Add reno for RBAC and client incompatibility

Magnumclients older than 2.9.0 (<=2.80) can not create
certificates for RBAC enabled clients. Affects only
k8s_fedora_atomic. This patch adds the relevant reno.

Change-Id: Idab265a41b1bf2da83d29eb942b9f4568ee4cf99
This commit is contained in:
Spyros Trigazis 2018-03-08 14:05:05 +01:00
parent 57b9457006
commit 1431be0f50
1 changed files with 20 additions and 0 deletions

View File

@ -0,0 +1,20 @@
---
features:
- |
k8s_fedora_atomic clusters are deployed with RBAC support. Along with RBAC
Node authorization is added so the appropriate certificates are generated.
upgrade:
- |
Using the queens (>=2.9.0) python-magnumclient, when a user executes
openstack coe cluster config, the client certificate has admin as Common
Name (CN) and system:masters for Organization which are required for
authorization with RBAC enabled clusters. This change in the client is
backwards compatible, so old clusters (without RBAC enabled) can be
reached with certificates generated by the new client. However, old
magnum clients will generate certificates that will not be able to contact
RBAC enabled clusters. This issue affects only k8s_fedora_atomic clusters
and clients <=2.8.0, note that 2.8.0 is still a queens release but only
2.9.0 includes the relevant patch. Finally, users can always generate and
sign the certificates using this [0] procedure even with old clients since
only the cluster config command is affected.
[0] https://docs.openstack.org/magnum/latest/user/index.html#interfacing-with-a-secure-cluster