Add anonymous-auth to flags gated on empty authorization-config value

Also warn if default flags are not set due to user provided config

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Brad Davidson 2025-05-06 20:02:26 +00:00 committed by Brad Davidson
parent b15af84e4a
commit 921e502918
2 changed files with 4 additions and 2 deletions


@ -208,7 +208,9 @@ func apiServer(ctx context.Context, cfg *config.Control) error {
argsMap["allow-privileged"] = "true"
argsMap["enable-bootstrap-token-auth"] = "true"
if authConfigFile := util.ArgValue("authorization-config", cfg.ExtraAPIArgs); authConfigFile == "" {
logrus.Warn("Not setting kube-apiserver 'authorization-mode' and 'anonymous-auth' flags due to user-provided 'authorization-config' file.")
argsMap["authorization-mode"] = strings.Join([]string{modes.ModeNode, modes.ModeRBAC}, ",")
argsMap["anonymous-auth"] = "false"
}
argsMap["service-account-signing-key-file"] = runtime.ServiceCurrentKey
argsMap["service-cluster-ip-range"] = util.JoinIPNets(cfg.ServiceIPRanges)
@ -249,7 +251,6 @@ func apiServer(ctx context.Context, cfg *config.Control) error {
argsMap["requestheader-username-headers"] = "X-Remote-User"
argsMap["client-ca-file"] = runtime.ClientCA
argsMap["enable-admission-plugins"] = "NodeRestriction"
argsMap["anonymous-auth"] = "false"
argsMap["profiling"] = "false"
if cfg.EncryptSecrets {
argsMap["encryption-provider-config"] = runtime.EncryptionConfig
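Review bot: The new `logrus.Warn` call in the first hunk sits inside the `authConfigFile == ""` branch, so as rendered here it fires when no `authorization-config` was supplied and the defaults are being applied, and stays silent in the case its message describes. The +2 line count of that hunk leaves no room for an else branch; moving the call into one (`} else {` before the `logrus.Warn(...)` line) would match the commit description. Because the second hunk removes the unconditional `argsMap["anonymous-auth"] = "false"`, a server started with a user-provided authorization config falls back to the kube-apiserver default for `--anonymous-auth`, which is enabled, unless the operator sets it explicitly. The warning is the only signal of that, so it should be reachable, and its text should say that anonymous authentication is no longer disabled by k3s in this case. `apiServer` starts and ends outside both hunks.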


@ -112,11 +112,12 @@ func Test_UnitServer(t *testing.T) {
executor := mock.NewExecutorWithEmbeddedETCD(t)
// authorization-mode should not be set when user sets --authorization-config
// authorization-mode and anonymous-auth should not be set when user sets --authorization-config
control.ExtraAPIArgs = []string{"authorization-config=/dev/null"}
matchAuthArgs := mock.GM(And(
ContainElement(ContainSubstring("--authorization-config")),
Not(ContainElement(ContainSubstring("--authorization-mode"))),
Not(ContainElement(ContainSubstring("--anonymous-auth"))),
))
// leader-elect should be disabled when using kine+sqlite