diff --git a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
index 89d8cd4fc82..a8e8c8ce447 100644
--- a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
+++ b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
@@ -39,7 +39,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 obj.API.AdvertiseAddress = "foo"
 obj.Networking.ServiceSubnet = "foo"
 obj.Networking.DNSDomain = "foo"
- obj.AuthorizationModes = []string{"foo"}
 obj.CertificatesDir = "foo"
 obj.APIServerCertSANs = []string{"foo"}
 obj.Etcd.ServerCertSANs = []string{"foo"}
diff --git a/cmd/kubeadm/app/apis/kubeadm/types.go b/cmd/kubeadm/app/apis/kubeadm/types.go
index 8ffdfb2c497..f3b9df49138 100644
--- a/cmd/kubeadm/app/apis/kubeadm/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/types.go
@@ -45,10 +45,6 @@ type MasterConfiguration struct {
 // NodeName is the name of the node that will host the k8s control plane.
 // Defaults to the hostname if not provided.
 NodeName string
- // AuthorizationModes is a set of authorization modes used inside the cluster.
- // If not specified, defaults to Node and RBAC, meaning both the node
- // authorizer and RBAC are enabled.
- AuthorizationModes []string
 // NoTaintMaster will, if set, suppress the tainting of the
 // master node allowing workloads to be run on it (e.g. in
 // single node configurations).
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go
index 814ad8b0ed7..9baad9d1d42 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go
@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1
 import (
+ "reflect"
+ "strings"
+
 "k8s.io/apimachinery/pkg/conversion"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
@@ -41,6 +44,7 @@ func Convert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration(in *Mas
 }
 UpgradeCloudProvider(in, out)
+ UpgradeAuthorizationModes(in, out)
 // We don't support migrating information from the .PrivilegedPods field which was removed in v1alpha2
 return nil
@@ -69,3 +73,14 @@ func UpgradeCloudProvider(in *MasterConfiguration, out *kubeadm.MasterConfigurat
 out.ControllerManagerExtraArgs["cloud-provider"] = in.CloudProvider
 }
 }
+
+func UpgradeAuthorizationModes(in *MasterConfiguration, out *kubeadm.MasterConfiguration) {
+ // If .AuthorizationModes was set to something else than the default, preserve the information via extraargs
+ if !reflect.DeepEqual(in.AuthorizationModes, strings.Split(DefaultAuthorizationModes, ",")) {
+
+ if out.APIServerExtraArgs == nil {
+ out.APIServerExtraArgs = map[string]string{}
+ }
+ out.APIServerExtraArgs["authorization-mode"] = strings.Join(in.AuthorizationModes, ",")
+ }
+}
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go
index ca5fe1cc748..266f0033a9b 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go
@@ -18,7 +18,6 @@ package v1alpha2
 import (
 "net/url"
- "strings"
 "time"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -42,8 +41,6 @@ const (
 DefaultKubernetesVersion = "stable-1.10"
 // DefaultAPIBindPort defines default API port
 DefaultAPIBindPort = 6443
- // DefaultAuthorizationModes defines default authorization modes
- DefaultAuthorizationModes = "Node,RBAC"
 // DefaultCertificatesDir defines default certificate directory
 DefaultCertificatesDir = "/etc/kubernetes/pki"
 // DefaultImageRepository defines default image registry
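Review bot: UpgradeAuthorizationModes writes the `authorization-mode` extra arg whenever in.AuthorizationModes differs from the split default, so a v1alpha1 config whose field is unset (nil or empty) and has not been defaulted yet ends up with `out.APIServerExtraArgs["authorization-mode"] = ""`, passing an empty mode list to the API server; guard with `if len(in.AuthorizationModes) == 0 { return }` before the DeepEqual. reflect.DeepEqual is also order-sensitive, so `RBAC,Node` is treated as non-default and copied into the extra args, which is harmless but deserves a comment. The assignment silently overwrites any `authorization-mode` the user already placed in apiServerExtraArgs; keeping the existing value, or at least surfacing the conflict, would be safer. With ValidateAuthorizationModes and the requiredAuthzModes check removed in validation.go, and the ABAC/Webhook file checks removed in checks.go, nothing in kubeadm now verifies that the value written here still enables Node and RBAC, so the former guarantee should be re-established as a validation of the extra arg. The DefaultAuthorizationModes used here presumably comes from the v1alpha1 package, since the v1alpha2 constant of that name is deleted in this commit.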
@@ -96,10 +93,6 @@ func SetDefaults_MasterConfiguration(obj *MasterConfiguration) {
 obj.Networking.DNSDomain = DefaultServiceDNSDomain
 }
- if len(obj.AuthorizationModes) == 0 {
- obj.AuthorizationModes = strings.Split(DefaultAuthorizationModes, ",")
- }
-
 if obj.CertificatesDir == "" {
 obj.CertificatesDir = DefaultCertificatesDir
 }
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go
index 1a34dc7d8ae..dadaab24352 100644
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go
@@ -45,10 +45,6 @@ type MasterConfiguration struct {
 // NodeName is the name of the node that will host the k8s control plane.
 // Defaults to the hostname if not provided.
 NodeName string `json:"nodeName"`
- // AuthorizationModes is a set of authorization modes used inside the cluster.
- // If not specified, defaults to Node and RBAC, meaning both the node
- // authorizer and RBAC are enabled.
- AuthorizationModes []string `json:"authorizationModes,omitempty"`
 // NoTaintMaster will, if set, suppress the tainting of the
 // master node allowing workloads to be run on it (e.g. in
 // single node configurations).
diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
index a4ad6f04c58..a038a723591 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
@@ -37,7 +37,6 @@ import (
 kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 tokenutil "k8s.io/kubernetes/cmd/kubeadm/app/util/token"
 apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
- authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
 kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/scheme"
 kubeletvalidation "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation"
@@ -49,16 +48,9 @@ import (
 "k8s.io/kubernetes/pkg/util/node"
 )
-// Describes the authorization modes that are enforced by kubeadm
-var requiredAuthzModes = []string{
- authzmodes.ModeRBAC,
- authzmodes.ModeNode,
-}
-
 // ValidateMasterConfiguration validates master configuration and collects all encountered errors
 func ValidateMasterConfiguration(c *kubeadm.MasterConfiguration) field.ErrorList {
 allErrs := field.ErrorList{}
- allErrs = append(allErrs, ValidateAuthorizationModes(c.AuthorizationModes, field.NewPath("authorizationModes"))...)
 allErrs = append(allErrs, ValidateNetworking(&c.Networking, field.NewPath("networking"))...)
 allErrs = append(allErrs, ValidateCertSANs(c.APIServerCertSANs, field.NewPath("apiServerCertSANs"))...)
 allErrs = append(allErrs, ValidateCertSANs(c.Etcd.ServerCertSANs, field.NewPath("etcd").Child("serverCertSANs"))...)
@@ -102,29 +94,6 @@ func ValidateNodeConfiguration(c *kubeadm.NodeConfiguration) field.ErrorList {
 return allErrs
 }
-// ValidateAuthorizationModes validates authorization modes and collects all encountered errors
-func ValidateAuthorizationModes(authzModes []string, fldPath *field.Path) field.ErrorList {
- allErrs := field.ErrorList{}
- found := map[string]bool{}
- for _, authzMode := range authzModes {
- if !authzmodes.IsValidAuthorizationMode(authzMode) {
- allErrs = append(allErrs, field.Invalid(fldPath, authzMode, "invalid authorization mode"))
- }
-
- if found[authzMode] {
- allErrs = append(allErrs, field.Invalid(fldPath, authzMode, "duplicate authorization mode"))
- continue
- }
- found[authzMode] = true
- }
- for _, requiredMode := range requiredAuthzModes {
- if !found[requiredMode] {
- allErrs = append(allErrs, field.Required(fldPath, fmt.Sprintf("authorization mode %s must be enabled", requiredMode)))
- }
- }
- return allErrs
-}
-
 // ValidateDiscovery validates discovery related configuration and collects all encountered errors
 func ValidateDiscovery(c *kubeadm.NodeConfiguration) field.ErrorList {
 allErrs := field.ErrorList{}
diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
index a5427546775..8c51a354000 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
@@ -104,34 +104,6 @@ func TestValidateTokenGroups(t *testing.T) {
 }
 }
-func TestValidateAuthorizationModes(t *testing.T) {
- var tests = []struct {
- s []string
- f *field.Path
- expected bool
- }{
- {[]string{""}, nil, false},
- {[]string{"rBAC"}, nil, false}, // mode not supported
- {[]string{"rBAC", "Webhook"}, nil, false}, // mode not supported
- {[]string{"RBAC", "Webhook"}, nil, false}, // mode Node required
- {[]string{"Node", "RBAC", "Webhook", "Webhook"}, nil, false}, // no duplicates allowed
- {[]string{"not valid"}, nil, false}, // invalid mode
- {[]string{"Node", "RBAC"}, nil, true}, // supported
- {[]string{"RBAC", "Node"}, nil, true}, // supported
- {[]string{"Node", "RBAC", "Webhook", "ABAC"}, nil, true}, // supported
- }
- for _, rt := range tests {
- actual := ValidateAuthorizationModes(rt.s, rt.f)
- if (len(actual) == 0) != rt.expected {
- t.Errorf(
- "failed ValidateAuthorizationModes:\n\texpected: %t\n\t actual: %t",
- rt.expected,
- (len(actual) == 0),
- )
- }
- }
-}
-
 func TestValidateNodeName(t *testing.T) {
 var tests = []struct {
 s string
@@ -431,7 +403,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 AdvertiseAddress: "1.2.3.4",
 BindPort: 6443,
 },
- AuthorizationModes: []string{"Node", "RBAC"},
 Networking: kubeadm.Networking{
 ServiceSubnet: "10.96.0.1/12",
 DNSDomain: "cluster.local",
@@ -445,7 +416,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 AdvertiseAddress: "1.2.3.4",
 BindPort: 6443,
 },
- AuthorizationModes: []string{"Node", "RBAC"},
 Networking: kubeadm.Networking{
 ServiceSubnet: "2001:db8::1/98",
 DNSDomain: "cluster.local",
@@ -459,7 +429,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 AdvertiseAddress: "1.2.3.4",
 BindPort: 6443,
 },
- AuthorizationModes: []string{"Node", "RBAC"},
 Networking: kubeadm.Networking{
 ServiceSubnet: "10.96.0.1/12",
 DNSDomain: "cluster.local",
@@ -473,7 +442,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 AdvertiseAddress: "1.2.3.4",
 BindPort: 6443,
 },
- AuthorizationModes: []string{"Node", "RBAC"},
 Networking: kubeadm.Networking{
 ServiceSubnet: "10.96.0.1/12",
 DNSDomain: "cluster.local",
@@ -515,7 +483,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 },
 },
 },
- AuthorizationModes: []string{"Node", "RBAC"},
 Networking: kubeadm.Networking{
 ServiceSubnet: "10.96.0.1/12",
 DNSDomain: "cluster.local",
@@ -557,7 +524,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 },
 },
 },
- AuthorizationModes: []string{"Node", "RBAC"},
 Networking: kubeadm.Networking{
 ServiceSubnet: "2001:db8::1/98",
 DNSDomain: "cluster.local",
diff --git a/cmd/kubeadm/app/cmd/init.go b/cmd/kubeadm/app/cmd/init.go
index a901b25a208..94655063933 100644
--- a/cmd/kubeadm/app/cmd/init.go
+++ b/cmd/kubeadm/app/cmd/init.go
@@ -252,7 +252,6 @@ func NewInit(cfgPath string, externalcfg *kubeadmapiv1alpha2.MasterConfiguration
 }
 glog.Infof("[init] using Kubernetes version: %s\n", cfg.KubernetesVersion)
- glog.Infof("[init] using Authorization modes: %v\n", cfg.AuthorizationModes)
 glog.Infoln("[preflight] running pre-flight checks")
diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index 5137e198a32..ea53fade786 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -275,11 +275,6 @@ var (
 Effect: v1.TaintEffectNoSchedule,
 }
- // AuthorizationPolicyPath defines the supported location of authorization policy file
- AuthorizationPolicyPath = filepath.Join(KubernetesDir, "abac_policy.json")
- // AuthorizationWebhookConfigPath defines the supported location of webhook config file
- AuthorizationWebhookConfigPath = filepath.Join(KubernetesDir, "webhook_authz.conf")
-
 // DefaultTokenUsages specifies the default functions a token will get
 DefaultTokenUsages = bootstrapapi.KnownTokenUsages
diff --git a/cmd/kubeadm/app/phases/upgrade/staticpods_test.go b/cmd/kubeadm/app/phases/upgrade/staticpods_test.go
index 127d3bb26d7..060f5e094be 100644
--- a/cmd/kubeadm/app/phases/upgrade/staticpods_test.go
+++ b/cmd/kubeadm/app/phases/upgrade/staticpods_test.go
@@ -46,14 +46,13 @@ const (
 waitForPodsWithLabel = "wait-for-pods-with-label"
 testConfiguration = `
+apiVersion: kubeadm.k8s.io/v1alpha2
+kind: MasterConfiguration
 api:
 advertiseAddress: 1.2.3.4
 bindPort: 6443
 apiServerCertSANs: null
 apiServerExtraArgs: null
-authorizationModes:
-- Node
-- RBAC
 certificatesDir: %s
 controllerManagerExtraArgs: null
 etcd:
@@ -508,6 +507,7 @@ func getAPIServerHash(dir string) (string, error) {
 return fmt.Sprintf("%x", sha256.Sum256(fileBytes)), nil
 }
+// TODO: Make this test function use the rest of the "official" API machinery helper funcs we have inside of kubeadm
 func getConfig(version, certsDir, etcdDataDir string) (*kubeadmapi.MasterConfiguration, error) {
 externalcfg := &kubeadmapiv1alpha2.MasterConfiguration{}
 internalcfg := &kubeadmapi.MasterConfiguration{}
diff --git a/cmd/kubeadm/app/preflight/checks.go b/cmd/kubeadm/app/preflight/checks.go
index a7e7312c363..a7f9df241dd 100644
--- a/cmd/kubeadm/app/preflight/checks.go
+++ b/cmd/kubeadm/app/preflight/checks.go
@@ -47,7 +47,6 @@ import (
 kubeadmdefaults "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1"
 kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 "k8s.io/kubernetes/pkg/apis/core/validation"
- authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 "k8s.io/kubernetes/pkg/registry/core/service/ipallocator"
 "k8s.io/kubernetes/pkg/util/initsystem"
 "k8s.io/kubernetes/pkg/util/procfs"
@@ -889,16 +888,6 @@ func RunInitMasterChecks(execer utilsexec.Interface, cfg *kubeadmapi.MasterConfi
 )
 }
- // Check the config for authorization mode
- for _, authzMode := range cfg.AuthorizationModes {
- switch authzMode {
- case authzmodes.ModeABAC:
- checks = append(checks, FileExistingCheck{Path: kubeadmconstants.AuthorizationPolicyPath})
- case authzmodes.ModeWebhook:
- checks = append(checks, FileExistingCheck{Path: kubeadmconstants.AuthorizationWebhookConfigPath})
- }
- }
-
 if ip := net.ParseIP(cfg.API.AdvertiseAddress); ip != nil {
 if ip.To4() == nil && ip.To16() != nil {
 checks = append(checks,
diff --git a/cmd/kubeadm/app/util/config/masterconfig_test.go b/cmd/kubeadm/app/util/config/masterconfig_test.go
index ee46de4cd14..997b4bd9c07 100644
--- a/cmd/kubeadm/app/util/config/masterconfig_test.go
+++ b/cmd/kubeadm/app/util/config/masterconfig_test.go
@@ -39,7 +39,7 @@ const (
 master_v1alpha2YAML = "testdata/conversion/master/v1alpha2.yaml"
 master_internalYAML = "testdata/conversion/master/internal.yaml"
 master_incompleteYAML = "testdata/defaulting/master/incomplete.yaml"
- master_defaultedYAML = "testdata/defaulting/master/defaulted.yaml"
+ master_defaultedYAML = "testdata/defaulting/master/defaulted.yaml"
 master_invalidYAML = "testdata/validation/invalid_mastercfg.yaml"
 master_beforeUpgradeYAML = "testdata/v1alpha1_upgrade/before.yaml"
 master_afterUpgradeYAML = "testdata/v1alpha1_upgrade/after.yaml"
diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml
index 04f70585496..04da36c1d2f 100644
--- a/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml
@@ -3,15 +3,13 @@ API:
 BindPort: 6443
 ControlPlaneEndpoint: ""
 APIServerCertSANs: null
-APIServerExtraArgs: null
+APIServerExtraArgs:
+ authorization-mode: Node,RBAC,Webhook
 APIServerExtraVolumes: null
 AuditPolicyConfiguration:
 LogDir: /var/log/kubernetes/audit
 LogMaxAge: 2
 Path: ""
-AuthorizationModes:
-- Node
-- RBAC
 CIImageRepository: ""
 CRISocket: /var/run/dockershim.sock
 CertificatesDir: /etc/kubernetes/pki
diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml
index 4edd30abbdb..75f36c4279f 100644
--- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml
@@ -10,6 +10,7 @@ auditPolicy:
 authorizationModes:
 - Node
 - RBAC
+- Webhook
 certificatesDir: /etc/kubernetes/pki
 cloudProvider: ""
 clusterName: kubernetes
diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml
index 904c942bc41..e8065236cae 100644
--- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml
@@ -10,6 +10,7 @@ auditPolicy:
 authorizationModes:
 - Node
 - RBAC
+- Webhook
 certificatesDir: /etc/kubernetes/pki
 cloudProvider: ""
 clusterName: kubernetes
diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml
index 540c5a5392b..de6b2724910 100644
--- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml
+++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml
@@ -2,14 +2,13 @@ api:
 advertiseAddress: 192.168.2.2
 bindPort: 6443
 controlPlaneEndpoint: ""
+apiServerExtraArgs:
+ authorization-mode: Node,RBAC,Webhook
 apiVersion: kubeadm.k8s.io/v1alpha2
 auditPolicy:
 logDir: /var/log/kubernetes/audit
 logMaxAge: 2
 path: ""
-authorizationModes:
-- Node
-- RBAC
 certificatesDir: /etc/kubernetes/pki
 clusterName: kubernetes
 criSocket: /var/run/dockershim.sock