add MinimumKubeletVersion authorization-mode if feature is on

haircommander · haircommander · commit e4c99d6c21ef · 2024-12-19T09:50:08.000-05:00
Signed-off-by: Peter Hunt &lt;pehunt@redhat.com&gt;
diff --git a/pkg/cmd/render/render.go b/pkg/cmd/render/render.go
@@ -22,6 +22,7 @@ import (
 	"github.com/openshift/cluster-kube-apiserver-operator/bindata"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/apienablement"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/auth"
+	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/node"
 	libgoaudit "github.com/openshift/library-go/pkg/operator/apiserver/audit"
 	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	genericrender "github.com/openshift/library-go/pkg/operator/render"
@@ -357,6 +358,12 @@ func bootstrapDefaultConfig(featureGates featuregates.FeatureGate) ([]byte, erro
 		}
 	}
 
+	if featureGates.Enabled(features.FeatureGateMinimumKubeletVersion) {
+		if err := node.SetAPIServerArgumentsToEnforceMinimumKubeletVersion(defaultConfig, true); err != nil {
+			return nil, err
+		}
+	}
+
 	defaultConfigRaw, err := json.Marshal(defaultConfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal default config - %s", err)
diff --git a/pkg/cmd/render/render_test.go b/pkg/cmd/render/render_test.go
@@ -264,7 +264,7 @@ func TestRenderCommand(t *testing.T) {
 				if !ok {
 					return fmt.Errorf("missing \"feature-gates\" entry in APIServerArguments")
 				}
-				expectedGates := []string{"Bar=false", "Foo=true", "OpenShiftPodSecurityAdmission=true"}
+				expectedGates := []string{"Bar=false", "Foo=true", "OpenShiftPodSecurityAdmission=true", "MinimumKubeletVersion=true"}
 				if len(actualGates) != len(expectedGates) {
 					return fmt.Errorf("expected to get exactly %d feature gates but found %d: expected=%v got=%v", len(expectedGates), len(actualGates), expectedGates, actualGates)
 				}
@@ -675,7 +675,7 @@ spec:
 }
 
 func TestGetDefaultConfigWithAuditPolicy(t *testing.T) {
-	raw, err := bootstrapDefaultConfig(featuregates.NewFeatureGate([]configv1.FeatureGateName{features.FeatureGateOpenShiftPodSecurityAdmission}, nil))
+	raw, err := bootstrapDefaultConfig(featuregates.NewFeatureGate([]configv1.FeatureGateName{features.FeatureGateOpenShiftPodSecurityAdmission, features.FeatureGateMinimumKubeletVersion}, nil))
 	require.NoError(t, err)
 	require.True(t, len(raw) > 0)
 
diff --git a/pkg/cmd/render/testdata/rendered/default-fg/featuregate.yaml b/pkg/cmd/render/testdata/rendered/default-fg/featuregate.yaml
@@ -8,5 +8,6 @@ status:
     enabled:
     - name: Foo
     - name: OpenShiftPodSecurityAdmission
+    - name: MinimumKubeletVersion
     disabled:
     - name: Bar
diff --git a/pkg/operator/configobservation/configobservercontroller/observe_config_controller.go b/pkg/operator/configobservation/configobservercontroller/observe_config_controller.go
@@ -158,6 +158,7 @@ func NewConfigObserver(operatorClient v1helpers.StaticPodOperatorClient, kubeInf
 				},
 			),
 			node.NewMinimumKubeletVersionObserver(featureGateAccessor),
+			node.NewAuthorizationModeObserver(featureGateAccessor),
 			proxy.NewProxyObserveFunc([]string{"targetconfigcontroller", "proxy"}),
 			images.ObserveInternalRegistryHostname,
 			images.ObserveExternalRegistryHostnames,
diff --git a/pkg/operator/configobservation/node/observe_minimum_kubelet_version.go b/pkg/operator/configobservation/node/observe_minimum_kubelet_version.go
@@ -1,6 +1,8 @@
 package node
 
 import (
+	"sort"
+
 	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/api/features"
 	"github.com/openshift/library-go/pkg/operator/configobserver"
@@ -11,7 +13,16 @@ import (
 	"k8s.io/klog/v2"
 )
 
