github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #40172 from liggitt/abac-upgrade

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 38739, 40480, 40495, 40172, 40393)

Use existing ABAC policy file when upgrading GCE cluster

When upgrading, continue loading an existing ABAC policy file so that existing system components continue working as-is

```
When upgrading an existing 1.5 GCE cluster using `cluster/gce/upgrade.sh`, an existing ABAC policy file located at /etc/srv/kubernetes/abac-authz-policy.jsonl (the default location in 1.5) will enable the ABAC authorizer in addition to the RBAC authorizer. To switch an upgraded 1.5 cluster completely to RBAC, ensure the control plane components and your superuser have been granted sufficient RBAC permissions, move the legacy ABAC policy file to a backup location, and restart the apiserver.
```
This commit is contained in:
Kubernetes Submit Queue 2017-01-25 21:20:32 -08:00 committed by GitHub
commit b1279a31b9
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cluster/gce/gci/configure-helper.sh
View File

@ -903,6 +903,9 @@ function start-kube-apiserver {
local authorization_mode="RBAC"
# Load existing ABAC policy files written by versions < 1.6 of this script
# TODO: only default to this legacy path when in upgrade mode
ABAC_AUTHZ_FILE="${ABAC_AUTHZ_FILE:-/etc/srv/kubernetes/abac-authz-policy.jsonl}"
if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then
params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}"
authorization_mode+=",ABAC"