Standardize the naming conventions for karmada system roles

Signed-off-by: zhzhuang-zju <[email protected]>

artifacts/deploy/bootstrap-token-configuration.yaml

@@ -13,10 +13,13 @@ data:
     kind: Config
 
 ---
+# Define a role with permission to get the cluster-info configmap
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: karmada:bootstrap-signer-clusterinfo
+  labels:
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:bootstrap-signer-clusterinfo
   namespace: kube-public
 rules:
 - apiGroups:
@@ -29,25 +32,33 @@ rules:
   - get
 
 ---
+# An anonymous user can get `cluster-info` configmap, which is used to obtain the control plane API server's server
+# address and `certificate-authority-data` during the `karmadactl register` process.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: karmada:bootstrap-signer-clusterinfo
+  labels:
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:bootstrap-signer-clusterinfo
   namespace: kube-public
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: karmada:bootstrap-signer-clusterinfo
+  name: system:karmada:bootstrap-signer-clusterinfo
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
   name: system:anonymous
 
 ---
+# Group `system:bootstrappers:karmada:default-cluster-token` is the user group of the bootstrap token
+# used by `karmadactl register` when registering a new pull mode cluster.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: karmada:agent-bootstrap
+  labels:
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:agent-bootstrap
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -58,91 +69,104 @@ subjects:
   name: system:bootstrappers:karmada:default-cluster-token
 
 ---
+# Define a ClusterRole with permissions to automatically approve the agent CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
   labels:
-    kubernetes.io/bootstrapping: rbac-defaults
-  name: system:certificates.k8s.io:certificatesigningrequests:agent
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:certificatesigningrequest:autoapprover
 rules:
   - apiGroups:
       - certificates.k8s.io
     resources:
-      - certificatesigningrequests/agent
+      - certificatesigningrequests/clusteragent
     verbs:
       - create
 
 ---
-# When the agentcsrapproving controller is enabled by the karmada-controller-manager, it can automatically approve the agent CSRs requested by the user group system:bootstrappers:karmada:default-cluster-token.
+# Group `system:bootstrappers:karmada:default-cluster-token` is the user group of the bootstrap token
+# used by `karmadactl register` when registering a new pull mode cluster.
+# When the `agentcsrapproving` controller is enabled by the karmada-controller-manager,
+# it can automatically approve the agent CSRs requested by the user group system:bootstrappers:karmada:default-cluster-token.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: karmada:agent-autoapprove-bootstrap
+  labels:
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:agent-autoapprove-bootstrap
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:certificates.k8s.io:certificatesigningrequests:agent
+  name: system:karmada:certificatesigningrequest:autoapprover
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
   name: system:bootstrappers:karmada:default-cluster-token
 
 ---
+# Define a ClusterRole with permissions to automatically approve the agent CSRs
+# where the user name and group of requester match those in the CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
   labels:
-    kubernetes.io/bootstrapping: rbac-defaults
-  name: system:certificates.k8s.io:certificatesigningrequests:selfagent
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:certificatesigningrequest:selfautoapprover
 rules:
   - apiGroups:
       - certificates.k8s.io
     resources:
-      - certificatesigningrequests/selfagent
+      - certificatesigningrequests/selfclusteragent
     verbs:
       - create
 
 ---
-# When the agentcsrapproving controller is enabled by the karmada-controller-manager, it can automatically approve the agent CSRs requested by the user group system:agents.
+# Group `system:karmada:agents` is the user group used by the karmada-agent to access the Karmada API server.
+# When the agentcsrapproving controller is enabled by the karmada-controller-manager, it can automatically approve
+# the agent CSRs(csr.Subject.CommonName = agent username) requested by the user group system:karmada:agents.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: karmada:agent-autoapprove-certificate-rotation
+  labels:
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:agent-autoapprove-certificate-rotation
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:certificates.k8s.io:certificatesigningrequests:selfagent
+  name: system:karmada:certificatesigningrequest:selfautoapprover
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
-  name: system:agents
+  name: system:karmada:agents
 
 ---
-# ClusterRole is not used for the connection between the karmada-agent and the control plane,
+# ClusterRole `system:karmada:agent-rbac-generator` is not used for the connection between the karmada-agent and the control plane,
 # but is used by karmadactl register to generate the RBAC resources required by the karmada-agent.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:karmada:agent
+  labels:
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:agent-rbac-generator
 rules:
   - apiGroups: ['*']
     resources: ['*']
     verbs: ['*']
 
