diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index 3a44423951531..6dcb6030a5349 100755
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -791,7 +791,7 @@ EOF
 CLOUD_CONFIG=/etc/gce.conf
 fi

- if [[ -n "${CLOUD_CONFIG:-}" ]]; then
+ if [[ -n ${CLOUD_CONFIG:-} ]]; then
 cat <>/etc/salt/minion.d/grains.conf
 cloud_config: ${CLOUD_CONFIG}
 EOF
@@ -799,29 +799,6 @@ EOF
 rm -f /etc/gce.conf
 fi

- if [[ -n "${GCP_AUTHZ_URL:-}" ]]; then
- cat <>/etc/salt/minion.d/grains.conf
- webhook_authorization_config: /etc/gcp_authz.config
-EOF
- cat </etc/gcp_authz.config
-clusters:
- - name: gcp-authorization-server
- cluster:
- server: ${GCP_AUTHZ_URL}
-users:
- - name: kube-apiserver
- user:
- auth-provider:
- name: gcp
-current-context: webhook
-contexts:
-- context:
- cluster: gcp-authorization-server
- user: kube-apiserver
- name: webhook
-EOF
- fi
-
 # If the kubelet on the master is enabled, give it the same CIDR range
 # as a generic node.
 if [[ ! -z "${KUBELET_APISERVER:-}" ]] && [[ ! -z "${KUBELET_CERT:-}" ]] && [[ ! -z "${KUBELET_KEY:-}" ]]; then
diff --git a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
index 956159883f969..81e31b291e2f2 100644
--- a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
+++ b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
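Review bot: The added test `[[ -n ${CLOUD_CONFIG:-} ]]` in the first hunk drops the double quotes that the removed line had and that the `KUBELET_APISERVER` / `KUBELET_CERT` / `KUBELET_KEY` tests visible in the next hunk still use. Inside `[[ ]]` the unquoted expansion is not word-split, so behaviour is unchanged, but the edit is unrelated to the webhook removal and leaves the file's quoting inconsistent. I would keep `if [[ -n "${CLOUD_CONFIG:-}" ]]; then` so this line drops out of the diff entirely. The enclosing function starts and ends outside the hunk.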
@@ -83,16 +83,6 @@
 {% set abac_policy_file = " --authorization-policy-file=/srv/kubernetes/abac-authz-policy.jsonl" -%}
 {% endif -%}

-{% set webhook_authorization_config = "" -%}
-{% set webhook_config_mount = "" -%}
-{% set webhook_config_volume = "" -%}
-{% if grains.webhook_authorization_config is defined -%}
- {% set webhook_authorization_config = " --authorization-webhook-config-file=" + grains.webhook_authorization_config -%}
- {% set webhook_config_mount = "{\"name\": \"webhookconfigmount\",\"mountPath\": \"" + grains.webhook_authorization_config + "\", \"readOnly\": false}," -%}
- {% set webhook_config_volume = "{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"" + grains.webhook_authorization_config + "\"}}," -%}
- {% set authz_mode = authz_mode + ",Webhook" -%}
-{% endif -%}
-
 {% set admission_control = "" -%}
 {% if pillar['admission_control'] is defined -%}
 {% set admission_control = "--admission-control=" + pillar['admission_control'] -%}
@@ -109,7 +99,7 @@
 {% endif -%}

 {% set params = address + " " + etcd_servers + " " + etcd_servers_overrides + " " + cloud_provider + " " + cloud_config + " " + runtime_config + " " + admission_control + " " + service_cluster_ip_range + " " + client_ca_file + basic_auth_file + " " + min_request_timeout -%}
-{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file + webhook_authorization_config-%}
+{% set params = params + " " + cert_file + " " + key_file + " --secure-port=" + secure_port + token_auth_file + " " + bind_address + " " + log_level + " " + advertise_address + " " + proxy_ssh_options + authz_mode + abac_policy_file -%}

 # test_args has to be kept at the end, so they'll overwrite any prior configuration
 {% if pillar['apiserver_test_args'] is defined -%}
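Review bot: On the rewritten `params` line the authorization flags are now only `authz_mode + abac_policy_file`, and the hunk above drops the branch that appended `,Webhook` to `authz_mode`, so a deployment that still sets `GCP_AUTHZ_URL` would apparently come up without the webhook authorizer and without any message. Where `authz_mode` is first assigned is outside these hunks, so the resulting authorization mode cannot be confirmed from here. I would document this at the line with a comment in the file's existing `#` style, for example `# authorization flags: authz_mode and abac_policy_file only; the webhook authorizer is no longer wired in from grains`. Operators who relied on the webhook should also be told explicitly that the variable is now ignored.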
@@ -162,7 +152,6 @@
 ],
 "volumeMounts": [
 {{cloud_config_mount}}
- {{webhook_config_mount}}
 {{additional_cloud_config_mount}}
 { "name": "srvkube",
 "mountPath": "{{srv_kube_path}}",
@@ -190,7 +179,6 @@
 ],
 "volumes":[
 {{cloud_config_volume}}
- {{webhook_config_volume}}
 {{additional_cloud_config_volume}}
 { "name": "srvkube",
 "hostPath": {