From 4f0020d1b4caec992460859ceb792f1b785a85fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?= Date: Sat, 19 May 2018 15:49:28 +0100 Subject: [PATCH 1/3] Don't support marshalling using the v1alpha1 version in kubeadm v1.11 --- .../app/util/config/masterconfig_test.go | 17 +--- ...defaulted_v1alpha2.yaml => defaulted.yaml} | 3 - .../defaulting/master/defaulted_v1alpha1.yaml | 78 ------------------- 3 files changed, 2 insertions(+), 96 deletions(-) rename cmd/kubeadm/app/util/config/testdata/defaulting/master/{defaulted_v1alpha2.yaml => defaulted.yaml} (98%) delete mode 100644 cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted_v1alpha1.yaml diff --git a/cmd/kubeadm/app/util/config/masterconfig_test.go b/cmd/kubeadm/app/util/config/masterconfig_test.go index 8b3409399cb..ee46de4cd14 100644 --- a/cmd/kubeadm/app/util/config/masterconfig_test.go +++ b/cmd/kubeadm/app/util/config/masterconfig_test.go @@ -39,8 +39,7 @@ const ( master_v1alpha2YAML = "testdata/conversion/master/v1alpha2.yaml" master_internalYAML = "testdata/conversion/master/internal.yaml" master_incompleteYAML = "testdata/defaulting/master/incomplete.yaml" - master_defaultedv1alpha1YAML = "testdata/defaulting/master/defaulted_v1alpha1.yaml" - master_defaultedv1alpha2YAML = "testdata/defaulting/master/defaulted_v1alpha2.yaml" + master_defaultedYAML = "testdata/defaulting/master/defaulted.yaml" master_invalidYAML = "testdata/validation/invalid_mastercfg.yaml" master_beforeUpgradeYAML = "testdata/v1alpha1_upgrade/before.yaml" master_afterUpgradeYAML = "testdata/v1alpha1_upgrade/after.yaml" 
@@ -79,12 +78,6 @@ func TestConfigFileAndDefaultsToInternalConfig(t *testing.T) { out: master_internalYAML, groupVersion: kubeadm.SchemeGroupVersion, }, - { // v1alpha1 (faulty) -> internal -> v1alpha1 - name: "v1alpha1WithoutTypeMetaTov1alpha1", - in: master_v1alpha1WithoutTypeMetaYAML, - out: master_v1alpha1YAML, - groupVersion: v1alpha1.SchemeGroupVersion, - }, { // v1alpha2 -> internal name: "v1alpha2ToInternal", in: master_v1alpha2YAML, @@ -105,16 +98,10 @@ func TestConfigFileAndDefaultsToInternalConfig(t *testing.T) { }, // These tests are reading one file that has only a subset of the fields populated, loading it using ConfigFileAndDefaultsToInternalConfig, // and then marshals the internal object to the expected groupVersion - { // v1alpha1 (faulty) -> default -> validate -> internal -> v1alpha1 - name: "incompleteYAMLToDefaultedv1alpha1", - in: master_incompleteYAML, - out: master_defaultedv1alpha1YAML, - groupVersion: v1alpha1.SchemeGroupVersion, - }, { // v1alpha1 (faulty) -> default -> validate -> internal -> v1alpha2 name: "incompleteYAMLToDefaultedv1alpha2", in: master_incompleteYAML, - out: master_defaultedv1alpha2YAML, + out: master_defaultedYAML, groupVersion: v1alpha2.SchemeGroupVersion, }, { // v1alpha1 (faulty) -> validation should fail diff --git a/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted_v1alpha2.yaml b/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml similarity index 98% rename from cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted_v1alpha2.yaml rename to cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml index ee133e25dc6..09506810936 100644 --- a/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted_v1alpha2.yaml +++ b/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml 
@@ -7,9 +7,6 @@ auditPolicy: logDir: /var/log/kubernetes/audit logMaxAge: 2 path: "" -authorizationModes: -- Node -- RBAC certificatesDir: /var/lib/kubernetes/pki clusterName: kubernetes criSocket: /var/run/criruntime.sock diff --git a/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted_v1alpha1.yaml b/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted_v1alpha1.yaml deleted file mode 100644 index e36204f99fb..00000000000 --- a/cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted_v1alpha1.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -api: - advertiseAddress: 192.168.2.2 - bindPort: 6443 - controlPlaneEndpoint: "" -apiVersion: kubeadm.k8s.io/v1alpha1 -auditPolicy: - logDir: /var/log/kubernetes/audit - logMaxAge: 2 - path: "" -authorizationModes: -- Node -- RBAC -certificatesDir: /var/lib/kubernetes/pki -cloudProvider: "" -clusterName: kubernetes -criSocket: /var/run/criruntime.sock -etcd: - caFile: "" - certFile: "" - dataDir: /var/lib/etcd - endpoints: null - image: "" - keyFile: "" -imageRepository: my-company.com -kind: MasterConfiguration -kubeProxy: - config: - bindAddress: 0.0.0.0 - clientConnection: - acceptContentTypes: "" - burst: 10 - contentType: application/vnd.kubernetes.protobuf - kubeconfig: /var/lib/kube-proxy/kubeconfig.conf - qps: 5 - clusterCIDR: "" - configSyncPeriod: 15m0s - conntrack: - max: null - maxPerCore: 32768 - min: 131072 - tcpCloseWaitTimeout: 1h0m0s - tcpEstablishedTimeout: 24h0m0s - enableProfiling: false - healthzBindAddress: 0.0.0.0:10256 - hostnameOverride: "" - iptables: - masqueradeAll: false - masqueradeBit: 14 - minSyncPeriod: 0s - syncPeriod: 30s - ipvs: - ExcludeCIDRs: null - minSyncPeriod: 0s - scheduler: "" - syncPeriod: 30s - metricsBindAddress: 127.0.0.1:10249 - mode: "" - nodePortAddresses: null - oomScoreAdj: -999 - portRange: "" - resourceContainer: /kube-proxy - udpIdleTimeout: 250ms -kubeletConfiguration: {} -kubernetesVersion: v1.10.2 -networking: - dnsDomain: cluster.global - podSubnet: "" - serviceSubnet: 10.196.0.0/12 -nodeName: master-1 -privilegedPods: false -token: s73ybu.6tw6wnqgp5z0wb77 -tokenGroups: -- system:bootstrappers:kubeadm:default-node-token -tokenTTL: 24h0m0s -tokenUsages: -- signing -- authentication -unifiedControlPlaneImage: "" From 5687f652db97504c5278732c69c6bbc968da5261 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?= Date: Mon, 21 May 2018 08:49:12 +0300 Subject: [PATCH 2/3] kubeadm: Remove .AuthorizationModes in the v1alpha2 API --- cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go | 1 - cmd/kubeadm/app/apis/kubeadm/types.go | 4 --- .../app/apis/kubeadm/v1alpha1/conversion.go | 15 ++++++++ .../app/apis/kubeadm/v1alpha2/defaults.go | 7 ---- .../app/apis/kubeadm/v1alpha2/types.go | 4 --- .../app/apis/kubeadm/validation/validation.go | 31 ----------------- .../kubeadm/validation/validation_test.go | 34 ------------------- cmd/kubeadm/app/cmd/init.go | 1 - cmd/kubeadm/app/constants/constants.go | 5 --- .../app/phases/upgrade/staticpods_test.go | 6 ++-- cmd/kubeadm/app/preflight/checks.go | 11 ------ .../app/util/config/masterconfig_test.go | 2 +- .../testdata/conversion/master/internal.yaml | 6 ++-- .../testdata/conversion/master/v1alpha1.yaml | 1 + .../master/v1alpha1_without_TypeMeta.yaml | 1 + .../testdata/conversion/master/v1alpha2.yaml | 5 ++- 16 files changed, 25 insertions(+), 109 deletions(-) diff --git a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go index 89d8cd4fc82..a8e8c8ce447 100644 --- a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go +++ b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go @@ -39,7 +39,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} { obj.API.AdvertiseAddress = "foo" obj.Networking.ServiceSubnet = "foo" obj.Networking.DNSDomain = "foo" - obj.AuthorizationModes = []string{"foo"} obj.CertificatesDir = "foo" obj.APIServerCertSANs = []string{"foo"} obj.Etcd.ServerCertSANs = []string{"foo"} diff --git a/cmd/kubeadm/app/apis/kubeadm/types.go b/cmd/kubeadm/app/apis/kubeadm/types.go index 8ffdfb2c497..f3b9df49138 100644 --- a/cmd/kubeadm/app/apis/kubeadm/types.go +++ b/cmd/kubeadm/app/apis/kubeadm/types.go 
@@ -45,10 +45,6 @@ type MasterConfiguration struct { // NodeName is the name of the node that will host the k8s control plane. // Defaults to the hostname if not provided. NodeName string - // AuthorizationModes is a set of authorization modes used inside the cluster. - // If not specified, defaults to Node and RBAC, meaning both the node - // authorizer and RBAC are enabled. - AuthorizationModes []string // NoTaintMaster will, if set, suppress the tainting of the // master node allowing workloads to be run on it (e.g. in // single node configurations). diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go index 814ad8b0ed7..9baad9d1d42 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go @@ -17,6 +17,9 @@ limitations under the License. package v1alpha1 import ( + "reflect" + "strings" + "k8s.io/apimachinery/pkg/conversion" "k8s.io/apimachinery/pkg/runtime" "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" @@ -41,6 +44,7 @@ func Convert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration(in *Mas } UpgradeCloudProvider(in, out) + UpgradeAuthorizationModes(in, out) // We don't support migrating information from the .PrivilegedPods field which was removed in v1alpha2 return nil @@ -69,3 +73,14 @@ func UpgradeCloudProvider(in *MasterConfiguration, out *kubeadm.MasterConfigurat out.ControllerManagerExtraArgs["cloud-provider"] = in.CloudProvider } } + +func UpgradeAuthorizationModes(in *MasterConfiguration, out *kubeadm.MasterConfiguration) { + // If .AuthorizationModes was set to something else than the default, preserve the information via extraargs + if !reflect.DeepEqual(in.AuthorizationModes, strings.Split(DefaultAuthorizationModes, ",")) { + + if out.APIServerExtraArgs == nil { + out.APIServerExtraArgs = map[string]string{} + } + out.APIServerExtraArgs["authorization-mode"] = strings.Join(in.AuthorizationModes, ",") + } +} 
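Review bot: `UpgradeAuthorizationModes` (last hunk of v1alpha1/conversion.go) copies whatever a v1alpha1 file put in `.AuthorizationModes` into `out.APIServerExtraArgs["authorization-mode"]`, while the validation.go part of this same patch deletes `ValidateAuthorizationModes`, so as far as this diff shows nothing on the upgrade path rejects a list that omits `Node` or `RBAC`, repeats a mode, or names an unknown one. If that guardrail is meant to survive, the resulting extra argument needs an equivalent check in `ValidateMasterConfiguration`; otherwise the relaxation should be stated in the commit message. The assignment also replaces any `authorization-mode` key already present in the extra args (presumably copied by the auto-conversion that runs first). If the function is ever reached with an undefaulted object, a nil slice is not DeepEqual to the default and the key is written as an empty string; `if len(in.AuthorizationModes) == 0 { return }` before the comparison avoids that, though whether defaulting always precedes this conversion is not visible here. The exported function also lacks a doc comment, for example `// UpgradeAuthorizationModes preserves a non-default v1alpha1 .AuthorizationModes value in the API server's authorization-mode extra argument.`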
diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go index ca5fe1cc748..266f0033a9b 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go @@ -18,7 +18,6 @@ package v1alpha2 import ( "net/url" - "strings" "time" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -42,8 +41,6 @@ const ( DefaultKubernetesVersion = "stable-1.10" // DefaultAPIBindPort defines default API port DefaultAPIBindPort = 6443 - // DefaultAuthorizationModes defines default authorization modes - DefaultAuthorizationModes = "Node,RBAC" // DefaultCertificatesDir defines default certificate directory DefaultCertificatesDir = "/etc/kubernetes/pki" // DefaultImageRepository defines default image registry @@ -96,10 +93,6 @@ func SetDefaults_MasterConfiguration(obj *MasterConfiguration) { obj.Networking.DNSDomain = DefaultServiceDNSDomain } - if len(obj.AuthorizationModes) == 0 { - obj.AuthorizationModes = strings.Split(DefaultAuthorizationModes, ",") - } - if obj.CertificatesDir == "" { obj.CertificatesDir = DefaultCertificatesDir } diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go index 1a34dc7d8ae..dadaab24352 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go 
@@ -45,10 +45,6 @@ type MasterConfiguration struct { // NodeName is the name of the node that will host the k8s control plane. // Defaults to the hostname if not provided. NodeName string `json:"nodeName"` - // AuthorizationModes is a set of authorization modes used inside the cluster. - // If not specified, defaults to Node and RBAC, meaning both the node - // authorizer and RBAC are enabled. - AuthorizationModes []string `json:"authorizationModes,omitempty"` // NoTaintMaster will, if set, suppress the tainting of the // master node allowing workloads to be run on it (e.g. in // single node configurations). diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go index a4ad6f04c58..a038a723591 100644 --- a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go +++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go @@ -37,7 +37,6 @@ import ( kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util" tokenutil "k8s.io/kubernetes/cmd/kubeadm/app/util/token" apivalidation "k8s.io/kubernetes/pkg/apis/core/validation" - authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig" kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/scheme" kubeletvalidation "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation" 
@@ -49,16 +48,9 @@ import ( "k8s.io/kubernetes/pkg/util/node" ) -// Describes the authorization modes that are enforced by kubeadm -var requiredAuthzModes = []string{ - authzmodes.ModeRBAC, - authzmodes.ModeNode, -} - // ValidateMasterConfiguration validates master configuration and collects all encountered errors func ValidateMasterConfiguration(c *kubeadm.MasterConfiguration) field.ErrorList { allErrs := field.ErrorList{} - allErrs = append(allErrs, ValidateAuthorizationModes(c.AuthorizationModes, field.NewPath("authorizationModes"))...) allErrs = append(allErrs, ValidateNetworking(&c.Networking, field.NewPath("networking"))...) allErrs = append(allErrs, ValidateCertSANs(c.APIServerCertSANs, field.NewPath("apiServerCertSANs"))...) allErrs = append(allErrs, ValidateCertSANs(c.Etcd.ServerCertSANs, field.NewPath("etcd").Child("serverCertSANs"))...) 
@@ -102,29 +94,6 @@ func ValidateNodeConfiguration(c *kubeadm.NodeConfiguration) field.ErrorList { return allErrs } -// ValidateAuthorizationModes validates authorization modes and collects all encountered errors -func ValidateAuthorizationModes(authzModes []string, fldPath *field.Path) field.ErrorList { - allErrs := field.ErrorList{} - found := map[string]bool{} - for _, authzMode := range authzModes { - if !authzmodes.IsValidAuthorizationMode(authzMode) { - allErrs = append(allErrs, field.Invalid(fldPath, authzMode, "invalid authorization mode")) - } - - if found[authzMode] { - allErrs = append(allErrs, field.Invalid(fldPath, authzMode, "duplicate authorization mode")) - continue - } - found[authzMode] = true - } - for _, requiredMode := range requiredAuthzModes { - if !found[requiredMode] { - allErrs = append(allErrs, field.Required(fldPath, fmt.Sprintf("authorization mode %s must be enabled", requiredMode))) - } - } - return allErrs -} - // ValidateDiscovery validates discovery related configuration and collects all encountered errors func ValidateDiscovery(c *kubeadm.NodeConfiguration) field.ErrorList { allErrs := field.ErrorList{} diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go index a5427546775..8c51a354000 100644 --- a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go +++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go 
@@ -104,34 +104,6 @@ func TestValidateTokenGroups(t *testing.T) { } } -func TestValidateAuthorizationModes(t *testing.T) { - var tests = []struct { - s []string - f *field.Path - expected bool - }{ - {[]string{""}, nil, false}, - {[]string{"rBAC"}, nil, false}, // mode not supported - {[]string{"rBAC", "Webhook"}, nil, false}, // mode not supported - {[]string{"RBAC", "Webhook"}, nil, false}, // mode Node required - {[]string{"Node", "RBAC", "Webhook", "Webhook"}, nil, false}, // no duplicates allowed - {[]string{"not valid"}, nil, false}, // invalid mode - {[]string{"Node", "RBAC"}, nil, true}, // supported - {[]string{"RBAC", "Node"}, nil, true}, // supported - {[]string{"Node", "RBAC", "Webhook", "ABAC"}, nil, true}, // supported - } - for _, rt := range tests { - actual := ValidateAuthorizationModes(rt.s, rt.f) - if (len(actual) == 0) != rt.expected { - t.Errorf( - "failed ValidateAuthorizationModes:\n\texpected: %t\n\t actual: %t", - rt.expected, - (len(actual) == 0), - ) - } - } -} - func TestValidateNodeName(t *testing.T) { var tests = []struct { s string @@ -431,7 +403,6 @@ func TestValidateMasterConfiguration(t *testing.T) { AdvertiseAddress: "1.2.3.4", BindPort: 6443, }, - AuthorizationModes: []string{"Node", "RBAC"}, Networking: kubeadm.Networking{ ServiceSubnet: "10.96.0.1/12", DNSDomain: "cluster.local", @@ -445,7 +416,6 @@ func TestValidateMasterConfiguration(t *testing.T) { AdvertiseAddress: "1.2.3.4", BindPort: 6443, }, - AuthorizationModes: []string{"Node", "RBAC"}, Networking: kubeadm.Networking{ ServiceSubnet: "2001:db8::1/98", DNSDomain: "cluster.local", @@ -459,7 +429,6 @@ func TestValidateMasterConfiguration(t *testing.T) { AdvertiseAddress: "1.2.3.4", BindPort: 6443, }, - AuthorizationModes: []string{"Node", "RBAC"}, Networking: kubeadm.Networking{ ServiceSubnet: "10.96.0.1/12", DNSDomain: "cluster.local", 
@@ -473,7 +442,6 @@ func TestValidateMasterConfiguration(t *testing.T) { AdvertiseAddress: "1.2.3.4", BindPort: 6443, }, - AuthorizationModes: []string{"Node", "RBAC"}, Networking: kubeadm.Networking{ ServiceSubnet: "10.96.0.1/12", DNSDomain: "cluster.local", @@ -515,7 +483,6 @@ func TestValidateMasterConfiguration(t *testing.T) { }, }, }, - AuthorizationModes: []string{"Node", "RBAC"}, Networking: kubeadm.Networking{ ServiceSubnet: "10.96.0.1/12", DNSDomain: "cluster.local", @@ -557,7 +524,6 @@ func TestValidateMasterConfiguration(t *testing.T) { }, }, }, - AuthorizationModes: []string{"Node", "RBAC"}, Networking: kubeadm.Networking{ ServiceSubnet: "2001:db8::1/98", DNSDomain: "cluster.local", diff --git a/cmd/kubeadm/app/cmd/init.go b/cmd/kubeadm/app/cmd/init.go index a901b25a208..94655063933 100644 --- a/cmd/kubeadm/app/cmd/init.go +++ b/cmd/kubeadm/app/cmd/init.go @@ -252,7 +252,6 @@ func NewInit(cfgPath string, externalcfg *kubeadmapiv1alpha2.MasterConfiguration } glog.Infof("[init] using Kubernetes version: %s\n", cfg.KubernetesVersion) - glog.Infof("[init] using Authorization modes: %v\n", cfg.AuthorizationModes) glog.Infoln("[preflight] running pre-flight checks") diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go index 5137e198a32..ea53fade786 100644 --- a/cmd/kubeadm/app/constants/constants.go +++ b/cmd/kubeadm/app/constants/constants.go @@ -275,11 +275,6 @@ var ( Effect: v1.TaintEffectNoSchedule, } - // AuthorizationPolicyPath defines the supported location of authorization policy file - AuthorizationPolicyPath = filepath.Join(KubernetesDir, "abac_policy.json") - // AuthorizationWebhookConfigPath defines the supported location of webhook config file - AuthorizationWebhookConfigPath = filepath.Join(KubernetesDir, "webhook_authz.conf") - // DefaultTokenUsages specifies the default functions a token will get DefaultTokenUsages = bootstrapapi.KnownTokenUsages 
diff --git a/cmd/kubeadm/app/phases/upgrade/staticpods_test.go b/cmd/kubeadm/app/phases/upgrade/staticpods_test.go index 127d3bb26d7..060f5e094be 100644 --- a/cmd/kubeadm/app/phases/upgrade/staticpods_test.go +++ b/cmd/kubeadm/app/phases/upgrade/staticpods_test.go @@ -46,14 +46,13 @@ const ( waitForPodsWithLabel = "wait-for-pods-with-label" testConfiguration = ` +apiVersion: kubeadm.k8s.io/v1alpha2 +kind: MasterConfiguration api: advertiseAddress: 1.2.3.4 bindPort: 6443 apiServerCertSANs: null apiServerExtraArgs: null -authorizationModes: -- Node -- RBAC certificatesDir: %s controllerManagerExtraArgs: null etcd: @@ -508,6 +507,7 @@ func getAPIServerHash(dir string) (string, error) { return fmt.Sprintf("%x", sha256.Sum256(fileBytes)), nil } +// TODO: Make this test function use the rest of the "official" API machinery helper funcs we have inside of kubeadm func getConfig(version, certsDir, etcdDataDir string) (*kubeadmapi.MasterConfiguration, error) { externalcfg := &kubeadmapiv1alpha2.MasterConfiguration{} internalcfg := &kubeadmapi.MasterConfiguration{} diff --git a/cmd/kubeadm/app/preflight/checks.go b/cmd/kubeadm/app/preflight/checks.go index a7e7312c363..a7f9df241dd 100644 --- a/cmd/kubeadm/app/preflight/checks.go +++ b/cmd/kubeadm/app/preflight/checks.go @@ -47,7 +47,6 @@ import ( kubeadmdefaults "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1" kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" "k8s.io/kubernetes/pkg/apis/core/validation" - authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" "k8s.io/kubernetes/pkg/registry/core/service/ipallocator" "k8s.io/kubernetes/pkg/util/initsystem" "k8s.io/kubernetes/pkg/util/procfs" 
@@ -889,16 +888,6 @@ func RunInitMasterChecks(execer utilsexec.Interface, cfg *kubeadmapi.MasterConfi ) } - // Check the config for authorization mode - for _, authzMode := range cfg.AuthorizationModes { - switch authzMode { - case authzmodes.ModeABAC: - checks = append(checks, FileExistingCheck{Path: kubeadmconstants.AuthorizationPolicyPath}) - case authzmodes.ModeWebhook: - checks = append(checks, FileExistingCheck{Path: kubeadmconstants.AuthorizationWebhookConfigPath}) - } - } - if ip := net.ParseIP(cfg.API.AdvertiseAddress); ip != nil { if ip.To4() == nil && ip.To16() != nil { checks = append(checks, diff --git a/cmd/kubeadm/app/util/config/masterconfig_test.go b/cmd/kubeadm/app/util/config/masterconfig_test.go index ee46de4cd14..997b4bd9c07 100644 --- a/cmd/kubeadm/app/util/config/masterconfig_test.go +++ b/cmd/kubeadm/app/util/config/masterconfig_test.go @@ -39,7 +39,7 @@ const ( master_v1alpha2YAML = "testdata/conversion/master/v1alpha2.yaml" master_internalYAML = "testdata/conversion/master/internal.yaml" master_incompleteYAML = "testdata/defaulting/master/incomplete.yaml" - master_defaultedYAML = "testdata/defaulting/master/defaulted.yaml" + master_defaultedYAML = "testdata/defaulting/master/defaulted.yaml" master_invalidYAML = "testdata/validation/invalid_mastercfg.yaml" master_beforeUpgradeYAML = "testdata/v1alpha1_upgrade/before.yaml" master_afterUpgradeYAML = "testdata/v1alpha1_upgrade/after.yaml" diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml index 04f70585496..04da36c1d2f 100644 --- a/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml +++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml 
@@ -3,15 +3,13 @@ API: BindPort: 6443 ControlPlaneEndpoint: "" APIServerCertSANs: null -APIServerExtraArgs: null +APIServerExtraArgs: + authorization-mode: Node,RBAC,Webhook APIServerExtraVolumes: null AuditPolicyConfiguration: LogDir: /var/log/kubernetes/audit LogMaxAge: 2 Path: "" -AuthorizationModes: -- Node -- RBAC CIImageRepository: "" CRISocket: /var/run/dockershim.sock CertificatesDir: /etc/kubernetes/pki diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml index 4edd30abbdb..75f36c4279f 100644 --- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml +++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml @@ -10,6 +10,7 @@ auditPolicy: authorizationModes: - Node - RBAC +- Webhook certificatesDir: /etc/kubernetes/pki cloudProvider: "" clusterName: kubernetes diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml index 904c942bc41..e8065236cae 100644 --- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml +++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml @@ -10,6 +10,7 @@ auditPolicy: authorizationModes: - Node - RBAC +- Webhook certificatesDir: /etc/kubernetes/pki cloudProvider: "" clusterName: kubernetes diff --git a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml index 540c5a5392b..de6b2724910 100644 --- a/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml +++ b/cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml 
@@ -2,14 +2,13 @@ api: advertiseAddress: 192.168.2.2 bindPort: 6443 controlPlaneEndpoint: "" +apiServerExtraArgs: + authorization-mode: Node,RBAC,Webhook apiVersion: kubeadm.k8s.io/v1alpha2 auditPolicy: logDir: /var/log/kubernetes/audit logMaxAge: 2 path: "" -authorizationModes: -- Node -- RBAC certificatesDir: /etc/kubernetes/pki clusterName: kubernetes criSocket: /var/run/dockershim.sock From 687fe22a6b3b059fc9ffa505e29e8e18ce3b6b71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?= Date: Mon, 21 May 2018 08:49:58 +0300 Subject: [PATCH 3/3] autogenerated --- .../app/apis/kubeadm/v1alpha1/zz_generated.conversion.go | 3 +-- .../app/apis/kubeadm/v1alpha2/zz_generated.conversion.go | 2 -- .../app/apis/kubeadm/v1alpha2/zz_generated.deepcopy.go | 5 ----- cmd/kubeadm/app/apis/kubeadm/validation/BUILD | 1 - cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go | 5 ----- cmd/kubeadm/app/preflight/BUILD | 1 - 6 files changed, 1 insertion(+), 16 deletions(-) diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/zz_generated.conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/zz_generated.conversion.go index 31a48329085..0d2ff1123e6 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/zz_generated.conversion.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/zz_generated.conversion.go @@ -230,7 +230,7 @@ func autoConvert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration(in out.KubernetesVersion = in.KubernetesVersion // WARNING: in.CloudProvider requires manual conversion: does not exist in peer-type out.NodeName = in.NodeName - out.AuthorizationModes = *(*[]string)(unsafe.Pointer(&in.AuthorizationModes)) + // WARNING: in.AuthorizationModes requires manual conversion: does not exist in peer-type out.NoTaintMaster = in.NoTaintMaster // WARNING: in.PrivilegedPods requires manual conversion: does not exist in peer-type out.Token = in.Token 
@@ -275,7 +275,6 @@ func autoConvert_kubeadm_MasterConfiguration_To_v1alpha1_MasterConfiguration(in } out.KubernetesVersion = in.KubernetesVersion out.NodeName = in.NodeName - out.AuthorizationModes = *(*[]string)(unsafe.Pointer(&in.AuthorizationModes)) out.NoTaintMaster = in.NoTaintMaster out.Token = in.Token out.TokenTTL = (*meta_v1.Duration)(unsafe.Pointer(in.TokenTTL)) diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.conversion.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.conversion.go index 3a1f2c9a2cb..0f3cb7c24d3 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.conversion.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.conversion.go @@ -233,7 +233,6 @@ func autoConvert_v1alpha2_MasterConfiguration_To_kubeadm_MasterConfiguration(in } out.KubernetesVersion = in.KubernetesVersion out.NodeName = in.NodeName - out.AuthorizationModes = *(*[]string)(unsafe.Pointer(&in.AuthorizationModes)) out.NoTaintMaster = in.NoTaintMaster out.Token = in.Token out.TokenTTL = (*meta_v1.Duration)(unsafe.Pointer(in.TokenTTL)) @@ -282,7 +281,6 @@ func autoConvert_kubeadm_MasterConfiguration_To_v1alpha2_MasterConfiguration(in } out.KubernetesVersion = in.KubernetesVersion out.NodeName = in.NodeName - out.AuthorizationModes = *(*[]string)(unsafe.Pointer(&in.AuthorizationModes)) out.NoTaintMaster = in.NoTaintMaster out.Token = in.Token out.TokenTTL = (*meta_v1.Duration)(unsafe.Pointer(in.TokenTTL)) diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.deepcopy.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.deepcopy.go index 40a9517ae99..108bfbd0dc3 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.deepcopy.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.deepcopy.go 
@@ -181,11 +181,6 @@ func (in *MasterConfiguration) DeepCopyInto(out *MasterConfiguration) { in.Etcd.DeepCopyInto(&out.Etcd) in.KubeletConfiguration.DeepCopyInto(&out.KubeletConfiguration) out.Networking = in.Networking - if in.AuthorizationModes != nil { - in, out := &in.AuthorizationModes, &out.AuthorizationModes - *out = make([]string, len(*in)) - copy(*out, *in) - } if in.TokenTTL != nil { in, out := &in.TokenTTL, &out.TokenTTL if *in == nil { diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/BUILD b/cmd/kubeadm/app/apis/kubeadm/validation/BUILD index 5611e972b00..12cb119844f 100644 --- a/cmd/kubeadm/app/apis/kubeadm/validation/BUILD +++ b/cmd/kubeadm/app/apis/kubeadm/validation/BUILD @@ -12,7 +12,6 @@ go_library( "//cmd/kubeadm/app/util:go_default_library", "//cmd/kubeadm/app/util/token:go_default_library", "//pkg/apis/core/validation:go_default_library", - "//pkg/kubeapiserver/authorizer/modes:go_default_library", "//pkg/kubelet/apis/kubeletconfig:go_default_library", "//pkg/kubelet/apis/kubeletconfig/scheme:go_default_library", "//pkg/kubelet/apis/kubeletconfig/validation:go_default_library", diff --git a/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go b/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go index 6e63771e975..0e080e0323d 100644 --- a/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go +++ b/cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go @@ -181,11 +181,6 @@ func (in *MasterConfiguration) DeepCopyInto(out *MasterConfiguration) { in.Etcd.DeepCopyInto(&out.Etcd) in.KubeletConfiguration.DeepCopyInto(&out.KubeletConfiguration) out.Networking = in.Networking - if in.AuthorizationModes != nil { - in, out := &in.AuthorizationModes, &out.AuthorizationModes - *out = make([]string, len(*in)) - copy(*out, *in) - } if in.TokenTTL != nil { in, out := &in.TokenTTL, &out.TokenTTL if *in == nil { diff --git a/cmd/kubeadm/app/preflight/BUILD b/cmd/kubeadm/app/preflight/BUILD index 35717029fd7..d4ddb62f37d 100644 
--- a/cmd/kubeadm/app/preflight/BUILD +++ b/cmd/kubeadm/app/preflight/BUILD @@ -53,7 +53,6 @@ go_library( "//cmd/kubeadm/app/apis/kubeadm/v1alpha1:go_default_library", "//cmd/kubeadm/app/constants:go_default_library", "//pkg/apis/core/validation:go_default_library", - "//pkg/kubeapiserver/authorizer/modes:go_default_library", "//pkg/registry/core/service/ipallocator:go_default_library", "//pkg/util/initsystem:go_default_library", "//pkg/util/procfs:go_default_library",