Tencent Kubernetes Engine (TKE) Kubernetes 1.34 Node Initialization Changes
Cluster Registration Method for the Kubelet of Worker Nodes
Original behavior: During node initialization, the control plane issued the kubelet a long-lived kubeconfig certificate. Its validity period was initially 20 years (later changed to 30 years).
New behavior: During node initialization, the control plane issues the kubelet a bootstrap token that is valid for 24 hours. On startup, the kubelet uses this bootstrap token to request its own client certificate from the apiserver, and that certificate is the one it uses for normal operation from then on.
Certificate storage path: /var/lib/kubelet/pki/.
Resource Access Permissions Granted by the kubeconfig Used by Root Users
Original behavior: During node initialization, the control plane issued the /root/.kube/config file to the root user according to the TKE_ADMIN_KUBECONFIG allowlist. Because the issued configuration carried admin permissions, it granted access to every resource in the cluster, which is a security risk.
Allowlisted: a long-lived kubeconfig file with admin permissions was issued.
Non-allowlisted: a kubeconfig file with admin permissions valid for 12 hours was issued.
New behavior (applies to TKE 1.34 and later): The TKE_ADMIN_KUBECONFIG allowlist mechanism no longer applies. The control plane no longer issues a kubeconfig file with a fixed certificate. Instead, it creates a symbolic link at /root/.kube/config for the root user that points to the kubeconfig file currently used by the kubelet. The link therefore carries the kubelet's own permissions, which allow operations only on resources belonging to the current node.
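The following script is an added example for verifying the new behavior on a worker node; it is not part of TKE's own tooling. It only relies on the two paths the page names (/root/.kube/config and /var/lib/kubelet/pki/). It assumes openssl and kubectl are installed on the node and that the kubelet's certificates are stored as PEM files under /var/lib/kubelet/pki/; the file names themselves are not stated on the page, so the script globs for *.pem. It reports whether root's kubeconfig is the expected symlink rather than a leftover fixed-certificate file, whether the credentials behind it are node-scoped (they must not be able to list Secrets cluster-wide), and how much validity remains on the kubelet certificates.

```shell
#!/bin/sh
# Added verification script for a TKE 1.34+ worker node; not TKE's own code.
# Assumptions (not stated on the page): openssl and kubectl exist on the node,
# and the kubelet's certificates are PEM files under /var/lib/kubelet/pki/.
set -u

KUBELET_PKI=${KUBELET_PKI:-/var/lib/kubelet/pki}        # path given on the page
ROOT_KUBECONFIG=${ROOT_KUBECONFIG:-/root/.kube/config}  # path given on the page

# Classify a kubeconfig path: "symlink" (the 1.34 behavior), "regular"
# (a fixed-certificate file from the old flow), or "missing".
kubeconfig_kind() {
  if [ -L "$1" ]; then
    echo symlink
  elif [ -f "$1" ]; then
    echo regular
  else
    echo missing
  fi
}

# Absolute path a kubeconfig symlink resolves to; empty when it is not a symlink.
kubeconfig_target() {
  if [ -L "$1" ]; then readlink -f "$1"; else echo ""; fi
}

# Exit 0 if the PEM certificate in $1 remains valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

main() {
  rc=0
  kind=$(kubeconfig_kind "$ROOT_KUBECONFIG")
  case "$kind" in
    symlink)
      echo "OK: $ROOT_KUBECONFIG -> $(kubeconfig_target "$ROOT_KUBECONFIG") (kubelet credentials)" ;;
    regular)
      echo "WARN: $ROOT_KUBECONFIG is a regular file; it may be a fixed-certificate admin kubeconfig from the pre-1.34 flow"
      rc=1 ;;
    missing)
      echo "INFO: $ROOT_KUBECONFIG not present" ;;
  esac

  # Node-scoped credentials must not be able to read Secrets across the cluster.
  if command -v kubectl >/dev/null 2>&1 && [ "$kind" != missing ]; then
    if kubectl --kubeconfig "$ROOT_KUBECONFIG" auth can-i list secrets --all-namespaces 2>/dev/null | grep -qx yes; then
      echo "WARN: credentials in $ROOT_KUBECONFIG can list Secrets in all namespaces (admin-level access)"
      rc=1
    else
      echo "OK: credentials in $ROOT_KUBECONFIG cannot list Secrets cluster-wide"
    fi
  fi

  # Report remaining validity of the bootstrap-issued kubelet certificates; one
  # that is about to expire without having been renewed is worth investigating.
  for pem in "$KUBELET_PKI"/*.pem; do
    [ -f "$pem" ] || continue
    if cert_valid_for_days "$pem" 7; then
      echo "OK: $pem valid for more than 7 days"
    else
      echo "WARN: $pem expires within 7 days (or is not a certificate)"
      rc=1
    fi
  done
  return $rc
}

# Run the checks only when invoked as: sh node-kubeconfig-check.sh run
if [ "${1:-}" = run ]; then
  main
  exit $?
fi
```

Run it as root on the node with `sh node-kubeconfig-check.sh run`; a non-zero exit means at least one finding was printed. The "regular file" and "can list Secrets" findings are the ones that indicate a pre-1.34 admin kubeconfig is still present and should be removed.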