@@ -99,8 +99,6 @@ ENABLE_TRACING=${ENABLE_TRACING:-false}
9999# enable Kubernetes-CSI snapshotter
100100ENABLE_CSI_SNAPSHOTTER=${ENABLE_CSI_SNAPSHOTTER:- false}
101101
102- # RBAC Mode options
103- AUTHORIZATION_MODE=${AUTHORIZATION_MODE:- " Node,RBAC"
104102KUBECONFIG_TOKEN=${KUBECONFIG_TOKEN:- " "
105103AUTH_ARGS=${AUTH_ARGS:- " "
106104
@@ -494,10 +492,19 @@ function start_apiserver {
494492 # Append security_admission plugin
495493 ENABLE_ADMISSION_PLUGINS=" ${ENABLE_ADMISSION_PLUGINS}${security_admission} "
496494
497- authorizer_arg=" "
498- if [[ -n " ${AUTHORIZATION_MODE} " ; then
499- authorizer_arg=" --authorization-mode=${AUTHORIZATION_MODE} "
495+ authorizer_args=()
496+ if [[ -n " ${AUTHORIZATION_CONFIG:- } " ; then
497+ authorizer_args+=(" --authorization-config=${AUTHORIZATION_CONFIG} "
498+ else
499+ if [[ -n " ${AUTHORIZATION_MODE:- Node,RBAC} " ; then
500+ authorizer_args+=(" --authorization-mode=${AUTHORIZATION_MODE:- Node,RBAC} "
501+ fi
502+ authorizer_args+=(
503+ " --authorization-webhook-config-file=${AUTHORIZATION_WEBHOOK_CONFIG_FILE} "
504+ " --authentication-token-webhook-config-file=${AUTHENTICATION_WEBHOOK_CONFIG_FILE} "
505+ )
500506 fi
507+
501508 priv_arg=" "
502509 if [[ -n " ${ALLOW_PRIVILEGED} " ; then
503510 priv_arg=" --allow-privileged=${ALLOW_PRIVILEGED} "
@@ -570,16 +577,14 @@ EOF
570577
571578 APISERVER_LOG=${LOG_DIR} /kube-apiserver.log
572579 # shellcheck disable=SC2086
573- ${CONTROLPLANE_SUDO} " ${GO_OUT} /kube-apiserver" " ${authorizer_arg } " " ${priv_arg} " ${runtime_config} \
580+ ${CONTROLPLANE_SUDO} " ${GO_OUT} /kube-apiserver" " ${authorizer_args[@] } " " ${priv_arg} " ${runtime_config} \
574581 ${cloud_config_arg} \
575582 " ${advertise_address} "
576583 " ${node_port_range} "
577584 --v=" ${LOG_LEVEL} "
578585 --vmodule=" ${LOG_SPEC} "
579586 --audit-policy-file=" ${AUDIT_POLICY_FILE} "
580587 --audit-log-path=" ${LOG_DIR} /kube-apiserver-audit.log"
581- --authorization-webhook-config-file=" ${AUTHORIZATION_WEBHOOK_CONFIG_FILE} "
582- --authentication-token-webhook-config-file=" ${AUTHENTICATION_WEBHOOK_CONFIG_FILE} "
583588 --cert-dir=" ${CERT_DIR} "
584589 --egress-selector-config-file=" ${EGRESS_SELECTOR_CONFIG_FILE:- } "
585590 --client-ca-file=" ${CERT_DIR} /client-ca.crt"
@@ -613,14 +618,15 @@ EOF
613618 --cors-allowed-origins=" ${API_CORS_ALLOWED_ORIGINS} " > " ${APISERVER_LOG} " 2>&1 &
614619 APISERVER_PID=$!
615620
621+ # Create kubeconfigs for all components, using client certs
622+ kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
623+ ${CONTROLPLANE_SUDO} chown " ${USER} " " ${CERT_DIR} /client-admin.key" # make readable for kubectl
624+
616625 # Wait for kube-apiserver to come up before launching the rest of the components.
617626 echo " Waiting for apiserver to come up"
618627 kube::util::wait_for_url " https://${API_HOST_IP} :${API_SECURE_PORT} /healthz" " apiserver: " " ${WAIT_FOR_URL_API_SERVER} " " ${MAX_TIME_FOR_URL_API_SERVER} "
619628 || { echo " check apiserver logs: ${APISERVER_LOG} " ; exit 1 ; }
620629
621- # Create kubeconfigs for all components, using client certs
622- kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
623- ${CONTROLPLANE_SUDO} chown " ${USER} " " ${CERT_DIR} /client-admin.key" # make readable for kubectl
624630 kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
625631 kube::util::write_client_kubeconfig " ${CONTROLPLANE_SUDO} " " ${CERT_DIR} " " ${ROOT_CA_FILE} " " ${API_HOST} " " ${API_SECURE_PORT} "
626632
0 commit comments