Merge pull request kubernetes#25530 from kubernetes/revert-25296-gcpa…

…uthz Revert "Add configuration for GCP webhook authorization."
332054781 · May 12, 2016 · 2682208 · 2682208
2 parents 2706df1 + bfb49d0
commit 2682208
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 37 deletions.
diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
@@ -791,37 +791,14 @@ EOF
     CLOUD_CONFIG=/etc/gce.conf
   fi
 
-  if [[ -n "${CLOUD_CONFIG:-}" ]]; then
+  if [[ -n ${CLOUD_CONFIG:-} ]]; then
   cat <<EOF >>/etc/salt/minion.d/grains.conf
   cloud_config: ${CLOUD_CONFIG}
 EOF
   else
     rm -f /etc/gce.conf
   fi
 
-  if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
-    cat <<EOF >>/etc/salt/minion.d/grains.conf
-  webhook_authorization_config: /etc/gcp_authz.config
-EOF
-    cat <<EOF >/etc/gcp_authz.config
-clusters:
-  - name: gcp-authorization-server
-    cluster:
-      server: ${GCP_AUTHZ_URL}
-users:
-  - name: kube-apiserver
-    user:
-      auth-provider:
-        name: gcp
-current-context: webhook
-contexts:
-- context:
-    cluster: gcp-authorization-server
-    user: kube-apiserver
-  name: webhook
-EOF
-  fi
-
   # If the kubelet on the master is enabled, give it the same CIDR range
   # as a generic node.
   if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then

diff --git a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
@@ -83,16 +83,6 @@
   {% set abac_policy_file = " --authorization-policy-file=/srv/kubernetes/abac-authz-policy.jsonl" -%}
 {% endif -%}
 
-{% set webhook_authorization_config = "" -%}
-{% set webhook_config_mount = "" -%}
-{% set webhook_config_volume = "" -%}
-{% if grains.webhook_authorization_config is defined -%}
-  {% set webhook_authorization_config = " --authorization-webhook-config-file=" + grains.webhook_authorization_config -%}
-  {% set webhook_config_mount = "{\"name\": \"webhookconfigmount\",\"mountPath\": \"" + grains.webhook_authorization_config + "\", \"readOnly\": false}," -%}
-  {% set webhook_config_volume = "{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"" + grains.webhook_authorization_config + "\"}}," -%}
-  {% set authz_mode = authz_mode + ",Webhook" -%}
-{% endif -%}
-
 {% set admission_control = "" -%}
 {% if pillar['admission_control'] is defined -%}
  {% set admission_control = "--admission-control=" + pillar['admission_control'] -%}
@@ -109,7 +99,7 @@
 {% endif -%}
 
 {% set params = address + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout -%}
-{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address  + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authorization_config-%}
+{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address  + " " + proxy_ssh_options + authz_mode + abac_policy_file -%}
 
 # test_args has to be kept at the end, so they'll overwrite any prior configuration
 {% if pillar['apiserver_test_args'] is defined -%}
@@ -162,7 +152,6 @@
         ],
     "volumeMounts": [
         {{cloud_config_mount}}
-        {{webhook_config_mount}}
         {{additional_cloud_config_mount}}
         { "name": "srvkube",
         "mountPath": "{{srv_kube_path}}",
@@ -190,7 +179,6 @@
 ],
 "volumes":[
   {{cloud_config_volume}}
-  {{webhook_config_volume}}
   {{additional_cloud_config_volume}}
   { "name": "srvkube",
     "hostPath": {