authorization_mode is not configurable

jecnua · Sep 5, 2023 · cc3d205 · cc3d205
1 parent aecbb52
commit cc3d205
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 8 deletions.
diff --git a/modules/controllers/00-variables_defaults.tf b/modules/controllers/00-variables_defaults.tf
@@ -65,7 +65,6 @@ variable "userdata_pre_install" {
 }
 
 # By default will install calico as CNI but you can override it to use what you want
-# Example of weave as alternative (remember to escape the "):
 variable "cni_file_location" {
   description = "User-data script that will be applied"
   type        = string
@@ -126,6 +125,12 @@ variable "health_check_grace_period" {
   default     = "300"
 }
 
+variable "authorization_mode"{
+  type        = string
+  description = "API server authorization modes: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#authorization-modules"
+  default     = "Node,RBAC"
+}
+
 //variable "market_options" {
 //  type        = string
 //  description = "Market options for the instances"

diff --git a/modules/controllers/04-asg.tf b/modules/controllers/04-asg.tf
@@ -33,6 +33,7 @@ data "template_file" "bootstrap_k8s_controllers_kubeadm_config" {
     controller_join_token    = var.controller_join_token
     enable_admission_plugins = var.enable_admission_plugins
     load_balancer_dns        = aws_lb.k8s_controllers_external_lb.dns_name # Sign with the NLB name
+    authorization_mode       = var.authorization_mode
   }
 }
 

diff --git a/modules/controllers/CHANGELOG.md b/modules/controllers/CHANGELOG.md
@@ -12,9 +12,9 @@ DO NOT USE 7.0.0. Use this version instead.
 
 - Now controller nodes are tagged with a unique 'Name' tag
 - health_check_type and health_check_grace_period are now variable
-- Creating a new configmap in kube-system to allow the configuration of metric-server https://github.com/kubernetes-sigs/metrics-server/blob/master/KNOWN_ISSUES.md#incorrectly-configured-front-proxy-certificate
 - Port 10250 is now open on all nodes to the internal subnets CIDR to allow metric server to work
 - Added kubectl alias and bash completition just not to have to do it every time :D
+- authorization-mode option for api server can now be modifies (in case you need to add Webhook)
 
 ### Bugfixes
 

diff --git a/modules/controllers/scripts/bootstrap.sh b/modules/controllers/scripts/bootstrap.sh
@@ -218,12 +218,6 @@ EOF
 
 	# Install CNI plugin
 	su "$KCTL_USER" -c "KUBECONFIG=/home/$KCTL_USER/.kube/local kubectl apply -f ${cni_file_location}"
-
-	# Create a configmap for metricServer to use
-	# https://github.com/kubernetes-sigs/metrics-server/blob/master/KNOWN_ISSUES.md#incorrectly-configured-front-proxy-certificate
-	kubectl -nkube-system create configmap front-proxy-ca --from-file=front-proxy-ca.crt=/etc/kubernetes/pki/front-proxy-ca.crt -o yaml \
-		| kubectl -nkube-system replace configmap front-proxy-ca -f -
-
 else
 
 	echo "I am NOT the first controller. I will join the first".

diff --git a/modules/controllers/scripts/kubeadm_config.yaml b/modules/controllers/scripts/kubeadm_config.yaml
@@ -36,6 +36,7 @@ apiServer:
     enable-admission-plugins: ${enable_admission_plugins}
     encryption-provider-config: /etc/kubernetes/etcd-encryption/etcd-enc.yaml
     profiling: "false"
+    authorization-mode: ${authorization_mode}
   extraVolumes:
     - hostPath: /etc/kubernetes/etcd-encryption
       mountPath: /etc/kubernetes/etcd-encryption