kubeadm: Remove .AuthorizationModes in the v1alpha2 API

cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go

@@ -39,7 +39,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 			obj.API.AdvertiseAddress = "foo"
 			obj.Networking.ServiceSubnet = "foo"
 			obj.Networking.DNSDomain = "foo"
-			obj.AuthorizationModes = []string{"foo"}
 			obj.CertificatesDir = "foo"
 			obj.APIServerCertSANs = []string{"foo"}
 			obj.Etcd.ServerCertSANs = []string{"foo"}

cmd/kubeadm/app/apis/kubeadm/types.go

@@ -45,10 +45,6 @@ type MasterConfiguration struct {
 	// NodeName is the name of the node that will host the k8s control plane.
 	// Defaults to the hostname if not provided.
 	NodeName string
-	// AuthorizationModes is a set of authorization modes used inside the cluster.
-	// If not specified, defaults to Node and RBAC, meaning both the node
-	// authorizer and RBAC are enabled.
-	AuthorizationModes []string
 	// NoTaintMaster will, if set, suppress the tainting of the
 	// master node allowing workloads to be run on it (e.g. in
 	// single node configurations).

cmd/kubeadm/app/apis/kubeadm/v1alpha1/conversion.go

@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"reflect"
+	"strings"
+
 	"k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
@@ -41,6 +44,7 @@ func Convert_v1alpha1_MasterConfiguration_To_kubeadm_MasterConfiguration(in *Mas
 	}
 
 	UpgradeCloudProvider(in, out)
+	UpgradeAuthorizationModes(in, out)
 	// We don't support migrating information from the .PrivilegedPods field which was removed in v1alpha2
 
 	return nil
@@ -69,3 +73,14 @@ func UpgradeCloudProvider(in *MasterConfiguration, out *kubeadm.MasterConfigurat
 		out.ControllerManagerExtraArgs["cloud-provider"] = in.CloudProvider
 	}
 }
+
+func UpgradeAuthorizationModes(in *MasterConfiguration, out *kubeadm.MasterConfiguration) {
+	// If .AuthorizationModes was set to something else than the default, preserve the information via extraargs
+	if !reflect.DeepEqual(in.AuthorizationModes, strings.Split(DefaultAuthorizationModes, ",")) {
+
+		if out.APIServerExtraArgs == nil {
+			out.APIServerExtraArgs = map[string]string{}
+		}
+		out.APIServerExtraArgs["authorization-mode"] = strings.Join(in.AuthorizationModes, ",")
+	}
+}

cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go

@@ -18,7 +18,6 @@ package v1alpha2
 
 import (
 	"net/url"
-	"strings"
 	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -42,8 +41,6 @@ const (
 	DefaultKubernetesVersion = "stable-1.10"
 	// DefaultAPIBindPort defines default API port
 	DefaultAPIBindPort = 6443
-	// DefaultAuthorizationModes defines default authorization modes
-	DefaultAuthorizationModes = "Node,RBAC"
 	// DefaultCertificatesDir defines default certificate directory
 	DefaultCertificatesDir = "/etc/kubernetes/pki"
 	// DefaultImageRepository defines default image registry
@@ -96,10 +93,6 @@ func SetDefaults_MasterConfiguration(obj *MasterConfiguration) {
 		obj.Networking.DNSDomain = DefaultServiceDNSDomain
 	}
 
-	if len(obj.AuthorizationModes) == 0 {
-		obj.AuthorizationModes = strings.Split(DefaultAuthorizationModes, ",")
-	}
-
 	if obj.CertificatesDir == "" {
 		obj.CertificatesDir = DefaultCertificatesDir
 	}

cmd/kubeadm/app/apis/kubeadm/v1alpha2/types.go

@@ -45,10 +45,6 @@ type MasterConfiguration struct {
 	// NodeName is the name of the node that will host the k8s control plane.
 	// Defaults to the hostname if not provided.
 	NodeName string `json:"nodeName"`
-	// AuthorizationModes is a set of authorization modes used inside the cluster.
-	// If not specified, defaults to Node and RBAC, meaning both the node
-	// authorizer and RBAC are enabled.
-	AuthorizationModes []string `json:"authorizationModes,omitempty"`
 	// NoTaintMaster will, if set, suppress the tainting of the
 	// master node allowing workloads to be run on it (e.g. in
 	// single node configurations).

cmd/kubeadm/app/apis/kubeadm/validation/validation.go

@@ -37,7 +37,6 @@ import (
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	tokenutil "k8s.io/kubernetes/cmd/kubeadm/app/util/token"
 	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
-	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	"k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
 	kubeletscheme "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/scheme"
 	kubeletvalidation "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation"
@@ -49,16 +48,9 @@ import (
 	"k8s.io/kubernetes/pkg/util/node"
 )
 
