diff --git a/cluster/kubemark/gce/config-default.sh b/cluster/kubemark/gce/config-default.sh index 3804c29275..8314484f82 100644 --- a/cluster/kubemark/gce/config-default.sh +++ b/cluster/kubemark/gce/config-default.sh @@ -81,7 +81,7 @@ fi ENABLE_GARBAGE_COLLECTOR=${ENABLE_GARBAGE_COLLECTOR:-true} USE_REAL_PROXIER=${USE_REAL_PROXIER:-true} # for hollow-proxy -CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PodPreset,DefaultTolerationSeconds,ResourceQuota}" +CUSTOM_ADMISSION_PLUGINS="${CUSTOM_ADMISSION_PLUGINS:-Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PodPreset,DefaultTolerationSeconds,NodeRestriction,ResourceQuota}" KUBELET_TEST_ARGS="--max-pods=100 $TEST_CLUSTER_LOG_LEVEL ${TEST_CLUSTER_API_CONTENT_TYPE}" APISERVER_TEST_ARGS="--runtime-config=extensions/v1beta1 ${API_SERVER_TEST_LOG_LEVEL} ${TEST_CLUSTER_STORAGE_MEDIA_TYPE} ${TEST_CLUSTER_MAX_REQUESTS_INFLIGHT} ${TEST_CLUSTER_DELETE_COLLECTION_WORKERS} --enable-garbage-collector=${ENABLE_GARBAGE_COLLECTOR}" diff --git a/test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubelet-binding.yaml b/test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubelet-binding.yaml new file mode 100644 index 0000000000..c0ce195546 --- /dev/null +++ b/test/kubemark/resources/manifests/addons/kubemark-rbac-bindings/kubelet-binding.yaml @@ -0,0 +1,18 @@ +# The Kubemark environment currently gives all kubelets a single shared credential. +# +# TODO: give each kubelet a credential in the system:nodes group with username system:node:, +# to exercise the Node authorizer and admission, then remove this binding +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: kubelet-node + labels: + kubernetes.io/cluster-service: "true" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:node +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: kubelet diff --git a/test/kubemark/resources/start-kubemark-master.sh b/test/kubemark/resources/start-kubemark-master.sh index bdc11bc64b..cea2932b3f 100755 --- a/test/kubemark/resources/start-kubemark-master.sh +++ b/test/kubemark/resources/start-kubemark-master.sh @@ -351,7 +351,7 @@ function compute-kube-apiserver-params { params+=" --storage-backend=${STORAGE_BACKEND}" params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}" params+=" --admission-control=${CUSTOM_ADMISSION_PLUGINS}" - params+=" --authorization-mode=RBAC" + params+=" --authorization-mode=Node,RBAC" echo "${params}" }