kubeadm: preserve order of user specified apiserver authorization-mode #82616
@@ -192,20 +192,52 @@ func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint | |
} | ||
|
||
// getAuthzModes gets the authorization-related parameters to the api server | ||
// Node,RBAC should be fixed in this order at the beginning | ||
// AlwaysAllow and AlwaysDeny is ignored as they are only for testing | ||
// Node,RBAC is the default mode if nothing is passed to kubeadm. User provided modes override | ||
// the default. | ||
func getAuthzModes(authzModeExtraArgs string) string { | ||
modes := []string{ | ||
defaultMode := []string{ | ||
kubeadmconstants.ModeNode, | ||
kubeadmconstants.ModeRBAC, | ||
} | ||
if strings.Contains(authzModeExtraArgs, kubeadmconstants.ModeABAC) { | ||
modes = append(modes, kubeadmconstants.ModeABAC) | ||
|
||
if len(authzModeExtraArgs) > 0 { | ||
mode := []string{} | ||
for _, requested := range strings.Split(authzModeExtraArgs, ",") { | ||
if isValidAuthzMode(requested) { | ||
mode = append(mode, requested) | ||
} else { | ||
klog.Warningf("ignoring unknown kube-apiserver authorization-mode %q", requested) | ||
} | ||
|
||
} | ||
|
||
// only return the user provided mode if at least one was valid | ||
if len(mode) > 0 { | ||
klog.Warningf("the default kube-apiserver authorization-mode is %q; using %q", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Theoretically speaking, we don't need the warning if |
||
strings.Join(defaultMode, ","), | ||
strings.Join(mode, ","), | ||
) | ||
return strings.Join(mode, ",") | ||
} | ||
} | ||
return strings.Join(defaultMode, ",") | ||
} | ||
|
||
func isValidAuthzMode(authzMode string) bool { | ||
allModes := []string{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It seems allModes can be a map - the lookup would be more straight forward |
||
kubeadmconstants.ModeNode, | ||
kubeadmconstants.ModeRBAC, | ||
kubeadmconstants.ModeWebhook, | ||
kubeadmconstants.ModeABAC, | ||
kubeadmconstants.ModeAlwaysAllow, | ||
kubeadmconstants.ModeAlwaysDeny, | ||
} | ||
if strings.Contains(authzModeExtraArgs, kubeadmconstants.ModeWebhook) { | ||
modes = append(modes, kubeadmconstants.ModeWebhook) | ||
|
||
for _, mode := range allModes { | ||
if authzMode == mode { | ||
return true | ||
} | ||
} | ||
return strings.Join(modes, ",") | ||
return false | ||
} | ||
|
||
// calcNodeCidrSize determines the size of the subnets used on each node, based | ||
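Review bot: The doc comment kept above getAuthzModes no longer matches the new body: it says "Node,RBAC should be fixed in this order at the beginning" and "AlwaysAllow and AlwaysDeny is ignored", but the new code returns only the user-provided list in the order given, and isValidAuthzMode now lists ModeAlwaysAllow and ModeAlwaysDeny, so both are accepted and forwarded to the apiserver (AlwaysAllow effectively turning authorization off). I would replace those two comment lines with `// A user-provided list is passed through in the order given, unknown entries are dropped with a warning.` and `// AlwaysAllow and AlwaysDeny are accepted as valid modes and reach the apiserver unchanged.` so a reader of the comment is not told the opposite of what the code does. Separately, the loop over strings.Split does nothing about a mode listed twice (e.g. `Node,Node`); as far as I recall kube-apiserver rejects repeated modes at startup, so checking for duplicates here would surface that misconfiguration at kubeadm time rather than as an unexplained apiserver crash loop — worth confirming against the apiserver's validation.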
|
Strictly speaking, a typo here is worth bailing out. This can end in an insecure or non-operational cluster.