Automatic merge from submit-queue (batch tested with PRs 43546, 43544)

Default to enabling legacy ABAC policy in non-test kube-up.sh environments

Fixes https://github.com/kubernetes/kubernetes/issues/43541

In 1.5, we unconditionally stomped the abac policy file if KUBE_USER was set, and unconditionally used ABAC mode pointing to that file.

In 1.6, unless the user opts out (via `ENABLE_LEGACY_ABAC=false`), we want the same legacy policy included as a fallback to RBAC.

This PR:

* defaults legacy ABAC **on** in normal deployments
* defaults legacy ABAC **on** in upgrade E2Es (ensures combination of ABAC and RBAC works properly for upgraded clusters)
* defaults legacy ABAC **off** in non-upgrade E2Es (ensures e2e tests 1.6+ run with tightened permissions, and that default RBAC roles cover the required core components)

GKE changes to drive the `ENABLE_LEGACY_ABAC` envvar were made by @cjcullen out of band

```release-note
`kube-up.sh` using the `gce` provider enables both RBAC authorization and the permissive legacy ABAC policy that makes all service accounts superusers. To opt out of the permissive ABAC policy, export the environment variable `ENABLE_LEGACY_ABAC=false` before running `cluster/kube-up.sh`.
```

* mounter
* configure-helper.sh
* configure.sh
* health-monitor.sh
* helper.sh
* master-helper.sh
* master.yaml
* node-helper.sh
* node.yaml
* README.md

Container-VM Image
Container-VM Image is a container-optimized OS image for the Google Cloud Platform (GCP). It is primarily for running Google services on GCP. Unlike the open preview version of container-vm, the new Container-VM Image is based on the open source ChromiumOS project, allowing us greater control over the build management, security compliance, and customizations for GCP.