diff --git a/docs/clusterdefinition.md b/docs/clusterdefinition.md
index d2469a73ba..0e838bd6cb 100644
--- a/docs/clusterdefinition.md
+++ b/docs/clusterdefinition.md
@@ -276,11 +276,17 @@ Below is a list of cloud-controller-manager options that are *not* currently use
 
 See [here](https://kubernetes.io/docs/reference/generated/kube-apiserver/) for a reference of supported apiserver options.
 
+Below is a list of apiserver options that acs-engine will configure by default:
+
+|apiserver option|default value|
+|"--admission-control"|"NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota, DenyEscalatingExec, AlwaysPullImages, SecurityContextDeny"|
+|"--authorization-mode"|"Node", "RBAC" (*the latter if enabledRbac is true*)|
+
+
 Below is a list of apiserver options that are *not* currently user-configurable, either because a higher order configuration vector is available that enforces kubelet configuration, or because a static configuration is required to build a functional cluster:
 
 |apiserver option|default value|
 |---|---|
-|"--admission-control"|"NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, ResourceQuota, DenyEscalatingExec, AlwaysPullImages, SecurityContextDeny"|
 |"--address"|"0.0.0.0"|
 |"--advertise-address"|*calculated value that represents listening URI for API server*|
 |"--allow-privileged"|"true"|
@@ -308,7 +314,6 @@ Below is a list of apiserver options that are *not* currently user-configurable,
 |"--service-cluster-ip-range"|*see serviceCIDR*|
 |"--storage-backend"|*calculated value that represents etcd version*|
 |"--v"|"4"|
-|"--authorization-mode"|"Node", and "RBAC" (*if enabledRbac is true*)|
 |"--experimental-encryption-provider-config"|"/etc/kubernetes/encryption-config.yaml" (*if enableDataEncryptionAtRest is true*)|
 |"--requestheader-client-ca-file"|"/etc/kubernetes/certs/proxy-ca.crt" (*if enableAggregatedAPIs is true*)|
 |"--proxy-client-cert-file"|"/etc/kubernetes/certs/proxy.crt" (*if enableAggregatedAPIs is true*)|
diff --git a/pkg/acsengine/defaults-apiserver.go b/pkg/acsengine/defaults-apiserver.go
index 24c2347c20..39a75088a8 100644
--- a/pkg/acsengine/defaults-apiserver.go
+++ b/pkg/acsengine/defaults-apiserver.go
@@ -10,7 +10,6 @@ import (
 func setAPIServerConfig(cs *api.ContainerService) {
 	o := cs.Properties.OrchestratorProfile
 	staticLinuxAPIServerConfig := map[string]string{
-		"--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec,AlwaysPullImages,SecurityContextDeny",
 		"--address": "0.0.0.0",
 		"--advertise-address": "",
 		"--allow-privileged": "true",
@@ -19,7 +18,6 @@ func setAPIServerConfig(cs *api.ContainerService) {
 		"--audit-log-maxbackup": "10",
 		"--audit-log-maxsize": "100",
 		"--audit-log-path": "/var/log/apiserver/audit.log",
-		"--authorization-mode": "Node",
 		"--insecure-port": "8080",
 		"--secure-port": "443",
 		"--service-account-lookup": "true",
@@ -41,11 +39,6 @@ func setAPIServerConfig(cs *api.ContainerService) {
 		"--v": "4",
 	}
 
-	// RBAC configuration
-	if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
-		staticLinuxAPIServerConfig["--authorization-mode"] = "Node,RBAC"
-	}
-
 	// Data Encryption at REST configuration
 	if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableDataEncryptionAtRest) {
 		staticLinuxAPIServerConfig["--experimental-encryption-provider-config"] = "/etc/kubernetes/encryption-config.yaml"
@@ -87,7 +80,15 @@ func setAPIServerConfig(cs *api.ContainerService) {
 	// TODO placeholder for specific config overrides for Windows clusters
 
 	// Default apiserver config
-	defaultAPIServerConfig := map[string]string{}
+	defaultAPIServerConfig := map[string]string{
+		"--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec,AlwaysPullImages,SecurityContextDeny",
+		"--authorization-mode": "Node",
+	}
+
+	// RBAC configuration
+	if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
+		defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
+	}
 
 	// If no user-configurable apiserver config values exists, use the defaults
 	if o.KubernetesConfig.APIServerConfig == nil {
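Review bot: Moving `--admission-control` and `--authorization-mode` out of staticLinuxAPIServerConfig into defaultAPIServerConfig makes both user-overridable through KubernetesConfig.APIServerConfig, and nothing in the hunk bounds what the override may contain; a supplied `--authorization-mode` that drops `Node`/`RBAC`, or an `--admission-control` list that omits `ServiceAccount` or `NamespaceLifecycle`, would presumably reach the apiserver as-is (the merge with the user map happens after the hunk, so this is inferred). The `EnableRbac` branch now only seeds the default, so a user-provided `--authorization-mode` would win over the RBAC setting even when `EnableRbac` is true; whether that is intended is worth stating, and an explicit check that the two are not contradictory would be cheap. A comment above the map would make the new contract visible to the next maintainer, e.g. `// Security-relevant defaults: values in KubernetesConfig.APIServerConfig override these, so callers must validate them.` setAPIServerConfig begins before this hunk and continues past it.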