From 1431be0f50b4b2269a5c91e89bc32556d8bdfe5f Mon Sep 17 00:00:00 2001 From: Spyros Trigazis Date: Thu, 8 Mar 2018 14:05:05 +0100 Subject: [PATCH] Add reno for RBAC and client incompatibility Magnumclients older than 2.9.0 (<=2.80) can not create certificates for RBAC enabled clients. Affects only k8s_fedora_atomic. This patch adds the relevant reno. Change-Id: Idab265a41b1bf2da83d29eb942b9f4568ee4cf99 --- ...ient-incompatibility-fdfeab326dfda3bf.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 releasenotes/notes/RBAC-and-client-incompatibility-fdfeab326dfda3bf.yaml diff --git a/releasenotes/notes/RBAC-and-client-incompatibility-fdfeab326dfda3bf.yaml b/releasenotes/notes/RBAC-and-client-incompatibility-fdfeab326dfda3bf.yaml new file mode 100644 index 0000000000..0b75b58131 --- /dev/null +++ b/releasenotes/notes/RBAC-and-client-incompatibility-fdfeab326dfda3bf.yaml 
@@ -0,0 +1,20 @@ +--- +features: + - | + k8s_fedora_atomic clusters are deployed with RBAC support. Along with RBAC + Node authorization is added so the appropriate certificates are generated. +upgrade: + - | + Using the queens (>=2.9.0) python-magnumclient, when a user executes + openstack coe cluster config, the client certificate has admin as Common + Name (CN) and system:masters for Organization which are required for + authorization with RBAC enabled clusters. This change in the client is + backwards compatible, so old clusters (without RBAC enabled) can be + reached with certificates generated by the new client. However, old + magnum clients will generate certificates that will not be able to contact + RBAC enabled clusters. This issue affects only k8s_fedora_atomic clusters + and clients <=2.8.0, note that 2.8.0 is still a queens release but only + 2.9.0 includes the relevant patch. Finally, users can always generate and + sign the certificates using this [0] procedure even with old clients since + only the cluster config command is affected. + [0] https://docs.openstack.org/magnum/latest/user/index.html#interfacing-with-a-secure-cluster
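Review bot: In the upgrade entry, "Using the queens (>=2.9.0) python-magnumclient" reads as if every queens client carries the fix, while a few lines later the same entry says "2.8.0 is still a queens release but only 2.9.0 includes the relevant patch". Suggest dropping the release name from the first mention and stating the requirement purely by version (python-magnumclient >=2.9.0), so an operator running a queens 2.8.0 client does not assume they are covered. The commit message also says "<=2.80" where the note says "<=2.8.0"; the two should agree. Since the entry describes a client certificate with admin as CN and system:masters as Organization, it would help to add a sentence on what level of access that certificate carries on the cluster, so users know how to handle the files written by openstack coe cluster config. Minor: release notes are rendered as RST, so the "[0]" footnote would be clearer as an inline link on "this procedure", and the command name would read better in literal markup.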