From 92d038062e4c53bd6f61dd10060f91dba88f19cd Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <matthew.mosesohn@gmail.com>
Date: Sat, 14 Oct 2017 11:28:46 +0100
Subject: [PATCH] Fix node authorization for cloudprovider installs (#1794)

In 1.8, the Node authorization mode should be listed first to
allow kubelet to access secrets. This seems to only impact
environments with cloudprovider enabled.
---
 docs/vars.md                                | 5 +++--
 roles/kubespray-defaults/defaults/main.yaml | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/docs/vars.md b/docs/vars.md
index 0b9370700..3303f6bcb 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -72,8 +72,9 @@ following default cluster paramters:
   alpha/experimental Kubernetes features. (defaults is `[]`)
 * *authorization_modes* - A list of [authorization mode](
 https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module)
-  that the cluster should be configured for. Defaults to `['RBAC', 'Node']` (RBAC and Node authorizers).
-  Note: `RBAC` is enabled by default. Previously deployed clusters can be
+  that the cluster should be configured for. Defaults to `['Node', 'RBAC']`
+  (Node and RBAC authorizers).
+  Note: `Node` and `RBAC` are enabled by default. Previously deployed clusters can be
   converted to RBAC mode. However, your apps which rely on Kubernetes API will
   require a service account and cluster role bindings. You can override this
   setting by setting authorization_modes to `[]`.
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index f8d4e99c5..9b5eced94 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -147,8 +147,8 @@ openstack_lbaas_enabled: false
 
 ## List of authorization modes that must be configured for
 ## the k8s cluster. Only 'AlwaysAllow', 'AlwaysDeny', 'Node' and
-## 'RBAC' modes are tested.
-authorization_modes: ['RBAC', 'Node']
+## 'RBAC' modes are tested. Order is important.
+authorization_modes: ['Node', 'RBAC']
 rbac_enabled: "{{ 'RBAC' in authorization_modes or kubeadm_enabled }}"
 
 ## List of key=value pairs that describe feature gates for
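Review bot: The added comment `Order is important.` above `authorization_modes` does not say which order is required or why, so an inventory that overrides the list, or still carries the old `['RBAC', 'Node']` value, can silently bring back the kubelet secret-access failure this commit describes. I would spell it out, e.g. `## 'RBAC' modes are tested. Order matters: keep 'Node' before 'RBAC'` followed by `## so that kubelet can access secrets (Kubernetes 1.8).` The same comment lists 'AlwaysAllow' as a tested mode, so it would also help to note there that this mode turns off authorization checks and is not suitable as a cluster default. The list is presumably rendered in order into the apiserver's authorization mode flag, but that template is outside this hunk, so confirm before documenting it.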
-- 
GitLab