From 2d972889efdda26aae4f87f9e45965473b567ab2 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Mon, 9 Dec 2024 15:02:05 -0500
Subject: [PATCH] targetconfigcontroller: inject authorization-mode just in case observer doesn't run

Signed-off-by: Peter Hunt
---
 .../node/observe_authorization_mode.go | 10 +++++++++-
 .../targetconfigcontroller/targetconfigcontroller.go | 10 ++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/pkg/operator/configobservation/node/observe_authorization_mode.go b/pkg/operator/configobservation/node/observe_authorization_mode.go
index d908f58b0d..ea729fde6d 100644
--- a/pkg/operator/configobservation/node/observe_authorization_mode.go
+++ b/pkg/operator/configobservation/node/observe_authorization_mode.go
@@ -16,6 +16,14 @@ var defaultAuthenticationModes = []string{
 	"RBAC",
 	"Node",
 }
+
+var authenticationModesWithMinimumKubeletVersion = []string{
+	"Scope",
+	"SystemMasters",
+	"RBAC",
+	ModeMinimumKubeletVersion, // before "Node" to have a chance to deny a node
+	"Node",
+}
 var (
 	authModeFlag = "authorization-mode"
 	apiServerArgs = "apiServerArguments"
@@ -65,7 +73,7 @@ func (o *authorizationModeObserver) ObserveAuthorizationMode(genericListers conf
 func AddAuthorizationModes(observedConfig map[string]interface{}, isMinimumKubeletVersionEnabled bool) error {
 	modes := defaultAuthenticationModes
 	if isMinimumKubeletVersionEnabled {
-		modes = append(modes, ModeMinimumKubeletVersion)
+		modes = authenticationModesWithMinimumKubeletVersion
 	}
 
 	unstructured.RemoveNestedField(observedConfig, authModePath...)
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
index d8745fd10f..e920357bcd 100644
--- a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
+++ b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
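Review bot: `authenticationModesWithMinimumKubeletVersion` restates the whole of `defaultAuthenticationModes` instead of being derived from it, so the two lists can drift apart silently, and the relative position of the entries is the security-relevant part of this hunk: the inline comment on ModeMinimumKubeletVersion relies on authorizers being consulted in list order, so `Node` would otherwise allow a kubelet's request before the minimum-version check can deny it. A comment on `defaultAuthenticationModes` should make that coupling explicit, e.g. `// Keep in sync with authenticationModesWithMinimumKubeletVersion; entry order is load-bearing because authorizers are evaluated in sequence.` A small unit test asserting that ModeMinimumKubeletVersion appears before "Node" in the new list would guard the ordering against a later reshuffle. The second hunk in this file, which switches AddAuthorizationModes to the new list, is where that ordering now takes effect; its body continues past the hunk.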
@@ -17,6 +17,7 @@ import (
 	kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	"github.com/openshift/cluster-kube-apiserver-operator/bindata"
+	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/node"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/version"
 	"github.com/openshift/library-go/pkg/controller/factory"
@@ -228,12 +229,21 @@ func manageKubeAPIServerConfig(ctx context.Context, client coreclientv1.ConfigMa
 	configOverrides := bindata.MustAsset("assets/config/config-overrides.yaml")
 	specialMergeRules := map[string]resourcemerge.MergeFunc{}
 
+	// Guarantee the authorization-mode will be present in the base config, regardless of whether the observer is running
+	authModeOverride := map[string]interface{}{}
+	node.AddAuthorizationModes(authModeOverride, false)
+	authModeOverrideJSON, err := json.Marshal(authModeOverride)
+	if err != nil {
+		return nil, false, err
+	}
+
 	requiredConfigMap, _, err := resourcemerge.MergePrunedConfigMap(
 		&kubecontrolplanev1.KubeAPIServerConfig{},
 		configMap,
 		"config.yaml",
 		specialMergeRules,
 		defaultConfig,
+		authModeOverrideJSON,
 		configOverrides,
 		operatorSpec.ObservedConfig.Raw,
 		operatorSpec.UnsupportedConfigOverrides.Raw,
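Review bot: The error returned by `node.AddAuthorizationModes(authModeOverride, false)` is discarded, so whatever failure it can report would leave `authModeOverride` without the field and the merge would proceed silently, defeating the guarantee the comment above it promises; it should be handled the same way as the `json.Marshal` error two lines later: `if err := node.AddAuthorizationModes(authModeOverride, false); err != nil { return nil, false, err }`. Note also that `false` is hard-coded, so this fallback always produces the default mode list without ModeMinimumKubeletVersion; because `authModeOverrideJSON` is merged ahead of `operatorSpec.ObservedConfig.Raw`, the observer's list still overrides it whenever the observer runs, which is presumably the intent, but the comment would be clearer if it said that the observed config takes precedence. manageKubeAPIServerConfig starts and ends outside the hunk.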