agents" + KarmadaAgentGroup = "system:karmada:agents" // KarmadaAgentAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve agent CSRs - KarmadaAgentAutoApproveBootstrapClusterRoleBinding = "karmada:agent-autoapprove-bootstrap" + KarmadaAgentAutoApproveBootstrapClusterRoleBinding = "system:karmada:agent-autoapprove-bootstrap" // KarmadaAgentAutoApproveCertificateRotationClusterRoleBinding defines name of the ClusterRoleBinding that makes the csrapprover approve agent auto rotated CSRs - KarmadaAgentAutoApproveCertificateRotationClusterRoleBinding = "karmada:agent-autoapprove-certificate-rotation" + KarmadaAgentAutoApproveCertificateRotationClusterRoleBinding = "system:karmada:agent-autoapprove-certificate-rotation" // CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR - CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:agent" + CSRAutoApprovalClusterRoleName = "system:karmada:certificatesigningrequest:autoapprover" // KarmadaAgentSelfCSRAutoApprovalClusterRoleName is a role for automatic CSR approvals for automatically rotated agent certificates - KarmadaAgentSelfCSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:selfagent" + KarmadaAgentSelfCSRAutoApprovalClusterRoleName = 
"system:karmada:certificatesigningrequest:selfautoapprover" // KarmadaAgentBootstrapTokenAuthGroup specifies which group a Karmada Agent Bootstrap Token should be authenticated in - KarmadaAgentBootstrapTokenAuthGroup = "system:bootstrappers:karmada:default-cluster-token" + KarmadaAgentBootstrapTokenAuthGroup = "system:karmada:bootstrappers:default-cluster-token" ) // AllowBootstrapTokensToPostCSRs creates RBAC rules in a way the makes Karmada Agent Bootstrap Tokens able to post CSRs @@ -64,7 +64,7 @@ func AutoApproveKarmadaAgentBootstrapTokens(clientSet kubernetes.Interface) erro csrAutoApprovalClusterRole := utils.ClusterRoleFromRules(CSRAutoApprovalClusterRoleName, []rbacv1.PolicyRule{ { APIGroups: []string{"certificates.k8s.io"}, - Resources: []string{"certificatesigningrequests/agent"}, + Resources: []string{"certificatesigningrequests/clusteragent"}, Verbs: []string{"create"}, }, }, nil, nil) @@ -89,7 +89,7 @@ func AutoApproveAgentCertificateRotation(clientSet kubernetes.Interface) error { karmadaAgentSelfCSRAutoApprovalClusterRole := utils.ClusterRoleFromRules(KarmadaAgentSelfCSRAutoApprovalClusterRoleName, []rbacv1.PolicyRule{ { APIGroups: []string{"certificates.k8s.io"}, - Resources: []string{"certificatesigningrequests/selfagent"}, + Resources: []string{"certificatesigningrequests/selfclusteragent"}, Verbs: []string{"create"}, }, }, nil, nil) diff --git a/pkg/karmadactl/cmdinit/bootstraptoken/clusterinfo/clusterinfo.go b/pkg/karmadactl/cmdinit/bootstraptoken/clusterinfo/clusterinfo.go index 57241a165cb0..65d44e4f687d 100644 --- a/pkg/karmadactl/cmdinit/bootstraptoken/clusterinfo/clusterinfo.go +++ b/pkg/karmadactl/cmdinit/bootstraptoken/clusterinfo/clusterinfo.go 
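Review bot: The renamed strings are still hand-duplicated across packages: `KarmadaAgentBootstrapTokenAuthGroup` here and `DefaultGroups` in bootstraptoken.go carry the same literal, `KarmadaAgentGroup` here and `ClusterPermissionGroups` in register.go likewise, and `agentRBACGenerator` in rbac.go matches `AgentRBACGenerator` in register.go. These values are exactly what the RBAC bindings authorize, so a future rename that misses one copy leaves an agent unauthorized, or bound under the wrong group, with no compile-time signal — this change had to touch every copy by hand. Have the copies reference one constant (e.g. `DefaultGroups = []string{agent.KarmadaAgentBootstrapTokenAuthGroup}` in bootstraptoken.go, if that import does not cycle) or add a test asserting the literals agree. The `const` block starts before this hunk.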
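Review bot: The resource the auto-approval ClusterRole grants changes from `certificatesigningrequests/agent` to `certificatesigningrequests/clusteragent` here (and `selfagent` → `selfclusteragent` in the next hunk), but as far as the manifest comments in this PR indicate these are virtual subresources consulted only by the agentcsrapproving controller's authorization check, and the controller-side update is not in this diff; if it is not changed in lockstep, auto-approval stops for every newly registering agent with nothing to show for it but a pending CSR. Both literals are also hard-coded in the artifacts YAML and the Helm template, so consider exported constants next to `CSRAutoApprovalClusterRoleName`, e.g. `CSRAutoApprovalSubresource = "certificatesigningrequests/clusteragent"` and `KarmadaAgentSelfCSRAutoApprovalSubresource = "certificatesigningrequests/selfclusteragent"`, and use them from the controller as well. `AutoApproveKarmadaAgentBootstrapTokens` starts before the hunk and ends after it.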
@@ -34,7 +34,7 @@ import ( const ( // BootstrapSignerClusterRoleName sets the name for the ClusterRole that allows access to ConfigMaps in the kube-public ns - BootstrapSignerClusterRoleName = "karmada:bootstrap-signer-clusterinfo" + BootstrapSignerClusterRoleName = "system:karmada:bootstrap-signer-clusterinfo" ) // CreateBootstrapConfigMapIfNotExists creates the kube-public ConfigMap if it doesn't exist already diff --git a/pkg/karmadactl/cmdinit/karmada/rbac.go b/pkg/karmadactl/cmdinit/karmada/rbac.go index b24f324baa90..abf8e5b61f78 100644 --- a/pkg/karmadactl/cmdinit/karmada/rbac.go +++ b/pkg/karmadactl/cmdinit/karmada/rbac.go @@ -28,9 +28,9 @@ import ( const ( karmadaViewClusterRole = "karmada-view" karmadaEditClusterRole = "karmada-edit" - karmadaAgentRBACGeneratorClusterRole = "system:karmada:agent" + karmadaAgentRBACGeneratorClusterRole = "system:karmada:agent-rbac-generator" karmadaAgentRBACGeneratorClusterRoleBinding = "system:karmada:agent-rbac-generator" - agentRBACGenerator = "system:agent:agent-rbac-generator" + agentRBACGenerator = "system:karmada:agent:rbac-generator" ) // grantProxyPermissionToAdmin grants the proxy permission to "system:admin" diff --git a/pkg/karmadactl/register/register.go b/pkg/karmadactl/register/register.go index a9a1fd29ad76..2bbcd31b5aaa 100644 --- a/pkg/karmadactl/register/register.go +++ b/pkg/karmadactl/register/register.go 
@@ -81,11 +81,11 @@ const ( // CACertPath defines default location of CA certificate on Linux CACertPath = "/etc/karmada/pki/ca.crt" // ClusterPermissionPrefix defines the common name of karmada agent certificate - ClusterPermissionPrefix = "system:agent:" + ClusterPermissionPrefix = "system:karmada:agent:" // ClusterPermissionGroups defines the organization of karmada agent certificate - ClusterPermissionGroups = "system:agents" + ClusterPermissionGroups = "system:karmada:agents" // AgentRBACGenerator defines the common name of karmada agent rbac generator certificate - AgentRBACGenerator = "system:agent:agent-rbac-generator" + AgentRBACGenerator = "system:karmada:agent:rbac-generator" // KarmadaAgentBootstrapKubeConfigFileName defines the file name for the kubeconfig that the karmada-agent will use to do // the TLS bootstrap to get itself an unique credential KarmadaAgentBootstrapKubeConfigFileName = "bootstrap-karmada-agent.conf" @@ -904,6 +904,7 @@ func (o *CommandRegisterOption) constructKubeConfig(bootstrapClient *kubeclient. } klog.V(1).Infof(fmt.Sprintf("Waiting for the client certificate of csr %s to be issued", csrName)) + klog.V(1).Infof("Approve the CSR %s manually by executing `kubectl certificate approve %s` on the control plane", csrName, csrName) return false, nil }) if err != nil { diff --git a/pkg/karmadactl/util/bootstraptoken/bootstraptoken.go b/pkg/karmadactl/util/bootstraptoken/bootstraptoken.go index f0d6458e1240..2dcf9fb323a6 100644 --- a/pkg/karmadactl/util/bootstraptoken/bootstraptoken.go +++ b/pkg/karmadactl/util/bootstraptoken/bootstraptoken.go 
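Review bot: The new `klog.V(1).Infof` line sits inside the poll callback, after the existing "Waiting for the client certificate" message and before `return false, nil`, so it is emitted on every poll interval rather than once when the wait begins; log it once before the poll loop (whose start is outside this hunk) or guard it with a flag. The hint also invites an operator to approve a CSR by hand, which bypasses the requester-identity checks the agentcsrapproving controller performs per the manifest comments in this PR, so the message should ask them to inspect the request first, e.g. `klog.V(1).Infof("CSR %s is pending; inspect it with `kubectl get csr %s -o yaml` and, if the requester is expected, approve it with `kubectl certificate approve %s` on the control plane", csrName, csrName, csrName)`. `constructKubeConfig` starts and ends outside the hunk.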
@@ -61,7 +61,7 @@ var ( // DefaultUsages is the default usages of bootstrap token DefaultUsages = bootstrapapi.KnownTokenUsages // DefaultGroups is the default groups of bootstrap token - DefaultGroups = []string{"system:bootstrappers:karmada:default-cluster-token"} + DefaultGroups = []string{"system:karmada:bootstrappers:default-cluster-token"} ) // BootstrapToken describes one bootstrap token, stored as a Secret in the cluster