mirror of https://github.com/k3s-io/k3s
1e879c69ec
Automatic merge from submit-queue (batch tested with PRs 43546, 43544) Default to enabling legacy ABAC policy in non-test kube-up.sh environments Fixes https://github.com/kubernetes/kubernetes/issues/43541 In 1.5, we unconditionally stomped the abac policy file if KUBE_USER was set, and unconditionally used ABAC mode pointing to that file. In 1.6, unless the user opts out (via `ENABLE_LEGACY_ABAC=false`), we want the same legacy policy included as a fallback to RBAC. This PR: * defaults legacy ABAC **on** in normal deployments * defaults legacy ABAC **on** in upgrade E2Es (ensures combination of ABAC and RBAC works properly for upgraded clusters) * defaults legacy ABAC **off** in non-upgrade E2Es (ensures e2e tests 1.6+ run with tightened permissions, and that default RBAC roles cover the required core components) GKE changes to drive the `ENABLE_LEGACY_ABAC` envvar were made by @cjcullen out of band ```release-note `kube-up.sh` using the `gce` provider enables both RBAC authorization and the permissive legacy ABAC policy that makes all service accounts superusers. To opt out of the permissive ABAC policy, export the environment variable `ENABLE_LEGACY_ABAC=false` before running `cluster/kube-up.sh`. ``` |
||
|---|---|---|
| .. | ||
| container-linux | ||
| debian | ||
| gci | ||
| BUILD | ||
| OWNERS | ||
| config-common.sh | ||
| config-default.sh | ||
| config-test.sh | ||
| configure-vm.sh | ||
| cos | ||
| delete-stranded-load-balancers.sh | ||
| list-resources.sh | ||
| upgrade.sh | ||
| util.sh | ||