Merge pull request #64068 from luxas/kubeadm_remove_authzmodes

Automatic merge from submit-queue (batch tested with PRs 63151, 63795, 63553, 64068, 64113). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kubeadm: Remove .AuthorizationModes in the v1alpha2 API

**What this PR does / why we need it**:
Now that we have https://github.com/kubernetes/kubernetes/pull/63879, we don't actually need to have `:AuthorizationModes` in our API anymore. This PR removes support for `.AuthorizationModes` in the v1alpha2 API, but keeps an upgrade path available (automatic conversion) from the v1alpha1 version.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Part of kubernetes/community#2131

**Special notes for your reviewer**:
Depends on:
 - [x] https://github.com/kubernetes/kubernetes/pull/63879
 - [x] https://github.com/kubernetes/kubernetes/pull/63917

**Release note**:

```release-note
[action required] kubeadm: Support for `.AuthorizationModes` in the kubeadm v1alpha2 API has been removed. Instead, you can use the `.APIServerExtraArgs` and `.APIServerExtraVolumes` fields to achieve the same effect. Files using the v1alpha1 API and setting this field will be automatically upgraded to this v1alpha2 API and the information will be preserved.
```
@kubernetes/sig-cluster-lifecycle-pr-reviews @liztio

cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go

@@ -39,7 +39,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 			obj.API.AdvertiseAddress = "foo"
 			obj.Networking.ServiceSubnet = "foo"
 			obj.Networking.DNSDomain = "foo"
-			obj.AuthorizationModes = []string{"foo"}
 			obj.CertificatesDir = "foo"
 			obj.APIServerCertSANs = []string{"foo"}
 			obj.Etcd.ServerCertSANs = []string{"foo"}

cmd/kubeadm/app/apis/kubeadm/types.go

@@ -45,10 +45,6 @@ type MasterConfiguration struct {
 	// NodeName is the name of the node that will host the k8s control plane.
 	// Defaults to the hostname if not provided.
 	NodeName string
-	// AuthorizationModes is a set of authorization modes used inside the cluster.
-	// If not specified, defaults to Node and RBAC, meaning both the node
-	// authorizer and RBAC are enabled.
-	AuthorizationModes []string
 	// NoTaintMaster will, if set, suppress the tainting of the
 	// master node allowing workloads to be run on it (e.g. in
 	// single node configurations).

cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go

@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"reflect"
+	"strings"
+
 	"k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
@@ -41,6 +44,7 @@ func Convert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration(in *Mas
 	}
 
 	UpgradeCloudProvider(in, out)
+	UpgradeAuthorizationModes(in, out)
 	// We don't support migrating information from the .PrivilegedPods field which was removed in v1alpha2
 	// We don't support migrating information from the .ImagePullPolicy field which was removed in v1alpha2
 
@@ -70,3 +74,14 @@ func UpgradeCloudProvider(in *MasterConfiguration, out *kubeadm.MasterConfigurat
 		out.ControllerManagerExtraArgs["cloud-provider"] = in.CloudProvider
 	}
 }
+
+func UpgradeAuthorizationModes(in *MasterConfiguration, out *kubeadm.MasterConfiguration) {
+	// If .AuthorizationModes was set to something else than the default, preserve the information via extraargs
+	if !reflect.DeepEqual(in.AuthorizationModes, strings.Split(DefaultAuthorizationModes, ",")) {
+
+		if out.APIServerExtraArgs == nil {
+			out.APIServerExtraArgs = map[string]string{}
+		}
+		out.APIServerExtraArgs["authorization-mode"] = strings.Join(in.AuthorizationModes, ",")
+	}
+}

cmd/kubeadm/app/apis/kubeadm/v1alpha1/zz_generated.conversion.go

@@ -230,7 +230,7 @@ func autoConvert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration(in
 	out.KubernetesVersion = in.KubernetesVersion
 	// WARNING: in.CloudProvider requires manual conversion: does not exist in peer-type
 	out.NodeName = in.NodeName
-	out.AuthorizationModes = *(*[]string)(unsafe.Pointer(&in.AuthorizationModes))
+	// WARNING: in.AuthorizationModes requires manual conversion: does not exist in peer-type
 	out.NoTaintMaster = in.NoTaintMaster
 	// WARNING: in.PrivilegedPods requires manual conversion: does not exist in peer-type
 	out.Token = in.Token
@@ -275,7 +275,6 @@ func autoConvert_kubeadm_MasterConfiguration_To_v1alpha1_MasterConfiguration(in
 	}
 	out.KubernetesVersion = in.KubernetesVersion
 	out.NodeName = in.NodeName
-	out.AuthorizationModes = *(*[]string)(unsafe.Pointer(&in.AuthorizationModes))
 	out.NoTaintMaster = in.NoTaintMaster
 	out.Token = in.Token
 	out.TokenTTL = (*meta_v1.Duration)(unsafe.Pointer(in.TokenTTL))

cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go

@@ -18,7 +18,6 @@ package v1alpha2
 
 import (
 	"net/url"
-	"strings"
 	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -42,8 +41,6 @@ const (
 	DefaultKubernetesVersion = "stable-1.10"
 	// DefaultAPIBindPort defines default API port
 	DefaultAPIBindPort = 6443
-	// DefaultAuthorizationModes defines default authorization modes
-	DefaultAuthorizationModes = "Node,RBAC"
 	// DefaultCertificatesDir defines default certificate directory
 	DefaultCertificatesDir = "/etc/kubernetes/pki"
 	// DefaultImageRepository defines default image registry
@@ -96,10 +93,6 @@ func SetDefaults_MasterConfiguration(obj *MasterConfiguration) {
 		obj.Networking.DNSDomain = DefaultServiceDNSDomain
 	}
 
-	if len(obj.AuthorizationModes) == 0 {
-		obj.AuthorizationModes = strings.Split(DefaultAuthorizationModes, ",")
-	}
-
 	if obj.CertificatesDir == "" {
 		obj.CertificatesDir = DefaultCertificatesDir
 	}

cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go

@@ -45,10 +45,6 @@ type MasterConfiguration struct {
 	// NodeName is the name of the node that will host the k8s control plane.
 	// Defaults to the hostname if not provided.
 	NodeName string `json:"nodeName"`
-	// AuthorizationModes is a set of authorization modes used inside the cluster.
-	// If not specified, defaults to Node and RBAC, meaning both the node
-	// authorizer and RBAC are enabled.
-	AuthorizationModes []string `json:"authorizationModes,omitempty"`
 	// NoTaintMaster will, if set, suppress the tainting of the
 	// master node allowing workloads to be run on it (e.g. in
 	// single node configurations).

cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.conversion.go

@@ -233,7 +233,6 @@ func autoConvert_v1alpha2_MasterConfiguration_To_kubeadm_MasterConfiguration(in
 	}
 	out.KubernetesVersion = in.KubernetesVersion
 	out.NodeName = in.NodeName
-	out.AuthorizationModes = *(*[]string)(unsafe.Pointer(&in.AuthorizationModes))
 	out.NoTaintMaster = in.NoTaintMaster
 	out.Token = in.Token
 	out.TokenTTL = (*meta_v1.Duration)(unsafe.Pointer(in.TokenTTL))
@@ -281,7 +280,6 @@ func autoConvert_kubeadm_MasterConfiguration_To_v1alpha2_MasterConfiguration(in
 	}
 	out.KubernetesVersion = in.KubernetesVersion
 	out.NodeName = in.NodeName
-	out.AuthorizationModes = *(*[]string)(unsafe.Pointer(&in.AuthorizationModes))
 	out.NoTaintMaster = in.NoTaintMaster
 	out.Token = in.Token
 	out.TokenTTL = (*meta_v1.Duration)(unsafe.Pointer(in.TokenTTL))

cmd/kubeadm/app/apis/kubeadm/v1alpha2/zz_generated.deepcopy.go

@@ -181,11 +181,6 @@ func (in *MasterConfiguration) DeepCopyInto(out *MasterConfiguration) {
 	in.Etcd.DeepCopyInto(&out.Etcd)
 	in.KubeletConfiguration.DeepCopyInto(&out.KubeletConfiguration)
 	out.Networking = in.Networking
-	if in.AuthorizationModes != nil {
-		in, out := &in.AuthorizationModes, &out.AuthorizationModes
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
 	if in.TokenTTL != nil {
 		in, out := &in.TokenTTL, &out.TokenTTL
 		if *in == nil {

cmd/kubeadm/app/apis/kubeadm/validation/BUILD

@@ -12,7 +12,6 @@ go_library(
         "//cmd/kubeadm/app/util:go_default_library",
         "//cmd/kubeadm/app/util/token:go_default_library",
         "//pkg/apis/core/validation:go_default_library",
-        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
         "//pkg/kubelet/apis/kubeletconfig:go_default_library",
         "//pkg/kubelet/apis/kubeletconfig/scheme:go_default_library",
         "//pkg/kubelet/apis/kubeletconfig/validation:go_default_library",

cmd/kubeadm/app/apis/kubeadm/validation/validation.go

@@ -37,7 +37,6 @@ import (
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	tokenutil "k8s.io/kubernetes/cmd/kubeadm/app/util/token"
 	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
-	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	"k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
 	kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/scheme"
 	kubeletvalidation "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation"
@@ -49,16 +48,9 @@ import (
 	"k8s.io/kubernetes/pkg/util/node"
 )
 
