Merge pull request #25530 from kubernetes/revert-25296-gcpauthz

Revert "Add configuration for GCP webhook authorization."
2025-07-29 22:46:12 +00:00 · 2016-05-12 13:06:32 +02:00 · 2016-05-12 13:06:32 +02:00 · 2682208b8b
commit 2682208b8b
parent 2706df102b bfb49d0a97
2 changed files with 2 additions and 37 deletions
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@ -791,7 +791,7 @@ EOF
    CLOUD_CONFIG=/etc/gce.conf
  fi

-  if [[ -n "${CLOUD_CONFIG:-}" ]]; then
+  if [[ -n ${CLOUD_CONFIG:-} ]]; then
  cat <<EOF >>/etc/salt/minion.d/grains.conf
  cloud_config: ${CLOUD_CONFIG}
 EOF
@ -799,29 +799,6 @@ EOF
    rm -f /etc/gce.conf
  fi

-  if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
-    cat <<EOF >>/etc/salt/minion.d/grains.conf
-  webhook_authorization_config: /etc/gcp_authz.config
-EOF
-    cat <<EOF >/etc/gcp_authz.config
-clusters:
-  - name: gcp-authorization-server
-    cluster:
-      server: ${GCP_AUTHZ_URL}
-users:
-  - name: kube-apiserver
-    user:
-      auth-provider:
-        name: gcp
-current-context: webhook
-contexts:
- context:
-    cluster: gcp-authorization-server
-    user: kube-apiserver
-  name: webhook
-EOF
-  fi
-
  # If the kubelet on the master is enabled, give it the same CIDR range
  # as a generic node.
  if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
--- a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
+++ b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
@ -83,16 +83,6 @@
  {% set abac_policy_file = " --authorization-policy-file=/srv/kubernetes/abac-authz-policy.jsonl" -%}
 {% endif -%}

-{% set webhook_authorization_config = "" -%}
-{% set webhook_config_mount = "" -%}
-{% set webhook_config_volume = "" -%}
-{% if grains.webhook_authorization_config is defined -%}
-  {% set webhook_authorization_config = " --authorization-webhook-config-file=" + grains.webhook_authorization_config -%}
-  {% set webhook_config_mount = "{\"name\": \"webhookconfigmount\",\"mountPath\": \"" + grains.webhook_authorization_config + "\", \"readOnly\": false}," -%}
-  {% set webhook_config_volume = "{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"" + grains.webhook_authorization_config + "\"}}," -%}
-  {% set authz_mode = authz_mode + ",Webhook" -%}
-{% endif -%}
-
 {% set admission_control = "" -%}
 {% if pillar['admission_control'] is defined -%}
 {% set admission_control = "--admission-control=" + pillar['admission_control'] -%}
@ -109,7 +99,7 @@
 {% endif -%}

 {% set params = address + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout -%}
-{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address  + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authorization_config-%}
+{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address  + " " + proxy_ssh_options + authz_mode + abac_policy_file -%}

 # test_args has to be kept at the end, so they'll overwrite any prior configuration
 {% if pillar['apiserver_test_args'] is defined -%}
@ -162,7 +152,6 @@
        ],
    "volumeMounts": [
        {{cloud_config_mount}}
-        {{webhook_config_mount}}
        {{additional_cloud_config_mount}}
        { "name": "srvkube",
        "mountPath": "{{srv_kube_path}}",
@ -190,7 +179,6 @@
 ],
 "volumes":[
  {{cloud_config_volume}}
-  {{webhook_config_volume}}
  {{additional_cloud_config_volume}}
  { "name": "srvkube",
    "hostPath": {