☂️ issue: Use dedicated bootstrap-tokens per shoot worker machine (instead of a long-valid shared token)

## Use dedicated bootstrap-tokens per shoot worker machine (instead of a long-valid shared token)

_Background:_
When a new node of a shoot cluster is created the kubelet needs to register with the shoot api server. The kubelet uses a bootstrap-token for authentication.

_New:_
In the proposed new flow the worker controller (here MCM)  creates a temporary bootstrap-token for each created vm. 
If the featureFlag `BootstrapTokenForVMs` is enabled a file with the content "<<BOOTSTRAP_TOKEN>>" is added to the operatingsystem-config. It is passed to the worker controller. The worker controller generates a temporary token for every new worker instance(node). It replaces the  "<<BOOTSTRAP_TOKEN>>" string with the created token and adds it to the user-data placed on the vm on startup.
The cloud-config-downloader(original user-data) will then refer to the new temporary bootstrap-token in the kubelet-bootstrap script.

See the depicted flow in the following graph:

![final_secure_bootstrap_token](https://user-images.githubusercontent.com/7465180/115367041-1ef68100-a1c6-11eb-82bf-242930d9c0a5.png)



For old flow see also https://github.com/gardener/gardener/blob/a62e5622facd20d70c069c17bf42947dbea427ef/docs/extensions/operatingsystemconfig.md#how-does-gardener-bootstrap-the-machines

**Steps:**

Adapt worker controller to add bootstrap-token on vm creation:
- [x]  MCM -> merged: https://github.com/gardener/machine-controller-manager/pull/351
- [x] Verify if there are other worker controllers needed to be adapted 
- [x] Adapt worker controller contract to include handling bootstrap-token

Test and adapt os-extensions to support passing the <<BOOTSTRAP_TOKEN>> unencoded
- [x]   gardenlinux -> https://github.com/gardener/gardener-extension-os-gardenlinux/pull/29
- [x]   suse-chost -> https://github.com/gardener/gardener-extension-os-suse-chost/pull/41
- [x] ubuntu -> https://github.com/gardener/gardener-extension-os-ubuntu/pull/42
- [x] flatcar -> https://github.com/gardener/gardener-extension-os-coreos/pull/24

Adapt g/g code to support new bootstrap-token:
- [x] PR opened: https://github.com/gardener/gardener/pull/3902

Next steps:
- [x] release all os-extensions.
- [x] After 3 g/g releases remove support for creating the token the old way and inform the users that with this g/g version a compatible version of the os-extension-provider and the infrastructure-extension is required.

For more information on why roll this out in multiple steps see: https://github.com/gardener/gardener/pull/3902#issuecomment-831064735

**How to categorize this issue?**
/area security
/kind enhancement
/priority 3



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

☂️ issue: Use dedicated bootstrap-tokens per shoot worker machine (instead of a long-valid shared token) #3898

BeckerMax
openedon Apr 20, 2021

Use dedicated bootstrap-tokens per shoot worker machine (instead of a long-valid shared token)

Assignees

Labels

Type

Projects

Milestone

Relationships

Development