Add reno for RBAC and client incompatibility
Magnumclients older than 2.9.0 (<=2.80) can not create certificates for RBAC enabled clients. Affects only k8s_fedora_atomic. This patch adds the relevant reno. Change-Id: Idab265a41b1bf2da83d29eb942b9f4568ee4cf99
This commit is contained in:
parent
57b9457006
commit
1431be0f50
@ -0,0 +1,20 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
k8s_fedora_atomic clusters are deployed with RBAC support. Along with RBAC
|
||||
Node authorization is added so the appropriate certificates are generated.
|
||||
upgrade:
|
||||
- |
|
||||
Using the queens (>=2.9.0) python-magnumclient, when a user executes
|
||||
openstack coe cluster config, the client certificate has admin as Common
|
||||
Name (CN) and system:masters for Organization which are required for
|
||||
authorization with RBAC enabled clusters. This change in the client is
|
||||
backwards compatible, so old clusters (without RBAC enabled) can be
|
||||
reached with certificates generated by the new client. However, old
|
||||
magnum clients will generate certificates that will not be able to contact
|
||||
RBAC enabled clusters. This issue affects only k8s_fedora_atomic clusters
|
||||
and clients <=2.8.0, note that 2.8.0 is still a queens release but only
|
||||
2.9.0 includes the relevant patch. Finally, users can always generate and
|
||||
sign the certificates using this [0] procedure even with old clients since
|
||||
only the cluster config command is affected.
|
||||
[0] https://docs.openstack.org/magnum/latest/user/index.html#interfacing-with-a-secure-cluster
|
Loading…
Reference in New Issue
Block a user