From e44c876276dc3dbdd2543bd66938627ec99ddf92 Mon Sep 17 00:00:00 2001
From: CJ Cullen
Date: Fri, 25 Aug 2017 13:56:48 -0700
Subject: [PATCH] Default ABAC to off in GCE/GKE (for new clusters).

---
 cluster/common.sh | 1 +
 cluster/gce/config-default.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/cluster/common.sh b/cluster/common.sh
index c6ac31d591..bdd6a1163f 100755
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -1270,6 +1270,7 @@ function parse-master-env() {
 REQUESTHEADER_CA_CERT_BASE64=$(get-env-val "${master_env}" "REQUESTHEADER_CA_CERT")
 PROXY_CLIENT_CERT_BASE64=$(get-env-val "${master_env}" "PROXY_CLIENT_CERT")
 PROXY_CLIENT_KEY_BASE64=$(get-env-val "${master_env}" "PROXY_CLIENT_KEY")
+ ENABLE_LEGACY_ABAC=$(get-env-val "${master_env}" "ENABLE_LEGACY_ABAC")
 }

 # Update or verify required gcloud components are installed
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 2e10b9b0fb..6bbdbde84e 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -266,7 +266,7 @@ SCHEDULING_ALGORITHM_PROVIDER="${SCHEDULING_ALGORITHM_PROVIDER:-}"
 ENABLE_DEFAULT_STORAGE_CLASS="${ENABLE_DEFAULT_STORAGE_CLASS:-true}"

 # Optional: Enable legacy ABAC policy that makes all service accounts superusers.
-ENABLE_LEGACY_ABAC="${ENABLE_LEGACY_ABAC:-true}" # true, false
+ENABLE_LEGACY_ABAC="${ENABLE_LEGACY_ABAC:-false}" # true, false

 # TODO(dawn1107): Remove this once the flag is built into CVM image.
 # Kernel panic upon soft lockup issue
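Review bot: The added `ENABLE_LEGACY_ABAC=$(get-env-val "${master_env}" "ENABLE_LEGACY_ABAC")` line in parse-master-env assigns unconditionally, so a value the operator exported to switch legacy ABAC off is replaced by whatever the existing master recorded. A master env that lacks the key presumably yields an empty string rather than the new `false` default; get-env-val is not visible here, so that should be confirmed. If carrying the old setting across an upgrade is the intent, state it in a comment such as `# Keep the running master's ABAC setting on upgrade; only new clusters get the false default.` and normalise an empty result with `ENABLE_LEGACY_ABAC="${ENABLE_LEGACY_ABAC:-false}"` directly after the assignment. The function body starts outside the hunk, so the other keys it restores were not reviewed.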
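Review bot: The comment above `ENABLE_LEGACY_ABAC` in cluster/gce/config-default.sh still describes the option neutrally, although `true` makes every service account a superuser and the commit title limits the new default to new clusters. I would extend it to record the default and the consequence, for example `# Optional: Enable legacy ABAC policy that makes all service accounts superusers. Off by default; with it off, workloads need explicit RBAC grants.` If the cluster/common.sh change in this commit is meant to keep the previous value on existing clusters, that belongs in the same comment, since the `:-false` fallback alone suggests every cluster ends up with ABAC off.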