mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-04 09:49:50 +00:00
[kubeadam] do not set authorization-mode in api server when authorization-config is provided
This commit is contained in:
Lior Lieberman
parent
7c11cc9cfc
commit
db115ca929
@ -229,7 +229,10 @@ func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint
|
||||
cfg.APIServer.ExtraArgs = []kubeadmapi.Arg{}
|
||||
}
|
||||
authzVal, _ := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-mode", -1)
|
||||
defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1)
|
||||
_, hasStructuredAuthzVal := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-config", -1)
|
||||
if hasStructuredAuthzVal == -1 {
|
||||
defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1)
|
||||
}
|
||||
command = append(command, kubeadmutil.ArgumentsToCommand(defaultArguments, cfg.APIServer.ExtraArgs)...)
|
||||
|
||||
return command
|
||||
|
||||
@ -514,6 +514,103 @@ func TestGetAPIServerCommand(t *testing.T) {
|
||||
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "authorization-config extra-args",
|
||||
cfg: &kubeadmapi.ClusterConfiguration{
|
||||
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
|
||||
CertificatesDir: testCertsDir,
|
||||
APIServer: kubeadmapi.APIServer{
|
||||
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
|
||||
ExtraArgs: []kubeadmapi.Arg{
|
||||
{Name: "authorization-config", Value: "/path/to/authorization/config/file"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
|
||||
expected: []string{
|
||||
"kube-apiserver",
|
||||
"--enable-admission-plugins=NodeRestriction",
|
||||
"--service-cluster-ip-range=bar",
|
||||
"--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
|
||||
"--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
|
||||
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
|
||||
"--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
|
||||
"--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
|
||||
"--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
|
||||
"--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
|
||||
"--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
|
||||
"--enable-bootstrap-token-auth=true",
|
||||
"--secure-port=123",
|
||||
"--allow-privileged=true",
|
||||
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
|
||||
"--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
|
||||
"--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
|
||||
"--requestheader-username-headers=X-Remote-User",
|
||||
"--requestheader-group-headers=X-Remote-Group",
|
||||
"--requestheader-extra-headers-prefix=X-Remote-Extra-",
|
||||
"--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
|
||||
"--requestheader-allowed-names=front-proxy-client",
|
||||
"--authorization-config=/path/to/authorization/config/file",
|
||||
"--advertise-address=1.2.3.4",
|
||||
fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
|
||||
"--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
|
||||
"--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
|
||||
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
|
||||
},
|
||||
},
|
||||
{
|
||||
// Note that we do not block it at this level but api server would fail to start.
|
||||
name: "authorization-config and authorization-mode extra-args",
|
||||
cfg: &kubeadmapi.ClusterConfiguration{
|
||||
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
|
||||
CertificatesDir: testCertsDir,
|
||||
APIServer: kubeadmapi.APIServer{
|
||||
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
|
||||
ExtraArgs: []kubeadmapi.Arg{
|
||||
{Name: "authorization-config", Value: "/path/to/authorization/config/file"},
|
||||
{Name: "authorization-mode", Value: strings.Join([]string{
|
||||
kubeadmconstants.ModeNode,
|
||||
kubeadmconstants.ModeRBAC,
|
||||
kubeadmconstants.ModeWebhook,
|
||||
}, ",")},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
|
||||
expected: []string{
|
||||
"kube-apiserver",
|
||||
"--enable-admission-plugins=NodeRestriction",
|
||||
"--service-cluster-ip-range=bar",
|
||||
"--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
|
||||
"--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
|
||||
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
|
||||
"--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
|
||||
"--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
|
||||
"--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
|
||||
"--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
|
||||
"--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
|
||||
"--enable-bootstrap-token-auth=true",
|
||||
"--secure-port=123",
|
||||
"--allow-privileged=true",
|
||||
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
|
||||
"--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
|
||||
"--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
|
||||
"--requestheader-username-headers=X-Remote-User",
|
||||
"--requestheader-group-headers=X-Remote-Group",
|
||||
"--requestheader-extra-headers-prefix=X-Remote-Extra-",
|
||||
"--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
|
||||
"--requestheader-allowed-names=front-proxy-client",
|
||||
"--authorization-config=/path/to/authorization/config/file",
|
||||
"--authorization-mode=Node,RBAC,Webhook",
|
||||
"--advertise-address=1.2.3.4",
|
||||
fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
|
||||
"--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
|
||||
"--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
|
||||
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, rt := range tests {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user