-// Describes the authorization modes that are enforced by kubeadm
-var requiredAuthzModes = []string{
-	authzmodes.ModeRBAC,
-	authzmodes.ModeNode,
-}
-
 // ValidateMasterConfiguration validates master configuration and collects all encountered errors
 func ValidateMasterConfiguration(c *kubeadm.MasterConfiguration) field.ErrorList {
 	allErrs := field.ErrorList{}
-	allErrs = append(allErrs, ValidateAuthorizationModes(c.AuthorizationModes, field.NewPath("authorizationModes"))...)
 	allErrs = append(allErrs, ValidateNetworking(&c.Networking, field.NewPath("networking"))...)
 	allErrs = append(allErrs, ValidateCertSANs(c.APIServerCertSANs, field.NewPath("apiServerCertSANs"))...)
 	allErrs = append(allErrs, ValidateCertSANs(c.Etcd.ServerCertSANs, field.NewPath("etcd").Child("serverCertSANs"))...)
@@ -102,29 +94,6 @@ func ValidateNodeConfiguration(c *kubeadm.NodeConfiguration) field.ErrorList {
 	return allErrs
 }
 
-// ValidateAuthorizationModes  validates authorization modes and collects all encountered errors
-func ValidateAuthorizationModes(authzModes []string, fldPath *field.Path) field.ErrorList {
-	allErrs := field.ErrorList{}
-	found := map[string]bool{}
-	for _, authzMode := range authzModes {
-		if !authzmodes.IsValidAuthorizationMode(authzMode) {
-			allErrs = append(allErrs, field.Invalid(fldPath, authzMode, "invalid authorization mode"))
-		}
-
-		if found[authzMode] {
-			allErrs = append(allErrs, field.Invalid(fldPath, authzMode, "duplicate authorization mode"))
-			continue
-		}
-		found[authzMode] = true
-	}
-	for _, requiredMode := range requiredAuthzModes {
-		if !found[requiredMode] {
-			allErrs = append(allErrs, field.Required(fldPath, fmt.Sprintf("authorization mode %s must be enabled", requiredMode)))
-		}
-	}
-	return allErrs
-}
-
 // ValidateDiscovery validates discovery related configuration and collects all encountered errors
 func ValidateDiscovery(c *kubeadm.NodeConfiguration) field.ErrorList {
 	allErrs := field.ErrorList{}

cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go

@@ -104,34 +104,6 @@ func TestValidateTokenGroups(t *testing.T) {
 	}
 }
 
-func TestValidateAuthorizationModes(t *testing.T) {
-	var tests = []struct {
-		s        []string
-		f        *field.Path
-		expected bool
-	}{
-		{[]string{""}, nil, false},
-		{[]string{"rBAC"}, nil, false},                               // mode not supported
-		{[]string{"rBAC", "Webhook"}, nil, false},                    // mode not supported
-		{[]string{"RBAC", "Webhook"}, nil, false},                    // mode Node required
-		{[]string{"Node", "RBAC", "Webhook", "Webhook"}, nil, false}, // no duplicates allowed
-		{[]string{"not valid"}, nil, false},                          // invalid mode
-		{[]string{"Node", "RBAC"}, nil, true},                        // supported
-		{[]string{"RBAC", "Node"}, nil, true},                        // supported
-		{[]string{"Node", "RBAC", "Webhook", "ABAC"}, nil, true},     // supported
-	}
-	for _, rt := range tests {
-		actual := ValidateAuthorizationModes(rt.s, rt.f)
-		if (len(actual) == 0) != rt.expected {
-			t.Errorf(
-				"failed ValidateAuthorizationModes:\n\texpected: %t\n\t  actual: %t",
-				rt.expected,
-				(len(actual) == 0),
-			)
-		}
-	}
-}
-
 func TestValidateNodeName(t *testing.T) {
 	var tests = []struct {
 		s        string
@@ -431,7 +403,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 					AdvertiseAddress: "1.2.3.4",
 					BindPort:         6443,
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "10.96.0.1/12",
 					DNSDomain:     "cluster.local",
@@ -445,7 +416,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 					AdvertiseAddress: "1.2.3.4",
 					BindPort:         6443,
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "2001:db8::1/98",
 					DNSDomain:     "cluster.local",
@@ -459,7 +429,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 					AdvertiseAddress: "1.2.3.4",
 					BindPort:         6443,
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "10.96.0.1/12",
 					DNSDomain:     "cluster.local",
@@ -473,7 +442,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 					AdvertiseAddress: "1.2.3.4",
 					BindPort:         6443,
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "10.96.0.1/12",
 					DNSDomain:     "cluster.local",
@@ -515,7 +483,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 						},
 					},
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "10.96.0.1/12",
 					DNSDomain:     "cluster.local",
@@ -557,7 +524,6 @@ func TestValidateMasterConfiguration(t *testing.T) {
 						},
 					},
 				},
-				AuthorizationModes: []string{"Node", "RBAC"},
 				Networking: kubeadm.Networking{
 					ServiceSubnet: "2001:db8::1/98",
 					DNSDomain:     "cluster.local",

cmd/kubeadm/app/cmd/init.go

@@ -252,7 +252,6 @@ func NewInit(cfgPath string, externalcfg *kubeadmapiv1alpha2.MasterConfiguration
 	}
 
