Flag to allow non RBAC based setup using credentials from an alternative kubeconfig in kubefed init

Author: Irfan Ur Rehman

pkg/kubefed/init/init.go

@@ -284,21 +284,31 @@ func (i *initFederation) Complete(cmd *cobra.Command, args []string) error {
 // See the design doc in https://github.com/kubernetes/kubernetes/pull/34484
 // for details.
 func (i *initFederation) Run(cmdOut io.Writer, config util.AdminConfig) error {
-	hostFactory := config.ClusterFactory(i.commonOptions.Host, i.commonOptions.Kubeconfig)
+	var hostFactory cmdutil.Factory
+	useRBAC := true
+	if i.commonOptions.CredentialsKubeconfig != "" {
+		hostFactory = config.ClusterFactory(i.commonOptions.Host, i.commonOptions.CredentialsKubeconfig)
+		useRBAC = false
+	} else {
+		hostFactory = config.ClusterFactory(i.commonOptions.Host, i.commonOptions.Kubeconfig)
+	}
+
 	hostClientset, err := hostFactory.ClientSet()
 	if err != nil {
 		return err
 	}
 
-	rbacAvailable := true
-	rbacVersionedClientset, err := util.GetVersionedClientForRBACOrFail(hostFactory)
-	if err != nil {
-		if _, ok := err.(*util.NoRBACAPIError); !ok {
-			return err
+	var rbacVersionedClientset client.Interface
+	if useRBAC {
+		rbacVersionedClientset, err = util.GetVersionedClientForRBACOrFail(hostFactory)
+		if err != nil {
+			if _, ok := err.(*util.NoRBACAPIError); !ok {
+				return err
+			}
+			// If the error is type NoRBACAPIError, We continue to create the rest of
+			// the resources, without the SA and roles (in the absence of RBAC support).
+			useRBAC = false
 		}
-		// If the error is type NoRBACAPIError, We continue to create the rest of
-		// the resources, without the SA and roles (in the absence of RBAC support).
-		rbacAvailable = false
 	}
 
 	serverName := APIServerNameSuffix
@@ -384,7 +394,7 @@ func (i *initFederation) Run(cmdOut io.Writer, config util.AdminConfig) error {
 	sa.Name = ""
 	// Create a service account and related RBAC roles if the host cluster has RBAC support.
 	// TODO: We must evaluate creating a separate service account even when RBAC support is missing
-	if rbacAvailable {
+	if useRBAC {
 		glog.V(4).Info("Creating service account for federation controller manager in the host cluster")
 		sa, err = createControllerManagerSA(rbacVersionedClientset, i.commonOptions.FederationSystemNamespace, i.commonOptions.Name, i.options.dryRun)
 		if err != nil {

pkg/kubefed/init/init_test.go

@@ -92,6 +92,7 @@ func TestInitFederation(t *testing.T) {
 		federation                   string
 		kubeconfigGlobal             string
 		kubeconfigExplicit           string
+		kubeconfigForCredentials     string
 		dnsZoneName                  string
 		lbIP                         string
 		apiserverServiceType         v1.ServiceType
@@ -221,6 +222,28 @@ func TestInitFederation(t *testing.T) {
 			apiserverEnableTokenAuth:     true,
 			isRBACAPIAvailable:           true,
 		},
+		// This test checks if init works ok when a RBAC usage is overridden
+		// using a credentials kubeconfig (even when RBAC API is available).
+		// The same (or default) kubeconfig can be used for both flags.
+		{
+			federation:               "union",
+			kubeconfigGlobal:         fakeKubeFiles[0],
+			kubeconfigForCredentials: fakeKubeFiles[0],
+			dnsZoneName:              "example.test.",
+			apiserverServiceType:     v1.ServiceTypeNodePort,
+			advertiseAddress:         nodeIP,
+			serverImage:              "example.test/foo:bar",
+			imagePullPolicy:          "IfNotPresent",
+			etcdImage:                "gcr.io/google_containers/etcd:latest",
+			etcdPVCapacity:           "5Gi",
+			etcdPVStorageClass:       "fast",
+			etcdPersistence:          "true",
+			expectedErr:              "",
+			dryRun:                   "",
+			apiserverEnableHTTPBasicAuth: true,
+			apiserverEnableTokenAuth:     true,
+			isRBACAPIAvailable:           true,
+		},
 	}
 
 	defaultEtcdImage := "gcr.io/google_containers/etcd:3.1.10"
@@ -261,7 +284,7 @@ func TestInitFederation(t *testing.T) {
 			tc.imagePullPolicy = "IfNotPresent"
 		}
 
