Merge pull request #42197 from jcbsmpsn/legacy-abac-16

Automatic merge from submit-queue (batch tested with PRs 41931, 39821, 41841, 42197, 42195)

Adding legacy ABAC for 1.6

This is a fork of a previous [pull request](https://github.com/kubernetes/kubernetes/pull/42014) to include feedback as the original author is unavailable.

Adds a mechanism to optionally enable legacy abac for 1.6 to provide a migration path for existing users.

cluster/gce/gci/configure-helper.sh

@@ -1074,6 +1074,21 @@ function start-kube-apiserver {
 
 
   local authorization_mode="RBAC"
+
+  # Create the ABAC file only if it's explicitly requested.
+  if [[ -n "${ENABLE_LEGACY_ABAC_16_ONLY:-}" ]]; then
+    if [[ -n "${KUBE_USER:-}" || ! -e /etc/srv/kubernetes/abac-authz-policy.jsonl ]]; then
+      local -r abac_policy_json="${src_dir}/abac-authz-policy.jsonl"
+      remove-salt-config-comments "${abac_policy_json}"
+      if [[ -n "${KUBE_USER:-}" ]]; then
+        sed -i -e "s/{{kube_user}}/${KUBE_USER}/g" "${abac_policy_json}"
+      else
+        sed -i -e "/{{kube_user}}/d" "${abac_policy_json}"
+      fi
+      cp "${abac_policy_json}" /etc/srv/kubernetes/
+    fi
+  fi
+
   # Load existing ABAC policy files written by versions < 1.6 of this script
   # TODO: only default to this legacy path when in upgrade mode
   ABAC_AUTHZ_FILE="${ABAC_AUTHZ_FILE:-/etc/srv/kubernetes/abac-authz-policy.jsonl}"