From 264cd648246f271122459bb86a8c8652089618c1 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 8 Nov 2023 11:05:56 -0600
Subject: [PATCH] Run RBAC hook correctly when running from authz config file

---
 pkg/controlplane/apiserver/config.go | 31 +++++++++++++++++++---------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/pkg/controlplane/apiserver/config.go b/pkg/controlplane/apiserver/config.go
index 898225d6df0..07a3260f1f5 100644
--- a/pkg/controlplane/apiserver/config.go
+++ b/pkg/controlplane/apiserver/config.go
@@ -147,12 +147,13 @@ func BuildGenericConfig(
 		return
 	}
 
-	genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, genericConfig.EgressSelector, versionedInformers)
+	var enablesRBAC bool
+	genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, enablesRBAC, err = BuildAuthorizer(s, genericConfig.EgressSelector, versionedInformers)
 	if err != nil {
 		lastErr = fmt.Errorf("invalid authorization config: %v", err)
 		return
 	}
-	if s.Authorization != nil && !sets.NewString(s.Authorization.Modes...).Has(modes.ModeRBAC) {
+	if s.Authorization != nil && !enablesRBAC {
 		genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName)
 	}
 
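Review bot: The line `if s.Authorization != nil && !enablesRBAC {` now decides whether to disable the RBAC post-start hook from the authorizer list that BuildAuthorizer actually built rather than from `s.Authorization.Modes`, and nothing at this site says why, so a reader seeing only this block cannot tell why the earlier `sets.NewString(s.Authorization.Modes...)` check was dropped. I would add above it: `// enablesRBAC is derived from the configured authorizers themselves, not from s.Authorization.Modes, so the RBAC hook is only skipped when no RBAC authorizer is enabled (see commit: authorization from a config file).` That `Modes` is not populated in the config-file case is inferred from the commit subject, not from these lines. BuildGenericConfig starts and ends outside this hunk.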
@@ -168,25 +169,35 @@ func BuildGenericConfig(
 	return
 }
 
-// BuildAuthorizer constructs the authorizer. If authorization is not set in s, it returns nil, nil, nil
-func BuildAuthorizer(s controlplaneapiserver.CompletedOptions, EgressSelector *egressselector.EgressSelector, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) {
+// BuildAuthorizer constructs the authorizer. If authorization is not set in s, it returns nil, nil, false, nil
+func BuildAuthorizer(s controlplaneapiserver.CompletedOptions, egressSelector *egressselector.EgressSelector, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, bool, error) {
 	authorizationConfig, err := s.Authorization.ToAuthorizationConfig(versionedInformers)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, false, err
 	}
 	if authorizationConfig == nil {
-		return nil, nil, nil
+		return nil, nil, false, nil
 	}
 
-	if EgressSelector != nil {
-		egressDialer, err := EgressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
+	if egressSelector != nil {
+		egressDialer, err := egressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
 		if err != nil {
-			return nil, nil, err
+			return nil, nil, false, err
 		}
 		authorizationConfig.CustomDial = egressDialer
 	}
 
-	return authorizationConfig.New()
+	enablesRBAC := false
+	for _, a := range authorizationConfig.AuthorizationConfiguration.Authorizers {
+		if string(a.Type) == modes.ModeRBAC {
+			enablesRBAC = true
+			break
+		}
+	}
+
+	authorizer, ruleResolver, err := authorizationConfig.New()
+
+	return authorizer, ruleResolver, enablesRBAC, err
 }
 
 // CreatePeerEndpointLeaseReconciler creates a apiserver endpoint lease reconciliation loop
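Review bot: The local introduced by `authorizer, ruleResolver, err := authorizationConfig.New()` shadows the imported `authorizer` package whose `authorizer.Authorizer` and `authorizer.RuleResolver` types are used in the signature of this same function; it compiles only because the package name is not referenced again below that line, and shadow linters will flag it. Rename the local, e.g. `authz, ruleResolver, err := authorizationConfig.New()` and `return authz, ruleResolver, enablesRBAC, err`. The doc comment should also explain the new bool result, which the signature leaves unnamed: `// The bool result reports whether an RBAC authorizer is among the configured authorizers; BuildGenericConfig uses it to decide whether to run the RBAC post-start hook.` BuildAuthorizer lies entirely within this hunk; the leading `return`/`}` belong to BuildGenericConfig and the final line is the doc comment of CreatePeerEndpointLeaseReconciler, whose body is outside the hunk.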