From cfd1582b0d989c598aeb484de056dc7afdc475d5 Mon Sep 17 00:00:00 2001
From: John Gardiner Myers
Date: Wed, 21 Jul 2021 19:11:55 -0700
Subject: [PATCH] Use kubeconfig for authentication and authorization as well

---
 nodeup/pkg/model/kube_controller_manager.go | 6 ++++--
 nodeup/pkg/model/kube_scheduler.go | 5 +++++
 .../tests/golden/minimal/tasks-kube-controller-manager.yaml | 2 ++
 .../model/tests/golden/minimal/tasks-kube-scheduler.yaml | 2 ++
 .../side-loading/tasks-kube-controller-manager-amd64.yaml | 2 ++
 .../side-loading/tasks-kube-controller-manager-arm64.yaml | 2 ++
 .../golden/side-loading/tasks-kube-scheduler-amd64.yaml | 2 ++
 .../golden/side-loading/tasks-kube-scheduler-arm64.yaml | 2 ++
 8 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/nodeup/pkg/model/kube_controller_manager.go b/nodeup/pkg/model/kube_controller_manager.go
index 4063a52803..190cdbaebc 100644
--- a/nodeup/pkg/model/kube_controller_manager.go
+++ b/nodeup/pkg/model/kube_controller_manager.go
@@ -123,8 +123,10 @@ func (b *KubeControllerManagerBuilder) buildPod() (*v1.Pod, error) {
 flags = append(flags, "--cloud-config="+CloudConfigFilePath)
 }
 
- // Add kubeconfig flag
- flags = append(flags, "--kubeconfig="+"/var/lib/kube-controller-manager/kubeconfig")
+ // Add kubeconfig flags
+ for _, flag := range []string{"", "authentication-", "authorization-"} {
+ flags = append(flags, "--"+flag+"kubeconfig="+"/var/lib/kube-controller-manager/kubeconfig")
+ }
 
 // Configure CA certificate to be used to sign keys
 flags = append(flags, []string{
diff --git a/nodeup/pkg/model/kube_scheduler.go b/nodeup/pkg/model/kube_scheduler.go
index aac41fe514..30b31a6247 100644
--- a/nodeup/pkg/model/kube_scheduler.go
+++ b/nodeup/pkg/model/kube_scheduler.go
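Review bot: The kubeconfig path is spelled inline in the new loop body while the matching kube_scheduler.go hunk uses the `defaultKubeConfig` constant; hoisting `/var/lib/kube-controller-manager/kubeconfig` into a named constant (and collapsing the two adjacent literals in `"kubeconfig="+"/var/lib/..."`) keeps the two builders consistent and avoids drift if the same path is used where the kubeconfig file is written. The comment `// Add kubeconfig flags` also leaves out the reason for the two new entries: `--authentication-kubeconfig` and `--authorization-kubeconfig` make the controller manager's secure port delegate TokenReview and SubjectAccessReview to the API server using the identity in that kubeconfig, so a comment such as `// "" is the client kubeconfig; the authentication-/authorization- variants delegate secure-port authn/authz to the API server` would help the next reader, and the same note applies to the scheduler hunk. Presumably the cluster's bootstrap RBAC for that identity already allows creating tokenreviews and subjectaccessreviews and reading the extension-apiserver-authentication ConfigMap; worth confirming, because otherwise authenticated requests to the secure port (metrics scrapes, for instance) are rejected instead of served. buildPod continues outside the hunk.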
@@ -150,6 +150,11 @@ func (b *KubeSchedulerBuilder) buildPod() (*v1.Pod, error) {
 
 flags = append(flags, "--config="+"/var/lib/kube-scheduler/config.yaml")
 
+ // Add kubeconfig flags
+ for _, flag := range []string{"authentication-", "authorization-"} {
+ flags = append(flags, "--"+flag+"kubeconfig="+defaultKubeConfig)
+ }
+
 if c.UsePolicyConfigMap != nil {
 flags = append(flags, "--policy-configmap=scheduler-policy", "--policy-configmap-namespace=kube-system")
 }
diff --git a/nodeup/pkg/model/tests/golden/minimal/tasks-kube-controller-manager.yaml b/nodeup/pkg/model/tests/golden/minimal/tasks-kube-controller-manager.yaml
index 0babfbe243..13624a02b1 100644
--- a/nodeup/pkg/model/tests/golden/minimal/tasks-kube-controller-manager.yaml
+++ b/nodeup/pkg/model/tests/golden/minimal/tasks-kube-controller-manager.yaml
@@ -14,6 +14,8 @@ contents: |
 - args:
 - --allocate-node-cidrs=true
 - --attach-detach-reconcile-sync-period=1m0s
+ - --authentication-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
+ - --authorization-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
 - --cloud-config=/etc/kubernetes/cloud.config
 - --cloud-provider=aws
 - --cluster-cidr=100.96.0.0/11
diff --git a/nodeup/pkg/model/tests/golden/minimal/tasks-kube-scheduler.yaml b/nodeup/pkg/model/tests/golden/minimal/tasks-kube-scheduler.yaml
index bff86f6d01..8de8f70629 100644
--- a/nodeup/pkg/model/tests/golden/minimal/tasks-kube-scheduler.yaml
+++ b/nodeup/pkg/model/tests/golden/minimal/tasks-kube-scheduler.yaml
@@ -12,6 +12,8 @@ contents: |
 spec:
 containers:
 - args:
+ - --authentication-kubeconfig=/var/lib/kube-scheduler/kubeconfig
+ - --authorization-kubeconfig=/var/lib/kube-scheduler/kubeconfig
 - --config=/var/lib/kube-scheduler/config.yaml
 - --leader-elect=true
 - --v=2
diff --git a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-amd64.yaml b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-amd64.yaml
index 8ff1563139..2eb47b78f2 100644
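Review bot: Unlike the controller-manager hunk, the slice here has no bare "" entry, so this loop emits no `--kubeconfig`; if the scheduler's client kubeconfig is instead carried by `clientConnection.kubeconfig` in the config.yaml passed via `--config` just above, the comment should say so rather than the generic `// Add kubeconfig flags`, e.g. `// The client kubeconfig is set in config.yaml; these flags only delegate secure-port authn/authz to the API server`. If that is not where the client kubeconfig comes from, the asymmetry with the controller-manager builder deserves a sentence explaining it. buildPod continues outside the hunk.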
--- a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-amd64.yaml
+++ b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-amd64.yaml
@@ -14,6 +14,8 @@ contents: |
 - args:
 - --allocate-node-cidrs=true
 - --attach-detach-reconcile-sync-period=1m0s
+ - --authentication-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
+ - --authorization-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
 - --cloud-config=/etc/kubernetes/cloud.config
 - --cloud-provider=aws
 - --cluster-cidr=100.96.0.0/11
diff --git a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-arm64.yaml b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-arm64.yaml
index dbc835f3ef..b181477d96 100644
--- a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-arm64.yaml
+++ b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-controller-manager-arm64.yaml
@@ -14,6 +14,8 @@ contents: |
 - args:
 - --allocate-node-cidrs=true
 - --attach-detach-reconcile-sync-period=1m0s
+ - --authentication-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
+ - --authorization-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
 - --cloud-config=/etc/kubernetes/cloud.config
 - --cloud-provider=aws
 - --cluster-cidr=100.96.0.0/11
diff --git a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-amd64.yaml b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-amd64.yaml
index fe2267e76f..f05f707958 100644
--- a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-amd64.yaml
+++ b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-amd64.yaml
@@ -12,6 +12,8 @@ contents: |
 spec:
 containers:
 - args:
+ - --authentication-kubeconfig=/var/lib/kube-scheduler/kubeconfig
+ - --authorization-kubeconfig=/var/lib/kube-scheduler/kubeconfig
 - --config=/var/lib/kube-scheduler/config.yaml
 - --leader-elect=true
 - --v=2
diff --git a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-arm64.yaml b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-arm64.yaml
index 51b99c5004..4fffb09f50 100644
--- a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-arm64.yaml
+++ b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-scheduler-arm64.yaml
@@ -12,6 +12,8 @@ contents: |
 spec:
 containers:
 - args:
+ - --authentication-kubeconfig=/var/lib/kube-scheduler/kubeconfig
+ - --authorization-kubeconfig=/var/lib/kube-scheduler/kubeconfig
 - --config=/var/lib/kube-scheduler/config.yaml
 - --leader-elect=true
 - --v=2