Default ABAC to off in GCE (for new clusters).

[cjcullen]

What this PR does / why we need it:
Disables the legacy ABAC authorizer by default on GCE/GKE clusters using kube-up.sh. Existing clusters upgrading to 1.8 will keep their existing configuration.

Release note:

New GCE or GKE clusters created with `cluster/kube-up.sh` will not enable the legacy ABAC authorizer by default. If you would like to enable the legacy ABAC authorizer, export ENABLE_LEGACY_ABAC=true before running `cluster/kube-up.sh`.

[cjcullen]

@kubernetes/sig-auth-pr-reviews

[liggitt]

Does this set it to "" and prevent the defaulting in config-default?

[cjcullen]

Yes, which means the only way to change this on an existing cluster is to modify the existing kube-env in metadata.

I'm not sure of a better way to handle updates. Either, we do this, and changing the existing value is kinda gross, or we go off of the config-default value, and we (possibly surprisingly) update the value on existing clusters. This felt like the less intrusive approach.

[bgrant0607]

Is there a well defined procedure for changing existing cluster parameters generally?

[liggitt]

we definitely should not update the value on existing clusters during upgrade. existing workloads should continue to run as-is on an upgraded cluster.

updating the default for new clusters is what I'd like to see, though the interaction between metadata env and the config-default.sh scripts is not clear to me (I can't tell which runs first, which informs the other, etc).

[cjcullen]

@bgrant0607 since you had concerns about ABAC defaulting when we initially went for it :).

[bgrant0607]

The deprecation policy doesn't really cover this:
https://kubernetes.io/docs/reference/deprecation-policy/

Technically, kube-up is deprecated and not part of Kubernetes proper, but is part of the release bundle.

I'm ok with changing default behavior for new clusters at this point. RBAC has been well publicized and has been enabled by default for one minor release.

[liggitt]

I agree with the intent of the PR, I'll defer to @roberthbailey on whether this change effectively accomplishes the following:

• running kube-up without an expressed preference disables ABAC
• running kube-up with ENABLE_LEGACY_ABAC set honors the setting
• upgrading existing clusters preserve current settings from metadata

[roberthbailey]

I'm confused by the title of this issue -- we recently removed gke support from kube-up and this PR only touches config files used by the gce implementation.

[cjcullen]

/retest

[cjcullen]

/test pull-kubernetes-e2e-gce-etcd3

[roberthbailey]

Are we still hoping to get this in for 1.8?

[liggitt]

comment at #51367 (comment) stands... it LGTM assuming the three scenarios described have been tested

[cjcullen]

Just verified:

Creating a new cluster w/ cluster/kube-up.sh produces an apiserver w/ --authorization-mode=Node,RBAC (scenario 1)

Running cluster/gce/upgrade.sh -M -l on this cluster keeps the authorization mode w/o ABAC (scenario 3).

Modifying the metadata to set ENABLE_LEGACY_ABAC='true' and then running cluster/gce/upgrade.sh -M -l gets me a cluster w/ --authorization-mode=Node,RBAC,ABAC (scenario 3)

Creating a new cluster w/ ENABLE_LEGACY_ABAC='true' cluster/kube-up.sh produces an apiserver w/ --authorization-mode=Node,RBAC,ABAC (scenario 2)

Running cluster/gce/upgrade.sh -M -l on this cluster keeps the authorization mode w/ ABAC enabled (scenario 3).

[cjcullen]

And yes, I think we still want this in for 1.8 (Our GCE tests already run w/ ABAC off).

[liggitt]

Agree. CI has run with ABAC off since 1.6.

/lgtm

[liggitt]

One last question, does creating a 1.7 cluster populate metadata with ENABLE_LEGACY_ABAC=true?

[cjcullen]

A 1.7 cluster with this script will set ENABLE_LEGACY_ABAC='false'. I think it might be even more confusing to version gate the setting (and I would have to do semver parsing in bash...). WDYT?

[cjcullen]

/test pull-kubernetes-e2e-gce-bazel

[liggitt]

A 1.7 cluster with this script will set ENABLE_LEGACY_ABAC='false'

I'm asking about a 1.7 cluster created with 1.7 scripts. Does metadata contain the environment variable set to true in that case?

[cjcullen]

I'm asking about a 1.7 cluster created with 1.7 scripts. Does metadata contain the environment variable set to true in that case?

Yes

[liggitt]

sounds good to me. @roberthbailey has approval

[roberthbailey]

/approve

[mikedanese]

/approve no-issue

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cjcullen, liggitt, mikedanese, roberthbailey

Associated issue requirement bypassed by: mikedanese

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• cluster/OWNERS [mikedanese,roberthbailey]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all

Tests are more than 96 hours old. Re-running tests.

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 48970, 52497, 51367, 52549, 52541). If you want to cherry-pick this change to another branch, please follow the instructions here..

[k8s-ci-robot]

@cjcullen: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-unit	e44c876	link	/test pull-kubernetes-unit
pull-kubernetes-node-e2e	e44c876	link	/test pull-kubernetes-node-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.