Do not use the admin kubeconfig for the supervisor and core controllers #7616

Merged
merged 4 commits into from
May 31, 2023

brandond
Member

@brandond brandond commented May 26, 2023

Proposed Changes

  • Create a new kubeconfig with a dedicated user, and use that for the core controllers (supervisor, deploy, helm).
  • Create separate Kubernetes clients for each controller so that their access and managed resources can be tracked.

Types of Changes

enhancement

Verification

Check audit logs - note that actions taken by the K3s supervisor, deploy controller, and helm controller no longer appear to come from the system:admin user, and instead use the system:k3s-supervisor username, and an appropriate user-agent.

Testing

Linked Issues

User-Facing Change

The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user.

Further Comments

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Only actual admin actions should use the admin kubeconfig; everything done by the supervisor/deploy/helm controllers will now use a distinct account for audit purposes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond brandond requested a review from a team as a code owner May 26, 2023 21:06
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
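
The verification step in the description (checking which username and user-agent each audit event carries) can be scripted. The Go program below is an added example, not part of this PR or the K3s code base; it assumes the API server writes JSON-lines audit.k8s.io/v1 events, and the sample events and their user-agent strings are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Actor is the identity pair the verification step compares.
type Actor struct{ Username, UserAgent string }

// CountByActor tallies completed requests per (username, user-agent) from
// JSON-lines audit.k8s.io/v1 events; unparsable lines are counted in skipped.
func CountByActor(r io.Reader) (map[Actor]int, int, error) {
	counts, skipped := map[Actor]int{}, 0
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // audit lines can be long
	for sc.Scan() {
		var e struct {
			Stage, UserAgent string
			User             struct{ Username string }
		}
		if err := json.Unmarshal(sc.Bytes(), &e); err != nil {
			skipped++ // truncated or non-JSON line: report it, do not hide it
			continue
		}
		if e.Stage == "ResponseComplete" { // one count per request, not per stage
			counts[Actor{e.User.Username, e.UserAgent}]++
		}
	}
	return counts, skipped, sc.Err()
}

// Constructed sample; the user-agent strings are invented for illustration.
const sample = `{"stage":"RequestReceived","verb":"update","user":{"username":"system:k3s-supervisor"},"userAgent":"deploy@node-1"}
{"stage":"ResponseComplete","verb":"update","user":{"username":"system:k3s-supervisor"},"userAgent":"deploy@node-1"}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:k3s-supervisor"},"userAgent":"helm@node-1"}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:admin"},"userAgent":"kubectl-example"}
{"stage":"ResponseComplete","verb":"get","user":{"usern`

func main() {
	counts, skipped, err := CountByActor(strings.NewReader(sample))
	if err != nil {
		panic(err)
	}
	fmt.Println(counts, "unparsable lines:", skipped)
}
```

With the change in place, any remaining `system:admin` rows should correspond to people or tools using the admin kubeconfig, while controller activity shows up under `system:k3s-supervisor` with a per-controller user-agent.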
@brandond
Member Author

Added an ADR @cwayne18

@codecov

codecov bot commented May 27, 2023

Codecov Report

Patch coverage: 70.12% and project coverage change: -0.05 ⚠️

Comparison is base (fe554fe) 47.57% compared to head (5fe07ea) 47.52%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #7616      +/-   ##
==========================================
- Coverage   47.57%   47.52%   -0.05%     
==========================================
  Files         140      140              
  Lines       14284    14323      +39     
==========================================
+ Hits         6795     6807      +12     
- Misses       6411     6432      +21     
- Partials     1078     1084       +6     
Flag Coverage Δ
inttests 44.88% <70.12%> (-0.04%) ⬇️
unittests 19.85% <26.31%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/cli/cmds/server.go 100.00% <ø> (ø)
pkg/daemons/config/types.go 84.44% <ø> (ø)
pkg/daemons/control/deps/deps.go 58.10% <45.45%> (-0.23%) ⬇️
pkg/util/client.go 48.14% <50.00%> (+0.77%) ⬆️
pkg/server/server.go 56.89% <74.50%> (-0.09%) ⬇️
pkg/cli/etcdsnapshot/etcd_snapshot.go 50.26% <100.00%> (ø)
pkg/daemons/control/server.go 71.91% <100.00%> (ø)
pkg/server/context.go 64.70% <100.00%> (+3.73%) ⬆️

... and 8 files with indirect coverage changes
