From f794a8187b95a96eb3e05ef1c1f377195262d9b2 Mon Sep 17 00:00:00 2001
From: Jack Francis
Date: Tue, 13 Feb 2018 13:23:34 -0800
Subject: [PATCH 1/2] =?UTF-8?q?untangle=20=E2=80=94authorization-mode=20fr?=
 =?UTF-8?q?om=20=E2=80=9Csecure=20kubelet=E2=80=9D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 pkg/acsengine/defaults-apiserver.go | 11 +++--------
 pkg/acsengine/defaults-apiserver_test.go | 4 ++--
 pkg/acsengine/defaults-kubelet.go | 2 +-
 pkg/acsengine/defaults-kubelet_test.go | 2 +-
 4 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/pkg/acsengine/defaults-apiserver.go b/pkg/acsengine/defaults-apiserver.go
index 57d2ae4c97..f06c15c421 100644
--- a/pkg/acsengine/defaults-apiserver.go
+++ b/pkg/acsengine/defaults-apiserver.go
@@ -85,7 +85,6 @@ func setAPIServerConfig(cs *api.ContainerService) {
 	// Default apiserver config
 	defaultAPIServerConfig := map[string]string{
 		"--admission-control": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec,AlwaysPullImages",
-		"--authorization-mode": "Node",
 		"--audit-log-maxage": "30",
 		"--audit-log-maxbackup": "10",
 		"--audit-log-maxsize": "100",
@@ -93,15 +92,11 @@ func setAPIServerConfig(cs *api.ContainerService) {
 	// RBAC configuration
 	if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
-		defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
-		if !isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") || !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
+		if isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") {
+			defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
+		} else {
 			defaultAPIServerConfig["--authorization-mode"] = "RBAC"
 		}
-	} else if !isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") || !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
-		// remove authorization-mode for 1.6 clusters without RBAC since Node authorization isn't supported
-		for _, key := range []string{"--authorization-mode"} {
-			delete(defaultAPIServerConfig, key)
-		}
 	}
 	// Pod Security Policy configuration
diff --git a/pkg/acsengine/defaults-apiserver_test.go b/pkg/acsengine/defaults-apiserver_test.go
index 446d0efbf5..a322eabd15 100644
--- a/pkg/acsengine/defaults-apiserver_test.go
+++ b/pkg/acsengine/defaults-apiserver_test.go
@@ -188,8 +188,8 @@ func TestAPIServerConfigEnableRbac(t *testing.T) {
 	cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(false)
 	setAPIServerConfig(cs)
 	a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
-	if a["--authorization-mode"] != "Node" {
-		t.Fatalf("got unexpected '--authorization-mode' API server config value for EnableRbac=false: %s",
+	if _, ok := a["--authorization-mode"]; ok {
+		t.Fatalf("got unexpected '--authorization-mode' kubelet config value for EnableRbac=false: %s",
 			a["--authorization-mode"])
 	}
diff --git a/pkg/acsengine/defaults-kubelet.go b/pkg/acsengine/defaults-kubelet.go
index 9fef1dcb5d..64cd170060 100644
--- a/pkg/acsengine/defaults-kubelet.go
+++ b/pkg/acsengine/defaults-kubelet.go
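Review bot: When EnableRbac is false the new code leaves `--authorization-mode` unset on every Kubernetes version, and kube-apiserver's documented default for an unset flag is AlwaysAllow, so a non-RBAC cluster now authorizes every authenticated caller for everything — before this change a 1.7+ cluster with a secure kubelet at least got `Node`. That is probably deliberate (`Node` on its own would reject every non-kubelet subject), but nothing in the code says so now that the old explanatory comment is removed. I would state it where the flag is decided, e.g. after the `if` block: `// Without RBAC no --authorization-mode is set; kube-apiserver then falls back to its AlwaysAllow default.` setAPIServerConfig continues outside the hunk.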
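Review bot: The hunk pins only the EnableRbac=false path (key absent); the behaviour this commit actually introduces — `--authorization-mode` no longer depending on EnableSecureKubelet — has no visible assertion, though I cannot see the rest of TestAPIServerConfigEnableRbac from here. A case setting EnableRbac=true, EnableSecureKubelet=false and a 1.7+ OrchestratorVersion, asserting `a["--authorization-mode"] == "Node,RBAC"`, is what would catch a regression back to the old coupling, and a sub-1.7 case asserting `"RBAC"` would cover the other new branch. The enclosing test function starts outside the hunk.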
@@ -82,7 +82,7 @@ func setKubeletConfig(cs *api.ContainerService) {
 	// Remove secure kubelet flags, if configured
 	if !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
-		for _, key := range []string{"--anonymous-auth", "--authorization-mode", "--client-ca-file"} {
+		for _, key := range []string{"--anonymous-auth", "--client-ca-file"} {
 			delete(o.KubernetesConfig.KubeletConfig, key)
 		}
 	}
diff --git a/pkg/acsengine/defaults-kubelet_test.go b/pkg/acsengine/defaults-kubelet_test.go
index 691572f201..a6fa3a565c 100644
--- a/pkg/acsengine/defaults-kubelet_test.go
+++ b/pkg/acsengine/defaults-kubelet_test.go
@@ -89,7 +89,7 @@ func TestKubeletConfigEnableSecureKubelet(t *testing.T) {
 	cs.Properties.OrchestratorProfile.KubernetesConfig.EnableSecureKubelet = pointerToBool(false)
 	setKubeletConfig(cs)
 	k = cs.Properties.OrchestratorProfile.KubernetesConfig.KubeletConfig
-	for _, key := range []string{"--anonymous-auth", "--authorization-mode", "--client-ca-file"} {
+	for _, key := range []string{"--anonymous-auth", "--client-ca-file"} {
 		if _, ok := k[key]; ok {
 			t.Fatalf("got unexpected '%s' kubelet config value for EnableSecureKubelet=false: %s", key, k[key])

From de31cc23f5de40d84d0544b681f8891afe92323d Mon Sep 17 00:00:00 2001
From: Jack Francis
Date: Tue, 13 Feb 2018 14:30:13 -0800
Subject: [PATCH 2/2] fix typo

---
 pkg/acsengine/defaults-apiserver_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/acsengine/defaults-apiserver_test.go b/pkg/acsengine/defaults-apiserver_test.go
index a322eabd15..c0b3bc6c5d 100644
--- a/pkg/acsengine/defaults-apiserver_test.go
+++ b/pkg/acsengine/defaults-apiserver_test.go
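Review bot: With EnableSecureKubelet=false the kubelet now keeps its `--authorization-mode` (its default value is assigned outside this hunk, so I cannot see which mode) while `--client-ca-file` and `--anonymous-auth` are dropped, which means the kubelet can no longer authenticate client certificates and anonymous auth reverts to the kubelet's own default of true, so the retained authorizer is evaluated for unauthenticated callers. If that mode is Webhook, the decision is delegated to the API server, and in a cluster that also has EnableRbac=false the API server runs with no `--authorization-mode` (AlwaysAllow, per the apiserver change in this same patch), so the kubelet API would effectively be open to anonymous requests — worth confirming that combination is intended or at least warned about. The comment `// Remove secure kubelet flags, if configured` also no longer describes the loop; I would rewrite it as `// Drop the kubelet auth flags tied to EnableSecureKubelet; --authorization-mode is kept regardless` so the next reader does not put the key back. setKubeletConfig continues outside the hunk.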
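Review bot: The test still only asserts absence of the two removed flags; the behaviour this commit introduces — `--authorization-mode` surviving EnableSecureKubelet=false — is not checked, so the old coupling could be reintroduced without any test failing. After the loop I would add `if _, ok := k["--authorization-mode"]; !ok { t.Fatalf("expected '--authorization-mode' kubelet config to be retained for EnableSecureKubelet=false") }`. TestKubeletConfigEnableSecureKubelet starts before the hunk and the loop body runs past its last line.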
@@ -189,7 +189,7 @@ func TestAPIServerConfigEnableRbac(t *testing.T) {
 	setAPIServerConfig(cs)
 	a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
 	if _, ok := a["--authorization-mode"]; ok {
-		t.Fatalf("got unexpected '--authorization-mode' kubelet config value for EnableRbac=false: %s",
+		t.Fatalf("got unexpected '--authorization-mode' API server config value for EnableRbac=false: %s",
 			a["--authorization-mode"])
 	}