-		hostFactory, err := fakeInitHostFactory(tc.apiserverServiceType, tc.federation, util.DefaultFederationSystemNamespace, tc.advertiseAddress, tc.lbIP, tc.dnsZoneName, tc.serverImage, tc.etcdImage, tc.dnsProvider, tc.dnsProviderConfig, tc.etcdPersistence, tc.etcdPVCapacity, tc.etcdPVStorageClass, tc.apiserverArgOverrides, tc.cmArgOverrides, tmpDirPath, tc.apiserverEnableHTTPBasicAuth, tc.apiserverEnableTokenAuth, tc.isRBACAPIAvailable, tc.nodeSelector, tc.imagePullPolicy, tc.imagePullSecrets)
+		hostFactory, err := fakeInitHostFactory(tc.apiserverServiceType, tc.federation, util.DefaultFederationSystemNamespace, tc.advertiseAddress, tc.lbIP, tc.dnsZoneName, tc.serverImage, tc.etcdImage, tc.dnsProvider, tc.dnsProviderConfig, tc.etcdPersistence, tc.etcdPVCapacity, tc.etcdPVStorageClass, tc.apiserverArgOverrides, tc.cmArgOverrides, tmpDirPath, tc.apiserverEnableHTTPBasicAuth, tc.apiserverEnableTokenAuth, tc.isRBACAPIAvailable, tc.nodeSelector, tc.imagePullPolicy, tc.imagePullSecrets, tc.kubeconfigForCredentials)
 		if err != nil {
 			t.Fatalf("[%d] unexpected error: %v", i, err)
 		}
@@ -274,6 +297,7 @@ func TestInitFederation(t *testing.T) {
 		cmd := NewCmdInit(buf, adminConfig, "serverImage", defaultEtcdImage)
 
 		cmd.Flags().Set("kubeconfig", tc.kubeconfigExplicit)
+		cmd.Flags().Set("use-credentials-kubeconfig", tc.kubeconfigForCredentials)
 		cmd.Flags().Set("host-cluster-context", "substrate")
 		cmd.Flags().Set("dns-zone-name", tc.dnsZoneName)
 		cmd.Flags().Set("image", tc.serverImage)
@@ -643,7 +667,7 @@ func TestCertsHTTPS(t *testing.T) {
 	}
 }
 
-func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, namespaceName, advertiseAddress, lbIp, dnsZoneName, serverImage, etcdImage, dnsProvider, dnsProviderConfig, etcdPersistence, etcdPVCapacity, etcdPVStorageClass, apiserverOverrideArg, cmOverrideArg, tmpDirPath string, apiserverEnableHTTPBasicAuth, apiserverEnableTokenAuth, isRBACAPIAvailable bool, nodeSelectorString string, imagePullPolicy, imagePullSecrets string) (cmdutil.Factory, error) {
+func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, namespaceName, advertiseAddress, lbIp, dnsZoneName, serverImage, etcdImage, dnsProvider, dnsProviderConfig, etcdPersistence, etcdPVCapacity, etcdPVStorageClass, apiserverOverrideArg, cmOverrideArg, tmpDirPath string, apiserverEnableHTTPBasicAuth, apiserverEnableTokenAuth, isRBACAPIAvailable bool, nodeSelectorString string, imagePullPolicy, imagePullSecrets, kubeconfigForCredentials string) (cmdutil.Factory, error) {
 	svcName := "apiserver"
 	svcUrlPrefix := "/api/v1/namespaces/federation-system/services"
 	credSecretName := "apiserver" + "-credentials"
@@ -1106,7 +1130,7 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
 			},
 		},
 	}
-	if isRBACAPIAvailable {
+	if isRBACAPIAvailable && (kubeconfigForCredentials == "") {
 		cm.Spec.Template.Spec.ServiceAccountName = "federation-controller-manager"
 		cm.Spec.Template.Spec.DeprecatedServiceAccount = "federation-controller-manager"
 	}

pkg/kubefed/util/util.go

@@ -141,12 +141,16 @@ type SubcommandOptions struct {
 	Host                      string
 	FederationSystemNamespace string
 	Kubeconfig                string
+	CredentialsKubeconfig     string
 }
 
 func (o *SubcommandOptions) Bind(flags *pflag.FlagSet) {
 	flags.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file to use for CLI requests.")
 	flags.StringVar(&o.Host, "host-cluster-context", "", "Host cluster context")
 	flags.StringVar(&o.FederationSystemNamespace, "federation-system-namespace", DefaultFederationSystemNamespace, "Namespace in the host cluster where the federation system components are installed")
+	flags.StringVar(&o.CredentialsKubeconfig, "use-credentials-kubeconfig", "", "Kubeconfig file path on local file system, which should be used to authenticate with base cluster (instead of the default kubeconfig)."+
+		"This can be used to override the RBAC based authentication while initialising the federation control plane, even when the base cluster exposes the RBAC API.")
+
 }
 
 func (o *SubcommandOptions) SetName(cmd *cobra.Command, args []string) error {