From cc3d205b318d138515c374195e311e84a4728e74 Mon Sep 17 00:00:00 2001
From: jecnua
Date: Tue, 5 Sep 2023 15:52:32 +0100
Subject: [PATCH] authorization_mode is not configurable
---
 modules/controllers/00-variables_defaults.tf | 7 ++++++-
 modules/controllers/04-asg.tf | 1 +
 modules/controllers/CHANGELOG.md | 2 +-
 modules/controllers/scripts/bootstrap.sh | 6 ------
 modules/controllers/scripts/kubeadm_config.yaml | 1 +
 5 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/modules/controllers/00-variables_defaults.tf b/modules/controllers/00-variables_defaults.tf
index 0d0356d..ea30857 100644
--- a/modules/controllers/00-variables_defaults.tf
+++ b/modules/controllers/00-variables_defaults.tf
@@ -65,7 +65,6 @@ variable "userdata_pre_install" {
 }
 # By default will install calico as CNI but you can override it to use what you want
-# Example of weave as alternative (remember to escape the "):
 variable "cni_file_location" {
 description = "User-data script that will be applied"
 type = string
@@ -126,6 +125,12 @@ variable "health_check_grace_period" {
 default = "300"
 }
+variable "authorization_mode"{
+ type = string
+ description = "API server authorization modes: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#authorization-modules"
+ default = "Node,RBAC"
+}
+
 //variable "market_options" {
 // type = string
 // description = "Market options for the instances"
diff --git a/modules/controllers/04-asg.tf b/modules/controllers/04-asg.tf
index cb8bcbd..4437112 100644
--- a/modules/controllers/04-asg.tf
+++ b/modules/controllers/04-asg.tf
@@ -33,6 +33,7 @@ data "template_file" "bootstrap_k8s_controllers_kubeadm_config" {
 controller_join_token = var.controller_join_token
 enable_admission_plugins = var.enable_admission_plugins
 load_balancer_dns = aws_lb.k8s_controllers_external_lb.dns_name # Sign with the NLB name
+ authorization_mode = var.authorization_mode
 }
 }
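Review bot: The new `authorization_mode` variable in the second hunk of 00-variables_defaults.tf accepts any string and is passed straight through the template vars added in the 04-asg.tf hunk into the kubeadm config, so a typo or an `AlwaysAllow` value reaches kube-apiserver unchecked; a `validation` block restricting the value to a comma-separated list of known authorizers would catch that at plan time. If the module targets Terraform 0.13 or later (its `required_version` is not visible here), the block below does that and deliberately excludes `AlwaysAllow`, since that mode turns authorization off for every request. The header `variable "authorization_mode"{` is also missing the space before `{`, and the `=` alignment does not match the neighbouring variables; `terraform fmt` would fix both.
```hcl
variable "authorization_mode" {
  type        = string
  description = "API server authorization modes: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#authorization-modules"
  default     = "Node,RBAC"

  # Authorizers are consulted in the order listed (see the linked doc). AlwaysAllow is
  # rejected here because it disables authorization entirely.
  validation {
    condition     = can(regex("^(Node|RBAC|ABAC|Webhook|AlwaysDeny)(,(Node|RBAC|ABAC|Webhook|AlwaysDeny))*$", var.authorization_mode))
    error_message = "authorization_mode must be a comma-separated list of Node, RBAC, ABAC, Webhook or AlwaysDeny."
  }
}
```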
diff --git a/modules/controllers/CHANGELOG.md b/modules/controllers/CHANGELOG.md
index 7c214e1..a511f3d 100644
--- a/modules/controllers/CHANGELOG.md
+++ b/modules/controllers/CHANGELOG.md
@@ -12,9 +12,9 @@ DO NOT USE 7.0.0. Use this version instead.
 - Now controller nodes are tagged with a unique 'Name' tag
 - health_check_type and health_check_grace_period are now variable
-- Creating a new configmap in kube-system to allow the configuration of metric-server https://github.com/kubernetes-sigs/metrics-server/blob/master/KNOWN_ISSUES.md#incorrectly-configured-front-proxy-certificate
 - Port 10250 is now open on all nodes to the internal subnets CIDR to allow metric server to work
 - Added kubectl alias and bash completition just not to have to do it every time :D
+- authorization-mode option for api server can now be modifies (in case you need to add Webhook)
 ### Bugfixes
diff --git a/modules/controllers/scripts/bootstrap.sh b/modules/controllers/scripts/bootstrap.sh
index d4fa0b5..6d23b30 100644
--- a/modules/controllers/scripts/bootstrap.sh
+++ b/modules/controllers/scripts/bootstrap.sh
@@ -218,12 +218,6 @@ EOF
 # Install CNI plugin
 su "$KCTL_USER" -c "KUBECONFIG=/home/$KCTL_USER/.kube/local kubectl apply -f ${cni_file_location}"
-
- # Create a configmap for metricServer to use
- # https://github.com/kubernetes-sigs/metrics-server/blob/master/KNOWN_ISSUES.md#incorrectly-configured-front-proxy-certificate
- kubectl -nkube-system create configmap front-proxy-ca --from-file=front-proxy-ca.crt=/etc/kubernetes/pki/front-proxy-ca.crt -o yaml \
- | kubectl -nkube-system replace configmap front-proxy-ca -f -
-
 else
 echo "I am NOT the first controller. I will join the first".
diff --git a/modules/controllers/scripts/kubeadm_config.yaml b/modules/controllers/scripts/kubeadm_config.yaml
index 498baff..0bee047 100644
--- a/modules/controllers/scripts/kubeadm_config.yaml
+++ b/modules/controllers/scripts/kubeadm_config.yaml
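Review bot: The deletion of the `front-proxy-ca` configmap step in the bootstrap.sh hunk is unrelated to the `authorization_mode` change the subject describes, and the only trace of the reason is the matching line dropped from the CHANGELOG feature list, so a reader of this history cannot tell whether the metrics-server workaround became unnecessary or moved elsewhere. Splitting it into its own commit, or at least adding a CHANGELOG line that states the reason, e.g. `- Removed the front-proxy-ca configmap previously created for metrics-server (<reason>)`, would make the intent explicit. The `if`/`else` statement this hunk cuts through starts before the hunk and its `else` branch continues after it.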
@@ -36,6 +36,7 @@ apiServer:
 enable-admission-plugins: ${enable_admission_plugins}
 encryption-provider-config: /etc/kubernetes/etcd-encryption/etcd-enc.yaml
 profiling: "false"
+ authorization-mode: ${authorization_mode}
 extraVolumes:
 - hostPath: /etc/kubernetes/etcd-encryption
 mountPath: /etc/kubernetes/etcd-encryption
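Review bot: The added `authorization-mode: ${authorization_mode}` line renders the Terraform variable into YAML unquoted, while the neighbouring `profiling: "false"` quotes its value; `template_file` performs no escaping, so a value containing `:` or ` #` would corrupt the kubeadm config at bootstrap, and a value that YAML types as something other than a string would be rejected the same way an unquoted `false` would. Quoting it, `authorization-mode: "${authorization_mode}"`, keeps the interpolation robust and matches the file's existing style for string arguments. Assuming this sits under `apiServer.extraArgs` (the key is outside the hunk), it replaces kubeadm's own default for the flag, which is worth a comment on the line, e.g. `# overrides kubeadm's default authorization mode; see variable authorization_mode`. The `apiServer:` block this hunk belongs to starts outside the hunk.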