Merge pull request #41238 from xilabao/add-check-to-authorization-config

Automatic merge from submit-queue (batch tested with PRs 41466, 41456, 41550, 41238, 41416)

add check to authorization config

Prompt user to create the config when using abac/webhook.

cmd/kubeadm/app/constants/constants.go

@@ -19,6 +19,9 @@ package constants
 import "time"
 
 const (
+	AuthorizationPolicyFile        = "abac_policy.json"
+	AuthorizationWebhookConfigFile = "webhook_authz.conf"
+
 	CACertAndKeyBaseName = "ca"
 	CACertName           = "ca.crt"
 	CAKeyName            = "ca.key"

cmd/kubeadm/app/master/manifests.go

@@ -40,17 +40,15 @@ const (
 	DefaultClusterName     = "kubernetes"
 	DefaultCloudConfigPath = "/etc/kubernetes/cloud-config"
 
-	etcd                           = "etcd"
+	etcd                  = "etcd"
-	apiServer                      = "apiserver"
+	apiServer             = "apiserver"
-	controllerManager              = "controller-manager"
+	controllerManager     = "controller-manager"
-	scheduler                      = "scheduler"
+	scheduler             = "scheduler"
-	proxy                          = "proxy"
+	proxy                 = "proxy"
-	kubeAPIServer                  = "kube-apiserver"
+	kubeAPIServer         = "kube-apiserver"
-	kubeControllerManager          = "kube-controller-manager"
+	kubeControllerManager = "kube-controller-manager"
-	kubeScheduler                  = "kube-scheduler"
+	kubeScheduler         = "kube-scheduler"
-	kubeProxy                      = "kube-proxy"
+	kubeProxy             = "kube-proxy"
-	authorizationPolicyFile        = "abac_policy.json"
-	authorizationWebhookConfigFile = "webhook_authz.conf"
 )
 
 // WriteStaticPodManifests builds manifest objects based on user provided configuration and then dumps it to disk
@@ -326,9 +324,9 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
 		command = append(command, "--authorization-mode="+cfg.AuthorizationMode)
 		switch cfg.AuthorizationMode {
 		case kubeadmconstants.AuthzModeABAC:
-			command = append(command, "--authorization-policy-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, authorizationPolicyFile))
+			command = append(command, "--authorization-policy-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationPolicyFile))
 		case kubeadmconstants.AuthzModeWebhook:
-			command = append(command, "--authorization-webhook-config-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, authorizationWebhookConfigFile))
+			command = append(command, "--authorization-webhook-config-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationWebhookConfigFile))
 		}
 	}
 

cmd/kubeadm/app/preflight/checks.go

@@ -186,6 +186,19 @@ func (fac FileAvailableCheck) Check() (warnings, errors []error) {
 	return nil, errors
 }
 
+// FileExistingCheck checks that the given file does not already exist.
+type FileExistingCheck struct {
+	Path string
+}
+
+func (fac FileExistingCheck) Check() (warnings, errors []error) {
+	errors = []error{}
+	if _, err := os.Stat(fac.Path); err != nil {
+		errors = append(errors, fmt.Errorf("%s doesn't exist", fac.Path))
+	}
+	return nil, errors
+}
+
 // FileContentCheck checks that the given file contains the string Content.
 type FileContentCheck struct {
 	Path    string
@@ -349,6 +362,16 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
 		)
 	}
 
+	// Check the config for authorization mode
+	switch cfg.AuthorizationMode {
+	case kubeadmconstants.AuthzModeABAC:
+		authorizationPolicyPath := filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationPolicyFile)
+		checks = append(checks, FileExistingCheck{Path: authorizationPolicyPath})
+	case kubeadmconstants.AuthzModeWebhook:
+		authorizationWebhookConfigPath := filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationWebhookConfigFile)
+		checks = append(checks, FileExistingCheck{Path: authorizationWebhookConfigPath})
+	}
+
 	return RunChecks(checks, os.Stderr)
 }