From 65d98f41fa0842aadb3ae8e57f49f1dc8eb743d0 Mon Sep 17 00:00:00 2001
From: Cecile Robert-Michon
Date: Fri, 12 Jan 2018 16:56:31 -0800
Subject: [PATCH] Fix k8s 1.6 regression (#2049)
* remove SecurityContextDeny
* Revert "remove SecurityContextDeny"
This reverts commit 39260bb2080273e636dae933e8052c66d176ae40.
* remove audit log options
* remove Node authorization-mode
* Only support Node authorization-mode after 1.7
* add unit tests
---
 pkg/acsengine/defaults-apiserver.go | 10 +++++++++-
 pkg/acsengine/defaults-apiserver_test.go | 22 +++++++++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/pkg/acsengine/defaults-apiserver.go b/pkg/acsengine/defaults-apiserver.go
index 5a21783aa5..d5d867b9a9 100644
--- a/pkg/acsengine/defaults-apiserver.go
+++ b/pkg/acsengine/defaults-apiserver.go
@@ -88,7 +88,15 @@ func setAPIServerConfig(cs *api.ContainerService) {
 // RBAC configuration
 if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
- defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
+ defaultAPIServerConfig["--authorization-mode"] = "RBAC"
+ if isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") {
+ defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
+ }
+ } else if !isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") {
+ // remove authorization-mode for 1.6 clusters without RBAC since Node authorization isn't supported
+ for _, key := range []string{"--authorization-mode"} {
+ delete(defaultAPIServerConfig, key)
+ }
 }
 // If no user-configurable apiserver config values exists, use the defaults
diff --git a/pkg/acsengine/defaults-apiserver_test.go b/pkg/acsengine/defaults-apiserver_test.go
index 37def66ab1..5f9aea16bc 100644
--- a/pkg/acsengine/defaults-apiserver_test.go
+++ b/pkg/acsengine/defaults-apiserver_test.go
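Review bot: In the new `else if` branch of setAPIServerConfig (pkg/acsengine/defaults-apiserver.go), deleting `--authorization-mode` for pre-1.7 clusters without RBAC leaves kube-apiserver on its built-in default, `AlwaysAllow`, so every authenticated request is authorized; the comment explains why Node is dropped but not which mode the cluster ends up running. I would state that in the comment, e.g. `// 1.6 without RBAC: omit the flag; kube-apiserver then uses its default mode (AlwaysAllow)`, and replace the one-element loop with `delete(defaultAPIServerConfig, "--authorization-mode")`. Whether the user-supplied values merged just below can restore a stricter mode is not visible here, since the function continues outside the hunk.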
@@ -171,13 +171,33 @@ func TestAPIServerConfigEnableRbac(t *testing.T) {
 a["--authorization-mode"])
 }
+ // Test EnableRbac = true with 1.6 cluster
+ cs = createContainerService("testcluster", common.KubernetesVersion1Dot6Dot11, 3, 2)
+ cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(true)
+ setAPIServerConfig(cs)
+ a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
+ if a["--authorization-mode"] != "RBAC" {
+ t.Fatalf("got unexpected '--authorization-mode' API server config value for 1.6 cluster with EnableRbac=true: %s",
+ a["--authorization-mode"])
+ }
+
 // Test EnableRbac = false
 cs = createContainerService("testcluster", common.KubernetesVersion1Dot7Dot12, 3, 2)
 cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(false)
 setAPIServerConfig(cs)
 a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
 if a["--authorization-mode"] != "Node" {
- t.Fatalf("got unexpected '--authorization-mode' API server config value for EnableRbac=true: %s",
+ t.Fatalf("got unexpected '--authorization-mode' API server config value for EnableRbac=false: %s",
+ a["--authorization-mode"])
+ }
+
+ // Test EnableRbac = false with 1.6 cluster
+ cs = createContainerService("testcluster", common.KubernetesVersion1Dot6Dot11, 3, 2)
+ cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(false)
+ setAPIServerConfig(cs)
+ a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
+ if _, ok := a["--authorization-mode"]; ok {
+ t.Fatalf("got unexpected '--authorization-mode' API server config value for 1.6 cluster with EnableRbac=false: %s",
 a["--authorization-mode"])
 }
 }
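Review bot: The 1.6 cases in TestAPIServerConfigEnableRbac repeat the same setup-and-check block a third and fourth time, and this change already has to correct a message left over from such a copy (`EnableRbac=true` on the RBAC-off case); a table-driven loop would keep the version, the RBAC setting and the expected mode side by side. It would also make it cheap to add a case at exactly 1.7.0, the boundary `isKubernetesVersionGe` compares against, if a constant for that version exists (none is visible here). The test's first case starts above the hunk and is left as it is in the sketch below.

```go
// … unchanged: first case (EnableRbac = true), which starts above the hunk …
cases := []struct {
	version string
	rbac    bool
	want    string // "" means the flag must be absent
}{
	{common.KubernetesVersion1Dot6Dot11, true, "RBAC"},
	{common.KubernetesVersion1Dot7Dot12, false, "Node"},
	{common.KubernetesVersion1Dot6Dot11, false, ""},
}
for _, c := range cases {
	cs := createContainerService("testcluster", c.version, 3, 2)
	cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(c.rbac)
	setAPIServerConfig(cs)
	got, ok := cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig["--authorization-mode"]
	if got != c.want || ok != (c.want != "") {
		t.Errorf("version %s, EnableRbac=%t: got '--authorization-mode' %q (set=%t), want %q", c.version, c.rbac, got, ok, c.want)
	}
}
```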