From db115ca929e5248afdc21368cde40f67dd590dd0 Mon Sep 17 00:00:00 2001
From: Lior Lieberman
Date: Sun, 3 Mar 2024 14:35:28 +0000
Subject: [PATCH] [kubeadam] do not set authorization-mode in api server when authorization-config is provided
---
 .../app/phases/controlplane/manifests.go | 5 +-
 .../app/phases/controlplane/manifests_test.go | 97 +++++++++++++++++++
 2 files changed, 101 insertions(+), 1 deletion(-)
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go
index ae8d2199de5..11b93e083db 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests.go
@@ -229,7 +229,10 @@ func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint
 cfg.APIServer.ExtraArgs = []kubeadmapi.Arg{}
 }
 authzVal, _ := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-mode", -1)
- defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1)
+ _, hasStructuredAuthzVal := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-config", -1)
+ if hasStructuredAuthzVal == -1 {
+ defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1)
+ }
 command = append(command, kubeadmutil.ArgumentsToCommand(defaultArguments, cfg.APIServer.ExtraArgs)...)
 return command
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests_test.go b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
index 6bf1e5057fa..b1516f179d0 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests_test.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
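Review bot: `hasStructuredAuthzVal` on the new `_, hasStructuredAuthzVal := ...` line appears to hold the index that `GetArgValue` returns (-1 when the arg is absent), so a name that reads as a boolean is misleading next to `== -1`; `_, structuredAuthzIdx := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-config", -1)` and `if structuredAuthzIdx == -1 {` say what is actually compared. The `authzVal` lookup on the context line above is consumed only inside the new branch, so it could move into it. The branch also deserves a why-comment, because it changes a security default: once the user supplies a structured config, kubeadm stops injecting the default modes and the config file alone defines the authorizer chain, e.g. `// kube-apiserver rejects --authorization-mode alongside --authorization-config, so when a structured config is supplied the authorizers come from that file and the default modes are not injected.` The accompanying test comment indicates the two-flag case is left for kube-apiserver to refuse at start-up; a kubeadm-side validation warning presumably belongs elsewhere and is not visible in this patch. getAPIServerCommand starts before the hunk.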
@@ -514,6 +514,103 @@ func TestGetAPIServerCommand(t *testing.T) {
 "--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
 },
 },
+ {
+ name: "authorization-config extra-args",
+ cfg: &kubeadmapi.ClusterConfiguration{
+ Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
+ CertificatesDir: testCertsDir,
+ APIServer: kubeadmapi.APIServer{
+ ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
+ ExtraArgs: []kubeadmapi.Arg{
+ {Name: "authorization-config", Value: "/path/to/authorization/config/file"},
+ },
+ },
+ },
+ },
+ endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
+ expected: []string{
+ "kube-apiserver",
+ "--enable-admission-plugins=NodeRestriction",
+ "--service-cluster-ip-range=bar",
+ "--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
+ "--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
+ "--service-account-issuer=https://kubernetes.default.svc.cluster.local",
+ "--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
+ "--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
+ "--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
+ "--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
+ "--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
+ "--enable-bootstrap-token-auth=true",
+ "--secure-port=123",
+ "--allow-privileged=true",
+ "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
+ "--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
+ "--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
+ "--requestheader-username-headers=X-Remote-User",
+ "--requestheader-group-headers=X-Remote-Group",
+ "--requestheader-extra-headers-prefix=X-Remote-Extra-",
+ "--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
+ "--requestheader-allowed-names=front-proxy-client",
+ "--authorization-config=/path/to/authorization/config/file",
+ "--advertise-address=1.2.3.4",
+ fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
+ "--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
+ "--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
+ "--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
+ },
+ },
+ {
+ // Note that we do not block it at this level but api server would fail to start.
+ name: "authorization-config and authorization-mode extra-args",
+ cfg: &kubeadmapi.ClusterConfiguration{
+ Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
+ CertificatesDir: testCertsDir,
+ APIServer: kubeadmapi.APIServer{
+ ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
+ ExtraArgs: []kubeadmapi.Arg{
+ {Name: "authorization-config", Value: "/path/to/authorization/config/file"},
+ {Name: "authorization-mode", Value: strings.Join([]string{
+ kubeadmconstants.ModeNode,
+ kubeadmconstants.ModeRBAC,
+ kubeadmconstants.ModeWebhook,
+ }, ",")},
+ },
+ },
+ },
+ },
+ endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
+ expected: []string{
+ "kube-apiserver",
+ "--enable-admission-plugins=NodeRestriction",
+ "--service-cluster-ip-range=bar",
+ "--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
+ "--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
+ "--service-account-issuer=https://kubernetes.default.svc.cluster.local",
+ "--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
+ "--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
+ "--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
+ "--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
+ "--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
+ "--enable-bootstrap-token-auth=true",
+ "--secure-port=123",
+ "--allow-privileged=true",
+ "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
+ "--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
+ "--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
+ "--requestheader-username-headers=X-Remote-User",
+ "--requestheader-group-headers=X-Remote-Group",
+ "--requestheader-extra-headers-prefix=X-Remote-Extra-",
+ "--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
+ "--requestheader-allowed-names=front-proxy-client",
+ "--authorization-config=/path/to/authorization/config/file",
+ "--authorization-mode=Node,RBAC,Webhook",
+ "--advertise-address=1.2.3.4",
+ fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
+ "--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
+ "--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
+ "--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
+ },
+ },
 }
 for _, rt := range tests {
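Review bot: The comment on the second case, `// Note that we do not block it at this level but api server would fail to start.`, leaves unclear what "it" refers to and which component does the refusing; `// kubeadm does not reject this combination here; kube-apiserver itself refuses to start when both --authorization-config and --authorization-mode are set.` names both. The first case demonstrates that `--authorization-mode` is no longer injected only if the loop below compares `expected` as an exact slice rather than a subset; that loop body is outside the hunk, so I could not confirm it here. TestGetAPIServerCommand starts before the hunk and continues after it.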