
make the default system:admin client cert a system:masters #17414

Merged

Conversation

deads2k
Contributor

@deads2k deads2k commented Nov 21, 2017

The system:admin is a super user, add him to system:masters.

@sdodson does ansible wire this differently?

@derekwaynecarr @eparis per request.

@openshift-merge-robot openshift-merge-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 21, 2017
@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 21, 2017
@liggitt
Contributor

liggitt commented Nov 21, 2017

cc @openshift/sig-security
/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 21, 2017
@openshift-merge-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, liggitt

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@openshift-bot
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@eparis
Member

eparis commented Nov 22, 2017

/retest

@openshift-bot
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

2 similar comments

@deads2k deads2k force-pushed the server-53-cluster-admin branch from 79488cc to bad832c Compare November 22, 2017 17:35
@openshift-merge-robot openshift-merge-robot removed the lgtm Indicates that a PR is ready to be merged. label Nov 22, 2017
@openshift-ci-robot openshift-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 22, 2017
@deads2k deads2k added lgtm Indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 22, 2017
@simo5
Contributor

simo5 commented Nov 22, 2017

Why is this needed/requested ?

@deads2k
Contributor Author

deads2k commented Nov 22, 2017

Why is this needed/requested ?

When debugging a cluster locally, trying to make requests to the apiserver, system:masters gets to bypass all rate limiting. Without this, you cannot debug or gather metrics because your request gets ratelimited and rejected server-side.

@simo5
Contributor

simo5 commented Nov 22, 2017

well system:masters bypasses every access check, not just rate limiting afaik, is this ok ?

@deads2k
Contributor Author

deads2k commented Nov 22, 2017

well system:masters bypasses every access check, not just rate limiting afaik, is this ok ?

Yes. The expectation (even before) was that system:admin was a super-user.
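The identity mapping this exchange turns on, as an added example that is not code from openshift/origin: it mints a throw-away CA and a client certificate whose Subject carries CN system:admin and the O values system:cluster-admins and system:masters, verifies the chain for client authentication, derives the user and groups the way the apiserver's x509 client-cert authenticator does (the CN is the user name, each O value is a group), and reports whether the identity carries system:masters. The CA, the key material and every function and type name (issueClientCert, verifyClientCert, userInfoFromCert, isSuperUser, authenticate) are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SuperUserGroup is the group the apiserver treats as an unrestricted identity.
const SuperUserGroup = "system:masters"

// UserInfo is what the apiserver derives from a verified client certificate:
// the Subject CN becomes the user name, every Subject O value becomes a group.
type UserInfo struct {
	Name   string
	Groups []string
}

// issueClientCert creates a throw-away CA and signs a client certificate whose
// Subject carries the given CN and O values. Constructed for this example; it is
// not the certificate generator used by openshift/origin.
func issueClientCert(cn string, orgs []string) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// verifyClientCert is the gate applied before anything in the Subject is trusted:
// the leaf must chain to the configured CA and be valid for client authentication.
func verifyClientCert(ca, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// userInfoFromCert applies the CN-to-user, O-to-groups mapping.
func userInfoFromCert(c *x509.Certificate) UserInfo {
	return UserInfo{Name: c.Subject.CommonName, Groups: append([]string(nil), c.Subject.Organization...)}
}

// isSuperUser reports whether the identity carries system:masters, the group
// that bypasses authorization checks and request rate limiting.
func isSuperUser(u UserInfo) bool {
	for _, g := range u.Groups {
		if g == SuperUserGroup {
			return true
		}
	}
	return false
}

// authenticate runs the whole path: chain verification, then identity extraction.
func authenticate(ca, leaf *x509.Certificate) (UserInfo, bool, error) {
	if err := verifyClientCert(ca, leaf); err != nil {
		return UserInfo{}, false, err
	}
	u := userInfoFromCert(leaf)
	return u, isSuperUser(u), nil
}

func main() {
	ca, leaf, err := issueClientCert("system:admin", []string{"system:cluster-admins", "system:masters"})
	if err != nil {
		panic(err)
	}
	u, super, err := authenticate(ca, leaf)
	if err != nil {
		panic(err)
	}
	fmt.Printf("user=%s groups=%v superuser=%t\n", u.Name, u.Groups, super)
}
```

Because the groups are read straight from the certificate Subject, whoever holds the admin key pair holds a system:masters identity; that is why the private key for this cert deserves the same handling as the CA key, and why a cert that merely chains to the CA but lacks the O value is not a super-user.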

@deads2k
Contributor Author

deads2k commented Nov 22, 2017

/retest

@deads2k
Contributor Author

deads2k commented Nov 23, 2017

/retest

@openshift-bot
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

1 similar comment

@openshift-ci-robot

openshift-ci-robot commented Nov 23, 2017

@deads2k: The following test failed, say /retest to rerun them all:

Test name | Commit | Details | Rerun command
ci/openshift-jenkins/extended_conformance_install_update | bad832c | link | /test extended_conformance_install_update

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot
Contributor

Automatic merge from submit-queue.

@openshift-merge-robot openshift-merge-robot merged commit 0ac576a into openshift:master Nov 23, 2017
@sdodson
Member

sdodson commented Nov 24, 2017

@sdodson does ansible wire this differently?

I think this will be fine, if anything this will allow ansible to bypass rate limiting when it interacts with the API which would be nice.

@deads2k deads2k deleted the server-53-cluster-admin branch January 24, 2018 14:37
martinpitt added a commit to martinpitt/cockpit that referenced this pull request Mar 2, 2018
openshift/origin#17414 introduced a second
organization value `system:masters`. Apparently GnuTLS mis-handles
multiple RDNs by re-ordering them and then rejecting the client
certificate due to a mismatching subject.

When building the openshift-prerelease image (and only then), work
around this by regenerating the admin certificate with swapping the `O:`
fields around. This is an utter hack, but unblocks testing OpenShift 3.9
for now.

See openshift/origin#18715 for details.
larskarlitski pushed a commit to cockpit-project/cockpit that referenced this pull request Mar 2, 2018