kubernetes/cluster
Kubernetes Submit Queue 1e879c69ec Merge pull request #43544 from liggitt/legacy-abac-kube-up
Automatic merge from submit-queue (batch tested with PRs 43546, 43544)

Default to enabling legacy ABAC policy in non-test kube-up.sh environments

Fixes https://github.com/kubernetes/kubernetes/issues/43541

In 1.5, we unconditionally stomped the abac policy file if KUBE_USER was set, and unconditionally used ABAC mode pointing to that file.

In 1.6, unless the user opts out (via `ENABLE_LEGACY_ABAC=false`), we want the same legacy policy included as a fallback to RBAC.

This PR:
* defaults legacy ABAC **on** in normal deployments
* defaults legacy ABAC **on** in upgrade E2Es (ensures combination of ABAC and RBAC works properly for upgraded clusters)
* defaults legacy ABAC **off** in non-upgrade E2Es (ensures e2e tests 1.6+ run with tightened permissions, and that default RBAC roles cover the required core components)

GKE changes to drive the `ENABLE_LEGACY_ABAC` envvar were made by @cjcullen out of band

```release-note
`kube-up.sh` using the `gce` provider enables both RBAC authorization and the permissive legacy ABAC policy that makes all service accounts superusers. To opt out of the permissive ABAC policy, export the environment variable `ENABLE_LEGACY_ABAC=false` before running `cluster/kube-up.sh`.
```
2017-03-23 14:13:18 -07:00
addons Merge pull request #43379 from crassirostris/fluentd-gcp-docs 2017-03-23 02:08:56 -07:00
aws AWS: Kill bash deployment 2017-02-27 14:39:25 -08:00
centos Keep ResourceQuota admission at the end of the chain 2017-03-21 01:53:11 -04:00
gce Merge pull request #43544 from liggitt/legacy-abac-kube-up 2017-03-23 14:13:18 -07:00
gke GCE will properly regenerate basic_auth.csv on kube-apiserver start. 2017-02-25 11:31:59 -08:00
images Bump CNI consumers to latest version 2017-03-22 16:03:13 -07:00
juju Keep ResourceQuota admission at the end of the chain 2017-03-21 01:53:11 -04:00
kubemark Correct CIDR range for kubemark 2017-02-28 19:26:32 +01:00
lib Add test shell stack traces 2017-01-25 13:34:16 -05:00
libvirt-coreos Keep ResourceQuota admission at the end of the chain 2017-03-21 01:53:11 -04:00
local Merge pull request #28469 from asalkeld/local-e2e 2016-09-11 05:44:47 -07:00
openstack-heat Keep ResourceQuota admission at the end of the chain 2017-03-21 01:53:11 -04:00
ovirt
photon-controller Keep ResourceQuota admission at the end of the chain 2017-03-21 01:53:11 -04:00
rackspace Keep ResourceQuota admission at the end of the chain 2017-03-21 01:53:11 -04:00
saltbase Merge pull request #43546 from calebamiles/wip-bump-cni-ref 2017-03-23 14:13:05 -07:00
skeleton Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
ubuntu Keep ResourceQuota admission at the end of the chain 2017-03-21 01:53:11 -04:00
vagrant Keep ResourceQuota admission at the end of the chain 2017-03-21 01:53:11 -04:00
vsphere Update generated for 2017 2017-01-01 23:11:09 -08:00
windows Fixed the issue with log rotation 2016-12-12 11:08:41 -05:00
BUILD Build release tarballs in bazel and add make bazel-release rule 2017-01-13 16:17:44 -08:00
clientbin.sh Refactor the common parts of cluster/kube{ctl,adm}.sh into a util script. 2017-01-26 21:29:49 -08:00
common.sh Default to enabling legacy ABAC policy in non-test GCE kube-up.sh environments 2017-03-22 22:20:09 -04:00
get-kube-binaries.sh Do not override KUBERNETES_RELEASE if already set 2017-03-17 15:29:21 -07:00
get-kube-local.sh Replace uses of --config with --pod-manifest-path 2017-02-07 14:32:37 -08:00
get-kube.sh Export KUBE_VERSION for consumption by get-kube-binaries.sh 2017-03-17 21:16:31 -07:00
kube-down.sh Automatically download missing kube binaries in kube-up/kube-down. 2016-12-13 14:59:13 -08:00
kube-push.sh Automatically download missing kube binaries in kube-up/kube-down. 2016-12-13 14:59:13 -08:00
kube-up.sh Automatically download missing kube binaries in kube-up/kube-down. 2016-12-13 14:59:13 -08:00
kube-util.sh Split federation-{up,down} from e2e-{up,down}. 2017-02-24 14:27:31 -08:00
kubeadm.sh Refactor the common parts of cluster/kube{ctl,adm}.sh into a util script. 2017-01-26 21:29:49 -08:00
kubectl.sh Fix failing kubectl skew tests 2017-03-08 16:08:47 -03:00
log-dump.sh Collect npd log in cluster e2e test. 2017-02-23 01:16:39 -08:00
options.md
OWNERS Updated top level owners file to match new format 2017-01-19 11:29:16 -08:00
README.md Fix typos and linted_packages sorting 2016-10-31 18:31:08 +01:00
restore-from-backup.sh Fix restore-from-backup.sh script 2017-03-21 11:58:13 +01:00
test-e2e.sh Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
test-network.sh Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
test-smoke.sh Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
update-storage-objects.sh Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
validate-cluster.sh Fixed cluster validation: added -q and project flags to gcloud. 2016-12-21 14:13:14 +01:00

Cluster Configuration

Deprecation Notice: This directory has entered maintenance mode and will not be accepting new providers. Please submit new automation deployments to kube-deploy. Deployments in this directory will continue to be maintained and supported at their current level of support.

The scripts and data in this directory automate creation and configuration of a Kubernetes cluster, including networking, DNS, nodes, and master components.

See the getting-started guides for examples of how to use the scripts.

cloudprovider/config-default.sh contains a set of tweakable definitions/parameters for the cluster.

The heavy lifting of configuring the VMs is done by SaltStack.
