add EnableRBAC to v20180331 api model #2647
Conversation
ghost
assigned 
rjtsdl
force-pushed
the
jiren-addrbacflag
branch
from
81e9755 to
a0bead6
Compare
rjtsdl
force-pushed
the
jiren-addrbacflag
branch
from
a0bead6 to
3a5a6c9
Compare
| @@ -349,6 +350,13 @@ func convertV20180331AgentPoolOnlyWindowsProfile(obj *v20180331.WindowsProfile) | |||
| } | |||
| } | |||
|
|
|||
| func convertV20180331AgentPoolOnlyKubernetesConfig(enableRBAC bool) *KubernetesConfig { | |||
There was a problem hiding this comment.
@rjtsdl thanks for making this change as this also has a good side effect of resolving bug 2265988 in VSTS! You can also now remove lines 126-141 from putmanagedcluster.go and close out bug 2265988 in VSTS when new ACS E is vendored.
There was a problem hiding this comment.
Yeah, I will deal with that.
I think we also need to modify the older agentPoolOnly api version behavior. To always set those two flags to be false ptr.
There was a problem hiding this comment.
Made the change for v20170831 to make sure those two flags to be false ptr. Then RP don't need to deal with that.
| enableRBAC = enableRBAC && *kc.EnableRbac | ||
| } | ||
|
|
||
| if kc.EnableSecureKubelet == nil { |
There was a problem hiding this comment.
IMO if the code in convertertoagentpoolonlyapi.go is written as expected then we shouldn't need to check for EnableSecureKubelet state. Checking enableRBAC flag state should suffice.
There was a problem hiding this comment.
The way we want to make it, is to have EnableSecureKubelet also enabled when use specify enableRBAC. I should make it clear in the enableRBAC flag description. Check the email thread I included you.
There was a problem hiding this comment.
Yes, agreed. We are on the same page regarding:
The way we want to make it, is to have EnableSecureKubelet also enabled when use specify enableRBAC.
I am suggesting that if RBAC is enabled in API model then EnableSecureKubelet should/would have been set to true. So when converting it back to versioned API model state of EnableSecureKubelet should not need to be validated.
Another way to put it is RBAC can still be technically enabled even if EnableSecureKubelet was set to false because customer only controls setting of enableRBAC. So if they set enableRBAC to true then they should get the same value back regardless of the state of EnableSecureKubelet.
There was a problem hiding this comment.
why enableRBAC && false when it must be false?
There was a problem hiding this comment.
what email thread?
Check the email thread I included you.
There was a problem hiding this comment.
@amanohar I got your point. However, I think we still need to validate EnableSecureKubelet. Because,
if EnableRbac == true && EnableSecureKubelet == false, then the cluster won't work properly. In the api model's conversion back and forth, there is no way to make them different. However, I can still see hacks like 126-141 from putmanagedcluster.go could make them different. That is why I want to validate both of them.
Validation is used to surface hacks :)
| @@ -40,6 +40,7 @@ type Properties struct { | |||
| AccessProfiles map[string]AccessProfile `json:"accessProfiles,omitempty"` | |||
| AddonProfiles map[string]AddonProfile `json:"addonProfiles,omitempty"` | |||
| NodeResourceGroup string `json:"nodeResourceGroup,omitempty"` | |||
| EnableRBAC bool `json:"enableRBAC"` | |||
There was a problem hiding this comment.
does omitempty matter here?
There was a problem hiding this comment.
- should this be on by default?
- can this be changed? (turning on and off?)
There was a problem hiding this comment.
Change to *bool, so we have 3 state
nil -> true
true -> true
false -> false
Note, we default behavior is to set it to true.
| } | ||
| // Only if both KubernetesConfig.EnableRbac and KubernetesConfig.EnableSecureKubelet true | ||
| // We think EnableRBAC is on | ||
| enableRBAC := true |
There was a problem hiding this comment.
the code seems pretty complicated to me. why not base on the comments:
enableRBAC := (KubernetesConfig.EnableRbac == true) && (KubernetesConfig.EnableSecureKubelet == true)
There was a problem hiding this comment.
EnableRbac is *bool !
There was a problem hiding this comment.
I see, could this work then:
enableRBAC := (KubernetesConfig.EnableRbac != nil) && ((KubernetesConfig.EnableRbac) == true) && (KubernetesConfig.EnableSecureKubelet != nil) && ((KubernetesConfig.EnableSecureKubelet) == true)
no big deal, just want to make code a bit more easy to read. :)
There was a problem hiding this comment.
Made it easier to read.
| if api.OrchestratorProfile != nil { | ||
| if api.OrchestratorProfile.OrchestratorVersion != "" { | ||
| p.KubernetesVersion = api.OrchestratorProfile.OrchestratorVersion | ||
| } | ||
| p.EnableRBAC = convertKubernetesConfigToEnableRBACV20180331AgentPoolOnly(api.OrchestratorProfile.KubernetesConfig) | ||
| p.EnableRBAC = *api.OrchestratorProfile.KubernetesConfig.EnableRbac && |
There was a problem hiding this comment.
Yeah, it is :) Removed
|
I have change the default behavior to be true for EnableRBAC api flag. |
| // Only if both KubernetesConfig.EnableRbac and KubernetesConfig.EnableSecureKubelet true | ||
| // We think EnableRBAC is on | ||
| if kc != nil && kc.EnableRbac != nil && *kc.EnableRbac && | ||
| kc.EnableSecureKubelet != nil && *kc.EnableSecureKubelet { |
There was a problem hiding this comment.
I still think that EnableSecureKubelet should not factor into converting back to versioned API model. if *kc.EnableRbac then it should be enough to say that RBAC is enabled. You can also always log a warning line that EnableSecureKubelet was not enabled.
There was a problem hiding this comment.
I don't have strong opinion on this. Updated only use *kc.EnableRbac to deduct the versioned api model.
| @@ -349,6 +354,20 @@ func convertV20180331AgentPoolOnlyWindowsProfile(obj *v20180331.WindowsProfile) | |||
| } | |||
| } | |||
|
|
|||
| func convertV20180331AgentPoolOnlyKubernetesConfig(enableRBAC *bool) *KubernetesConfig { | |||
| if enableRBAC == nil || *enableRBAC == true { | |||
There was a problem hiding this comment.
If if enableRBAC == nil shouldn't EnableRbac be false?
There was a problem hiding this comment.
Oh, we want the default behavior to be true.
Default behavior is when enableRBAC == nil
pkg/api/common/helper.go
Outdated
| @@ -51,3 +51,8 @@ func HandleValidationErrors(e validator.ValidationErrors) error { | |||
| } | |||
| return fmt.Errorf("Namespace %s is not caught, %+v", ns, e) | |||
| } | |||
|
|
|||
| // BoolPtr convert a bool to *bool | |||
| func BoolPtr(b bool) *bool { | |||
There was a problem hiding this comment.
there is already a function doing this at
acs-engine/pkg/helpers/helpers.go
Line 55 in 7272611
rjtsdl
force-pushed
the
jiren-addrbacflag
branch
from
ec87d4d to
10bc6a0
Compare
* add EnableRBAC to v20180331 api model * behavior change to set default EnableRBAC to be true for v20180331 api * set KubernetesConfig to be false for those two flags, so RP don't need to hack * set older version's kubernetesConfig's two flags to be false ptr, and add unittest * only use EnableRBAC to convert to versioned api model * re-use PointerToBool
What this PR does / why we need it:
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #2646Special notes for your reviewer:
If applicable:
Release note: