From 23d02c8f07e441e6dca518ab47e4e114525b3b31 Mon Sep 17 00:00:00 2001
From: Mike Danese <mikedanese@google.com>
Date: Thu, 11 Jan 2018 15:47:24 -0800
Subject: [PATCH] enable token auth for kubelets in GCE

---
 cluster/gce/util.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 00aa35e071b..e709de7c37c 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -571,8 +571,11 @@ function construct-kubelet-flags {
        [[ "${HAIRPIN_MODE:-}" == "none" ]]; then
       flags+=" --hairpin-mode=${HAIRPIN_MODE}"
     fi
+    flags+=" --anonymous-auth=false"
+    flags+=" --authentication-token-webhook"
+    flags+=" --authorization-mode=Webhook"
     # Keep client-ca-file in sync with CA_CERT_BUNDLE_PATH in configure-helper.sh
-    flags+=" --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/srv/kubernetes/pki/ca-certificates.crt"
+    flags+=" --client-ca-file=/etc/srv/kubernetes/pki/ca-certificates.crt"
   fi
   # Network plugin
   if [[ -n "${NETWORK_PROVIDER:-}" || -n "${NETWORK_POLICY_PROVIDER:-}" ]]; then