track the rename of the "system:masters" group #2322

Open
neolit123 opened this issue Oct 9, 2020 · 15 comments
Labels
kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/auth Categorizes an issue or PR as relevant to SIG Auth. wg/naming Categorizes an issue or PR as relevant to WG Naming.

@neolit123
Member

neolit123 commented Oct 9, 2020

Kubernetes includes a stock "system:masters" group that has full access to cluster resources:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/

kubeadm binds its administrator account to this group:
https://github.com/kubernetes/kubernetes/blob/e45b8bfe0f45c276537bb8e927b2ae5af8466590/cmd/kubeadm/app/constants/constants.go#L168

this ticket is created with the assumption that the group name will be changed at some point (based on the efforts by wg-naming), potentially by introducing a new group that has the same level of access and deprecating the old group.

on the side of kubeadm we'd have to track this effort and adapt kubeadm to handle the introduction of the new group.

k/k issue: (NONE exists yet?)
plan: TODO

@neolit123 neolit123 added kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. wg/naming Categorizes an issue or PR as relevant to WG Naming. labels Oct 9, 2020
@neolit123 neolit123 added this to the Next milestone Oct 9, 2020
@neolit123 neolit123 self-assigned this Oct 9, 2020
@justaugustus
Member

@neolit123 -- do we have any updates on this one?

@neolit123
Member Author

@justaugustus
no, this one is on sig-auth.

@justaugustus
Member

Ping @kubernetes/sig-auth-feature-requests

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. kind/feature Categorizes issue or PR as related to a new feature. labels Feb 8, 2021
@enj
Member

enj commented Feb 8, 2021

Uh, I did not know we were planning on changing this group. I do not think we can ever safely stop supporting system:masters because it could break existing clusters. That string is considered special in many places in the k/k code.

@celestehorgan

@kubernetes/sig-architecture-leads – @enj brings up a great point above. For reasons I think are obvious though we'd like to at least remove system:masters going forward, even if we need to maintain backwards compatibility. Thoughts?

@dims
Member

dims commented Apr 19, 2021

@celestehorgan @enj i'd request sig-auth to take the lead here and propose a plan that can work (some sort of switch to help existing clusters + a more forward looking better name maybe?)

@neolit123
Member Author

the topic for k8s core needs a kubernetes/kubernetes issue.
this one is for kubeadm.

@enj
Member

enj commented Apr 19, 2021

We discussed this extensively in a recent sig-auth meeting. I have the AI to distill the discussion into a k/k issue that outlines the available options. That would enable the creation of the KEP needed to address this (as best as we can).

@justaugustus
Member

@enj @neolit123 -- How are we doing w/ discussions on next steps?

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 15, 2021
@neolit123
Member Author

neolit123 commented Aug 15, 2021

i don't know if we have a k/k issue.
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 15, 2021
@k8s-triage-robot
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 13, 2021
@neolit123
Member Author

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 22, 2021
@enj enj added this to SIG Auth Jan 9, 2023
@github-project-automation github-project-automation bot moved this to Needs Triage in SIG Auth Jan 9, 2023
@ibihim ibihim moved this from Needs Triage to Needs KEP in SIG Auth Apr 24, 2023
@ibihim

ibihim commented Apr 24, 2023

> We discussed this extensively in a recent sig-auth meeting. I have the AI to distill the discussion into a k/k issue that outlines the available options. That would enable the creation of the KEP needed to address this (as best as we can).

Based on this, we have an action item open to create an issue for that or do we want to close it? @enj

@neolit123
Member Author

@ibihim please post a link to the new issue once it's created here.

Projects
Status: Needs KEP
Development

No branches or pull requests

9 participants