 ---
+# User `system:karmada:agent:rbac-generator` is specifically used during the `karmadactl register` process to generate restricted RBAC resources for the `karmada-agent`.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  labels:
+    karmada.io/bootstrapping: rbac-defaults
   name: system:karmada:agent-rbac-generator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:karmada:agent
+  name: system:karmada:agent-rbac-generator
 subjects:
   - apiGroup: rbac.authorization.k8s.io
     kind: User
-    name: system:agent:agent-rbac-generator
+    name: system:karmada:agent:rbac-generator

charts/karmada/templates/_karmada_bootstrap_token_configuration.tpl

@@ -23,7 +23,7 @@ data:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: karmada:bootstrap-signer-clusterinfo
+  name: system:karmada:bootstrap-signer-clusterinfo
   namespace: kube-public
   {{- if "karmada.commonLabels" }}
   labels:
@@ -42,7 +42,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: karmada:bootstrap-signer-clusterinfo
+  name: system:karmada:bootstrap-signer-clusterinfo
   namespace: kube-public
   {{- if "karmada.commonLabels" }}
   labels:
@@ -51,7 +51,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: karmada:bootstrap-signer-clusterinfo
+  name: system:karmada:bootstrap-signer-clusterinfo
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
@@ -60,7 +60,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: karmada:agent-bootstrap
+  name: system:karmada:agent-bootstrap
   {{- if "karmada.commonLabels" }}
   labels:
     {{- include "karmada.commonLabels" . | nindent 4 }}
@@ -77,7 +77,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:certificates.k8s.io:certificatesigningrequests:agent
+  name: system:karmada:certificatesigningrequest:autoapprover
   {{- if "karmada.commonLabels" }}
   labels:
     {{- include "karmada.commonLabels" . | nindent 4 }}
@@ -86,22 +86,22 @@ rules:
 - apiGroups:
   - certificates.k8s.io
   resources:
-  - certificatesigningrequests/agent
+  - certificatesigningrequests/clusteragent
   verbs:
   - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: karmada:agent-autoapprove-bootstrap
+  name: system:karmada:agent-autoapprove-bootstrap
   {{- if "karmada.commonLabels" }}
   labels:
     {{- include "karmada.commonLabels" . | nindent 4 }}
   {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:certificates.k8s.io:certificatesigningrequests:agent
+  name: system:karmada:certificatesigningrequest:autoapprover
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
@@ -110,7 +110,7 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:certificates.k8s.io:certificatesigningrequests:selfagent
+  name: system:karmada:certificatesigningrequest:selfautoapprover
   {{- if "karmada.commonLabels" }}
   labels:
     {{- include "karmada.commonLabels" . | nindent 4 }}
@@ -119,31 +119,31 @@ rules:
 - apiGroups:
   - certificates.k8s.io
   resources:
-  - certificatesigningrequests/selfagent
+  - certificatesigningrequests/selfclusteragent
   verbs:
   - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: karmada:agent-autoapprove-certificate-rotation
+  name: system:karmada:agent-autoapprove-certificate-rotation
   {{- if "karmada.commonLabels" }}
   labels:
     {{- include "karmada.commonLabels" . | nindent 4 }}
   {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:certificates.k8s.io:certificatesigningrequests:selfagent
+  name: system:karmada:certificatesigningrequest:selfautoapprover
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
-  name: system:agents
+  name: system:karmada:agents
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:karmada:agent
+  name: system:karmada:agent-rbac-generator
   {{- if "karmada.commonLabels" }}
   labels:
     {{- include "karmada.commonLabels" . | nindent 4 }}
@@ -167,9 +167,9 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:karmada:agent
+  name: system:karmada:agent-rbac-generator
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
-  name: system:agent:agent-rbac-generator
+  name: system:karmada:agent:rbac-generator
 {{- end -}}

