upstream/k3s
1
0
Fork 0
mirror of https://github.com/k3s-io/k3s.git synced 2026-05-28 04:34:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Fix authorization-config/authentication-config handling

Browse source 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This commit is contained in:
Brad Davidson 2025-05-14 18:40:31 +00:00 committed by Brad Davidson
parent effe6ce019
commit cb889d41f2
2 changed files with 11 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
pkg/daemons/control/server.go
View file

@ -211,10 +211,15 @@ func apiServer(ctx context.Context, cfg *config.Control) error {
argsMap["cert-dir"] = certDir
argsMap["allow-privileged"] = "true"
argsMap["enable-bootstrap-token-auth"] = "true"
if authConfigFile := util.ArgValue("authorization-config", cfg.ExtraAPIArgs); authConfigFile == "" {
logrus.Warn("Not setting kube-apiserver 'authorization-mode' and 'anonymous-auth' flags due to user-provided 'authorization-config' file.")
if util.ArgValue("authorization-config", cfg.ExtraAPIArgs) == "" {
argsMap["authorization-mode"] = strings.Join([]string{modes.ModeNode, modes.ModeRBAC}, ",")
} else {
logrus.Warn("Not setting kube-apiserver 'authorization-mode' flag due to user-provided 'authorization-config' file.")
}
if util.ArgValue("authentication-config", cfg.ExtraAPIArgs) == "" {
argsMap["anonymous-auth"] = "false"
} else {
logrus.Warn("Not setting kube-apiserver 'anonymous-auth' flag due to user-provided 'authentication-config' file.")
}
argsMap["service-account-signing-key-file"] = runtime.ServiceCurrentKey
argsMap["service-cluster-ip-range"] = util.JoinIPNets(cfg.ServiceIPRanges)

7
pkg/daemons/control/server_test.go
View file

@ -103,7 +103,7 @@ func Test_UnitServer(t *testing.T) {
},
},
{
name: "ControlPlane+Kine with authorization-config",
name: "ControlPlane+Kine with auth config",
setup: func(ctx context.Context, t *testing.T) (*config.Control, error) {
control, err := mockControl(ctx, t, false)
if err != nil {
@ -114,10 +114,11 @@ func Test_UnitServer(t *testing.T) {
executor := mock.NewExecutorWithEmbeddedETCD(t)
// authorization-mode and anonymous-auth should not be set when user sets --authorization-config
control.ExtraAPIArgs = []string{"authorization-config=/dev/null"}
// authorization-mode and anonymous-auth should not be set when user sets --authorization-config and --authentication-config
control.ExtraAPIArgs = []string{"authorization-config=/dev/null", "authentication-config=/dev/null"}
matchAuthArgs := mock.GM(And(
ContainElement(ContainSubstring("--authorization-config")),
ContainElement(ContainSubstring("--authentication-config")),
Not(ContainElement(ContainSubstring("--authorization-mode"))),
Not(ContainElement(ContainSubstring("--anonymous-auth"))),
))