Update: Filed this as an issue on Google's Issue Tracker.
I'm running a GKE cluster on 1.18.12-gke.1201 and unsuccessfully trying to authenticate (a 3rd-party service) using a Bootstrap token.
Questions:
- Does GKE 1.18+ support Bootstrap Token auth? How may I confirm this?
- If it does, how may I revise the Secret to reflect GKE's RBAC?
IIUC, 1.18+ should support Bootstrap Tokens, but it's unclear to me whether --enable-bootstrap-token-auth is enabled on GKE clusters (how could I determine this?).
I'm using a script that generates Bootstrap Token Secrets and then a 3rd-party solution that exchanges these for CSRs, that I can approve and create a certificate|key pair for the solution.
Generating these Secrets against MicroK8s clusters works so I'm confident the Secrets are valid.
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1C...
    server: https://XX.XX.XX.XX
  name: gke
contexts:
- context:
    cluster: gke
    namespace: kube-system
    user: tls-bootstrap-token-user
  name: tls-bootstrap-token-user@kubernetes
current-context: tls-bootstrap-token-user@kubernetes
kind: Config
preferences: {}
users:
- name: tls-bootstrap-token-user
  user:
    token: 8ziv0n.1t3jxk2d9tdr5xnp
However, I've been unsuccessful exchanging these for CSRs when using GKE. I'm reliant upon the 3rd-party solution to create the CSR for me. Is there a way to run this process manually?
The Secret-generating script includes:
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-${token_id}
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  auth-extra-groups: system:bootstrappers:kubeadm:default-node-token
  expiration: ${expiration}
  token-id: ${token_id}
  token-secret: ${token_secret}
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
If I understand correctly, this assumes the existence of system:bootstrappers, but the GKE cluster does not have system:bootstrappers; it appears to have system:node-bootstrapper instead:
kubectl get clusterrolebindings | grep bootstrapper
kubelet-bootstrap                     ClusterRole/system:node-bootstrapper
kubelet-bootstrap-node-bootstrapper   ClusterRole/system:node-bootstrapper
And these:
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubelet
And:
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubelet-bootstrap
Should I be able to revise the Bootstrap Token to reference system:node-bootstrapper?
Update -- still no success
I tried creating an RBAC group (krustlet-bootstrapper):
kubectl create clusterrolebinding krustlet-bootstrapper \
  --clusterrole=system:node-bootstrapper \
  --group=krustlet-bootstrapper
kubectl create clusterrolebinding krustlet-authenticated \
  --clusterrole=system:authenticated \
  --group=krustlet-bootstrapper
And:
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-${token_id}
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  auth-extra-groups: krustlet-bootstrapper
  expiration: ${expiration}
  token-id: ${token_id}
  token-secret: ${token_secret}
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
The system:node-bootstrapper role appears to have the appropriate permissions:
kubectl get clusterrole/system:node-bootstrapper --output=jsonpath="{.rules}" | jq .
[
  {
    "apiGroups": [
      "certificates.k8s.io"
    ],
    "resources": [
      "certificatesigningrequests"
    ],
    "verbs": [
      "create",
      "get",
      "list",
      "watch"
    ]
  }
]
But I continue to get 401s when trying to bootstrap using it from the VM.
I suspect Bootstrap Tokens either aren't enabled on GKE or this method is more locked down than is customary.
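A small checker, added here as an illustration and not part of the question or of any GKE or krustlet tooling, that applies the rules the upstream Kubernetes bootstrap-token authenticator uses before it accepts a Secret (Secret type, kube-system namespace, bootstrap-token-<token-id> name, [a-z0-9] character class and length for token-id and token-secret, the usage-bootstrap-authentication flag, an RFC3339 expiry that has not passed, and the system:bootstrappers: prefix the authenticator requires on every auth-extra-groups entry) and reports the username and groups the API server attaches to requests made with the token, which is what a ClusterRoleBinding has to target. The regexes and constant values are taken from my reading of the Kubernetes source and are assumptions to check against the cluster version; the sample Secret is constructed from the YAML in the question with placeholder values of the right shape, not real credentials.

```python
import base64
import copy
import re
from datetime import datetime, timezone

# Constants mirrored from the upstream bootstrap-token authenticator
# (assumed values; verify against the Kubernetes release you run).
TOKEN_ID_RE = re.compile(r"^[a-z0-9]{6}$")
TOKEN_SECRET_RE = re.compile(r"^[a-z0-9]{16}$")
GROUP_RE = re.compile(r"^system:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]$")
SECRET_TYPE = "bootstrap.kubernetes.io/token"
NAME_PREFIX = "bootstrap-token-"
DEFAULT_GROUP = "system:bootstrappers"


def _payload(secret):
    """Merge base64 'data' and plain 'stringData', as the API server stores them."""
    out = {}
    for key, value in (secret.get("data") or {}).items():
        out[key] = base64.b64decode(value).decode()
    out.update(secret.get("stringData") or {})
    return out


def lint_bootstrap_secret(secret, now=None):
    """Check a bootstrap-token Secret the way the authenticator would.

    Returns (problems, identity): problems lists reasons the token would be
    rejected (a 401 from the API server); identity is (username, groups) the
    API server would attach to requests when problems is empty, else None.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    meta = secret.get("metadata") or {}
    data = _payload(secret)

    if secret.get("type") != SECRET_TYPE:
        problems.append(f"type must be {SECRET_TYPE}")
    if meta.get("namespace") != "kube-system":
        problems.append("Secret must be in kube-system; other namespaces are never consulted")

    token_id = data.get("token-id", "")
    if not TOKEN_ID_RE.match(token_id):
        problems.append("token-id must be exactly 6 characters of [a-z0-9]")
    if meta.get("name") != NAME_PREFIX + token_id:
        problems.append(f"metadata.name must be {NAME_PREFIX}<token-id>")
    if not TOKEN_SECRET_RE.match(data.get("token-secret", "")):
        problems.append("token-secret must be exactly 16 characters of [a-z0-9]")
    if data.get("usage-bootstrap-authentication") != "true":
        problems.append('usage-bootstrap-authentication must be the string "true"')

    expiration = data.get("expiration")
    if expiration:
        try:
            when = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
            if when.tzinfo is None:
                raise ValueError("missing timezone")
            if when <= now:
                problems.append(f"token expired at {expiration}")
        except ValueError:
            problems.append("expiration must be RFC3339, e.g. 2021-02-01T00:00:00Z")

    # auth-extra-groups is comma-separated; an entry outside the allowed
    # pattern makes the authenticator reject the whole token.
    groups = [DEFAULT_GROUP]
    for group in filter(None, (g.strip() for g in data.get("auth-extra-groups", "").split(","))):
        if GROUP_RE.match(group):
            groups.append(group)
        else:
            problems.append(f"auth-extra-groups entry {group!r} must match system:bootstrappers:<suffix>")

    if problems:
        return problems, None
    return [], (f"system:bootstrap:{token_id}", groups)


# Constructed sample modelled on the Secret in the question; the token-id and
# token-secret are the two halves of the kubeconfig token shown above.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "bootstrap-token-8ziv0n", "namespace": "kube-system"},
    "type": SECRET_TYPE,
    "stringData": {
        "auth-extra-groups": "system:bootstrappers:kubeadm:default-node-token",
        "expiration": "2099-01-01T00:00:00Z",
        "token-id": "8ziv0n",
        "token-secret": "1t3jxk2d9tdr5xnp",
        "usage-bootstrap-authentication": "true",
        "usage-bootstrap-signing": "true",
    },
}


def variant(overrides):
    """Copy of SAMPLE_SECRET with some stringData keys replaced, for experiments."""
    secret = copy.deepcopy(SAMPLE_SECRET)
    secret["stringData"].update(overrides)
    return secret


if __name__ == "__main__":
    for label, secret in [("prefixed group", SAMPLE_SECRET),
                          ("unprefixed group", variant({"auth-extra-groups": "krustlet-bootstrapper"})),
                          ("expired", variant({"expiration": "2000-01-01T00:00:00Z"}))]:
        print(label, "->", lint_bootstrap_secret(secret))
```

Run it against a generated Secret before applying it: a group entry without the system:bootstrappers: prefix is reported as a rejection reason, and for an accepted token the returned groups list shows exactly which group names an RBAC binding (for example one to system:node-bootstrapper) has to reference. It cannot tell you whether a given managed control plane enables the bootstrap-token authenticator at all; only an authenticated request that succeeds shows that.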