Add RBAC rules to allow using certificate signers

Description

Add RBAC rules to allow using certificate signers

Kubernetes 1.18 will disallow signing certificates without having access
to the used certificate signer. I've granted access to both the legacy
unknown one and the new kubernetes.io/kube-apiserver-client. The Python
Kubernetes library does not support specifying the signer yet so only
the default one (legacy-unknown) will be used for now.

We should move to the new kubernetes.io/kube-apiserver-client as soon as
there is a version of the Python Kubernetes library that supports it and
to the stable certificates/v1 api as soon as we're on k8s 1.19 and on a
version of the Python library that supports it. The beta api and support
for the old signer will be removed in 1.22.

Bump up the version of the Python library, nice to be on the latest
version even though we aren't using any new features.

Note that this was tested and the cassettes were built against 1.19, not
1.18, since Minikube is failing to start 1.18 on my laptop.

Bug: T280300
Change-Id: Ib3b912d3aae64567b207cf81c017adcb51b130c5
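
The signer permission described in the commit message, as an added example that is not code from this commit or repository: a simplified model of how RBAC rules are evaluated when a client approves or signs a CertificateSigningRequest on Kubernetes 1.18 or later. The rule sets, the function names and the choice of the `approve` verb in the sample rules are assumptions made for illustration.

```python
# Added example: simplified model of RBAC evaluation for CSR signers.
GROUP = "certificates.k8s.io"
# Subresource that must be updatable for each signer verb.
SUBRESOURCE = {"approve": "certificatesigningrequests/approval",
               "sign": "certificatesigningrequests/status"}

# Constructed rules in ClusterRole "rules" form; not the rules from this commit.
RULES_BEFORE = [
    {"apiGroups": [GROUP], "verbs": ["update"],
     "resources": ["certificatesigningrequests/approval"]},
]
RULES_AFTER = RULES_BEFORE + [
    {"apiGroups": [GROUP], "verbs": ["approve"], "resources": ["signers"],
     "resourceNames": ["kubernetes.io/legacy-unknown",
                       "kubernetes.io/kube-apiserver-client"]},
]


def _has(values, wanted):
    return "*" in values or wanted in values


def rule_allows(rule, verb, resource, name=None):
    """True if one rule permits `verb` on `resource` (optionally a named object)."""
    names = rule.get("resourceNames", [])
    return (_has(rule.get("apiGroups", []), GROUP)
            and _has(rule.get("resources", []), resource)
            and _has(rule.get("verbs", []), verb)
            and (not names or name in names))  # no resourceNames = any name


def may_use_signer(rules, verb, signer_name):
    """Model of the 1.18+ check: `verb` is "approve" or "sign"."""
    domain = signer_name.split("/", 1)[0]
    # A grant may name the signer exactly or use the "<domain>/*" form.
    candidates = (signer_name, domain + "/*")
    can_update = any(rule_allows(r, "update", SUBRESOURCE[verb]) for r in rules)
    on_signer = any(rule_allows(r, verb, "signers", c)
                    for r in rules for c in candidates)
    return can_update and on_signer
```

Listing each signer in `resourceNames` keeps the grant scoped to the two signers named in the message; a `kubernetes.io/*` entry would also cover every other signer in that domain.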

Details

Provenance
Majavah authored on Apr 16 2021, 7:56 AM
Parents
rLTMK292b6bccfc87: rbac: add the ability for tools to run "kubectl top pods"
Branches
Unknown
Tags
Unknown
References
refs/changes/44/680244/1
ChangeId
Ib3b912d3aae64567b207cf81c017adcb51b130c5