From 00b62df55483a8addb71af69db5ca413ac5f9863 Mon Sep 17 00:00:00 2001
From: Daniel Nardo <dnardo@google.com>
Date: Fri, 23 Jun 2017 16:16:23 -0700
Subject: [PATCH] Do not set CNI on a private master when enabling network
 policy.

---
 cluster/gce/gci/configure-helper.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 95be26aae7c..d9d38a6dd5b 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -912,7 +912,11 @@ function start-kubelet {
     flags+=" --cni-bin-dir=/home/kubernetes/bin"
     if [[ "${NETWORK_POLICY_PROVIDER:-}" == "calico" ]]; then
       # Calico uses CNI always.
-      flags+=" --network-plugin=cni"
+      if [[ "${KUBERNETES_PRIVATE_MASTER:-}" == "true" ]]; then
+        flags+=" --network-plugin=${NETWORK_PROVIDER}"
+      else
+        flags+=" --network-plugin=cni"
+      fi
     else
       # Otherwise use the configured value.
       flags+=" --network-plugin=${NETWORK_PROVIDER}"