-var minimumKubeletVersionConfigPath = "minimumKubeletVersion"
+var (
+	ModeMinimumKubeletVersion       = "MinimumKubeletVersion"
+	minimumKubeletVersionConfigPath = "minimumKubeletVersion"
+	authModeFlag                    = "authorization-mode"
+	apiServerArgs                   = "apiServerArguments"
+	authModePath                    = []string{apiServerArgs, authModeFlag}
+	// The default value for apiServerArguments.authorization-mode.
+	// Should be synced with bindata/assets/config/defaultconfig.yaml
+	DefaultAuthorizationModes = []string{"Scope", "SystemMasters", "RBAC", "Node"}
+)
 
 type minimumKubeletVersionObserver struct {
 	featureGateAccessor featuregates.FeatureGateAccess
@@ -31,7 +42,6 @@ func (o *minimumKubeletVersionObserver) ObserveMinimumKubeletVersion(genericList
 	}()
 
 	if !o.featureGateAccessor.AreInitialFeatureGatesObserved() {
-		// if we haven't observed featuregates yet, return the existing
 		return existingConfig, nil
 	}
 
@@ -63,7 +73,7 @@ func (o *minimumKubeletVersionObserver) ObserveMinimumKubeletVersion(genericList
 		// return empty set of configs, this helps to unset the config
 		// values related to the minimumKubeletVersion.
 		// Also, ensures that this observer doesn't break cluster upgrades/downgrades
-		return map[string]interface{}{}, errs
+		return ret, errs
 	}
 
 	if err := unstructured.SetNestedField(ret, configNode.Spec.MinimumKubeletVersion, minimumKubeletVersionConfigPath); err != nil {
@@ -72,3 +82,51 @@ func (o *minimumKubeletVersionObserver) ObserveMinimumKubeletVersion(genericList
 
 	return ret, errs
 }
+
+type authorizationModeObserver struct {
+	featureGateAccessor featuregates.FeatureGateAccess
+}
+
+func NewAuthorizationModeObserver(featureGateAccessor featuregates.FeatureGateAccess) configobserver.ObserveConfigFunc {
+	return (&authorizationModeObserver{
+		featureGateAccessor: featureGateAccessor,
+	}).ObserveAuthorizationMode
+}
+
+// ObserveAuthorizationMode watches the featuregate configuration and generates the apiServerArguments.authorization-mode
+// It currently hardcodes the default set and adds MinimumKubeletVersion if the feature is set to on.
+func (o *authorizationModeObserver) ObserveAuthorizationMode(genericListers configobserver.Listers, _ events.Recorder, existingConfig map[string]interface{}) (ret map[string]interface{}, errs []error) {
+	ret = map[string]interface{}{}
+	if !o.featureGateAccessor.AreInitialFeatureGatesObserved() {
+		return existingConfig, nil
+	}
+
+	featureGates, err := o.featureGateAccessor.CurrentFeatureGates()
+	if err != nil {
+		return existingConfig, append(errs, err)
+	}
+
+	defer func() {
+		// Prune the observed config so that it only contains minimumKubeletVersion field.
+		ret = configobserver.Pruned(ret, authModePath)
+	}()
+
+	if err := SetAPIServerArgumentsToEnforceMinimumKubeletVersion(ret, featureGates.Enabled(features.FeatureGateMinimumKubeletVersion)); err != nil {
+		return existingConfig, append(errs, err)
+	}
+	return ret, nil
+}
+
+// SetAPIServerArgumentsToEnforceMinimumKubeletVersion modifies the passed in config
+// to add the "authorization-mode": "MinimumKubeletVersion" if the feature is on. If it's off, it
+// removes it instead.
+func SetAPIServerArgumentsToEnforceMinimumKubeletVersion(newConfig map[string]interface{}, on bool) error {
+	defaultSet := DefaultAuthorizationModes
+	if on {
+		defaultSet = append(defaultSet, ModeMinimumKubeletVersion)
+	}
+	sort.Sort(sort.StringSlice(defaultSet))
+
+	unstructured.RemoveNestedField(newConfig, authModePath...)
+	return unstructured.SetNestedStringSlice(newConfig, defaultSet, authModePath...)
+}
diff --git a/pkg/operator/configobservation/node/observe_minimum_kubelet_version_test.go b/pkg/operator/configobservation/node/observe_minimum_kubelet_version_test.go
@@ -17,48 +17,48 @@ import (
 
