Merge pull request #123654 from LiorLieberman/fix-kubeadam-with-structured-authz
[structured authz][kubeadam] avoid setting default authorization-mode when structured authz is wanted
This commit is contained in:
Kubernetes Prow Robot
@@ -229,7 +229,10 @@ func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint
|
|||||||
cfg.APIServer.ExtraArgs = []kubeadmapi.Arg{}
|
cfg.APIServer.ExtraArgs = []kubeadmapi.Arg{}
|
||||||
}
|
}
|
||||||
authzVal, _ := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-mode", -1)
|
authzVal, _ := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-mode", -1)
|
||||||
defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1)
|
_, hasStructuredAuthzVal := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-config", -1)
|
||||||
|
if hasStructuredAuthzVal == -1 {
|
||||||
|
defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1)
|
||||||
|
}
|
||||||
command = append(command, kubeadmutil.ArgumentsToCommand(defaultArguments, cfg.APIServer.ExtraArgs)...)
|
command = append(command, kubeadmutil.ArgumentsToCommand(defaultArguments, cfg.APIServer.ExtraArgs)...)
|
||||||
|
|
||||||
return command
|
return command
|
||||||
|
|||||||
@@ -514,6 +514,103 @@ func TestGetAPIServerCommand(t *testing.T) {
|
|||||||
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
|
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "authorization-config extra-args",
|
||||||
|
cfg: &kubeadmapi.ClusterConfiguration{
|
||||||
|
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
|
||||||
|
CertificatesDir: testCertsDir,
|
||||||
|
APIServer: kubeadmapi.APIServer{
|
||||||
|
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
|
||||||
|
ExtraArgs: []kubeadmapi.Arg{
|
||||||
|
{Name: "authorization-config", Value: "/path/to/authorization/config/file"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
|
||||||
|
expected: []string{
|
||||||
|
"kube-apiserver",
|
||||||
|
"--enable-admission-plugins=NodeRestriction",
|
||||||
|
"--service-cluster-ip-range=bar",
|
||||||
|
"--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
|
||||||
|
"--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
|
||||||
|
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
|
||||||
|
"--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
|
||||||
|
"--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
|
||||||
|
"--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
|
||||||
|
"--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
|
||||||
|
"--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
|
||||||
|
"--enable-bootstrap-token-auth=true",
|
||||||
|
"--secure-port=123",
|
||||||
|
"--allow-privileged=true",
|
||||||
|
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
|
||||||
|
"--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
|
||||||
|
"--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
|
||||||
|
"--requestheader-username-headers=X-Remote-User",
|
||||||
|
"--requestheader-group-headers=X-Remote-Group",
|
||||||
|
"--requestheader-extra-headers-prefix=X-Remote-Extra-",
|
||||||
|
"--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
|
||||||
|
"--requestheader-allowed-names=front-proxy-client",
|
||||||
|
"--authorization-config=/path/to/authorization/config/file",
|
||||||
|
"--advertise-address=1.2.3.4",
|
||||||
|
fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
|
||||||
|
"--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
|
||||||
|
"--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
|
||||||
|
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
// Note that we do not block it at this level but api server would fail to start.
|
||||||
|
name: "authorization-config and authorization-mode extra-args",
|
||||||
|
cfg: &kubeadmapi.ClusterConfiguration{
|
||||||
|
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
|
||||||
|
CertificatesDir: testCertsDir,
|
||||||
|
APIServer: kubeadmapi.APIServer{
|
||||||
|
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
|
||||||
|
ExtraArgs: []kubeadmapi.Arg{
|
||||||
|
{Name: "authorization-config", Value: "/path/to/authorization/config/file"},
|
||||||
|
{Name: "authorization-mode", Value: strings.Join([]string{
|
||||||
|
kubeadmconstants.ModeNode,
|
||||||
|
kubeadmconstants.ModeRBAC,
|
||||||
|
kubeadmconstants.ModeWebhook,
|
||||||
|
}, ",")},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
|
||||||
|
expected: []string{
|
||||||
|
"kube-apiserver",
|
||||||
|
"--enable-admission-plugins=NodeRestriction",
|
||||||
|
"--service-cluster-ip-range=bar",
|
||||||
|
"--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
|
||||||
|
"--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
|
||||||
|
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
|
||||||
|
"--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
|
||||||
|
"--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
|
||||||
|
"--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
|
||||||
|
"--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
|
||||||
|
"--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
|
||||||
|
"--enable-bootstrap-token-auth=true",
|
||||||
|
"--secure-port=123",
|
||||||
|
"--allow-privileged=true",
|
||||||
|
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
|
||||||
|
"--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
|
||||||
|
"--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
|
||||||
|
"--requestheader-username-headers=X-Remote-User",
|
||||||
|
"--requestheader-group-headers=X-Remote-Group",
|
||||||
|
"--requestheader-extra-headers-prefix=X-Remote-Extra-",
|
||||||
|
"--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
|
||||||
|
"--requestheader-allowed-names=front-proxy-client",
|
||||||
|
"--authorization-config=/path/to/authorization/config/file",
|
||||||
|
"--authorization-mode=Node,RBAC,Webhook",
|
||||||
|
"--advertise-address=1.2.3.4",
|
||||||
|
fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
|
||||||
|
"--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
|
||||||
|
"--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
|
||||||
|
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, rt := range tests {
|
for _, rt := range tests {
|
||||||
|
|||||||
Reference in New Issue
Block a user