github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-06 02:34:03 +00:00
Code Issues Projects Releases Wiki Activity

[kubeadam] do not set authorization-mode in api server when authorization-config is provided

Browse Source
This commit is contained in:
Lior Lieberman 2024-03-03 14:35:28 +00:00
parent 7c11cc9cfc
commit db115ca929
No known key found for this signature in database
2 changed files with 101 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/kubeadm/app/phases/controlplane/manifests.go
View File

@ -229,7 +229,10 @@ func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint
cfg.APIServer.ExtraArgs = []kubeadmapi.Arg{} cfg.APIServer.ExtraArgs = []kubeadmapi.Arg{}
} }
authzVal, _ := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-mode", -1) authzVal, _ := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-mode", -1)
_, hasStructuredAuthzVal := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-config", -1)
if hasStructuredAuthzVal == -1 {
defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1) defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1)
}
command = append(command, kubeadmutil.ArgumentsToCommand(defaultArguments, cfg.APIServer.ExtraArgs)...) command = append(command, kubeadmutil.ArgumentsToCommand(defaultArguments, cfg.APIServer.ExtraArgs)...)
return command return command

97
cmd/kubeadm/app/phases/controlplane/manifests_test.go
View File

@ -514,6 +514,103 @@ func TestGetAPIServerCommand(t *testing.T) {
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"), "--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
}, },
}, },
{
name: "authorization-config extra-args",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
CertificatesDir: testCertsDir,
APIServer: kubeadmapi.APIServer{
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
ExtraArgs: []kubeadmapi.Arg{
{Name: "authorization-config", Value: "/path/to/authorization/config/file"},
},
},
},
},
endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
expected: []string{
"kube-apiserver",
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
"--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
"--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
"--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
"--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
"--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
"--enable-bootstrap-token-auth=true",
"--secure-port=123",
"--allow-privileged=true",
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
"--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
"--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
"--requestheader-username-headers=X-Remote-User",
"--requestheader-group-headers=X-Remote-Group",
"--requestheader-extra-headers-prefix=X-Remote-Extra-",
"--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
"--requestheader-allowed-names=front-proxy-client",
"--authorization-config=/path/to/authorization/config/file",
"--advertise-address=1.2.3.4",
fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
"--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
"--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
},
},
{
// Note that we do not block it at this level but api server would fail to start.
name: "authorization-config and authorization-mode extra-args",
cfg: &kubeadmapi.ClusterConfiguration{
Networking: kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
CertificatesDir: testCertsDir,
APIServer: kubeadmapi.APIServer{
ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
ExtraArgs: []kubeadmapi.Arg{
{Name: "authorization-config", Value: "/path/to/authorization/config/file"},
{Name: "authorization-mode", Value: strings.Join([]string{
kubeadmconstants.ModeNode,
kubeadmconstants.ModeRBAC,
kubeadmconstants.ModeWebhook,
}, ",")},
},
},
},
},
endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
expected: []string{
"kube-apiserver",
"--enable-admission-plugins=NodeRestriction",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
"--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
"--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
"--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
"--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
"--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
"--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
"--enable-bootstrap-token-auth=true",
"--secure-port=123",
"--allow-privileged=true",
"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
"--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
"--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
"--requestheader-username-headers=X-Remote-User",
"--requestheader-group-headers=X-Remote-Group",
"--requestheader-extra-headers-prefix=X-Remote-Extra-",
"--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
"--requestheader-allowed-names=front-proxy-client",
"--authorization-config=/path/to/authorization/config/file",
"--authorization-mode=Node,RBAC,Webhook",
"--advertise-address=1.2.3.4",
fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
"--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
"--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
},
},
} }
for _, rt := range tests { for _, rt := range tests {