Auto-create openshift-node and given nodes read on node-config

Other config variants will be stored in this location. The new namespace
ensures clean security isolation.

Author: smarterclayton

pkg/cmd/server/bootstrappolicy/constants.go

@@ -4,6 +4,7 @@ package bootstrappolicy
 const (
 	DefaultOpenShiftSharedResourcesNamespace = "openshift"
 	DefaultOpenShiftInfraNamespace           = "openshift-infra"
+	DefaultOpenShiftNodeNamespace            = "openshift-node"
 )
 
 // users
@@ -98,11 +99,13 @@ const (
 
 	OpenshiftSharedResourceViewRoleName = "shared-resource-viewer"
 
-	NodeBootstrapRoleName = "system:node-bootstrapper"
+	NodeBootstrapRoleName    = "system:node-bootstrapper"
+	NodeConfigReaderRoleName = "system:node-config-reader"
 )
 
 // RoleBindings
 const (
+	// Legacy roles that must continue to have a plural form
 	SelfAccessReviewerRoleBindingName = SelfAccessReviewerRoleName + "s"
 	SelfProvisionerRoleBindingName    = SelfProvisionerRoleName + "s"
 	DeployerRoleBindingName           = DeployerRoleName + "s"
@@ -128,10 +131,14 @@ const (
 	RegistryViewerRoleBindingName     = RegistryViewerRoleName + "s"
 	RegistryEditorRoleBindingName     = RegistryEditorRoleName + "s"
 
+	OpenshiftSharedResourceViewRoleBindingName = OpenshiftSharedResourceViewRoleName + "s"
+
+	// Roles beyond this point should not be pluralized
+	NodeConfigReaderRoleBindingName = NodeConfigReaderRoleName
+
+	// Bindings
 	BuildStrategyDockerRoleBindingName          = BuildStrategyDockerRoleName + "-binding"
 	BuildStrategyCustomRoleBindingName          = BuildStrategyCustomRoleName + "-binding"
 	BuildStrategySourceRoleBindingName          = BuildStrategySourceRoleName + "-binding"
 	BuildStrategyJenkinsPipelineRoleBindingName = BuildStrategyJenkinsPipelineRoleName + "-binding"
-
-	OpenshiftSharedResourceViewRoleBindingName = OpenshiftSharedResourceViewRoleName + "s"
 )

pkg/cmd/server/bootstrappolicy/namespace_policy.go

@@ -67,6 +67,10 @@ func buildNamespaceRolesAndBindings() (map[string][]rbac.Role, map[string][]rbac
 		DefaultOpenShiftSharedResourcesNamespace,
 		newOriginRoleBinding(OpenshiftSharedResourceViewRoleBindingName, OpenshiftSharedResourceViewRoleName, DefaultOpenShiftSharedResourcesNamespace).Groups(AuthenticatedGroup).BindingOrDie())
 
+	addNamespaceRoleBinding(namespaceRoleBindings,
+		DefaultOpenShiftNodeNamespace,
+		newOriginRoleBinding(NodeConfigReaderRoleBindingName, NodeConfigReaderRoleName, DefaultOpenShiftNodeNamespace).Groups(NodesGroup).BindingOrDie())
+
 	return namespaceRoles, namespaceRoleBindings
 }
 

pkg/cmd/server/bootstrappolicy/policy.go

@@ -664,6 +664,15 @@ func GetOpenshiftBootstrapClusterRoles() []rbac.ClusterRole {
 				// TODO: expose other things like /healthz on the node once we figure out non-resource URL policy across systems
 			},
 		},
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: NodeConfigReaderRoleName,
+			},
+			Rules: []rbac.PolicyRule{
+				// Allow the reader to read config maps in a given namespace with a given name.
+				rbac.NewRule("get").Groups(kapiGroup).Resources("configmaps").RuleOrDie(),
+			},
+		},
 		{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: NodeRoleName,

pkg/cmd/server/bootstrappolicy/web_console_role_test.go

@@ -42,6 +42,7 @@ var rolesToHide = sets.NewString(
 	"system:node",
 	"system:node-admin",
 	"system:node-bootstrapper",
+	"system:node-config-reader",
 	"system:node-problem-detector",
 	"system:node-proxier",
 	"system:node-reader",

pkg/cmd/server/start/bootstrap_node.go

@@ -278,7 +278,7 @@ func (o NodeOptions) loadBootstrap(hostnames []string, nodeConfigDir string) err
 	}
 
 	// if there is no node-config.yaml and no server config map, generate one
-	glog.V(2).Infof("Generating a local configuration since no server config available")
+	glog.V(2).Infof("Generating a local configuration since no server config or cached config available")
 	nodeConfig, err := o.NodeArgs.BuildSerializeableNodeConfig()
 	if err != nil {
 		return err

test/integration/front_proxy_test.go

@@ -158,6 +158,7 @@ func TestFrontProxy(t *testing.T) {
 				"kube-system",
 				"openshift",
 				"openshift-infra",
+				"openshift-node",
 			),
 		},
 	} {

test/integration/master_routes_test.go

@@ -100,6 +100,7 @@ var expectedIndex = []string{
 	// "/healthz/poststarthook/extensions/third-party-resources",  // Do not enable this controller, we do not support it
 	"/healthz/poststarthook/generic-apiserver-start-informers",
 	"/healthz/poststarthook/kube-apiserver-autoregistration",
+	"/healthz/poststarthook/node.openshift.io-sharednamespace",
 	"/healthz/poststarthook/oauth.openshift.io-EnsureBootstrapOAuthClients",
 	"/healthz/poststarthook/project.openshift.io-projectauthorizationcache",
 	"/healthz/poststarthook/project.openshift.io-projectcache",

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

@@ -2177,6 +2177,21 @@ items:
     verbs:
     - create
     - get
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRole
+  metadata:
+    annotations:
+      authorization.openshift.io/system-only: "true"
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    name: system:node-config-reader
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    verbs:
+    - get
 - apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: ClusterRole
   metadata:

test/testdata/bootstrappolicy/bootstrap_namespace_role_bindings.yaml

@@ -123,5 +123,20 @@ items:
   subjects:
   - kind: Group
     name: system:authenticated
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    name: system:node-config-reader
+    namespace: openshift-node
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: system:node-config-reader
+  subjects:
+  - kind: Group
+    name: system:nodes
 kind: List
 metadata: {}

test/testdata/bootstrappolicy/bootstrap_policy_file.yaml

@@ -2379,6 +2379,22 @@ items:
     verbs:
     - create
     - get
+- apiVersion: v1
+  kind: ClusterRole
+  metadata:
+    annotations:
+      authorization.openshift.io/system-only: "true"
+      openshift.io/reconcile-protect: "false"
+    creationTimestamp: null
+    name: system:node-config-reader
+  rules:
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - configmaps
+    verbs:
+    - get
 - apiVersion: v1
   kind: ClusterRole
   metadata:
@@ -7271,5 +7287,22 @@ items:
   - kind: SystemGroup
     name: system:authenticated
   userNames: null
+- apiVersion: v1
+  groupNames:
+  - system:nodes
+  kind: RoleBinding
+  metadata:
+    annotations:
+      openshift.io/reconcile-protect: "false"
+    creationTimestamp: null
+    name: system:node-config-reader
+    namespace: openshift-node
+  roleRef:
+    name: system:node-config-reader
+    namespace: openshift-node
+  subjects:
+  - kind: SystemGroup
+    name: system:nodes
+  userNames: null
 kind: List
 metadata: {}