Fix k8s 1.6 regression (#2049)

* remove SecurityContextDeny * Revert "remove SecurityContextDeny" This reverts commit 39260bb. * remove audit log options * remove Node authorization-mode * Only support Node authorization-mode after 1.7 * add unit tests
Azure · Jan 13, 2018 · 65d98f4 · 65d98f4
1 parent b3f3643
commit 65d98f4
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 2 deletions.
diff --git a/pkg/acsengine/defaults-apiserver.go b/pkg/acsengine/defaults-apiserver.go
@@ -88,7 +88,15 @@ func setAPIServerConfig(cs *api.ContainerService) {
 
 	// RBAC configuration
 	if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
-		defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
+		defaultAPIServerConfig["--authorization-mode"] = "RBAC"
+		if isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") {
+			defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
+		}
+	} else if !isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") {
+		// remove authorization-mode for 1.6 clusters without RBAC since Node authorization isn't supported
+		for _, key := range []string{"--authorization-mode"} {
+			delete(defaultAPIServerConfig, key)
+		}
 	}
 
 	// If no user-configurable apiserver config values exists, use the defaults

diff --git a/pkg/acsengine/defaults-apiserver_test.go b/pkg/acsengine/defaults-apiserver_test.go
@@ -171,13 +171,33 @@ func TestAPIServerConfigEnableRbac(t *testing.T) {
 			a["--authorization-mode"])
 	}
 
+	// Test EnableRbac = true with 1.6 cluster
+	cs = createContainerService("testcluster", common.KubernetesVersion1Dot6Dot11, 3, 2)
+	cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(true)
+	setAPIServerConfig(cs)
+	a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
+	if a["--authorization-mode"] != "RBAC" {
+		t.Fatalf("got unexpected '--authorization-mode' API server config value for 1.6 cluster with EnableRbac=true: %s",
+			a["--authorization-mode"])
+	}
+
 	// Test EnableRbac = false
 	cs = createContainerService("testcluster", common.KubernetesVersion1Dot7Dot12, 3, 2)
 	cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(false)
 	setAPIServerConfig(cs)
 	a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
 	if a["--authorization-mode"] != "Node" {
-		t.Fatalf("got unexpected '--authorization-mode' API server config value for EnableRbac=true: %s",
+		t.Fatalf("got unexpected '--authorization-mode' API server config value for EnableRbac=false: %s",
+			a["--authorization-mode"])
+	}
+
+	// Test EnableRbac = false with 1.6 cluster
+	cs = createContainerService("testcluster", common.KubernetesVersion1Dot6Dot11, 3, 2)
+	cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(false)
+	setAPIServerConfig(cs)
+	a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
+	if _, ok := a["--authorization-mode"]; ok {
+		t.Fatalf("got unexpected '--authorization-mode' API server config value for 1.6 cluster with EnableRbac=false: %s",
 			a["--authorization-mode"])
 	}
 }