Set controller authn/authz kubeconfigs

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

manifests/ccm.yaml

@@ -78,3 +78,30 @@ subjects:
 - kind: User
   name: k3s-cloud-controller-manager
   namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k3s-cloud-controller-manager-auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: User
+  name: k3s-cloud-controller-manager
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: k3s-cloud-controller-manager-authentication-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: User
+  name: k3s-cloud-controller-manager
+  namespace: kube-system

pkg/daemons/control/server.go

@@ -93,6 +93,8 @@ func Server(ctx context.Context, cfg *config.Control) error {
 func controllerManager(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) error {
 	argsMap := map[string]string{
 		"kubeconfig":                       runtime.KubeConfigController,
+		"authorization-kubeconfig":         runtime.KubeConfigController,
+		"authentication-kubeconfig":        runtime.KubeConfigController,
 		"service-account-private-key-file": runtime.ServiceKey,
 		"allocate-node-cidrs":              "true",
 		"cluster-cidr":                     util.JoinIPNets(cfg.ClusterIPRanges),
@@ -126,10 +128,12 @@ func controllerManager(ctx context.Context, cfg *config.Control, runtime *config
 
 func scheduler(ctx context.Context, cfg *config.Control, runtime *config.ControlRuntime) error {
 	argsMap := map[string]string{
-		"kubeconfig":   runtime.KubeConfigScheduler,
-		"bind-address": localhostIP.String(),
-		"secure-port":  "10259",
-		"profiling":    "false",
+		"kubeconfig":                runtime.KubeConfigScheduler,
+		"authorization-kubeconfig":  runtime.KubeConfigScheduler,
+		"authentication-kubeconfig": runtime.KubeConfigScheduler,
+		"bind-address":              localhostIP.String(),
+		"secure-port":               "10259",
+		"profiling":                 "false",
 	}
 	if cfg.NoLeaderElect {
 		argsMap["leader-elect"] = "false"
@@ -290,6 +294,8 @@ func cloudControllerManager(ctx context.Context, cfg *config.Control, runtime *c
 		"cluster-cidr":                 util.JoinIPNets(cfg.ClusterIPRanges),
 		"configure-cloud-routes":       "false",
 		"kubeconfig":                   runtime.KubeConfigCloudController,
+		"authorization-kubeconfig":     runtime.KubeConfigCloudController,
+		"authentication-kubeconfig":    runtime.KubeConfigCloudController,
 		"node-status-update-frequency": "1m0s",
 		"bind-address":                 "127.0.0.1",
 		"port":                         "0",

