From 76f22a02004c112f67208d40908cefecf155beeb Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Tue, 19 Dec 2017 15:49:43 -0800
Subject: [PATCH] gce: reorder authorizers to the order Node,Webhook,RBAC,ABAC
---
 cluster/gce/gci/configure-helper.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 0bf30051c9e..7ee791fc016 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1663,7 +1663,7 @@ function start-kube-apiserver {
 if [[ -n "${PROJECT_ID:-}" && -n "${TOKEN_URL:-}" && -n "${TOKEN_BODY:-}" && -n "${NODE_NETWORK:-}" ]]; then
 local -r vm_external_ip=$(curl --retry 5 --retry-delay 3 ${CURL_RETRY_CONNREFUSED} --fail --silent -H 'Metadata-Flavor: Google' "http://metadata/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip")
 if [[ -n "${PROXY_SSH_USER:-}" ]]; then
- params+=" --advertise-address=${vm_external_ip}"
+ params+=" --advertise-address=${vm_external_ip}"
 params+=" --ssh-user=${PROXY_SSH_USER}"
 params+=" --ssh-keyfile=/etc/srv/sshproxy/.sshkeyfile"
 else
@@ -1682,7 +1682,7 @@ function start-kube-apiserver {
 fi
- local authorization_mode="Node,RBAC"
+ local authorization_mode="RBAC"
 local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
 # Enable ABAC mode unless the user explicitly opts out with ENABLE_LEGACY_ABAC=false
@@ -1707,11 +1707,12 @@ function start-kube-apiserver {
 local webhook_config_mount=""
 local webhook_config_volume=""
 if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
- authorization_mode+=",Webhook"
+ authorization_mode="Webhook,${authorization_mode}"
 params+=" --authorization-webhook-config-file=/etc/gcp_authz.config"
 webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
 webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\", \"type\": \"FileOrCreate\"}},"
 fi
+ authorization_mode="Node,${authorization_mode}"
 params+=" --authorization-mode=${authorization_mode}"
 local container_env=""
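Review bot: The final authorizer order is now assembled by three separate assignments (the `"RBAC"` literal in the earlier hunk, the ABAC append that sits outside this hunk, and the two prepends here), so nothing in the code states what the end result is meant to be; the added `authorization_mode="Node,${authorization_mode}"` line deserves a comment such as `# Authorizers are consulted in order and the first allow/deny decision wins; Node goes first so kubelet requests are settled before the webhook or RBAC see them. Final order: Node,Webhook,RBAC,ABAC.` Because Webhook now precedes RBAC, every request the Node authorizer does not decide is sent to the GCP authz webhook before the in-cluster RBAC rules are consulted, so it is worth confirming that a webhook error or timeout falls through to RBAC rather than becoming a deny, and that the extra round trip on control-plane traffic is acceptable. The earlier `local authorization_mode="RBAC"` reads as if Node had been dropped, so the comment should also say that Node is deliberately re-added at this point. `start-kube-apiserver` begins and ends outside this hunk.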