 func TestObserveKubeletMinimumVersion(t *testing.T) {
 	type Test struct {
-		name                   string
-		existingConfig         map[string]interface{}
-		expectedObservedConfig map[string]interface{}
-		minimumKubeletVersion  string
-		featureOn              bool
+		name                  string
+		existingConfig        map[string]interface{}
+		expectedConfig        map[string]interface{}
+		minimumKubeletVersion string
+		featureOn             bool
 	}
 	tests := []Test{
 		{
-			name:                   "feature off",
-			existingConfig:         map[string]interface{}{},
-			expectedObservedConfig: map[string]interface{}{},
-			minimumKubeletVersion:  "1.30.0",
-			featureOn:              false,
+			name:                  "feature off",
+			existingConfig:        map[string]interface{}{},
+			expectedConfig:        map[string]interface{}{},
+			minimumKubeletVersion: "1.30.0",
+			featureOn:             false,
 		},
 		{
-			name:                   "empty minimumKubeletVersion",
-			expectedObservedConfig: map[string]interface{}{},
-			minimumKubeletVersion:  "",
-			featureOn:              true,
+			name:                  "empty minimumKubeletVersion",
+			expectedConfig:        map[string]interface{}{},
+			minimumKubeletVersion: "",
+			featureOn:             true,
 		},
 		{
 			name: "set minimumKubeletVersion",
-			expectedObservedConfig: map[string]interface{}{
+			expectedConfig: map[string]interface{}{
 				"minimumKubeletVersion": string("1.30.0"),
 			},
 			minimumKubeletVersion: "1.30.0",
 			featureOn:             true,
 		},
 		{
 			name: "existing minimumKubeletVersion",
-			expectedObservedConfig: map[string]interface{}{
-				"minimumKubeletVersion": string("1.30.0"),
-			},
 			existingConfig: map[string]interface{}{
 				"minimumKubeletVersion": string("1.29.0"),
 			},
+			expectedConfig: map[string]interface{}{
+				"minimumKubeletVersion": string("1.30.0"),
+			},
 			minimumKubeletVersion: "1.30.0",
 			featureOn:             true,
 		},
 		{
-			name:                   "existing minimumKubeletVersion unset",
-			expectedObservedConfig: map[string]interface{}{},
+			name:           "existing minimumKubeletVersion unset",
+			expectedConfig: map[string]any{},
 			existingConfig: map[string]interface{}{
 				"minimumKubeletVersion": string("1.29.0"),
 			},
@@ -91,9 +91,87 @@ func TestObserveKubeletMinimumVersion(t *testing.T) {
 			if len(errs) > 0 {
 				t.Fatal(errs)
 			}
-			if diff := cmp.Diff(test.expectedObservedConfig, actualObservedConfig); diff != "" {
+			if diff := cmp.Diff(test.expectedConfig, actualObservedConfig); diff != "" {
 				t.Fatalf("unexpected configuration, diff = %v", diff)
 			}
 		})
 	}
 }
+
+func TestSetAPIServerArgumentsToEnforceMinimumKubeletVersion(t *testing.T) {
+	for _, on := range []bool{false, true} {
+		expectedSet := []any{"Node", "RBAC", "Scope", "SystemMasters"}
+		if on {
+			expectedSet = append([]any{ModeMinimumKubeletVersion}, expectedSet...)
+		}
+		for _, tc := range []struct {
+			name           string
+			existingConfig map[string]interface{}
+			expectedConfig map[string]interface{}
+		}{
+			{
+				name: "should not fail if apiServerArguments not present",
+				existingConfig: map[string]interface{}{
