From 3adac0daceaedb56d07349306b8ece81c1d11c9e Mon Sep 17 00:00:00 2001
From: Quintin Lee
Date: Thu, 23 Feb 2017 12:17:34 -0800
Subject: [PATCH] Adding legacy ABAC for 1.6
---
 cluster/gce/gci/configure-helper.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 7dab90a221f..d4dc5ccbf5d 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1051,6 +1051,21 @@ function start-kube-apiserver {
 local authorization_mode="RBAC"
+
+ # Create the ABAC file only if it's explicitly requested.
+ if [[ -n "${ENABLE_LEGACY_ABAC_16_ONLY:-}" ]]; then
+ if [[ -n "${KUBE_USER:-}" || ! -e /etc/srv/kubernetes/abac-authz-policy.jsonl ]]; then
+ local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
+ remove-salt-config-comments "${abac_policy_json}"
+ if [[ -n "${KUBE_USER:-}" ]]; then
+ sed -i -e "s/{{kube_user}}/${KUBE_USER}/g" "${abac_policy_json}"
+ else
+ sed -i -e "/{{kube_user}}/d" "${abac_policy_json}"
+ fi
+ cp "${abac_policy_json}" /etc/srv/kubernetes/
+ fi
+ fi
+
 # Load existing ABAC policy files written by versions < 1.6 of this script
 # TODO: only default to this legacy path when in upgrade mode
 ABAC_AUTHZ_FILE="${ABAC_AUTHZ_FILE:-/etc/srv/kubernetes/abac-authz-policy.jsonl}"
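Review bot: `${KUBE_USER}` is spliced unescaped into the sed replacement in `sed -i -e "s/{{kube_user}}/${KUBE_USER}/g"`, so a value containing `/`, `&`, `\` or `"` can break the expression or change the JSON of the authorization policy that is then copied to /etc/srv/kubernetes/. Validate the value before substituting, for example `[[ "${KUBE_USER}" =~ ^[A-Za-z0-9._@-]+$ ]] || { echo "invalid KUBE_USER" >&2; exit 1; }`, with the character set adjusted to whatever user-name format the cluster accepts. Separately, the outer guard tests only `-n "${ENABLE_LEGACY_ABAC_16_ONLY:-}"`, so `ENABLE_LEGACY_ABAC_16_ONLY=false` still writes the policy file; comparing against `"true"` would match the "explicitly requested" comment. The body of start-kube-apiserver starts and ends outside this hunk, so how the function reports failure is not visible here.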