-// Describes the authorization modes that are enforced by kubeadm
-var requiredAuthzModes = []string{
-	authzmodes.ModeRBAC,
-	authzmodes.ModeNode,
-}
-
 // ValidateMasterConfiguration validates master configuration and collects all encountered errors
 func ValidateMasterConfiguration(c *kubeadm.MasterConfiguration) field.ErrorList {
 	allErrs := field.ErrorList{}
-	allErrs = append(allErrs, ValidateAuthorizationModes(c.AuthorizationModes, field.NewPath("authorizationModes"))...)
 	allErrs = append(allErrs, ValidateNetworking(&c.Networking, field.NewPath("networking"))...)
 	allErrs = append(allErrs, ValidateCertSANs(c.APIServerCertSANs, field.NewPath("apiServerCertSANs"))...)
 	allErrs = append(allErrs, ValidateCertSANs(c.Etcd.ServerCertSANs, field.NewPath("etcd").Child("serverCertSANs"))...)
@@ -102,29 +94,6 @@ func ValidateNodeConfiguration(c *kubeadm.NodeConfiguration) field.ErrorList {
 	return allErrs
 }
 
-// ValidateAuthorizationModes  validates authorization modes and collects all encountered errors
-func ValidateAuthorizationModes(authzModes []string, fldPath *field.Path) field.ErrorList {
-	allErrs := field.ErrorList{}
-	found := map[string]bool{}
-	for _, authzMode := range authzModes {
-		if !authzmodes.IsValidAuthorizationMode(authzMode) {
-			allErrs = append(allErrs, field.Invalid(fldPath, authzMode, "invalid authorization mode"))
-		}
-
-		if found[authzMode] {
-			allErrs = append(allErrs, field.Invalid(fldPath, authzMode, "duplicate authorization mode"))
-			continue
-		}
-		found[authzMode] = true
-	}
-	for _, requiredMode := range requiredAuthzModes {
-		if !found[requiredMode] {
-			allErrs = append(allErrs, field.Required(fldPath, fmt.Sprintf("authorization mode %s must be enabled", requiredMode)))
-		}
-	}
-	return allErrs
-}
-
 // ValidateDiscovery validates discovery related configuration and collects all encountered errors
 func ValidateDiscovery(c *kubeadm.NodeConfiguration) field.ErrorList {
 	allErrs := field.ErrorList{}

cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go

@@ -104,34 +104,6 @@ func TestValidateTokenGroups(t *testing.T) {
 	}
 }
 
-func TestValidateAuthorizationModes(t *testing.T) {
-	var tests = []struct {
-		s        []string
-		f        *field.Path
-		expected bool
-	}{
-		{[]string{""}, nil, false},
-		{[]string{"rBAC"}, nil, false},                               // mode not supported
-		{[]string{"rBAC", "Webhook"}, nil, false},                    // mode not supported
-		{[]string{"RBAC", "Webhook"}, nil, false},                    // mode Node required
-		{[]string{"Node", "RBAC", "Webhook", "Webhook"}, nil, false}, // no duplicates allowed
-		{[]string{"not valid"}, nil, false},                          // invalid mode
-		{[]string{"Node", "RBAC"}, nil, true},                        // supported
-		{[]string{"RBAC", "Node"}, nil, true},                        // supported
-		{[]string{"Node", "RBAC", "Webhook", "ABAC"}, nil, true},     // supported
-	}
-	for _, rt := range tests {
-		actual := ValidateAuthorizationModes(rt.s, rt.f)
-		if (len(actual) == 0) != rt.expected {
-			t.Errorf(
-				"failed ValidateAuthorizationModes:\n\texpected: %t\n\t  actual: %t",
-				rt.expected,
-				(len(actual) == 0),
-			)
-		}
-	}
-}
-
 func TestValidateNodeName(t *testing.T) {
 	var tests = []struct {
 		s        string
@@ -431,7 +403,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 					AdvertiseAddress: "1.2.3.4",
 					BindPort:         6443,
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "10.96.0.1/12",
 					DNSDomain:     "cluster.local",
@@ -445,7 +416,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 					AdvertiseAddress: "1.2.3.4",
 					BindPort:         6443,
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "2001:db8::1/98",
 					DNSDomain:     "cluster.local",
@@ -459,7 +429,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 					AdvertiseAddress: "1.2.3.4",
 					BindPort:         6443,
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "10.96.0.1/12",
 					DNSDomain:     "cluster.local",
@@ -473,7 +442,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 					AdvertiseAddress: "1.2.3.4",
 					BindPort:         6443,
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "10.96.0.1/12",
 					DNSDomain:     "cluster.local",
@@ -515,7 +483,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 						},
 					},
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "10.96.0.1/12",
 					DNSDomain:     "cluster.local",
@@ -557,7 +524,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 						},
 					},
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "2001:db8::1/98",
 					DNSDomain:     "cluster.local",

