1431be0f50
Magnumclients older than 2.9.0 (<=2.80) can not create certificates for RBAC enabled clients. Affects only k8s_fedora_atomic. This patch adds the relevant reno. Change-Id: Idab265a41b1bf2da83d29eb942b9f4568ee4cf99
21 lines
1.1 KiB
YAML
21 lines
1.1 KiB
YAML
---
|
|
features:
|
|
- |
|
|
k8s_fedora_atomic clusters are deployed with RBAC support. Along with RBAC
|
|
Node authorization is added so the appropriate certificates are generated.
|
|
upgrade:
|
|
- |
|
|
Using the queens (>=2.9.0) python-magnumclient, when a user executes
|
|
openstack coe cluster config, the client certificate has admin as Common
|
|
Name (CN) and system:masters for Organization which are required for
|
|
authorization with RBAC enabled clusters. This change in the client is
|
|
backwards compatible, so old clusters (without RBAC enabled) can be
|
|
reached with certificates generated by the new client. However, old
|
|
magnum clients will generate certificates that will not be able to contact
|
|
RBAC enabled clusters. This issue affects only k8s_fedora_atomic clusters
|
|
and clients <=2.8.0, note that 2.8.0 is still a queens release but only
|
|
2.9.0 includes the relevant patch. Finally, users can always generate and
|
|
sign the certificates using this [0] procedure even with old clients since
|
|
only the cluster config command is affected.
|
|
[0] https://docs.openstack.org/magnum/latest/user/index.html#interfacing-with-a-secure-cluster
|