Seed ClusterRoleBindings

[BugRoger]

For some, yet unknown reason, the kube-controller-manger goes insane when using the dedicated service account credentials via --use-service-account-credentials. It gets into a endless loop adding hundreds of invalid tokens to the created service accounts. This needs to be fixed but in the meantime, we run it without the individual service accounts. Unfortunately, the system:kube-controller-manager user is missing the roles to approve CSRs. To "fix"/hack add the admin role:

kubectl create clusterrolebinding hack-cmadmin --clusterrole=cluster-admin --user=system:kube-controller-manager

The bootstrap token rolled out to nodes is entangled with the kubelet-bootstrap user. It needs permissions to create the CSR for bootstrapping a node:

kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

Now the nodes will create the CSR and hang until it is approved. In order to automatically approve the request the certificate-controller needs to have permissions:

cat <<EOF | kubectl create -f
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: approve-node-client-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/nodeclient"]
  verbs: ["create"]
EOF 

kubectl create clusterrolebinding auto-approve-csrs-for-group --clusterrole=approve-node-client-csr --group=system:bootstrappers

[BugRoger]

found out how to get the auto-signing working \o/

[databus23]

Does this mean this issue is obsolete?

[BugRoger]

No, we still need to seed this.

[BugRoger]

See ff00a76. After seeding this to the control-plane a few times I noticed this needs a Kluster-Client. :(

[databus23]

Ok, I see. Let me take this tomorrow.

[BugRoger]

Fixed