cmd/kubeadm/app/apis/kubeadm/zz_generated.deepcopy.go

@@ -181,11 +181,6 @@ func (in *MasterConfiguration) DeepCopyInto(out *MasterConfiguration) {
 	in.Etcd.DeepCopyInto(&out.Etcd)
 	in.KubeletConfiguration.DeepCopyInto(&out.KubeletConfiguration)
 	out.Networking = in.Networking
-	if in.AuthorizationModes != nil {
-		in, out := &in.AuthorizationModes, &out.AuthorizationModes
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
 	if in.TokenTTL != nil {
 		in, out := &in.TokenTTL, &out.TokenTTL
 		if *in == nil {

cmd/kubeadm/app/cmd/init.go

@@ -252,7 +252,6 @@ func NewInit(cfgPath string, externalcfg *kubeadmapiv1alpha2.MasterConfiguration
 	}
 
 	glog.Infof("[init] using Kubernetes version: %s\n", cfg.KubernetesVersion)
-	glog.Infof("[init] using Authorization modes: %v\n", cfg.AuthorizationModes)
 
 	glog.Infoln("[preflight] running pre-flight checks")
 

cmd/kubeadm/app/constants/constants.go

@@ -275,11 +275,6 @@ var (
 		Effect: v1.TaintEffectNoSchedule,
 	}
 
-	// AuthorizationPolicyPath defines the supported location of authorization policy file
-	AuthorizationPolicyPath = filepath.Join(KubernetesDir, "abac_policy.json")
-	// AuthorizationWebhookConfigPath defines the supported location of webhook config file
-	AuthorizationWebhookConfigPath = filepath.Join(KubernetesDir, "webhook_authz.conf")
-
 	// DefaultTokenUsages specifies the default functions a token will get
 	DefaultTokenUsages = bootstrapapi.KnownTokenUsages
 

cmd/kubeadm/app/phases/upgrade/staticpods_test.go

@@ -46,14 +46,13 @@ const (
 	waitForPodsWithLabel = "wait-for-pods-with-label"
 
 	testConfiguration = `
+apiVersion: kubeadm.k8s.io/v1alpha2
+kind: MasterConfiguration
 api:
   advertiseAddress: 1.2.3.4
   bindPort: 6443
 apiServerCertSANs: null
 apiServerExtraArgs: null
-authorizationModes:
-- Node
-- RBAC
 certificatesDir: %s
 controllerManagerExtraArgs: null
 etcd:
@@ -508,6 +507,7 @@ func getAPIServerHash(dir string) (string, error) {
 	return fmt.Sprintf("%x", sha256.Sum256(fileBytes)), nil
 }
 
+// TODO: Make this test function use the rest of the "official" API machinery helper funcs we have inside of kubeadm
 func getConfig(version, certsDir, etcdDataDir string) (*kubeadmapi.MasterConfiguration, error) {
 	externalcfg := &kubeadmapiv1alpha2.MasterConfiguration{}
 	internalcfg := &kubeadmapi.MasterConfiguration{}

cmd/kubeadm/app/preflight/BUILD

@@ -53,7 +53,6 @@ go_library(
         "//cmd/kubeadm/app/apis/kubeadm/v1alpha1:go_default_library",
         "//cmd/kubeadm/app/constants:go_default_library",
         "//pkg/apis/core/validation:go_default_library",
-        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
         "//pkg/registry/core/service/ipallocator:go_default_library",
         "//pkg/util/initsystem:go_default_library",
         "//pkg/util/procfs:go_default_library",