pkg/karmadactl/cmdinit/bootstraptoken/agent/tlsbootstrap.go

@@ -29,17 +29,17 @@ const (
 	// KarmadaAgentBootstrapperClusterRoleName defines the name of the auto-bootstrapped ClusterRole for letting someone post a CSR
 	KarmadaAgentBootstrapperClusterRoleName = "system:node-bootstrapper"
 	// KarmadaAgentBootstrap defines the name of the ClusterRoleBinding that lets Karmada Agent post CSRs
-	KarmadaAgentBootstrap = "karmada:agent-bootstrap"
+	KarmadaAgentBootstrap = "system:karmada:agent-bootstrap"
 	// KarmadaAgentGroup defines the group of Karmada Agent
-	KarmadaAgentGroup = "system:agents"
+	KarmadaAgentGroup = "system:karmada:agents"
 	// KarmadaAgentAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve agent CSRs
-	KarmadaAgentAutoApproveBootstrapClusterRoleBinding = "karmada:agent-autoapprove-bootstrap"
+	KarmadaAgentAutoApproveBootstrapClusterRoleBinding = "system:karmada:agent-autoapprove-bootstrap"
 	// KarmadaAgentAutoApproveCertificateRotationClusterRoleBinding defines name of the ClusterRoleBinding that makes the csrapprover approve agent auto rotated CSRs
-	KarmadaAgentAutoApproveCertificateRotationClusterRoleBinding = "karmada:agent-autoapprove-certificate-rotation"
+	KarmadaAgentAutoApproveCertificateRotationClusterRoleBinding = "system:karmada:agent-autoapprove-certificate-rotation"
 	// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
-	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:agent"
+	CSRAutoApprovalClusterRoleName = "system:karmada:certificatesigningrequest:autoapprover"
 	// KarmadaAgentSelfCSRAutoApprovalClusterRoleName is a role for automatic CSR approvals for automatically rotated agent certificates
-	KarmadaAgentSelfCSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:selfagent"
+	KarmadaAgentSelfCSRAutoApprovalClusterRoleName = "system:karmada:certificatesigningrequest:selfautoapprover"
 	// KarmadaAgentBootstrapTokenAuthGroup specifies which group a Karmada Agent Bootstrap Token should be authenticated in
 	KarmadaAgentBootstrapTokenAuthGroup = "system:bootstrappers:karmada:default-cluster-token"
 )
@@ -64,7 +64,7 @@ func AutoApproveKarmadaAgentBootstrapTokens(clientSet kubernetes.Interface) erro
 	csrAutoApprovalClusterRole := utils.ClusterRoleFromRules(CSRAutoApprovalClusterRoleName, []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{"certificates.k8s.io"},
-			Resources: []string{"certificatesigningrequests/agent"},
+			Resources: []string{"certificatesigningrequests/clusteragent"},
 			Verbs:     []string{"create"},
 		},
 	}, nil, nil)
@@ -89,7 +89,7 @@ func AutoApproveAgentCertificateRotation(clientSet kubernetes.Interface) error {
 	karmadaAgentSelfCSRAutoApprovalClusterRole := utils.ClusterRoleFromRules(KarmadaAgentSelfCSRAutoApprovalClusterRoleName, []rbacv1.PolicyRule{
 		{
 			APIGroups: []string{"certificates.k8s.io"},
-			Resources: []string{"certificatesigningrequests/selfagent"},
+			Resources: []string{"certificatesigningrequests/selfclusteragent"},
 			Verbs:     []string{"create"},
 		},
 	}, nil, nil)

pkg/karmadactl/cmdinit/bootstraptoken/clusterinfo/clusterinfo.go

@@ -34,7 +34,7 @@ import (
 
 const (
 	// BootstrapSignerClusterRoleName sets the name for the ClusterRole that allows access to ConfigMaps in the kube-public ns
-	BootstrapSignerClusterRoleName = "karmada:bootstrap-signer-clusterinfo"
+	BootstrapSignerClusterRoleName = "system:karmada:bootstrap-signer-clusterinfo"
 )
 
 // CreateBootstrapConfigMapIfNotExists creates the kube-public ConfigMap if it doesn't exist already

pkg/karmadactl/cmdinit/karmada/rbac.go

@@ -28,9 +28,9 @@ import (
 const (
 	karmadaViewClusterRole                      = "karmada-view"
 	karmadaEditClusterRole                      = "karmada-edit"
-	karmadaAgentRBACGeneratorClusterRole        = "system:karmada:agent"
+	karmadaAgentRBACGeneratorClusterRole        = "system:karmada:agent-rbac-generator"
 	karmadaAgentRBACGeneratorClusterRoleBinding = "system:karmada:agent-rbac-generator"
-	agentRBACGenerator                          = "system:agent:agent-rbac-generator"
+	agentRBACGenerator                          = "system:karmada:agent:rbac-generator"
 )
 
 // grantProxyPermissionToAdmin grants the proxy permission to "system:admin"

pkg/karmadactl/register/register.go

@@ -81,11 +81,11 @@ const (
 	// CACertPath defines default location of CA certificate on Linux
 	CACertPath = "/etc/karmada/pki/ca.crt"
 	// ClusterPermissionPrefix defines the common name of karmada agent certificate
-	ClusterPermissionPrefix = "system:agent:"
+	ClusterPermissionPrefix = "system:karmada:agent:"
 	// ClusterPermissionGroups defines the organization of karmada agent certificate
-	ClusterPermissionGroups = "system:agents"
+	ClusterPermissionGroups = "system:karmada:agents"
 	// AgentRBACGenerator defines the common name of karmada agent rbac generator certificate
-	AgentRBACGenerator = "system:agent:agent-rbac-generator"
+	AgentRBACGenerator = "system:karmada:agent:rbac-generator"
 	// KarmadaAgentBootstrapKubeConfigFileName defines the file name for the kubeconfig that the karmada-agent will use to do
 	// the TLS bootstrap to get itself an unique credential
 	KarmadaAgentBootstrapKubeConfigFileName = "bootstrap-karmada-agent.conf"
@@ -904,6 +904,7 @@ func (o *CommandRegisterOption) constructKubeConfig(bootstrapClient *kubeclient.
 		}
 
 		klog.V(1).Infof(fmt.Sprintf("Waiting for the client certificate of csr %s to be issued", csrName))
+		klog.V(1).Infof("Approve the CSR %s manually by executing `kubectl certificate approve %s` on the control plane", csrName, csrName)
 		return false, nil
 	})
 	if err != nil {