pkg/deploy/zz_generated_bindata.go

@@ -90,7 +90,7 @@ func (fi bindataFileInfo) Sys() interface{} {
 	return nil
 }
 
-var _ccmYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x9c\x93\xc1\xab\xdb\x30\x0c\xc6\xef\xfe\x2b\x4c\x2f\x85\x81\x5b\xc6\x2e\x23\xc7\xed\xb0\x7b\x61\xbb\x2b\xb6\xd6\x7a\x75\x2c\x23\xc9\x29\xdb\x5f\x3f\xd2\xf4\x3d\x4a\xf2\x5a\x92\xde\x44\x90\x7e\xdf\xa7\xc8\x1f\x94\xf8\x0b\x59\x22\xe5\xc6\x72\x0b\x7e\x07\x55\x4f\xc4\xf1\x1f\x68\xa4\xbc\x3b\x7f\x95\x5d\xa4\x7d\xff\xd9\x9c\x63\x0e\x8d\xfd\x9e\xaa\x28\xf2\x81\x12\x9a\x0e\x15\x02\x28\x34\xc6\xda\x0c\x1d\x36\xf6\xfc\x45\x9c\x4f\x54\x83\xf3\x94\x95\x29\x25\x64\xd7\x41\x86\x23\xb2\xe1\x9a\x50\x1a\xe3\x2c\x94\xf8\x83\xa9\x16\x19\x06\x9d\xf5\x44\x1c\x62\xbe\xd7\x33\xd6\x32\x0a\x55\xf6\x78\x6b\x4a\x08\x82\x62\xac\xed\x91\xdb\xdb\xb7\x23\xea\x08\x60\x04\xc5\x6b\x59\x4b\x18\xca\x99\xc6\x66\x33\x47\x62\x8f\x59\x27\xc8\x3b\x54\x01\xf5\xa7\xd5\xd0\x4c\x61\x6a\x73\xfb\x69\xbb\x62\x76\x2f\x0a\x5a\x27\x88\xd1\xcb\x22\x88\x20\xf7\xd1\x4f\x3d\xa4\x28\xfa\xf1\x56\x43\x79\x59\x8d\x07\xef\xa9\x3e\xfa\x7b\x8b\x40\x65\x78\x74\xa2\x98\xb5\xa7\x54\xbb\x47\xb7\x7d\x37\xfe\x9a\x5d\xcc\xa1\x50\x7c\x76\xe6\x99\xd0\x65\x76\x77\xe7\xcc\xeb\x29\xf9\x16\x73\x88\xf9\xb8\x3a\x2c\x94\xf0\x80\xbf\x87\xee\xb7\x35\x9f\x28\x1b\x6b\xe7\xf1\x5c\xa4\x23\xb5\xfd\x83\x5e\xaf\xb9\x1c\x11\x3f\x05\x79\xd9\xec\xd8\x24\x05\xfc\xd0\x59\x5b\x74\xf2\x57\x14\x3b\xf3\x3f\x00\x00\xff\xff\x37\xa3\x5f\x88\x54\x04\x00\x00")
+var _ccmYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xcc\x94\x41\x8f\x13\x31\x0c\x85\xef\xf9\x15\xd1\x5e\x56\x42\x4a\x57\x88\x0b\x9a\x23\x1c\xb8\xaf\x04\x77\x37\x79\x74\x43\x33\x71\x14\x3b\xb3\xc0\xaf\x47\xe9\x2c\x68\x99\xa1\x55\x5b\x40\x70\x8b\x2a\xfb\x7b\xcf\xcf\xf5\x50\x89\x1f\x50\x25\x72\x1e\x6c\xdd\x92\xdf\x50\xd3\x07\xae\xf1\x2b\x69\xe4\xbc\xd9\xbf\x96\x4d\xe4\xbb\xe9\xa5\xd9\xc7\x1c\x06\xfb\x36\x35\x51\xd4\x7b\x4e\x30\x23\x94\x02\x29\x0d\xc6\xda\x4c\x23\x06\xbb\x7f\x25\xce\x27\x6e\xc1\x79\xce\x5a\x39\x25\x54\x37\x52\xa6\x1d\xaa\xa9\x2d\x41\x06\xe3\x2c\x95\xf8\xae\x72\x2b\xd2\x1b\x9d\xf5\xcc\x35\xc4\xfc\x5c\xcf\x58\x5b\x21\xdc\xaa\xc7\x53\x51\x02\x09\xc4\x58\x3b\xa1\x6e\x9f\x7e\xdb\x41\x67\x40\x05\x29\x0e\xcf\x56\x42\x7f\xae\x34\x6e\x6e\xd6\x48\x4c\xc8\xba\x40\x3e\x43\x15\x52\xff\x70\x31\x34\x73\x58\xda\xbc\x7d\x71\x7b\x41\xef\x9d\x28\x69\x5b\x20\x66\x2f\x67\x41\x04\x75\x8a\x7e\xe9\x21\x45\xd1\x5f\x4f\xd5\x9f\x8f\x17\xe3\xc9\x7b\x6e\xc7\xd2\x3b\x0b\x54\xfa\x9f\x4e\x14\x59\x27\x4e\x6d\x3c\xb6\xdb\x1f\xc6\xaf\xb3\x8b\x1c\x0a\xc7\x53\x6b\x5e\x09\x3d\xae\xf6\xee\x9c\xb9\xfe\x4a\xde\xc4\x1c\x62\xde\x5d\x7c\x2c\x9c\x70\x8f\x8f\xbd\xfa\xfb\x98\x27\x94\x8d\xb5\xeb\xf3\x3c\x4b\x47\xda\xf6\x13\xbc\x1e\xee\x72\x46\xbc\x17\xd4\xf3\x7a\xe7\x22\x29\xe4\x7b\x65\xdb\xc2\xc9\x17\x51\x8c\xff\x24\x31\xd7\xf9\x2e\x20\x61\x47\xca\x7f\x34\xc0\x79\xaa\x61\x21\xf0\xbf\x24\xf7\x9b\x91\x21\x6b\xf4\x07\xb2\xab\xa0\x70\xca\xdc\x95\x91\xfe\x94\x25\x3e\x2b\x72\x9f\xcd\x51\x89\xfd\x63\x72\xd4\xc6\x5f\xc9\xf7\x5b\x00\x00\x00\xff\xff\xc2\xa7\x17\xb8\xee\x06\x00\x00")
 
 func ccmYamlBytes() ([]byte, error) {
 	return bindataRead(