[kubeadam] do not set authorization-mode in api server when authoriza…

…tion-config is provided
openshift · Mar 3, 2024 · db115ca · db115ca
1 parent 7c11cc9
commit db115ca
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 1 deletion.
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go
@@ -229,7 +229,10 @@ func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint
 		cfg.APIServer.ExtraArgs = []kubeadmapi.Arg{}
 	}
 	authzVal, _ := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-mode", -1)
-	defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1)
+	_, hasStructuredAuthzVal := kubeadmapi.GetArgValue(cfg.APIServer.ExtraArgs, "authorization-config", -1)
+	if hasStructuredAuthzVal == -1 {
+		defaultArguments = kubeadmapi.SetArgValues(defaultArguments, "authorization-mode", getAuthzModes(authzVal), 1)
+	}
 	command = append(command, kubeadmutil.ArgumentsToCommand(defaultArguments, cfg.APIServer.ExtraArgs)...)
 
 	return command

diff --git a/cmd/kubeadm/app/phases/controlplane/manifests_test.go b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
@@ -514,6 +514,103 @@ func TestGetAPIServerCommand(t *testing.T) {
 				"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
 			},
 		},
+		{
+			name: "authorization-config extra-args",
+			cfg: &kubeadmapi.ClusterConfiguration{
+				Networking:      kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
+				CertificatesDir: testCertsDir,
+				APIServer: kubeadmapi.APIServer{
+					ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
+						ExtraArgs: []kubeadmapi.Arg{
+							{Name: "authorization-config", Value: "/path/to/authorization/config/file"},
+						},
+					},
+				},
+			},
+			endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
+			expected: []string{
+				"kube-apiserver",
+				"--enable-admission-plugins=NodeRestriction",
+				"--service-cluster-ip-range=bar",
+				"--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
+				"--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
+				"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
+				"--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
+				"--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
+				"--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
+				"--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
+				"--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
+				"--enable-bootstrap-token-auth=true",
+				"--secure-port=123",
+				"--allow-privileged=true",
+				"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
+				"--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
+				"--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
+				"--requestheader-username-headers=X-Remote-User",
+				"--requestheader-group-headers=X-Remote-Group",
+				"--requestheader-extra-headers-prefix=X-Remote-Extra-",
+				"--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
+				"--requestheader-allowed-names=front-proxy-client",
+				"--authorization-config=/path/to/authorization/config/file",
+				"--advertise-address=1.2.3.4",
+				fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
+				"--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
+				"--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
+				"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
+			},
+		},
+		{
+			// Note that we do not block it at this level but api server would fail to start.
+			name: "authorization-config and authorization-mode extra-args",
+			cfg: &kubeadmapi.ClusterConfiguration{
+				Networking:      kubeadmapi.Networking{ServiceSubnet: "bar", DNSDomain: "cluster.local"},
+				CertificatesDir: testCertsDir,
+				APIServer: kubeadmapi.APIServer{
+					ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
+						ExtraArgs: []kubeadmapi.Arg{
+							{Name: "authorization-config", Value: "/path/to/authorization/config/file"},
+							{Name: "authorization-mode", Value: strings.Join([]string{
+								kubeadmconstants.ModeNode,
+								kubeadmconstants.ModeRBAC,
+								kubeadmconstants.ModeWebhook,
+							}, ",")},
+						},
+					},
+				},
+			},
+			endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
+			expected: []string{
+				"kube-apiserver",
+				"--enable-admission-plugins=NodeRestriction",
+				"--service-cluster-ip-range=bar",
+				"--service-account-key-file=" + filepath.Join(testCertsDir, "sa.pub"),
+				"--service-account-signing-key-file=" + filepath.Join(testCertsDir, "sa.key"),
+				"--service-account-issuer=https://kubernetes.default.svc.cluster.local",
+				"--client-ca-file=" + filepath.Join(testCertsDir, "ca.crt"),
+				"--tls-cert-file=" + filepath.Join(testCertsDir, "apiserver.crt"),
+				"--tls-private-key-file=" + filepath.Join(testCertsDir, "apiserver.key"),
+				"--kubelet-client-certificate=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.crt"),
+				"--kubelet-client-key=" + filepath.Join(testCertsDir, "apiserver-kubelet-client.key"),
+				"--enable-bootstrap-token-auth=true",
+				"--secure-port=123",
+				"--allow-privileged=true",
+				"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
+				"--proxy-client-cert-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.crt"),
+				"--proxy-client-key-file=" + filepath.FromSlash("/var/lib/certs/front-proxy-client.key"),
+				"--requestheader-username-headers=X-Remote-User",
+				"--requestheader-group-headers=X-Remote-Group",
+				"--requestheader-extra-headers-prefix=X-Remote-Extra-",
+				"--requestheader-client-ca-file=" + filepath.Join(testCertsDir, "front-proxy-ca.crt"),
+				"--requestheader-allowed-names=front-proxy-client",
+				"--authorization-config=/path/to/authorization/config/file",
+				"--authorization-mode=Node,RBAC,Webhook",
+				"--advertise-address=1.2.3.4",
+				fmt.Sprintf("--etcd-servers=https://127.0.0.1:%d", kubeadmconstants.EtcdListenClientPort),
+				"--etcd-cafile=" + filepath.Join(testCertsDir, "etcd/ca.crt"),
+				"--etcd-certfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.crt"),
+				"--etcd-keyfile=" + filepath.Join(testCertsDir, "apiserver-etcd-client.key"),
+			},
+		},
 	}
 
 	for _, rt := range tests {