Use existing ABAC policy file when upgrading GCE cluster #40172
Conversation
|
This change is |
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/S
| # ABAC_AUTHZ_FILE | ||
| function detect-legacy-abac-file() { | ||
| # This is the location GCE scripts wrote ABAC policy files to prior to 1.6 | ||
| local -r legacy_abac_path="/etc/srv/kubernetes/abac-authz-policy.jsonl" |
There was a problem hiding this comment.
The container-linux scripts put it /srv/kubernetes/abac-authz-policy.jsonl :(
There was a problem hiding this comment.
really? both places I saw it referenced by the apiserver it was at this path
There was a problem hiding this comment.
also, the container-linux scripts didn't exist in release-1.5
k8s-github-robot
added
size/XS
| @@ -900,6 900,9 @@ function start-kube-apiserver { | |||
|
|
|||
|
|
|||
| local authorization_mode="RBAC" | |||
| # Load existing ABAC policy files written by versions < 1.6 of this script | |||
| # TODO: only default to this legacy path when in upgrade mode | |||
| ABAC_AUTHZ_FILE="${ABAC_AUTHZ_FILE:-/etc/srv/kubernetes/abac-authz-policy.jsonl}" | |||
There was a problem hiding this comment.
LGTM for GCI.
I think you'd need the same thing above the corresponding stanza in the container-linux script.
Trusty would be the same as this, but it looks like it isn't being maintained anymore...
Debian sets this up w/ salt (https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase/salt/kube-apiserver) and it appears to still be using ABAC all the time.
Those can be handled in followup PRs.
There was a problem hiding this comment.
The container-linux script didn't exist in 1.5. Is it possible for someone to have an existing install that they upgrade using that script?
There was a problem hiding this comment.
The container-linux script was recently renamed from "coreos". It was heavily refactored after the 1.5 cut (due to my slow review) and I'm not sure if the maintainers are concerned with upgrade compatibility as they are still heavily modifying the script.
|
@k8s-bot test this |
|
@k8s-bot cross build this |
|
/approve |
k8s-github-robot
added
approved
|
[APPROVALNOTIFIER] This PR is APPROVED The following people have approved this PR: roberthbailey Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
tagging based on #40172 (comment) |
liggitt
added
lgtm
|
Automatic merge from submit-queue (batch tested with PRs 38739, 40480, 40495, 40172, 40393) |
When upgrading, continue loading an existing ABAC policy file so that existing system components continue working as-is