
Node authentication changes (role/rolebinding update required)

TL;DR: If you have an existing dev cluster and policy in etcd, run these commands after updating to master:

oadm policy reconcile-cluster-roles --confirm
oadm policy reconcile-cluster-role-bindings --confirm

Authentication/authorization to the Kubelet API in OpenShift has changed with https://github.com/openshift/origin/pull/4873.

Previously, a client certificate gave you full access to the Kubelet API. Now, the same authn/authz chain used in the master API applies to the Kubelet API. This means that OAuth and service account tokens can now be used to authenticate Kubelet API calls. It also requires running the above commands when upgrading, to make sure the newly defined roles and default permissions are in place.

You can grant access to parts of the Kubelet API using OpenShift policy commands. The following roles grant access to the /metrics and /stats endpoints on the nodes:

The following roles grant full access to the kubelet API:

You can add those roles to any user or group with the normal policy commands. For example:

oadm policy add-cluster-role-to-user system:node-reader bob
