kubeadm: fix misleading warning for authz modes

kubeadm init prints: W0410 23:02:10.119723 13040 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC" Add a new function compareAuthzModes() and a unit test for it. Make sure the warning is printed only if the user modes don't match the defaults.
2025-07-22 19:31:44 +00:00 · 2020-04-10 23:40:28 +03:00 · 2020-04-10 23:40:28 +03:00 · 6cfd772401
commit 6cfd772401
parent 1c01efe10f
2 changed files with 59 additions and 4 deletions
--- a/cmd/kubeadm/app/phases/controlplane/manifests.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests.go
@ -222,16 +222,31 @@ func getAuthzModes(authzModeExtraArgs string) string {

 		// only return the user provided mode if at least one was valid
 		if len(mode) > 0 {
-			klog.Warningf("the default kube-apiserver authorization-mode is %q; using %q",
-				strings.Join(defaultMode, ","),
-				strings.Join(mode, ","),
-			)
+			if !compareAuthzModes(defaultMode, mode) {
+				klog.Warningf("the default kube-apiserver authorization-mode is %q; using %q",
+					strings.Join(defaultMode, ","),
+					strings.Join(mode, ","),
+				)
+			}
 			return strings.Join(mode, ",")
 		}
 	}
 	return strings.Join(defaultMode, ",")
 }

+// compareAuthzModes compares two given authz modes and returns false if they do not match
+func compareAuthzModes(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i, m := range a {
+		if m != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
 func isValidAuthzMode(authzMode string) bool {
 	allModes := []string{
 		kubeadmconstants.ModeNode,
--- a/cmd/kubeadm/app/phases/controlplane/manifests_test.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
@ -1144,3 +1144,43 @@ func TestIsValidAuthzMode(t *testing.T) {
 		})
 	}
 }
+
+func TestCompareAuthzModes(t *testing.T) {
+	var tests = []struct {
+		name   string
+		modesA []string
+		modesB []string
+		equal  bool
+	}{
+		{
+			name:   "modes match",
+			modesA: []string{"a", "b", "c"},
+			modesB: []string{"a", "b", "c"},
+			equal:  true,
+		},
+		{
+			name:   "modes order does not match",
+			modesA: []string{"a", "c", "b"},
+			modesB: []string{"a", "b", "c"},
+		},
+		{
+			name:   "modes do not match; A has less modes",
+			modesA: []string{"a", "b"},
+			modesB: []string{"a", "b", "c"},
+		},
+		{
+			name:   "modes do not match; B has less modes",
+			modesA: []string{"a", "b", "c"},
+			modesB: []string{"a", "b"},
+		},
+	}
+
+	for _, rt := range tests {
+		t.Run(rt.name, func(t *testing.T) {
+			equal := compareAuthzModes(rt.modesA, rt.modesB)
+			if equal != rt.equal {
+				t.Errorf("failed compareAuthzModes:\nexpected:\n%v\nsaw:\n%v", rt.equal, equal)
+			}
+		})
+	}
+}