untangle —authorization-mode from enableSecureKubelet

pkg/acsengine/defaults-apiserver.go

@@ -85,23 +85,18 @@ func setAPIServerConfig(cs *api.ContainerService) {
 	// Default apiserver config
 	defaultAPIServerConfig := map[string]string{
 		"--admission-control":   "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DenyEscalatingExec,AlwaysPullImages",
-		"--authorization-mode":  "Node",
 		"--audit-log-maxage":    "30",
 		"--audit-log-maxbackup": "10",
 		"--audit-log-maxsize":   "100",
 	}
 
 	// RBAC configuration
 	if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
-		defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
-		if !isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") || !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
+		if isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") {
+			defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
+		} else {
 			defaultAPIServerConfig["--authorization-mode"] = "RBAC"
 		}
-	} else if !isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") || !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
-		// remove authorization-mode for 1.6 clusters without RBAC since Node authorization isn't supported
-		for _, key := range []string{"--authorization-mode"} {
-			delete(defaultAPIServerConfig, key)
-		}
 	}
 
 	// Pod Security Policy configuration

pkg/acsengine/defaults-apiserver_test.go

@@ -188,7 +188,7 @@ func TestAPIServerConfigEnableRbac(t *testing.T) {
 	cs.Properties.OrchestratorProfile.KubernetesConfig.EnableRbac = pointerToBool(false)
 	setAPIServerConfig(cs)
 	a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
-	if a["--authorization-mode"] != "Node" {
+	if _, ok := a["--authorization-mode"]; ok {
 		t.Fatalf("got unexpected '--authorization-mode' API server config value for EnableRbac=false: %s",
 			a["--authorization-mode"])
 	}

pkg/acsengine/defaults-kubelet.go

@@ -82,7 +82,7 @@ func setKubeletConfig(cs *api.ContainerService) {
 
 	// Remove secure kubelet flags, if configured
 	if !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
-		for _, key := range []string{"--anonymous-auth", "--authorization-mode", "--client-ca-file"} {
+		for _, key := range []string{"--anonymous-auth", "--client-ca-file"} {
 			delete(o.KubernetesConfig.KubeletConfig, key)
 		}
 	}

pkg/acsengine/defaults-kubelet_test.go

@@ -89,7 +89,7 @@ func TestKubeletConfigEnableSecureKubelet(t *testing.T) {
 	cs.Properties.OrchestratorProfile.KubernetesConfig.EnableSecureKubelet = pointerToBool(false)
 	setKubeletConfig(cs)
 	k = cs.Properties.OrchestratorProfile.KubernetesConfig.KubeletConfig
-	for _, key := range []string{"--anonymous-auth", "--authorization-mode", "--client-ca-file"} {
+	for _, key := range []string{"--anonymous-auth", "--client-ca-file"} {
 		if _, ok := k[key]; ok {
 			t.Fatalf("got unexpected '%s' kubelet config value for EnableSecureKubelet=false: %s",
 				key, k[key])