+					"fakeconfig": "fake",
+				},
+				expectedConfig: map[string]interface{}{
+					"fakeconfig":         "fake",
+					"apiServerArguments": map[string]any{"authorization-mode": expectedSet},
+				},
+			},
+			{
+				name: "should not fail if authorization-mode not present",
+				existingConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"fake": []any{"fake"}},
+				},
+				expectedConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"fake": []any{"fake"}, "authorization-mode": expectedSet},
+				},
+			},
+			{
+				name: "should clobber value if not expected",
+				existingConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"authorization-mode": []any{"fake"}},
+				},
+				expectedConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"authorization-mode": expectedSet},
+				},
+			},
+			{
+				name: "should not fail if MinimumKubeletVersion already present",
+				existingConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"authorization-mode": []any{"MinimumKubeletVersion"}},
+				},
+				expectedConfig: map[string]interface{}{
+					"apiServerArguments": map[string]any{"authorization-mode": expectedSet},
+				},
+			},
+			{
+				name: "should not fail if apiServerArguments not present",
+				existingConfig: map[string]interface{}{
+					"fakeconfig": "fake",
+				},
+				expectedConfig: map[string]interface{}{
+					"fakeconfig":         "fake",
+					"apiServerArguments": map[string]any{"authorization-mode": expectedSet},
+				},
+			},
+		} {
+			name := tc.name + " when feature is "
+			if on {
+				name += "on"
+			} else {
+				name += "off"
+			}
+			t.Run(name, func(t *testing.T) {
+				if err := SetAPIServerArgumentsToEnforceMinimumKubeletVersion(tc.existingConfig, on); err != nil {
+					t.Fatal(err)
+				}
+
+				if diff := cmp.Diff(tc.expectedConfig, tc.existingConfig); diff != "" {
+					t.Errorf("unexpected config:\n%s", diff)
+				}
+			})
+		}
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -264,7 +264,7 @@ func TestRenderCommand(t *testing.T) {`
`264`	`264`	`if !ok {`
`265`	`265`	`return fmt.Errorf("missing \"feature-gates\" entry in APIServerArguments")`
`266`	`266`	`}`
`267`		`- expectedGates := []string{"Bar=false", "Foo=true", "OpenShiftPodSecurityAdmission=true"}`
	`267`	`+ expectedGates := []string{"Bar=false", "Foo=true", "OpenShiftPodSecurityAdmission=true", "MinimumKubeletVersion=true"}`
`268`	`268`	`if len(actualGates) != len(expectedGates) {`
`269`	`269`	`return fmt.Errorf("expected to get exactly %d feature gates but found %d: expected=%v got=%v", len(expectedGates), len(actualGates), expectedGates, actualGates)`
`270`	`270`	`}`
`@@ -675,7 +675,7 @@ spec:`
`675`	`675`	`}`
`676`	`676`
`677`	`677`	`func TestGetDefaultConfigWithAuditPolicy(t *testing.T) {`
`678`		`- raw, err := bootstrapDefaultConfig(featuregates.NewFeatureGate([]configv1.FeatureGateName{features.FeatureGateOpenShiftPodSecurityAdmission}, nil))`
	`678`	`+ raw, err := bootstrapDefaultConfig(featuregates.NewFeatureGate([]configv1.FeatureGateName{features.FeatureGateOpenShiftPodSecurityAdmission, features.FeatureGateMinimumKubeletVersion}, nil))`
`679`	`679`	`require.NoError(t, err)`
`680`	`680`	`require.True(t, len(raw) > 0)`
`681`	`681`