 	glog.Infof("[init] using Kubernetes version: %s\n", cfg.KubernetesVersion)
-	glog.Infof("[init] using Authorization modes: %v\n", cfg.AuthorizationModes)
 
 	glog.Infoln("[preflight] running pre-flight checks")
 

cmd/kubeadm/app/constants/constants.go

@@ -275,11 +275,6 @@ var (
 		Effect: v1.TaintEffectNoSchedule,
 	}
 
-	// AuthorizationPolicyPath defines the supported location of authorization policy file
-	AuthorizationPolicyPath = filepath.Join(KubernetesDir, "abac_policy.json")
-	// AuthorizationWebhookConfigPath defines the supported location of webhook config file
-	AuthorizationWebhookConfigPath = filepath.Join(KubernetesDir, "webhook_authz.conf")
-
 	// DefaultTokenUsages specifies the default functions a token will get
 	DefaultTokenUsages = bootstrapapi.KnownTokenUsages
 

cmd/kubeadm/app/phases/upgrade/staticpods_test.go

@@ -46,14 +46,13 @@ const (
 	waitForPodsWithLabel = "wait-for-pods-with-label"
 
 	testConfiguration = `
+apiVersion: kubeadm.k8s.io/v1alpha2
+kind: MasterConfiguration
 api:
   advertiseAddress: 1.2.3.4
   bindPort: 6443
 apiServerCertSANs: null
 apiServerExtraArgs: null
-authorizationModes:
-- Node
-- RBAC
 certificatesDir: %s
 controllerManagerExtraArgs: null
 etcd:
@@ -508,6 +507,7 @@ func getAPIServerHash(dir string) (string, error) {
 	return fmt.Sprintf("%x", sha256.Sum256(fileBytes)), nil
 }
 
+// TODO: Make this test function use the rest of the "official" API machinery helper funcs we have inside of kubeadm
 func getConfig(version, certsDir, etcdDataDir string) (*kubeadmapi.MasterConfiguration, error) {
 	externalcfg := &kubeadmapiv1alpha2.MasterConfiguration{}
 	internalcfg := &kubeadmapi.MasterConfiguration{}

cmd/kubeadm/app/preflight/checks.go

@@ -47,7 +47,6 @@ import (
 	kubeadmdefaults "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha1"
 	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
-	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	"k8s.io/kubernetes/pkg/registry/core/service/ipallocator"
 	"k8s.io/kubernetes/pkg/util/initsystem"
 	"k8s.io/kubernetes/pkg/util/procfs"
@@ -889,16 +888,6 @@ func RunInitMasterChecks(execer utilsexec.Interface, cfg *kubeadmapi.MasterConfi
 		)
 	}
 
-	// Check the config for authorization mode
-	for _, authzMode := range cfg.AuthorizationModes {
-		switch authzMode {
-		case authzmodes.ModeABAC:
-			checks = append(checks, FileExistingCheck{Path: kubeadmconstants.AuthorizationPolicyPath})
-		case authzmodes.ModeWebhook:
-			checks = append(checks, FileExistingCheck{Path: kubeadmconstants.AuthorizationWebhookConfigPath})
-		}
-	}
-
 	if ip := net.ParseIP(cfg.API.AdvertiseAddress); ip != nil {
 		if ip.To4() == nil && ip.To16() != nil {
 			checks = append(checks,

cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml

@@ -3,15 +3,13 @@ API:
   BindPort: 6443
   ControlPlaneEndpoint: ""
 APIServerCertSANs: null
-APIServerExtraArgs: null
+APIServerExtraArgs:
+  authorization-mode: Node,RBAC,Webhook
 APIServerExtraVolumes: null
 AuditPolicyConfiguration:
   LogDir: /var/log/kubernetes/audit
   LogMaxAge: 2
   Path: ""
-AuthorizationModes:
-- Node
-- RBAC
 CIImageRepository: ""
 CRISocket: /var/run/dockershim.sock
 CertificatesDir: /etc/kubernetes/pki

cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1.yaml

@@ -10,6 +10,7 @@ auditPolicy:
 authorizationModes:
 - Node
 - RBAC
+- Webhook
 certificatesDir: /etc/kubernetes/pki
 cloudProvider: ""
 clusterName: kubernetes

cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha1_without_TypeMeta.yaml

@@ -10,6 +10,7 @@ auditPolicy:
 authorizationModes:
 - Node
 - RBAC
+- Webhook
 certificatesDir: /etc/kubernetes/pki
 cloudProvider: ""
 clusterName: kubernetes

cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml

@@ -2,14 +2,13 @@ api:
   advertiseAddress: 192.168.2.2
   bindPort: 6443
   controlPlaneEndpoint: ""
+apiServerExtraArgs:
+  authorization-mode: Node,RBAC,Webhook
 apiVersion: kubeadm.k8s.io/v1alpha2
 auditPolicy:
   logDir: /var/log/kubernetes/audit
   logMaxAge: 2
   path: ""
-authorizationModes:
-- Node
-- RBAC
 certificatesDir: /etc/kubernetes/pki
 clusterName: kubernetes
 criSocket: /var/run/dockershim.sock