Right now, cluster maintenance is done as cluster-admin on the control plane. This should only be used when absolutely needed.
Add admin accounts for <project>.admin group members.
Change 589454 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[labs/tools/maintain-kubeusers@master] admins: Introduce admin user creation for projects
Change 589454 merged by jenkins-bot:
[labs/tools/maintain-kubeusers@master] admins: Introduce admin user creation for projects
Mentioned in SAL (#wikimedia-cloud) [2020-05-15T20:48:33Z] <bstorm_> found an error in the new version of maintain-kubeusers, removing the deployment for now T246059
Change 596763 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[labs/tools/maintain-kubeusers@master] admins: Fixed critical typo
Change 596763 merged by jenkins-bot:
[labs/tools/maintain-kubeusers@master] admins: Fixed critical typo
Change 596770 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[labs/tools/maintain-kubeusers@master] admins: Another bugfix -- duplicate names of clusterrolebindings
Change 596770 merged by jenkins-bot:
[labs/tools/maintain-kubeusers@master] admins: Another bugfix -- duplicate names of clusterrolebindings
Change 596781 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[labs/tools/maintain-kubeusers@master] admins: mount the NFS home dirs in the container
Change 596781 merged by jenkins-bot:
[labs/tools/maintain-kubeusers@master] admins: mount the NFS home dirs in the container
Ok, after much fussing, this provides view access by default, and using impersonation allows assuming other privs, even cluster-admin. Therefore, it is effectively similar to sudo access in the cluster.
Added documentation here https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin/Kubernetes#Admin_accounts
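An added illustration of the model described in the comment above (read-only by default, elevation through impersonation). It is not taken from maintain-kubeusers, and every object name in it (`example-admin`, `example-admin-view`, `example-impersonator`, `example-admin-impersonate`) is a hypothetical placeholder; only the built-in `view` ClusterRole and the `impersonate` verb are standard Kubernetes RBAC.

```yaml
# Constructed example; all metadata.name values and the user name are hypothetical.
# 1. Default access: bind the admin account to the built-in read-only "view" role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBindings are cluster-scoped, so this name must be unique
  # across all admin accounts (e.g. derive it from the user name).
  name: example-admin-view
subjects:
  - kind: User
    name: example-admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
---
# 2. Elevation path: the account is not granted cluster-admin directly.
#    It is granted the right to impersonate other users and groups,
#    which the API server evaluates per request.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-impersonator
rules:
  - apiGroups: [""]
    resources: ["users", "groups"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-admin-impersonate
subjects:
  - kind: User
    name: example-admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: example-impersonator
  apiGroup: rbac.authorization.k8s.io
```

With API server audit logging enabled, impersonated requests carry both the authenticated `user` and an `impersonatedUser` field, so elevated actions remain attributable to the individual admin account. Adding `resourceNames` to the impersonation rule limits which identities can be assumed.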
Mentioned in SAL (#wikimedia-cloud) [2020-05-26T18:45:36Z] <bstorm_> upgrading maintain-kubeusers to match what is in toolsbeta T246059 T211096
Change 598863 had a related patch set uploaded (by Bstorm; owner: Bstorm):
[labs/tools/maintain-kubeusers@master] contexts: context should be correct for project
Mentioned in SAL (#wikimedia-cloud) [2020-05-26T22:03:53Z] <bstorm_> created paws.admin group and kubernetes admin accounts on the new k8s cluster T211096 T246059
Mentioned in SAL (#wikimedia-cloud) [2020-05-26T22:05:51Z] <bstorm_> temporarily deleted the deployment for maintain-kubeusers pending patch to fix context creation for new admin accounts T211096 T246059
Change 598863 merged by jenkins-bot:
[labs/tools/maintain-kubeusers@master] contexts: context should be correct for project
Mentioned in SAL (#wikimedia-cloud) [2020-05-26T22:34:39Z] <bstorm_> restored the deployment for maintain-kubeusers so anyone added to the paws.admin group will have admin on the cluster now that the bug is fixed T211096 T246059