kubeadm: remove dependency on pkg/kubeapiserver/authorizer/modes

moved constants from pkg/kubeapiserver/authorizer/modes to kubeadm/app/constants module.
2025-07-23 19:56:01 +00:00 · 2019-07-18 16:32:24 +03:00 · 2019-07-18 16:32:24 +03:00 · d60fdcc6ff
commit d60fdcc6ff
parent 15ade86935
4 changed files with 19 additions and 9 deletions
--- a/cmd/kubeadm/.import-restrictions
+++ b/cmd/kubeadm/.import-restrictions
@ -63,7 +63,6 @@
 				"k8s.io/kubernetes/pkg/controller",
 				"k8s.io/kubernetes/pkg/features",
 				"k8s.io/kubernetes/pkg/fieldpath",
-				"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes",
 				"k8s.io/kubernetes/pkg/kubelet/apis",
 				"k8s.io/kubernetes/pkg/kubelet/qos",
 				"k8s.io/kubernetes/pkg/kubelet/types",
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@ -366,6 +366,19 @@ const (
 	// May be overridden by a flag at startup.
 	// Deprecated: use the secure KubeControllerManagerPort instead.
 	InsecureKubeControllerManagerPort = 10252
+
+	// Mode* constants were copied from pkg/kubeapiserver/authorizer/modes
+	// to avoid kubeadm dependency on the internal module
+	// TODO: share Mode* constants in component config
+
+	// ModeABAC is the mode to use Attribute Based Access Control to authorize
+	ModeABAC string = "ABAC"
+	// ModeWebhook is the mode to make an external webhook call to authorize
+	ModeWebhook string = "Webhook"
+	// ModeRBAC is the mode to use Role Based Access Control to authorize
+	ModeRBAC string = "RBAC"
+	// ModeNode is an authorization mode that authorizes API requests made by kubelets.
+	ModeNode string = "Node"
 )

 var (
--- a/cmd/kubeadm/app/phases/controlplane/BUILD
+++ b/cmd/kubeadm/app/phases/controlplane/BUILD
@ -38,7 +38,6 @@ go_library(
        "//cmd/kubeadm/app/phases/certs:go_default_library",
        "//cmd/kubeadm/app/util:go_default_library",
        "//cmd/kubeadm/app/util/staticpod:go_default_library",
-        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
        "//staging/src/k8s.io/api/core/v1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
--- a/cmd/kubeadm/app/phases/controlplane/manifests.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests.go
@ -34,7 +34,6 @@ import (
 	certphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	staticpodutil "k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod"
-	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	utilsnet "k8s.io/utils/net"
 )

@ -198,14 +197,14 @@ func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint
 // AlwaysAllow and AlwaysDeny is ignored as they are only for testing
 func getAuthzModes(authzModeExtraArgs string) string {
 	modes := []string{
-		authzmodes.ModeNode,
-		authzmodes.ModeRBAC,
+		kubeadmconstants.ModeNode,
+		kubeadmconstants.ModeRBAC,
 	}
-	if strings.Contains(authzModeExtraArgs, authzmodes.ModeABAC) {
-		modes = append(modes, authzmodes.ModeABAC)
+	if strings.Contains(authzModeExtraArgs, kubeadmconstants.ModeABAC) {
+		modes = append(modes, kubeadmconstants.ModeABAC)
 	}
-	if strings.Contains(authzModeExtraArgs, authzmodes.ModeWebhook) {
-		modes = append(modes, authzmodes.ModeWebhook)
+	if strings.Contains(authzModeExtraArgs, kubeadmconstants.ModeWebhook) {
+		modes = append(modes, kubeadmconstants.ModeWebhook)
 	}
 	return strings.Join(modes, ",")
 }