From e6a63c8f40d85c871e085f3e8456049e31331228 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt <jliggitt@redhat.com>
Date: Thu, 19 Jan 2017 15:25:01 -0500
Subject: [PATCH] Use existing ABAC policy file when upgrading GCE cluster

---
 cluster/gce/gci/configure-helper.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index d91d7a47f1b..9c65097c193 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -900,6 +900,9 @@ function start-kube-apiserver {
 
 
   local authorization_mode="RBAC"
+  # Load existing ABAC policy files written by versions < 1.6 of this script
+  # TODO: only default to this legacy path when in upgrade mode
+  ABAC_AUTHZ_FILE="${ABAC_AUTHZ_FILE:-/etc/srv/kubernetes/abac-authz-policy.jsonl}"
   if [[ -n "${ABAC_AUTHZ_FILE:-}" && -e "${ABAC_AUTHZ_FILE}" ]]; then
     params+=" --authorization-policy-file=${ABAC_AUTHZ_FILE}"
     authorization_mode+=",ABAC"