cmd/kubeadm/app/preflight/checks.go

@@ -47,7 +47,6 @@ import (
 	kubeadmdefaults "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
-	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	"k8s.io/kubernetes/pkg/registry/core/service/ipallocator"
 	"k8s.io/kubernetes/pkg/util/initsystem"
 	"k8s.io/kubernetes/pkg/util/procfs"
@@ -889,16 +888,6 @@ func RunInitMasterChecks(execer utilsexec.Interface, cfg *kubeadmapi.MasterConfi
 		)
 	}
 
-	// Check the config for authorization mode
-	for _, authzMode := range cfg.AuthorizationModes {
-		switch authzMode {
-		case authzmodes.ModeABAC:
-			checks = append(checks, FileExistingCheck{Path: kubeadmconstants.AuthorizationPolicyPath})
-		case authzmodes.ModeWebhook:
-			checks = append(checks, FileExistingCheck{Path: kubeadmconstants.AuthorizationWebhookConfigPath})
-		}
-	}
-
 	if ip := net.ParseIP(cfg.API.AdvertiseAddress); ip != nil {
 		if ip.To4() == nil && ip.To16() != nil {
 			checks = append(checks,

cmd/kubeadm/app/util/config/masterconfig_test.go

@@ -39,8 +39,7 @@ const (
 	master_v1alpha2YAML                = "testdata/conversion/master/v1alpha2.yaml"
 	master_internalYAML                = "testdata/conversion/master/internal.yaml"
 	master_incompleteYAML              = "testdata/defaulting/master/incomplete.yaml"
-	master_defaultedv1alpha1YAML       = "testdata/defaulting/master/defaulted_v1alpha1.yaml"
+	master_defaultedYAML               = "testdata/defaulting/master/defaulted.yaml"
-	master_defaultedv1alpha2YAML       = "testdata/defaulting/master/defaulted_v1alpha2.yaml"
 	master_invalidYAML                 = "testdata/validation/invalid_mastercfg.yaml"
 	master_beforeUpgradeYAML           = "testdata/v1alpha1_upgrade/before.yaml"
 	master_afterUpgradeYAML            = "testdata/v1alpha1_upgrade/after.yaml"
@@ -79,12 +78,6 @@ func TestConfigFileAndDefaultsToInternalConfig(t *testing.T) {
 			out:          master_internalYAML,
 			groupVersion: kubeadm.SchemeGroupVersion,
 		},
-		{ // v1alpha1 (faulty) -> internal -> v1alpha1
-			name:         "v1alpha1WithoutTypeMetaTov1alpha1",
-			in:           master_v1alpha1WithoutTypeMetaYAML,
-			out:          master_v1alpha1YAML,
-			groupVersion: v1alpha1.SchemeGroupVersion,
-		},
 		{ // v1alpha2 -> internal
 			name:         "v1alpha2ToInternal",
 			in:           master_v1alpha2YAML,
@@ -105,16 +98,10 @@ func TestConfigFileAndDefaultsToInternalConfig(t *testing.T) {
 		},
 		// These tests are reading one file that has only a subset of the fields populated, loading it using ConfigFileAndDefaultsToInternalConfig,
 		// and then marshals the internal object to the expected groupVersion
-		{ // v1alpha1 (faulty) -> default -> validate -> internal -> v1alpha1
-			name:         "incompleteYAMLToDefaultedv1alpha1",
-			in:           master_incompleteYAML,
-			out:          master_defaultedv1alpha1YAML,
-			groupVersion: v1alpha1.SchemeGroupVersion,
-		},
 		{ // v1alpha1 (faulty) -> default -> validate -> internal -> v1alpha2
 			name:         "incompleteYAMLToDefaultedv1alpha2",
 			in:           master_incompleteYAML,
-			out:          master_defaultedv1alpha2YAML,
+			out:          master_defaultedYAML,
 			groupVersion: v1alpha2.SchemeGroupVersion,
 		},
 		{ // v1alpha1 (faulty) -> validation should fail

cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml

@@ -3,15 +3,13 @@ API:
   BindPort: 6443
   ControlPlaneEndpoint: ""
 APIServerCertSANs: null
-APIServerExtraArgs: null
+APIServerExtraArgs:
+  authorization-mode: Node,RBAC,Webhook
 APIServerExtraVolumes: null
 AuditPolicyConfiguration:
   LogDir: /var/log/kubernetes/audit
   LogMaxAge: 2
   Path: ""
-AuthorizationModes:
-- Node
-- RBAC
 CIImageRepository: ""
 CRISocket: /var/run/dockershim.sock
 CertificatesDir: /etc/kubernetes/pki

cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml

@@ -10,6 +10,7 @@ auditPolicy:
 authorizationModes:
 - Node
 - RBAC
+- Webhook
 certificatesDir: /etc/kubernetes/pki
 cloudProvider: ""
 clusterName: kubernetes

cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml

@@ -10,6 +10,7 @@ auditPolicy:
 authorizationModes:
 - Node
 - RBAC
+- Webhook
 certificatesDir: /etc/kubernetes/pki
 cloudProvider: ""
 clusterName: kubernetes

cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml

@@ -2,14 +2,13 @@ api:
   advertiseAddress: 192.168.2.2
   bindPort: 6443
   controlPlaneEndpoint: ""
+apiServerExtraArgs:
+  authorization-mode: Node,RBAC,Webhook
 apiVersion: kubeadm.k8s.io/v1alpha2
 auditPolicy:
   logDir: /var/log/kubernetes/audit
   logMaxAge: 2
   path: ""
-authorizationModes:
-- Node
-- RBAC
 certificatesDir: /etc/kubernetes/pki
 clusterName: kubernetes
 criSocket: /var/run/dockershim.sock

cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml

@@ -7,9 +7,6 @@ auditPolicy:
   logDir: /var/log/kubernetes/audit
   logMaxAge: 2
   path: ""
-authorizationModes:
-- Node
-- RBAC
 certificatesDir: /var/lib/kubernetes/pki
 clusterName: kubernetes
 criSocket: /var/run/criruntime.sock

cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted_v1alpha1.yaml

@@ -1,78 +0,0 @@
-api:
-  advertiseAddress: 192.168.2.2
-  bindPort: 6443
-  controlPlaneEndpoint: ""
-apiVersion: kubeadm.k8s.io/v1alpha1
-auditPolicy:
-  logDir: /var/log/kubernetes/audit
-  logMaxAge: 2
-  path: ""
-authorizationModes:
-- Node
-- RBAC
-certificatesDir: /var/lib/kubernetes/pki
-cloudProvider: ""
-clusterName: kubernetes
-criSocket: /var/run/criruntime.sock
-etcd:
-  caFile: ""
-  certFile: ""
-  dataDir: /var/lib/etcd
-  endpoints: null
-  image: ""
-  keyFile: ""
-imageRepository: my-company.com
-kind: MasterConfiguration
-kubeProxy:
-  config:
-    bindAddress: 0.0.0.0
-    clientConnection:
-      acceptContentTypes: ""
-      burst: 10
-      contentType: application/vnd.kubernetes.protobuf
-      kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
-      qps: 5
-    clusterCIDR: ""
-    configSyncPeriod: 15m0s
-    conntrack:
-      max: null
-      maxPerCore: 32768
-      min: 131072
-      tcpCloseWaitTimeout: 1h0m0s
-      tcpEstablishedTimeout: 24h0m0s
-    enableProfiling: false
-    healthzBindAddress: 0.0.0.0:10256
-    hostnameOverride: ""
-    iptables:
-      masqueradeAll: false
-      masqueradeBit: 14
-      minSyncPeriod: 0s
-      syncPeriod: 30s
-    ipvs:
-      ExcludeCIDRs: null
-      minSyncPeriod: 0s
-      scheduler: ""
-      syncPeriod: 30s
-    metricsBindAddress: 127.0.0.1:10249
-    mode: ""
-    nodePortAddresses: null
-    oomScoreAdj: -999
-    portRange: ""
-    resourceContainer: /kube-proxy
-    udpIdleTimeout: 250ms
-kubeletConfiguration: {}
-kubernetesVersion: v1.10.2
-networking:
-  dnsDomain: cluster.global
-  podSubnet: ""
-  serviceSubnet: 10.196.0.0/12
-nodeName: master-1
-privilegedPods: false
-token: s73ybu.6tw6wnqgp5z0wb77
-tokenGroups:
-- system:bootstrappers:kubeadm:default-node-token
-tokenTTL: 24h0m0s
-tokenUsages:
-- signing
-- authentication
-unifiedControlPlaneImage: ""