Skip to content

kube-apiserver: Clean up (and delete from the cluster) stale kube-controller-manager and kube-scheduler RBAC roles #125728

New issue
New issue
Open
#134297
Open
kube-apiserver: Clean up (and delete from the cluster) stale kube-controller-manager and kube-scheduler RBAC roles#125728
#134297
Labels
kind/cleanupCategorizes issue or PR as related to cleaning up code, process, or technical debt.kind/featureCategorizes issue or PR as related to a new feature.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.sig/api-machineryCategorizes an issue or PR as relevant to SIG API Machinery.sig/authCategorizes an issue or PR as relevant to SIG Auth.
@ialidzhikov

Description

@ialidzhikov
ialidzhikov
opened on Jun 26, 2024

What would you like to be added?

Clean up from source (and delete from the cluster) the following Roles and RoleBIndings:

kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go

Lines 106 to 122 in 442a69c

// TODO: Create util on Role+Binding for leader locking if more cases evolve.
addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
// role for the leader locking on supplied configmap
ObjectMeta: metav1.ObjectMeta{Name: "system::leader-locking-kube-controller-manager"},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-controller-manager").RuleOrDie(),
},
})
addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
// role for the leader locking on supplied configmap
ObjectMeta: metav1.ObjectMeta{Name: "system::leader-locking-kube-scheduler"},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(),
},
})

kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go

Lines 128 to 131 in 442a69c

addNamespaceRoleBinding(metav1.NamespaceSystem,
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).Users(user.KubeControllerManager).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
addNamespaceRoleBinding(metav1.NamespaceSystem,
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).Users(user.KubeScheduler).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())

We can delete them because leases is the only one supported resource lock type: see #80289

However in

kubernetes/pkg/registry/rbac/rest/storage_rbac.go

Line 59 in 00b9ead

const PostStartHookName = "rbac/bootstrap-roles"
I don't see any logic that on removal of these Roles and RoleBindings would delete the corresponding objects from the cluster.

Why is this needed?

Stop creating and clean up stale Roles and RoleBindings that are no longer needed.

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/cleanupCategorizes issue or PR as related to cleaning up code, process, or technical debt.kind/featureCategorizes issue or PR as related to a new feature.needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.sig/api-machineryCategorizes an issue or PR as relevant to SIG API Machinery.sig/authCategorizes an issue or PR as relevant to SIG Auth.

    Type

    No type

    Projects

    SIG Auth

    Status

    Closed / Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions