From 92d038062e4c53bd6f61dd10060f91dba88f19cd Mon Sep 17 00:00:00 2001 From: Matthew Mosesohn Date: Sat, 14 Oct 2017 11:28:46 +0100 Subject: [PATCH] Fix node authorization for cloudprovider installs (#1794) In 1.8, the Node authorization mode should be listed first to allow kubelet to access secrets. This seems to only impact environments with cloudprovider enabled. --- docs/vars.md | 5 +++-- roles/kubespray-defaults/defaults/main.yaml | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/vars.md b/docs/vars.md index 0b9370700..3303f6bcb 100644 --- a/docs/vars.md +++ b/docs/vars.md @@ -72,8 +72,9 @@ following default cluster paramters: alpha/experimental Kubernetes features. (defaults is `[]`) * *authorization_modes* - A list of [authorization mode]( https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module) - that the cluster should be configured for. Defaults to `['RBAC', 'Node']` (RBAC and Node authorizers). - Note: `RBAC` is enabled by default. Previously deployed clusters can be + that the cluster should be configured for. Defaults to `['Node', 'RBAC']` + (Node and RBAC authorizers). + Note: `Node` and `RBAC` are enabled by default. Previously deployed clusters can be converted to RBAC mode. However, your apps which rely on Kubernetes API will require a service account and cluster role bindings. You can override this setting by setting authorization_modes to `[]`. diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index f8d4e99c5..9b5eced94 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml 
@@ -147,8 +147,8 @@ openstack_lbaas_enabled: false
 ## List of authorization modes that must be configured for
 ## the k8s cluster. Only 'AlwaysAllow', 'AlwaysDeny', 'Node' and
-## 'RBAC' modes are tested.
-authorization_modes: ['RBAC', 'Node']
+## 'RBAC' modes are tested. Order is important.
+authorization_modes: ['Node', 'RBAC']
 rbac_enabled: "{{ 'RBAC' in authorization_modes or kubeadm_enabled }}"
 ## List of key=value pairs that describe feature gates for
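Review bot: The new comment `Order is important.` above `authorization_modes` does not say which order is required or why, so an inventory that still overrides the variable with `['RBAC', 'Node']` keeps the behaviour this commit fixes and nothing warns about it. Going by the commit message, `Node` has to come first on 1.8 so that kubelets can access their secrets; I would spell that out, e.g. `## 'Node' must be listed before 'RBAC' so kubelets can access their secrets (Kubernetes 1.8+).` Since this list determines how the API server authorizes every request, the comment could also state that `AlwaysAllow` turns authorization checks off entirely and is not meant for production clusters. A preflight assert on the ordering when both modes are present would catch stale overrides, but that check would live outside this hunk.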