track the rename of the "system:masters" group

Open neolit123 opened this issue 5 years ago • 15 comments

Kubernetes includes a stock "system:masters" group that has full access to cluster resources: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

kubeadm binds its administrator account to this group: https://github.com/kubernetes/kubernetes/blob/e45b8bfe0f45c276537bb8e927b2ae5af8466590/cmd/kubeadm/app/constants/constants.go#L168

this ticket is created with the assumption that the group name will be changed at some point (based on the efforts by wg-naming), potentially by introducing a new group that has the same level of access and deprecating the old group.

on the side of kubeadm we'd have to track this effort and adapt kubeadm to handle the introduction of the new group.

k/k issue: (NONE exists yet?)
plan: TODO

Oct 09 '20 00:10 neolit123

@neolit123 -- do we have any updates on this one?

Dec 14 '20 18:12 justaugustus

@justaugustus no, this one is on sig-auth.

Dec 14 '20 19:12 neolit123

Ping @kubernetes/sig-auth-feature-requests

Feb 08 '21 18:02 justaugustus

Uh, I did not know we were planning on changing this group. I do not think we can ever safely stop supporting system:masters because it could break existing clusters. That string is considered special in many places in the k/k code.

Feb 08 '21 20:02 enj

@kubernetes/sig-architecture-leads – @enj brings up a great point above. For reasons I think are obvious though we'd like to at least remove system:masters going forward, even if we need to maintain backwards compatibility. Thoughts?

Apr 19 '21 17:04 celestehorgan

@celestehorgan @enj i'd request sig-auth to take the lead here and propose a plan that can work (some sort of switch to help existing clusters + a more forward looking better name maybe?)

Apr 19 '21 17:04 dims

the topic for k8s core needs a kubernetes/kubernetes issue. this one is for kubeadm.

Apr 19 '21 17:04 neolit123

We discussed this extensively in a recent sig-auth meeting. I have the AI to distill the discussion into a k/k issue that outlines the available options. That would enable the creation of the KEP needed to address this (as best as we can).

Apr 19 '21 17:04 enj

@enj @neolit123 -- How are we doing w/ discussions on next steps?

May 17 '21 17:05 justaugustus

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Aug 15 '21 18:08 k8s-triage-robot

i don't know if we have a k/k issue. /remove-lifecycle stale

Aug 15 '21 19:08 neolit123

/lifecycle stale

Nov 13 '21 20:11 k8s-triage-robot

/lifecycle frozen

Nov 22 '21 14:11 neolit123

> We discussed this extensively in a recent sig-auth meeting. I have the AI to distill the discussion into a k/k issue that outlines the available options. That would enable the creation of the KEP needed to address this (as best as we can).

Based on this, we have an action item open to create an issue for that or do we want to close it? @enj

Apr 24 '23 16:04 ibihim

@ibihim please post a link to the new issue once it's created here.

Apr 24 '23 16:04 neolit123