kubeadm: remove dependency on pkg/kubeapiserver/authorizer/modes

moved constants from pkg/kubeapiserver/authorizer/modes
to kubeadm/app/constants module.

cmd/kubeadm/.import-restrictions

@@ -63,7 +63,6 @@
 				"k8s.io/kubernetes/pkg/controller",
 				"k8s.io/kubernetes/pkg/features",
 				"k8s.io/kubernetes/pkg/fieldpath",
-				"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes",
 				"k8s.io/kubernetes/pkg/kubelet/apis",
 				"k8s.io/kubernetes/pkg/kubelet/qos",
 				"k8s.io/kubernetes/pkg/kubelet/types",

cmd/kubeadm/app/constants/constants.go

@@ -366,6 +366,19 @@ const (
 	// May be overridden by a flag at startup.
 	// Deprecated: use the secure KubeControllerManagerPort instead.
 	InsecureKubeControllerManagerPort = 10252
+
+	// Mode* constants were copied from pkg/kubeapiserver/authorizer/modes
+	// to avoid kubeadm dependency on the internal module
+	// TODO: share Mode* constants in component config
+
+	// ModeABAC is the mode to use Attribute Based Access Control to authorize
+	ModeABAC string = "ABAC"
+	// ModeWebhook is the mode to make an external webhook call to authorize
+	ModeWebhook string = "Webhook"
+	// ModeRBAC is the mode to use Role Based Access Control to authorize
+	ModeRBAC string = "RBAC"
+	// ModeNode is an authorization mode that authorizes API requests made by kubelets.
+	ModeNode string = "Node"
 )
 
 var (

cmd/kubeadm/app/phases/controlplane/BUILD

@@ -38,7 +38,6 @@ go_library(
         "//cmd/kubeadm/app/phases/certs:go_default_library",
         "//cmd/kubeadm/app/util:go_default_library",
         "//cmd/kubeadm/app/util/staticpod:go_default_library",
-        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
         "//staging/src/k8s.io/api/core/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",

cmd/kubeadm/app/phases/controlplane/manifests.go

@@ -34,7 +34,6 @@ import (
 	certphase "k8s.io/kubernetes/cmd/kubeadm/app/phases/certs"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	staticpodutil "k8s.io/kubernetes/cmd/kubeadm/app/util/staticpod"
-	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	utilsnet "k8s.io/utils/net"
 )
 
@@ -198,14 +197,14 @@ func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint
 // AlwaysAllow and AlwaysDeny is ignored as they are only for testing
 func getAuthzModes(authzModeExtraArgs string) string {
 	modes := []string{
-		authzmodes.ModeNode,
+		kubeadmconstants.ModeNode,
-		authzmodes.ModeRBAC,
+		kubeadmconstants.ModeRBAC,
 	}
-	if strings.Contains(authzModeExtraArgs, authzmodes.ModeABAC) {
+	if strings.Contains(authzModeExtraArgs, kubeadmconstants.ModeABAC) {
-		modes = append(modes, authzmodes.ModeABAC)
+		modes = append(modes, kubeadmconstants.ModeABAC)
 	}
-	if strings.Contains(authzModeExtraArgs, authzmodes.ModeWebhook) {
+	if strings.Contains(authzModeExtraArgs, kubeadmconstants.ModeWebhook) {
-		modes = append(modes, authzmodes.ModeWebhook)
+		modes = append(modes, kubeadmconstants.ModeWebhook)
 	}
 	return strings.Join(modes, ",")
 }