diff --git a/pkg/acsengine/defaults-apiserver.go b/pkg/acsengine/defaults-apiserver.go
index 57d2ae4c97..f06c15c421 100644
--- a/pkg/acsengine/defaults-apiserver.go
+++ b/pkg/acsengine/defaults-apiserver.go
@@ -85,7 +85,6 @@ func setAPIServerConfig(cs *api.ContainerService) {
 // Default apiserver config
 defaultAPIServerConfig := map[string]string{
 "--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec,AlwaysPullImages",
- "--authorization-mode": "Node",
 "--audit-log-maxage": "30",
 "--audit-log-maxbackup": "10",
 "--audit-log-maxsize": "100",
@@ -93,15 +92,11 @@ func setAPIServerConfig(cs *api.ContainerService) {
 // RBAC configuration
 if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
- defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
- if !isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") || !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
+ if isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") {
+ defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
+ } else {
 defaultAPIServerConfig["--authorization-mode"] = "RBAC"
 }
- } else if !isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") || !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
- // remove authorization-mode for 1.6 clusters without RBAC since Node authorization isn't supported
- for _, key := range []string{"--authorization-mode"} {
- delete(defaultAPIServerConfig, key)
- }
 }
 // Pod Security Policy configuration
diff --git a/pkg/acsengine/defaults-apiserver_test.go b/pkg/acsengine/defaults-apiserver_test.go
index 446d0efbf5..c0b3bc6c5d 100644
--- a/pkg/acsengine/defaults-apiserver_test.go
+++ b/pkg/acsengine/defaults-apiserver_test.go
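Review bot: Removing the `"--authorization-mode": "Node"` entry from the default map means a cluster built with EnableRbac=false now passes no --authorization-mode flag at all, so kube-apiserver silently falls back to its own built-in default, AlwaysAllow, and that effective policy for every non-RBAC cluster is stated nowhere in the map or in the RBAC block that follows. The old "Node"-only value was arguably worse (the Node authorizer has no opinion on non-kubelet identities), but an unauthenticated-looking fallback deserves to be explicit in the code rather than implied by an absent key. Add a comment at the point where the key is left unset, e.g. `// EnableRbac=false: --authorization-mode is deliberately omitted; kube-apiserver then defaults to AlwaysAllow`. The setAPIServerConfig body continues outside this hunk.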
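Review bot: The new if/else in the RBAC block drops EnableSecureKubelet from the decision entirely, and the removed comment was the only place that explained why the 1.7.0 gate exists, so a reader now sees a bare version compare with no rationale. If the reasoning is that the Node authorizer is unavailable before 1.7 and is a no-op for identities outside the node group (which is why it can be enabled regardless of how the kubelet authenticates), that belongs in a comment, e.g. `// Node authorizer exists from 1.7.0; it only judges requests from node identities, so RBAC still decides everything else`. Whether dropping the EnableSecureKubelet condition was intended or incidental is not visible from this hunk and is worth confirming in the commit message. The enclosing function continues past the hunk.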
@@ -188,7 +188,7 @@ func TestAPIServerConfigEnableRbac(t *testing.T) {
 cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(false)
 setAPIServerConfig(cs)
 a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
- if a["--authorization-mode"] != "Node" {
+ if _, ok := a["--authorization-mode"]; ok {
 t.Fatalf("got unexpected '--authorization-mode' API server config value for EnableRbac=false: %s", a["--authorization-mode"])
 }
diff --git a/pkg/acsengine/defaults-kubelet.go b/pkg/acsengine/defaults-kubelet.go
index 9fef1dcb5d..64cd170060 100644
--- a/pkg/acsengine/defaults-kubelet.go
+++ b/pkg/acsengine/defaults-kubelet.go
@@ -82,7 +82,7 @@ func setKubeletConfig(cs *api.ContainerService) {
 // Remove secure kubelet flags, if configured
 if !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
- for _, key := range []string{"--anonymous-auth", "--authorization-mode", "--client-ca-file"} {
+ for _, key := range []string{"--anonymous-auth", "--client-ca-file"} {
 delete(o.KubernetesConfig.KubeletConfig, key)
 }
 }
diff --git a/pkg/acsengine/defaults-kubelet_test.go b/pkg/acsengine/defaults-kubelet_test.go
index 691572f201..a6fa3a565c 100644
--- a/pkg/acsengine/defaults-kubelet_test.go
+++ b/pkg/acsengine/defaults-kubelet_test.go
@@ -89,7 +89,7 @@ func TestKubeletConfigEnableSecureKubelet(t *testing.T) {
 cs.Properties.OrchestratorProfile.KubernetesConfig.EnableSecureKubelet = pointerToBool(false)
 setKubeletConfig(cs)
 k = cs.Properties.OrchestratorProfile.KubernetesConfig.KubeletConfig
- for _, key := range []string{"--anonymous-auth", "--authorization-mode", "--client-ca-file"} {
+ for _, key := range []string{"--anonymous-auth", "--client-ca-file"} {
 if _, ok := k[key]; ok {
 t.Fatalf("got unexpected '%s' kubelet config value for EnableSecureKubelet=false: %s", key, k[key])
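Review bot: In the setKubeletConfig hunk the kubelet's --authorization-mode now survives EnableSecureKubelet=false while --anonymous-auth and --client-ca-file are still deleted, so the comment `// Remove secure kubelet flags, if configured` no longer describes what the loop does. The value that is retained is set somewhere outside this hunk and cannot be seen here; if it is Webhook, a kubelet that falls back to anonymous auth with no client CA will still subject every request to a SubjectAccessReview, which is a meaningful (and welcome) change in the non-secure configuration versus the kubelet's own AlwaysAllow default, and that intent should be recorded. Suggest amending the comment to `// Remove secure kubelet auth flags, if configured; --authorization-mode is intentionally kept so authorization does not fall back to the kubelet default (AlwaysAllow)`. The enclosing function starts before and continues after this hunk.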