Only default mode to AlwaysAllow when config file is unspecified

liggitt · liggitt · commit 1f40e0916ec4 · 2023-11-08T11:24:28.000-06:00
diff --git a/pkg/controlplane/apiserver/options/options.go b/pkg/controlplane/apiserver/options/options.go
@@ -222,6 +222,9 @@ func (o *Options) Complete(alternateDNS []string, alternateIPs []net.IP) (Comple
 		klog.Infof("external host was not specified, using %v", completed.GenericServerRunOptions.ExternalHost)
 	}
 
+	// put authorization options in final state
+	completed.Authorization.Complete()
+	// adjust authentication for completed authorization
 	completed.Authentication.ApplyAuthorization(completed.Authorization)
 
 	// Use (ServiceAccountSigningKeyFile != "") as a proxy to the user enabling
diff --git a/pkg/kubeapiserver/options/authorization.go b/pkg/kubeapiserver/options/authorization.go
@@ -80,14 +80,22 @@ type BuiltInAuthorizationOptions struct {
 // NewBuiltInAuthorizationOptions create a BuiltInAuthorizationOptions with default value
 func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
 	return &BuiltInAuthorizationOptions{
-		Modes:                       []string{authzmodes.ModeAlwaysAllow},
+		Modes:                       []string{},
 		WebhookVersion:              "v1beta1",
 		WebhookCacheAuthorizedTTL:   5 * time.Minute,
 		WebhookCacheUnauthorizedTTL: 30 * time.Second,
 		WebhookRetryBackoff:         genericoptions.DefaultAuthWebhookRetryBackoff(),
 	}
 }
 
+// Complete modifies authorization options
+func (o *BuiltInAuthorizationOptions) Complete() []error {
+	if len(o.AuthorizationConfigurationFile) == 0 && len(o.Modes) == 0 {
+		o.Modes = []string{authzmodes.ModeAlwaysAllow}
+	}
+	return nil
+}
+
 // Validate checks invalid config combination
 func (o *BuiltInAuthorizationOptions) Validate() []error {
 	if o == nil {
@@ -185,7 +193,7 @@ func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 	}
 
 	fs.StringSliceVar(&o.Modes, authorizationModeFlag, o.Modes, ""+
-		"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+
+		"Ordered list of plug-ins to do authorization on secure port. Defaults to AlwaysAllow if --authorization-config is not used. Comma-delimited list of: "+
 		strings.Join(authzmodes.AuthorizationModeChoices, ",")+".")
 
 	fs.StringVar(&o.PolicyFile, authorizationPolicyFileFlag, o.PolicyFile, ""+

Original file line number	Diff line number	Diff line change
`@@ -222,6 +222,9 @@ func (o *Options) Complete(alternateDNS []string, alternateIPs []net.IP) (Comple`
`222`	`222`	`klog.Infof("external host was not specified, using %v", completed.GenericServerRunOptions.ExternalHost)`
`223`	`223`	`}`
`224`	`224`
	`225`	`+ // put authorization options in final state`
	`226`	`+ completed.Authorization.Complete()`
	`227`	`+ // adjust authentication for completed authorization`
`225`	`228`	`completed.Authentication.ApplyAuthorization(completed.Authorization)`
`226`	`229`
`227`	`230`	`// Use (ServiceAccountSigningKeyFile != "") as a proxy to the user enabling`