@deads2k Indeed many test case failed just for this, should I fix them or just keep the AlwaysAllow authz mode there?

@deads2k Indeed many test case failed just for this, should I fix them or just keep the AlwaysAllow authz mode there?

Is it exposed as a default in the kube-apiserver command? We don't keep defaults in our code to make tests easy, we keep defaults in our code to make "normal" objects match user expectations. If it is only for testing purposes, it should be changed.

OK, got it, will work on fixing test cases.

Is it exposed as a default in the kube-apiserver command?

No, not any words at all.

/retest

flake case

hyperkube kube-apiserver --help 2>&1 | grep authorization-mode
      --authorization-mode string                               Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC,Webhook,RBAC,Node. (default "AlwaysAllow")

Looks like it may be a default value. How about starting a thread on the mailing list about changing the default to RBAC. It's stable now and used in all our e2e tests.

Looks like it may be a default value

I think you use an old version, newest does not saying that default https://github.com/kubernetes/kubernetes/blob/master/pkg/kubeapiserver/options/authorization.go#L93-L95.

How about starting a thread on the mailing list about changing the default to RBAC.

That's ok.

I think you use an old version, newest does not saying that default

It is the current default. The help text prints the current value of the Modes variable, which is AlwayAllow by default

It is the current default. The help text prints the current value of the Modes variable, which is AlwayAllow by default

Yes, it is the default behavior indeed.

/retest

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hzxuzhonghu
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: deads2k

Assign the PR to them by writing /assign @deads2k in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

/retest

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

ping @liggitt @deads2k

/remove-lifecycle stale

changing default behavior is not something we typically do, especially for something that fundamentally changes the way you interact with a cluster like this.

A good point at which to improve the default behavior would be when we move to starting the apiserver from a config file (proposal in progress), similar to what we did for the kubelet in #59666.

I'd probably recommend the authorization mode be explicitly specified when starting from a config file, rather than defaulting to permissive mode or a particular authorizer.

Thanks @liggitt for your clarification.