Merge branch 'improvement/implement-super-admin-identity' into q/129.0

Author: bert-e

CHANGELOG.md

@@ -4,6 +4,9 @@
 
 ### Enhancements
 
+- Implement super-admin user and bind admin to built-in cluster-admins role
+  (PR[#4418](https://github.com/scality/metalk8s/pull/4418))
+
 - Bump Kubernetes version to
   [1.29.8](https://github.com/kubernetes/kubernetes/releases/tag/v1.29.8)
   (PR[#4417](https://github.com/scality/metalk8s/pull/4417))

buildchain/buildchain/salt_tree.py

@@ -477,6 +477,7 @@ def task(self) -> types.TaskDict:
     Path("salt/metalk8s/kubectl/configured.sls"),
     Path("salt/metalk8s/kubectl/init.sls"),
     Path("salt/metalk8s/kubectl/installed.sls"),
+    Path("salt/metalk8s/kubernetes/admin/deployed.sls"),
     Path("salt/metalk8s/kubernetes/apiserver/certs/etcd-client.sls"),
     Path("salt/metalk8s/kubernetes/apiserver/certs/front-proxy-client.sls"),
     Path("salt/metalk8s/kubernetes/apiserver/certs/init.sls"),

pillar/metalk8s/roles/master.sls

@@ -11,6 +11,8 @@ certificates:
     files:
       admin:
         watched: True
+      super-admin:
+        watched: True
       controller-manager:
         watched: True
       kubelet:

salt/metalk8s/defaults.yaml

@@ -251,6 +251,12 @@ certificates:
     days_remaining: 90
     days_valid: 365
     files:
+      super-admin:
+        path: /etc/kubernetes/super-admin.conf
+        renew:
+          sls:
+            - metalk8s.kubernetes.apiserver.kubeconfig
+        watched: False
       admin:
         path: /etc/kubernetes/admin.conf
         renew:

salt/metalk8s/deployed/core.sls

@@ -2,6 +2,7 @@ include:
   - metalk8s.kubernetes.kube-proxy.deployed
   - metalk8s.kubernetes.cni.calico.deployed
   - metalk8s.kubernetes.coredns.deployed
+  - metalk8s.kubernetes.admin.deployed
   - metalk8s.repo.deployed
   - metalk8s.salt.master.deployed
   - metalk8s.backup.deployed

salt/metalk8s/kubernetes/admin/deployed.sls

@@ -0,0 +1,15 @@
+Deploy admin user ClusterRoleBinding:
+  metalk8s_kubernetes.object_present:
+    - manifest:
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRoleBinding
+        metadata:
+          name: kubeadm:cluster-admin
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: ClusterRole
+          name: cluster-admin
+        subjects:
+        - kind: Group
+          name: kubeadm:cluster-admins
+          apiGroup: rbac.authorization.k8s.io

salt/metalk8s/kubernetes/apiserver/kubeconfig.sls

@@ -13,14 +13,33 @@ include:
 
 {%- set apiserver = 'https://' ~ apiserver_ip ~ ':6443' %}
 
+Create kubeconfig file for super-admin:
+  metalk8s_kubeconfig.managed:
+    - name: {{ certificates.kubeconfig.files["super-admin"].path }}
+    - ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
+    - signing_policy: {{ kube_api.cert.client_signing_policy }}
+    - client_cert_info:
+        CN: "kubernetes-super-admin"
+        O: "system:masters"
+    - apiserver: {{ apiserver }}
+    - cluster: {{ kubernetes.cluster }}
+    - days_valid: {{
+        certificates.kubeconfig.files["super-admin"].days_valid |
+        default(certificates.kubeconfig.days_valid) }}
+    - days_remaining: {{
+        certificates.kubeconfig.files["super-admin"].days_remaining |
+        default(certificates.kubeconfig.days_remaining) }}
+    - require:
+      - metalk8s_package_manager: Install m2crypto
+
 Create kubeconfig file for admin:
   metalk8s_kubeconfig.managed:
     - name: {{ certificates.kubeconfig.files.admin.path }}
     - ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
     - signing_policy: {{ kube_api.cert.client_signing_policy }}
     - client_cert_info:
         CN: "kubernetes-admin"
-        O: "system:masters"
+        O: "kubeadm:cluster-admins"
     - apiserver: {{ apiserver }}
     - cluster: {{ kubernetes.cluster }}
     - days_valid: {{

salt/tests/unit/formulas/config.yaml

@@ -531,6 +531,7 @@ metalk8s:
                       # Client
                       - /etc/kubernetes/pki/etcd/salt-master-etcd-client.crt
                       # Kubeconfig
+                      - /etc/kubernetes/super-admin.conf
                       - /etc/kubernetes/admin.conf
                       # Server
                       - /etc/kubernetes/pki/apiserver.crt

salt/tests/unit/formulas/data/base_pillar.yaml

@@ -144,6 +144,8 @@ certificates:
         watched: true
   kubeconfig:
     files:
+      super-admin:
+        watched: true
       admin:
         watched: true
       controller-manager: