Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
82a0c4e1
Commit
82a0c4e1
authored
Dec 20, 2022
by
Brad Davidson
Committed by
Brad Davidson
Feb 10, 2023
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add ADR
Signed-off-by:
Brad Davidson
<
brad.davidson@rancher.com
>
(cherry picked from commit
c900089e
)
parent
478dae4d
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
64 additions
and
0 deletions
+64
-0
agent-join-token.md
docs/adrs/agent-join-token.md
+64
-0
No files found.
docs/adrs/agent-join-token.md
0 → 100644
View file @
82a0c4e1
# Support `kubeadm`-style Bootstrap Token Secrets
Date: 2022-12-20
## Status
Accepted
## Context
### K3s Token Types and Use
K3s currently supports two tokens that can be used to join nodes to the cluster:
*
`--token`
: This is the default token, and a random value is generated during initial cluster startup if not
specified by the user. This token is also used as the passphrase input to the PBKDF2 function used to generate
the encryption key for cluster bootstrap data. For this reason, all server nodes must use the same token value
once the cluster has been started, and the token value cannot be changed.
*
`--agent-token`
: By default, this is set to the same as the
`--token`
value. If set, this token can be used
to join new agents to the cluster, but not servers. This token value can be changed after the cluster has
beens started, but doing so requires coordinatating reconfiguration and restart of all of the servers in the
cluster.
Internally, these tokens are used as the password for HTTP Basic authentication to the K3s supervisor when the
agent bootstraps its configuration and certificates. Servers use a username of
`server`
, while agents
(including servers local agents) use
`node`
. Once nodes join the cluster they also populate a node password
secret that prevents other nodes from using the same node name, but this is unrelated to the token.
### Security Considerations
Users have requested the ability to generate single-use or limited-duration tokens that can be used to join
nodes to the cluster, but can be deleted or automatically expire in order to reduce the impact should the
token be compromised. Currently, compromise of the server token would require a complete rebuild of the
cluster in order to use a new token. Compromise of the agent token would require a coordinated restart of all
nodes in the cluster.
### Existing Work
`kubeadm`
includes a
`kubeadm token create`
command that creates secrets of type
`bootstrap.kubernetes.io/token`
, which is a core upstream type that is not restricted for use by kubeadm.
There are helpers for interacting with bootstrap token secrets in the
`k8s.io/cluster-bootstrap`
package, and
upstream Kubernetes includes two controllers (
`tokencleaner`
and
`bootstrapsigner`
) to support use of cluster
bootstrap secrets. The latter controller is not relevant for our use case, as it serves the same function as
existing K3s supervisor routes - making initial cluster CA certificates and a client kubeconfig available for
bootstrapping nodes. The
[
boostrap-tokens
](
https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/
)
documentation can be referenced for more information.
## Decision
*
K3s will allow joining agents to the cluster using bootstrap token secrets.
*
K3s will NOT allow joining servers to the cluster using bootstrap token secrets.
*
K3s will include a
`k3s token`
subcommand that allows for token create/list/delete operations, similar to
the the functionality offered by
`kubeadm`
.
*
K3s will enable the
`tokencleaner`
controller, in order to ensure that bootstrap token secrets are cleaned
up when their TTL expires.
*
K3s agent bootstrap functionality will allow a agent to connect the cluster using existing
[
Node
Authorization](https://kubernetes.io/docs/reference/access-authn-authz/node/) to authenticate to the
cluster during startup, even after its join token has been invalidated.
*
K3s agent bootstrap functionality will NOT allow an agent to connect to the cluster if it does not have a valid
token, and its Node object has been deleted from the cluster.
## Consequences
This will require additional documentation, CLI subcommands, and QA work to validate use of bootstrap token secret auth.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment