Commit 48aa2caf authored by Darren Shepherd's avatar Darren Shepherd

Drop more authn/z, volumes, container runtime, plugins

parent 58f99964
...@@ -110,7 +110,6 @@ kubernetes.tar.gz ...@@ -110,7 +110,6 @@ kubernetes.tar.gz
# generated files in any directory # generated files in any directory
# TODO(thockin): uncomment this when we stop committing the generated files. # TODO(thockin): uncomment this when we stop committing the generated files.
#zz_generated.* #zz_generated.*
zz_generated.openapi.go
# make-related metadata # make-related metadata
/.make/ /.make/
......
...@@ -116,7 +116,7 @@ func NewServerRunOptions() *ServerRunOptions { ...@@ -116,7 +116,7 @@ func NewServerRunOptions() *ServerRunOptions {
s.ServiceClusterIPRange = kubeoptions.DefaultServiceIPCIDR s.ServiceClusterIPRange = kubeoptions.DefaultServiceIPCIDR
// Overwrite the default for storage data format. // Overwrite the default for storage data format.
s.Etcd.DefaultStorageMediaType = "application/vnd.kubernetes.protobuf" //s.Etcd.DefaultStorageMediaType = "application/vnd.kubernetes.protobuf"
return &s return &s
} }
......
...@@ -27,7 +27,6 @@ import ( ...@@ -27,7 +27,6 @@ import (
"net/http" "net/http"
"net/url" "net/url"
"os" "os"
"reflect"
"strconv" "strconv"
"strings" "strings"
"time" "time"
...@@ -35,12 +34,10 @@ import ( ...@@ -35,12 +34,10 @@ import (
"github.com/golang/glog" "github.com/golang/glog"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
utilerrors "k8s.io/apimachinery/pkg/util/errors" utilerrors "k8s.io/apimachinery/pkg/util/errors"
utilnet "k8s.io/apimachinery/pkg/util/net" utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
utilwait "k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config" webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config"
webhookinit "k8s.io/apiserver/pkg/admission/plugin/webhook/initializer" webhookinit "k8s.io/apiserver/pkg/admission/plugin/webhook/initializer"
...@@ -52,7 +49,6 @@ import ( ...@@ -52,7 +49,6 @@ import (
serveroptions "k8s.io/apiserver/pkg/server/options" serveroptions "k8s.io/apiserver/pkg/server/options"
"k8s.io/apiserver/pkg/server/options/encryptionconfig" "k8s.io/apiserver/pkg/server/options/encryptionconfig"
serverstorage "k8s.io/apiserver/pkg/server/storage" serverstorage "k8s.io/apiserver/pkg/server/storage"
"k8s.io/apiserver/pkg/storage/etcd3/preflight"
clientgoinformers "k8s.io/client-go/informers" clientgoinformers "k8s.io/client-go/informers"
clientgoclientset "k8s.io/client-go/kubernetes" clientgoclientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
...@@ -84,7 +80,6 @@ import ( ...@@ -84,7 +80,6 @@ import (
rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest" rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest"
"k8s.io/kubernetes/pkg/version" "k8s.io/kubernetes/pkg/version"
"k8s.io/kubernetes/pkg/version/verflag" "k8s.io/kubernetes/pkg/version/verflag"
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
utilflag "k8s.io/kubernetes/pkg/util/flag" utilflag "k8s.io/kubernetes/pkg/util/flag"
_ "k8s.io/kubernetes/pkg/util/reflector/prometheus" // for reflector metric registration _ "k8s.io/kubernetes/pkg/util/reflector/prometheus" // for reflector metric registration
...@@ -94,6 +89,10 @@ import ( ...@@ -94,6 +89,10 @@ import (
const etcdRetryLimit = 60 const etcdRetryLimit = 60
const etcdRetryInterval = 1 * time.Second const etcdRetryInterval = 1 * time.Second
var (
DefaultProxyDialerFn utilnet.DialFunc
)
// NewAPIServerCommand creates a *cobra.Command object with default parameters // NewAPIServerCommand creates a *cobra.Command object with default parameters
func NewAPIServerCommand() *cobra.Command { func NewAPIServerCommand() *cobra.Command {
s := options.NewServerRunOptions() s := options.NewServerRunOptions()
...@@ -124,7 +123,7 @@ func Run(runOptions *options.ServerRunOptions, stopCh <-chan struct{}) error { ...@@ -124,7 +123,7 @@ func Run(runOptions *options.ServerRunOptions, stopCh <-chan struct{}) error {
// To help debugging, immediately log version // To help debugging, immediately log version
glog.Infof("Version: %+v", version.Get()) glog.Infof("Version: %+v", version.Get())
server, err := CreateServerChain(runOptions, stopCh) _, server, err := CreateServerChain(runOptions, stopCh)
if err != nil { if err != nil {
return err return err
} }
...@@ -133,31 +132,31 @@ func Run(runOptions *options.ServerRunOptions, stopCh <-chan struct{}) error { ...@@ -133,31 +132,31 @@ func Run(runOptions *options.ServerRunOptions, stopCh <-chan struct{}) error {
} }
// CreateServerChain creates the apiservers connected via delegation. // CreateServerChain creates the apiservers connected via delegation.
func CreateServerChain(runOptions *options.ServerRunOptions, stopCh <-chan struct{}) (*genericapiserver.GenericAPIServer, error) { func CreateServerChain(runOptions *options.ServerRunOptions, stopCh <-chan struct{}) (*master.Config, *genericapiserver.GenericAPIServer, error) {
nodeTunneler, proxyTransport, err := CreateNodeDialer(runOptions) nodeTunneler, proxyTransport, err := CreateNodeDialer(runOptions)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
kubeAPIServerConfig, sharedInformers, versionedInformers, insecureServingOptions, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(runOptions, nodeTunneler, proxyTransport) kubeAPIServerConfig, sharedInformers, versionedInformers, insecureServingOptions, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(runOptions, nodeTunneler, proxyTransport)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
// TPRs are enabled and not yet beta, since this these are the successor, they fall under the same enablement rule // TPRs are enabled and not yet beta, since this these are the successor, they fall under the same enablement rule
// If additional API servers are added, they should be gated. // If additional API servers are added, they should be gated.
apiExtensionsConfig, err := createAPIExtensionsConfig(*kubeAPIServerConfig.GenericConfig, versionedInformers, pluginInitializer, runOptions) apiExtensionsConfig, err := createAPIExtensionsConfig(*kubeAPIServerConfig.GenericConfig, versionedInformers, pluginInitializer, runOptions)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
apiExtensionsServer, err := createAPIExtensionsServer(apiExtensionsConfig, genericapiserver.EmptyDelegate) apiExtensionsServer, err := createAPIExtensionsServer(apiExtensionsConfig, genericapiserver.EmptyDelegate)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
kubeAPIServer, err := CreateKubeAPIServer(kubeAPIServerConfig, apiExtensionsServer.GenericAPIServer, sharedInformers, versionedInformers) kubeAPIServer, err := CreateKubeAPIServer(kubeAPIServerConfig, apiExtensionsServer.GenericAPIServer, sharedInformers, versionedInformers)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
// if we're starting up a hacked up version of this API server for a weird test case, // if we're starting up a hacked up version of this API server for a weird test case,
...@@ -166,11 +165,11 @@ func CreateServerChain(runOptions *options.ServerRunOptions, stopCh <-chan struc ...@@ -166,11 +165,11 @@ func CreateServerChain(runOptions *options.ServerRunOptions, stopCh <-chan struc
if insecureServingOptions != nil { if insecureServingOptions != nil {
insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(kubeAPIServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig) insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(kubeAPIServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig)
if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil { if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
return nil, err return nil, nil, err
} }
} }
return kubeAPIServer.GenericAPIServer, nil return nil, kubeAPIServer.GenericAPIServer, nil
} }
// otherwise go down the normal path of standing the aggregator up in front of the API server // otherwise go down the normal path of standing the aggregator up in front of the API server
...@@ -183,24 +182,24 @@ func CreateServerChain(runOptions *options.ServerRunOptions, stopCh <-chan struc ...@@ -183,24 +182,24 @@ func CreateServerChain(runOptions *options.ServerRunOptions, stopCh <-chan struc
// aggregator comes last in the chain // aggregator comes last in the chain
aggregatorConfig, err := createAggregatorConfig(*kubeAPIServerConfig.GenericConfig, runOptions, versionedInformers, serviceResolver, proxyTransport, pluginInitializer) aggregatorConfig, err := createAggregatorConfig(*kubeAPIServerConfig.GenericConfig, runOptions, versionedInformers, serviceResolver, proxyTransport, pluginInitializer)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
aggregatorConfig.ExtraConfig.ProxyTransport = proxyTransport aggregatorConfig.ExtraConfig.ProxyTransport = proxyTransport
aggregatorConfig.ExtraConfig.ServiceResolver = serviceResolver aggregatorConfig.ExtraConfig.ServiceResolver = serviceResolver
aggregatorServer, err := createAggregatorServer(aggregatorConfig, kubeAPIServer.GenericAPIServer, apiExtensionsServer.Informers) aggregatorServer, err := createAggregatorServer(aggregatorConfig, kubeAPIServer.GenericAPIServer, apiExtensionsServer.Informers)
if err != nil { if err != nil {
// we don't need special handling for innerStopCh because the aggregator server doesn't create any go routines // we don't need special handling for innerStopCh because the aggregator server doesn't create any go routines
return nil, err return nil, nil, err
} }
if insecureServingOptions != nil { if insecureServingOptions != nil {
insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig) insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig)
if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil { if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
return nil, err return nil, nil, err
} }
} }
return aggregatorServer.GenericAPIServer, nil return kubeAPIServerConfig, aggregatorServer.GenericAPIServer, nil
} }
// CreateKubeAPIServer creates and wires a workable kube-apiserver // CreateKubeAPIServer creates and wires a workable kube-apiserver
...@@ -221,7 +220,7 @@ func CreateKubeAPIServer(kubeAPIServerConfig *master.Config, delegateAPIServer g ...@@ -221,7 +220,7 @@ func CreateKubeAPIServer(kubeAPIServerConfig *master.Config, delegateAPIServer g
func CreateNodeDialer(s *options.ServerRunOptions) (tunneler.Tunneler, *http.Transport, error) { func CreateNodeDialer(s *options.ServerRunOptions) (tunneler.Tunneler, *http.Transport, error) {
// Setup nodeTunneler if needed // Setup nodeTunneler if needed
var nodeTunneler tunneler.Tunneler var nodeTunneler tunneler.Tunneler
var proxyDialerFn utilnet.DialFunc proxyDialerFn := DefaultProxyDialerFn
if len(s.SSHUser) > 0 { if len(s.SSHUser) > 0 {
// Get ssh key distribution func, if supported // Get ssh key distribution func, if supported
var installSSHKey tunneler.InstallSSHKey var installSSHKey tunneler.InstallSSHKey
...@@ -250,6 +249,9 @@ func CreateNodeDialer(s *options.ServerRunOptions) (tunneler.Tunneler, *http.Tra ...@@ -250,6 +249,9 @@ func CreateNodeDialer(s *options.ServerRunOptions) (tunneler.Tunneler, *http.Tra
Dial: proxyDialerFn, Dial: proxyDialerFn,
TLSClientConfig: proxyTLSClientConfig, TLSClientConfig: proxyTLSClientConfig,
}) })
if s.KubeletConfig.Dial == nil {
s.KubeletConfig.Dial = proxyDialerFn
}
return nodeTunneler, proxyTransport, nil return nodeTunneler, proxyTransport, nil
} }
...@@ -284,13 +286,6 @@ func CreateKubeAPIServerConfig( ...@@ -284,13 +286,6 @@ func CreateKubeAPIServerConfig(
return return
} }
if _, port, err := net.SplitHostPort(s.Etcd.StorageConfig.ServerList[0]); err == nil && port != "0" && len(port) != 0 {
if err := utilwait.PollImmediate(etcdRetryInterval, etcdRetryLimit*etcdRetryInterval, preflight.EtcdConnection{ServerList: s.Etcd.StorageConfig.ServerList}.CheckEtcdServers); err != nil {
lastErr = fmt.Errorf("error waiting for etcd connection: %v", err)
return
}
}
capabilities.Initialize(capabilities.Capabilities{ capabilities.Initialize(capabilities.Capabilities{
AllowPrivileged: s.AllowPrivileged, AllowPrivileged: s.AllowPrivileged,
// TODO(vmarmol): Implement support for HostNetworkSources. // TODO(vmarmol): Implement support for HostNetworkSources.
...@@ -312,13 +307,6 @@ func CreateKubeAPIServerConfig( ...@@ -312,13 +307,6 @@ func CreateKubeAPIServerConfig(
return return
} }
if s.ServiceAccountSigningKeyFile != "" ||
s.Authentication.ServiceAccounts.Issuer != "" ||
len(s.Authentication.ServiceAccounts.APIAudiences) > 0 {
lastErr = fmt.Errorf("the TokenRequest feature is not enabled but --service-account-signing-key-file and/or --service-account-issuer-id flags were passed")
return
}
config = &master.Config{ config = &master.Config{
GenericConfig: genericConfig, GenericConfig: genericConfig,
ExtraConfig: master.ExtraConfig{ ExtraConfig: master.ExtraConfig{
...@@ -549,14 +537,6 @@ func BuildAuthenticator(s *options.ServerRunOptions, storageFactory serverstorag ...@@ -549,14 +537,6 @@ func BuildAuthenticator(s *options.ServerRunOptions, storageFactory serverstorag
if s.Authentication.ServiceAccounts.Lookup { if s.Authentication.ServiceAccounts.Lookup {
authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient) authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient)
} }
if client == nil || reflect.ValueOf(client).IsNil() {
// TODO: Remove check once client can never be nil.
glog.Errorf("Failed to setup bootstrap token authenticator because the loopback clientset was not setup properly.")
} else {
authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
sharedInformers.Core().InternalVersion().Secrets().Lister().Secrets(v1.NamespaceSystem),
)
}
return authenticatorConfig.New() return authenticatorConfig.New()
} }
......
...@@ -30,19 +30,10 @@ import ( ...@@ -30,19 +30,10 @@ import (
"github.com/golang/glog" "github.com/golang/glog"
"k8s.io/kubernetes/pkg/volume" "k8s.io/kubernetes/pkg/volume"
"k8s.io/kubernetes/pkg/volume/csi" "k8s.io/kubernetes/pkg/volume/csi"
"k8s.io/kubernetes/pkg/volume/fc"
"k8s.io/kubernetes/pkg/volume/flexvolume" "k8s.io/kubernetes/pkg/volume/flexvolume"
"k8s.io/kubernetes/pkg/volume/flocker"
"k8s.io/kubernetes/pkg/volume/glusterfs"
"k8s.io/kubernetes/pkg/volume/host_path" "k8s.io/kubernetes/pkg/volume/host_path"
"k8s.io/kubernetes/pkg/volume/iscsi"
"k8s.io/kubernetes/pkg/volume/local" "k8s.io/kubernetes/pkg/volume/local"
"k8s.io/kubernetes/pkg/volume/nfs" "k8s.io/kubernetes/pkg/volume/nfs"
"k8s.io/kubernetes/pkg/volume/portworx"
"k8s.io/kubernetes/pkg/volume/quobyte"
"k8s.io/kubernetes/pkg/volume/rbd"
"k8s.io/kubernetes/pkg/volume/scaleio"
"k8s.io/kubernetes/pkg/volume/storageos"
volumeutil "k8s.io/kubernetes/pkg/volume/util" volumeutil "k8s.io/kubernetes/pkg/volume/util"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
...@@ -56,12 +47,6 @@ import ( ...@@ -56,12 +47,6 @@ import (
func ProbeAttachableVolumePlugins() []volume.VolumePlugin { func ProbeAttachableVolumePlugins() []volume.VolumePlugin {
allPlugins := []volume.VolumePlugin{} allPlugins := []volume.VolumePlugin{}
allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, iscsi.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) { if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...) allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
} }
...@@ -79,12 +64,6 @@ func GetDynamicPluginProber(config componentconfig.VolumeConfiguration) volume.D ...@@ -79,12 +64,6 @@ func GetDynamicPluginProber(config componentconfig.VolumeConfiguration) volume.D
func ProbeExpandableVolumePlugins(config componentconfig.VolumeConfiguration) []volume.VolumePlugin { func ProbeExpandableVolumePlugins(config componentconfig.VolumeConfiguration) []volume.VolumePlugin {
allPlugins := []volume.VolumePlugin{} allPlugins := []volume.VolumePlugin{}
allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, glusterfs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
return allPlugins return allPlugins
} }
...@@ -123,16 +102,7 @@ func ProbeControllerVolumePlugins(config componentconfig.VolumeConfiguration) [] ...@@ -123,16 +102,7 @@ func ProbeControllerVolumePlugins(config componentconfig.VolumeConfiguration) []
glog.Fatalf("Could not create NFS recycler pod from file %s: %+v", config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathNFS, err) glog.Fatalf("Could not create NFS recycler pod from file %s: %+v", config.PersistentVolumeRecyclerConfiguration.PodTemplateFilePathNFS, err)
} }
allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(nfsConfig)...) allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(nfsConfig)...)
allPlugins = append(allPlugins, glusterfs.ProbeVolumePlugins()...)
// add rbd provisioner
allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, quobyte.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, flocker.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, local.ProbeVolumePlugins()...) allPlugins = append(allPlugins, local.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
return allPlugins return allPlugins
} }
......
...@@ -81,7 +81,10 @@ func (rct realConntracker) SetMax(max int) error { ...@@ -81,7 +81,10 @@ func (rct realConntracker) SetMax(max int) error {
} }
// TODO: generify this and sysctl to a new sysfs.WriteInt() // TODO: generify this and sysctl to a new sysfs.WriteInt()
glog.Infof("Setting conntrack hashsize to %d", max/4) glog.Infof("Setting conntrack hashsize to %d", max/4)
return writeIntStringFile("/sys/module/nf_conntrack/parameters/hashsize", max/4) if err := writeIntStringFile("/sys/module/nf_conntrack/parameters/hashsize", max/4); err != nil {
glog.Errorf("failed to set conntrack hashsize to %d: %v", max/4, err)
}
return nil
} }
func (rct realConntracker) SetTCPEstablishedTimeout(seconds int) error { func (rct realConntracker) SetTCPEstablishedTimeout(seconds int) error {
......
...@@ -550,7 +550,7 @@ func createClients(config componentconfig.ClientConnectionConfiguration, masterO ...@@ -550,7 +550,7 @@ func createClients(config componentconfig.ClientConnectionConfiguration, masterO
} }
// Run runs the SchedulerServer. This should never exit. // Run runs the SchedulerServer. This should never exit.
func (s *SchedulerServer) Run(stop chan struct{}) error { func (s *SchedulerServer) Run(stop <-chan struct{}) error {
// To help debugging, immediately log version // To help debugging, immediately log version
glog.Infof("Version: %+v", version.Get()) glog.Infof("Version: %+v", version.Get())
......
...@@ -48,7 +48,7 @@ func NewContainerRuntimeOptions() *config.ContainerRuntimeOptions { ...@@ -48,7 +48,7 @@ func NewContainerRuntimeOptions() *config.ContainerRuntimeOptions {
} }
return &config.ContainerRuntimeOptions{ return &config.ContainerRuntimeOptions{
ContainerRuntime: kubetypes.DockerContainerRuntime, ContainerRuntime: kubetypes.RemoteContainerRuntime,
DockerEndpoint: dockerEndpoint, DockerEndpoint: dockerEndpoint,
DockershimRootDirectory: "/var/lib/dockershim", DockershimRootDirectory: "/var/lib/dockershim",
DockerDisableSharedPID: true, DockerDisableSharedPID: true,
......
...@@ -21,30 +21,18 @@ import ( ...@@ -21,30 +21,18 @@ import (
// Network plugins // Network plugins
"k8s.io/kubernetes/pkg/kubelet/network" "k8s.io/kubernetes/pkg/kubelet/network"
"k8s.io/kubernetes/pkg/kubelet/network/cni" "k8s.io/kubernetes/pkg/kubelet/network/cni"
"k8s.io/kubernetes/pkg/kubelet/network/kubenet"
// Volume plugins // Volume plugins
"k8s.io/kubernetes/pkg/volume" "k8s.io/kubernetes/pkg/volume"
"k8s.io/kubernetes/pkg/volume/cephfs"
"k8s.io/kubernetes/pkg/volume/configmap" "k8s.io/kubernetes/pkg/volume/configmap"
"k8s.io/kubernetes/pkg/volume/csi" "k8s.io/kubernetes/pkg/volume/csi"
"k8s.io/kubernetes/pkg/volume/downwardapi" "k8s.io/kubernetes/pkg/volume/downwardapi"
"k8s.io/kubernetes/pkg/volume/empty_dir" "k8s.io/kubernetes/pkg/volume/empty_dir"
"k8s.io/kubernetes/pkg/volume/fc"
"k8s.io/kubernetes/pkg/volume/flexvolume" "k8s.io/kubernetes/pkg/volume/flexvolume"
"k8s.io/kubernetes/pkg/volume/flocker"
"k8s.io/kubernetes/pkg/volume/git_repo"
"k8s.io/kubernetes/pkg/volume/glusterfs"
"k8s.io/kubernetes/pkg/volume/host_path" "k8s.io/kubernetes/pkg/volume/host_path"
"k8s.io/kubernetes/pkg/volume/iscsi"
"k8s.io/kubernetes/pkg/volume/local" "k8s.io/kubernetes/pkg/volume/local"
"k8s.io/kubernetes/pkg/volume/nfs" "k8s.io/kubernetes/pkg/volume/nfs"
"k8s.io/kubernetes/pkg/volume/portworx"
"k8s.io/kubernetes/pkg/volume/projected" "k8s.io/kubernetes/pkg/volume/projected"
"k8s.io/kubernetes/pkg/volume/quobyte"
"k8s.io/kubernetes/pkg/volume/rbd"
"k8s.io/kubernetes/pkg/volume/scaleio"
"k8s.io/kubernetes/pkg/volume/secret" "k8s.io/kubernetes/pkg/volume/secret"
"k8s.io/kubernetes/pkg/volume/storageos"
// features check // features check
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
...@@ -61,24 +49,13 @@ func ProbeVolumePlugins() []volume.VolumePlugin { ...@@ -61,24 +49,13 @@ func ProbeVolumePlugins() []volume.VolumePlugin {
// Kubelet does not currently need to configure volume plugins. // Kubelet does not currently need to configure volume plugins.
// If/when it does, see kube-controller-manager/app/plugins.go for example of using volume.VolumeConfig // If/when it does, see kube-controller-manager/app/plugins.go for example of using volume.VolumeConfig
allPlugins = append(allPlugins, empty_dir.ProbeVolumePlugins()...) allPlugins = append(allPlugins, empty_dir.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, git_repo.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, host_path.ProbeVolumePlugins(volume.VolumeConfig{})...) allPlugins = append(allPlugins, host_path.ProbeVolumePlugins(volume.VolumeConfig{})...)
allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(volume.VolumeConfig{})...) allPlugins = append(allPlugins, nfs.ProbeVolumePlugins(volume.VolumeConfig{})...)
allPlugins = append(allPlugins, secret.ProbeVolumePlugins()...) allPlugins = append(allPlugins, secret.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, iscsi.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, glusterfs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, rbd.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, quobyte.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, cephfs.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, downwardapi.ProbeVolumePlugins()...) allPlugins = append(allPlugins, downwardapi.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, fc.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, flocker.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, configmap.ProbeVolumePlugins()...) allPlugins = append(allPlugins, configmap.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, projected.ProbeVolumePlugins()...) allPlugins = append(allPlugins, projected.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, portworx.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, scaleio.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, local.ProbeVolumePlugins()...) allPlugins = append(allPlugins, local.ProbeVolumePlugins()...)
allPlugins = append(allPlugins, storageos.ProbeVolumePlugins()...)
if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) { if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...) allPlugins = append(allPlugins, csi.ProbeVolumePlugins()...)
} }
...@@ -98,7 +75,6 @@ func ProbeNetworkPlugins(cniConfDir, cniBinDir string) []network.NetworkPlugin { ...@@ -98,7 +75,6 @@ func ProbeNetworkPlugins(cniConfDir, cniBinDir string) []network.NetworkPlugin {
// for each existing plugin, add to the list // for each existing plugin, add to the list
allPlugins = append(allPlugins, cni.ProbeNetworkPlugins(cniConfDir, cniBinDir)...) allPlugins = append(allPlugins, cni.ProbeNetworkPlugins(cniConfDir, cniBinDir)...)
allPlugins = append(allPlugins, kubenet.NewPlugin(cniBinDir))
return allPlugins return allPlugins
} }
...@@ -68,7 +68,6 @@ import ( ...@@ -68,7 +68,6 @@ import (
"k8s.io/kubernetes/pkg/kubelet/cm" "k8s.io/kubernetes/pkg/kubelet/cm"
"k8s.io/kubernetes/pkg/kubelet/config" "k8s.io/kubernetes/pkg/kubelet/config"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
"k8s.io/kubernetes/pkg/kubelet/dockershim"
"k8s.io/kubernetes/pkg/kubelet/eviction" "k8s.io/kubernetes/pkg/kubelet/eviction"
evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api" evictionapi "k8s.io/kubernetes/pkg/kubelet/eviction/api"
dynamickubeletconfig "k8s.io/kubernetes/pkg/kubelet/kubeletconfig" dynamickubeletconfig "k8s.io/kubernetes/pkg/kubelet/kubeletconfig"
...@@ -323,20 +322,10 @@ func UnsecuredDependencies(s *options.KubeletServer) (*kubelet.Dependencies, err ...@@ -323,20 +322,10 @@ func UnsecuredDependencies(s *options.KubeletServer) (*kubelet.Dependencies, err
writer = &kubeio.NsenterWriter{} writer = &kubeio.NsenterWriter{}
} }
var dockerClientConfig *dockershim.ClientConfig
if s.ContainerRuntime == kubetypes.DockerContainerRuntime {
dockerClientConfig = &dockershim.ClientConfig{
DockerEndpoint: s.DockerEndpoint,
RuntimeRequestTimeout: s.RuntimeRequestTimeout.Duration,
ImagePullProgressDeadline: s.ImagePullProgressDeadline.Duration,
}
}
return &kubelet.Dependencies{ return &kubelet.Dependencies{
Auth: nil, // default does not enforce auth[nz] Auth: nil, // default does not enforce auth[nz]
CAdvisorInterface: nil, // cadvisor.New launches background processes (bg http.ListenAndServe, and some bg cleaners), not set here CAdvisorInterface: nil, // cadvisor.New launches background processes (bg http.ListenAndServe, and some bg cleaners), not set here
ContainerManager: nil, ContainerManager: nil,
DockerClientConfig: dockerClientConfig,
KubeClient: nil, KubeClient: nil,
HeartbeatClient: nil, HeartbeatClient: nil,
ExternalKubeClient: nil, ExternalKubeClient: nil,
......
...@@ -4843,12 +4843,12 @@ func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList ...@@ -4843,12 +4843,12 @@ func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList
if ip.IsUnspecified() { if ip.IsUnspecified() {
allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be unspecified (0.0.0.0)")) allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be unspecified (0.0.0.0)"))
} }
if ip.IsLoopback() { //if ip.IsLoopback() {
allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the loopback range (127.0.0.0/8)")) // allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the loopback range (127.0.0.0/8)"))
} //}
if ip.IsLinkLocalUnicast() { //if ip.IsLinkLocalUnicast() {
allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the link-local range (169.254.0.0/16)")) // allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the link-local range (169.254.0.0/16)"))
} //}
if ip.IsLinkLocalMulticast() { if ip.IsLinkLocalMulticast() {
allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the link-local multicast range (224.0.0.0/24)")) allErrs = append(allErrs, field.Invalid(fldPath, ipAddress, "may not be in the link-local multicast range (224.0.0.0/24)"))
} }
......
...@@ -44,12 +44,6 @@ const ( ...@@ -44,12 +44,6 @@ const (
// RangeAllocatorType is the allocator that uses an internal CIDR // RangeAllocatorType is the allocator that uses an internal CIDR
// range allocator to do node CIDR range allocations. // range allocator to do node CIDR range allocations.
RangeAllocatorType CIDRAllocatorType = "RangeAllocator" RangeAllocatorType CIDRAllocatorType = "RangeAllocator"
// IPAMFromClusterAllocatorType uses the ipam controller sync'ing the node
// CIDR range allocations from the cluster to the cloud.
IPAMFromClusterAllocatorType = "IPAMFromCluster"
// IPAMFromCloudAllocatorType uses the ipam controller sync'ing the node
// CIDR range allocations from the cloud to the cluster.
IPAMFromCloudAllocatorType = "IPAMFromCloud"
) )
// TODO: figure out the good setting for those constants. // TODO: figure out the good setting for those constants.
......
...@@ -18,8 +18,6 @@ package nodeipam ...@@ -18,8 +18,6 @@ package nodeipam
import ( import (
"net" "net"
"time"
"github.com/golang/glog" "github.com/golang/glog"
utilruntime "k8s.io/apimachinery/pkg/util/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime"
...@@ -42,18 +40,6 @@ func init() { ...@@ -42,18 +40,6 @@ func init() {
Register() Register()
} }
const (
// ipamResyncInterval is the amount of time between when the cloud and node
// CIDR range assignments are synchronized.
ipamResyncInterval = 30 * time.Second
// ipamMaxBackoff is the maximum backoff for retrying synchronization of a
// given in the error state.
ipamMaxBackoff = 10 * time.Second
// ipamInitialRetry is the initial retry interval for retrying synchronization of a
// given in the error state.
ipamInitialBackoff = 250 * time.Millisecond
)
// Controller is the controller that manages node ipam state. // Controller is the controller that manages node ipam state.
type Controller struct { type Controller struct {
allocatorType ipam.CIDRAllocatorType allocatorType ipam.CIDRAllocatorType
...@@ -142,9 +128,7 @@ func (nc *Controller) Run(stopCh <-chan struct{}) { ...@@ -142,9 +128,7 @@ func (nc *Controller) Run(stopCh <-chan struct{}) {
return return
} }
if nc.allocatorType != ipam.IPAMFromClusterAllocatorType && nc.allocatorType != ipam.IPAMFromCloudAllocatorType { go nc.cidrAllocator.Run(stopCh)
go nc.cidrAllocator.Run(stopCh)
}
<-stopCh <-stopCh
} }
...@@ -20,16 +20,11 @@ import ( ...@@ -20,16 +20,11 @@ import (
"time" "time"
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authentication/group" "k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/bearertoken" "k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/headerrequest"
"k8s.io/apiserver/pkg/authentication/request/union" "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/websocket" "k8s.io/apiserver/pkg/authentication/request/websocket"
"k8s.io/apiserver/pkg/authentication/request/x509"
tokencache "k8s.io/apiserver/pkg/authentication/token/cache" tokencache "k8s.io/apiserver/pkg/authentication/token/cache"
"k8s.io/apiserver/pkg/authentication/token/tokenfile"
tokenunion "k8s.io/apiserver/pkg/authentication/token/union" tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
"k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile" "k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile"
"k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth" "k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth"
...@@ -40,34 +35,15 @@ import ( ...@@ -40,34 +35,15 @@ import (
) )
type AuthenticatorConfig struct { type AuthenticatorConfig struct {
Anonymous bool
BasicAuthFile string BasicAuthFile string
BootstrapToken bool
ClientCAFile string
TokenAuthFile string
OIDCIssuerURL string
OIDCClientID string
OIDCCAFile string
OIDCUsernameClaim string
OIDCUsernamePrefix string
OIDCGroupsClaim string
OIDCGroupsPrefix string
OIDCSigningAlgs []string
ServiceAccountKeyFiles []string ServiceAccountKeyFiles []string
ServiceAccountLookup bool ServiceAccountLookup bool
ServiceAccountIssuer string
ServiceAccountAPIAudiences []string
WebhookTokenAuthnConfigFile string
WebhookTokenAuthnCacheTTL time.Duration
TokenSuccessCacheTTL time.Duration TokenSuccessCacheTTL time.Duration
TokenFailureCacheTTL time.Duration TokenFailureCacheTTL time.Duration
RequestHeaderConfig *authenticatorfactory.RequestHeaderConfig
// TODO, this is the only non-serializable part of the entire config. Factor it out into a clientconfig // TODO, this is the only non-serializable part of the entire config. Factor it out into a clientconfig
ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter
BootstrapTokenAuthenticator authenticator.Token
} }
// New returns an authenticator.Request or an error that supports the standard // New returns an authenticator.Request or an error that supports the standard
...@@ -76,22 +52,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) { ...@@ -76,22 +52,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
var authenticators []authenticator.Request var authenticators []authenticator.Request
var tokenAuthenticators []authenticator.Token var tokenAuthenticators []authenticator.Token
// front-proxy, BasicAuth methods, local first, then remote
// Add the front proxy authenticator if requested
if config.RequestHeaderConfig != nil {
requestHeaderAuthenticator, err := headerrequest.NewSecure(
config.RequestHeaderConfig.ClientCA,
config.RequestHeaderConfig.AllowedClientNames,
config.RequestHeaderConfig.UsernameHeaders,
config.RequestHeaderConfig.GroupHeaders,
config.RequestHeaderConfig.ExtraHeaderPrefixes,
)
if err != nil {
return nil, err
}
authenticators = append(authenticators, requestHeaderAuthenticator)
}
if len(config.BasicAuthFile) > 0 { if len(config.BasicAuthFile) > 0 {
basicAuth, err := newAuthenticatorFromBasicAuthFile(config.BasicAuthFile) basicAuth, err := newAuthenticatorFromBasicAuthFile(config.BasicAuthFile)
if err != nil { if err != nil {
...@@ -100,23 +60,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) { ...@@ -100,23 +60,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
authenticators = append(authenticators, basicAuth) authenticators = append(authenticators, basicAuth)
} }
// X509 methods
if len(config.ClientCAFile) > 0 {
certAuth, err := newAuthenticatorFromClientCAFile(config.ClientCAFile)
if err != nil {
return nil, err
}
authenticators = append(authenticators, certAuth)
}
// Bearer token methods, local first, then remote
if len(config.TokenAuthFile) > 0 {
tokenAuth, err := newAuthenticatorFromTokenFile(config.TokenAuthFile)
if err != nil {
return nil, err
}
tokenAuthenticators = append(tokenAuthenticators, tokenAuth)
}
if len(config.ServiceAccountKeyFiles) > 0 { if len(config.ServiceAccountKeyFiles) > 0 {
serviceAccountAuth, err := newLegacyServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.ServiceAccountTokenGetter) serviceAccountAuth, err := newLegacyServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.ServiceAccountTokenGetter)
if err != nil { if err != nil {
...@@ -124,12 +67,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) { ...@@ -124,12 +67,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
} }
tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth) tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)
} }
if config.BootstrapToken {
if config.BootstrapTokenAuthenticator != nil {
// TODO: This can sometimes be nil because of
tokenAuthenticators = append(tokenAuthenticators, config.BootstrapTokenAuthenticator)
}
}
if len(tokenAuthenticators) > 0 { if len(tokenAuthenticators) > 0 {
// Union the token authenticators // Union the token authenticators
...@@ -141,12 +78,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) { ...@@ -141,12 +78,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
authenticators = append(authenticators, bearertoken.New(tokenAuth), websocket.NewProtocolAuthenticator(tokenAuth)) authenticators = append(authenticators, bearertoken.New(tokenAuth), websocket.NewProtocolAuthenticator(tokenAuth))
} }
if len(authenticators) == 0 {
if config.Anonymous {
return anonymous.NewAuthenticator(), nil
}
}
switch len(authenticators) { switch len(authenticators) {
case 0: case 0:
return nil, nil return nil, nil
...@@ -156,12 +87,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) { ...@@ -156,12 +87,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
authenticator = group.NewAuthenticatedGroupAdder(authenticator) authenticator = group.NewAuthenticatedGroupAdder(authenticator)
if config.Anonymous {
// If the authenticator chain returns an error, return an error (don't consider a bad bearer token
// or invalid username/password combination anonymous).
authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator())
}
return authenticator, nil return authenticator, nil
} }
...@@ -181,16 +106,6 @@ func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Requ ...@@ -181,16 +106,6 @@ func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Requ
return basicauth.New(basicAuthenticator), nil return basicauth.New(basicAuthenticator), nil
} }
// newAuthenticatorFromTokenFile returns an authenticator.Token or an error
func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, error) {
tokenAuthenticator, err := tokenfile.NewCSV(tokenAuthFile)
if err != nil {
return nil, err
}
return tokenAuthenticator, nil
}
// newLegacyServiceAccountAuthenticator returns an authenticator.Token or an error // newLegacyServiceAccountAuthenticator returns an authenticator.Token or an error
func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) { func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
allPublicKeys := []interface{}{} allPublicKeys := []interface{}{}
...@@ -205,31 +120,3 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, servic ...@@ -205,31 +120,3 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, servic
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(serviceaccount.LegacyIssuer, allPublicKeys, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter)) tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(serviceaccount.LegacyIssuer, allPublicKeys, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter))
return tokenAuthenticator, nil return tokenAuthenticator, nil
} }
// newServiceAccountAuthenticator returns an authenticator.Token or an error
func newServiceAccountAuthenticator(iss string, audiences []string, keyfiles []string, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
allPublicKeys := []interface{}{}
for _, keyfile := range keyfiles {
publicKeys, err := certutil.PublicKeysFromFile(keyfile)
if err != nil {
return nil, err
}
allPublicKeys = append(allPublicKeys, publicKeys...)
}
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(iss, allPublicKeys, serviceaccount.NewValidator(audiences, serviceAccountGetter))
return tokenAuthenticator, nil
}
// newAuthenticatorFromClientCAFile returns an authenticator.Request or an error
func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Request, error) {
roots, err := certutil.NewPool(clientCAFile)
if err != nil {
return nil, err
}
opts := x509.DefaultVerifyOptions()
opts.Roots = roots
return x509.New(opts, x509.CommonNameUserConversion), nil
}
...@@ -19,14 +19,11 @@ package authorizer ...@@ -19,14 +19,11 @@ package authorizer
import ( import (
"errors" "errors"
"fmt" "fmt"
"time"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory" "k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/union" "k8s.io/apiserver/pkg/authorization/union"
"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
versionedinformers "k8s.io/client-go/informers" versionedinformers "k8s.io/client-go/informers"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/nodeidentifier" "k8s.io/kubernetes/pkg/auth/nodeidentifier"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
...@@ -38,20 +35,6 @@ import ( ...@@ -38,20 +35,6 @@ import (
type AuthorizationConfig struct { type AuthorizationConfig struct {
AuthorizationModes []string AuthorizationModes []string
// Options for ModeABAC
// Path to an ABAC policy file.
PolicyFile string
// Options for ModeWebhook
// Kubeconfig file for Webhook authorization plugin.
WebhookConfigFile string
// TTL for caching of authorized responses from the webhook server.
WebhookCacheAuthorizedTTL time.Duration
// TTL for caching of unauthorized responses from the webhook server.
WebhookCacheUnauthorizedTTL time.Duration
InformerFactory informers.SharedInformerFactory InformerFactory informers.SharedInformerFactory
VersionedInformerFactory versionedinformers.SharedInformerFactory VersionedInformerFactory versionedinformers.SharedInformerFactory
} }
...@@ -95,28 +78,6 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR ...@@ -95,28 +78,6 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
alwaysDenyAuthorizer := authorizerfactory.NewAlwaysDenyAuthorizer() alwaysDenyAuthorizer := authorizerfactory.NewAlwaysDenyAuthorizer()
authorizers = append(authorizers, alwaysDenyAuthorizer) authorizers = append(authorizers, alwaysDenyAuthorizer)
ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer) ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer)
case modes.ModeABAC:
if config.PolicyFile == "" {
return nil, nil, errors.New("ABAC's authorization policy file not passed")
}
abacAuthorizer, err := abac.NewFromFile(config.PolicyFile)
if err != nil {
return nil, nil, err
}
authorizers = append(authorizers, abacAuthorizer)
ruleResolvers = append(ruleResolvers, abacAuthorizer)
case modes.ModeWebhook:
if config.WebhookConfigFile == "" {
return nil, nil, errors.New("Webhook's configuration file not passed")
}
webhookAuthorizer, err := webhook.New(config.WebhookConfigFile,
config.WebhookCacheAuthorizedTTL,
config.WebhookCacheUnauthorizedTTL)
if err != nil {
return nil, nil, err
}
authorizers = append(authorizers, webhookAuthorizer)
ruleResolvers = append(ruleResolvers, webhookAuthorizer)
case modes.ModeRBAC: case modes.ModeRBAC:
rbacAuthorizer := rbac.New( rbacAuthorizer := rbac.New(
&rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()}, &rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
...@@ -132,12 +93,5 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR ...@@ -132,12 +93,5 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
authorizerMap[authorizationMode] = true authorizerMap[authorizationMode] = true
} }
if !authorizerMap[modes.ModeABAC] && config.PolicyFile != "" {
return nil, nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC")
}
if !authorizerMap[modes.ModeWebhook] && config.WebhookConfigFile != "" {
return nil, nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook")
}
return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil
} }
...@@ -21,13 +21,11 @@ import "k8s.io/apimachinery/pkg/util/sets" ...@@ -21,13 +21,11 @@ import "k8s.io/apimachinery/pkg/util/sets"
const ( const (
ModeAlwaysAllow string = "AlwaysAllow" ModeAlwaysAllow string = "AlwaysAllow"
ModeAlwaysDeny string = "AlwaysDeny" ModeAlwaysDeny string = "AlwaysDeny"
ModeABAC string = "ABAC"
ModeWebhook string = "Webhook"
ModeRBAC string = "RBAC" ModeRBAC string = "RBAC"
ModeNode string = "Node" ModeNode string = "Node"
) )
var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC, ModeWebhook, ModeRBAC, ModeNode} var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeRBAC, ModeNode}
// IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver // IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver
func IsValidAuthorizationMode(authzMode string) bool { func IsValidAuthorizationMode(authzMode string) bool {
......
...@@ -18,7 +18,6 @@ package options ...@@ -18,7 +18,6 @@ package options
import ( import (
"strings" "strings"
"time"
"github.com/spf13/pflag" "github.com/spf13/pflag"
...@@ -29,18 +28,12 @@ import ( ...@@ -29,18 +28,12 @@ import (
) )
type BuiltInAuthorizationOptions struct { type BuiltInAuthorizationOptions struct {
Mode string Mode string
PolicyFile string
WebhookConfigFile string
WebhookCacheAuthorizedTTL time.Duration
WebhookCacheUnauthorizedTTL time.Duration
} }
func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions { func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
return &BuiltInAuthorizationOptions{ return &BuiltInAuthorizationOptions{
Mode: authzmodes.ModeAlwaysAllow, Mode: authzmodes.ModeNode + "," + authzmodes.ModeAlwaysAllow,
WebhookCacheAuthorizedTTL: 5 * time.Minute,
WebhookCacheUnauthorizedTTL: 30 * time.Second,
} }
} }
...@@ -54,21 +47,6 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -54,21 +47,6 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+ "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+
strings.Join(authzmodes.AuthorizationModeChoices, ",")+".") strings.Join(authzmodes.AuthorizationModeChoices, ",")+".")
fs.StringVar(&s.PolicyFile, "authorization-policy-file", s.PolicyFile, ""+
"File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")
fs.StringVar(&s.WebhookConfigFile, "authorization-webhook-config-file", s.WebhookConfigFile, ""+
"File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "+
"The API server will query the remote service to determine access on the API server's secure port.")
fs.DurationVar(&s.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl",
s.WebhookCacheAuthorizedTTL,
"The duration to cache 'authorized' responses from the webhook authorizer.")
fs.DurationVar(&s.WebhookCacheUnauthorizedTTL,
"authorization-webhook-cache-unauthorized-ttl", s.WebhookCacheUnauthorizedTTL,
"The duration to cache 'unauthorized' responses from the webhook authorizer.")
fs.String("authorization-rbac-super-user", "", ""+ fs.String("authorization-rbac-super-user", "", ""+
"If specified, a username which avoids RBAC authorization checks and role binding "+ "If specified, a username which avoids RBAC authorization checks and role binding "+
"privilege escalation checks, to be used with --authorization-mode=RBAC.") "privilege escalation checks, to be used with --authorization-mode=RBAC.")
...@@ -86,12 +64,8 @@ func (s *BuiltInAuthorizationOptions) Modes() []string { ...@@ -86,12 +64,8 @@ func (s *BuiltInAuthorizationOptions) Modes() []string {
func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig { func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
return authorizer.AuthorizationConfig{ return authorizer.AuthorizationConfig{
AuthorizationModes: s.Modes(), AuthorizationModes: s.Modes(),
PolicyFile: s.PolicyFile, InformerFactory: informerFactory,
WebhookConfigFile: s.WebhookConfigFile, VersionedInformerFactory: versionedInformerFactory,
WebhookCacheAuthorizedTTL: s.WebhookCacheAuthorizedTTL,
WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
InformerFactory: informerFactory,
VersionedInformerFactory: versionedInformerFactory,
} }
} }
...@@ -20,32 +20,8 @@ package options ...@@ -20,32 +20,8 @@ package options
// This should probably be part of some configuration fed into the build for a // This should probably be part of some configuration fed into the build for a
// given binary target. // given binary target.
import ( import (
// Admission policies
"k8s.io/kubernetes/plugin/pkg/admission/admit"
"k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
"k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"
"k8s.io/kubernetes/plugin/pkg/admission/defaulttolerationseconds"
"k8s.io/kubernetes/plugin/pkg/admission/deny"
"k8s.io/kubernetes/plugin/pkg/admission/eventratelimit"
"k8s.io/kubernetes/plugin/pkg/admission/exec"
"k8s.io/kubernetes/plugin/pkg/admission/extendedresourcetoleration"
"k8s.io/kubernetes/plugin/pkg/admission/gc"
"k8s.io/kubernetes/plugin/pkg/admission/initialresources"
"k8s.io/kubernetes/plugin/pkg/admission/limitranger"
"k8s.io/kubernetes/plugin/pkg/admission/namespace/autoprovision"
"k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"
"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
"k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/resize"
"k8s.io/kubernetes/plugin/pkg/admission/podnodeselector"
"k8s.io/kubernetes/plugin/pkg/admission/podtolerationrestriction"
podpriority "k8s.io/kubernetes/plugin/pkg/admission/priority"
"k8s.io/kubernetes/plugin/pkg/admission/resourcequota"
"k8s.io/kubernetes/plugin/pkg/admission/security/podsecuritypolicy"
"k8s.io/kubernetes/plugin/pkg/admission/securitycontext/scdeny"
"k8s.io/kubernetes/plugin/pkg/admission/serviceaccount" "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
"k8s.io/kubernetes/plugin/pkg/admission/storage/storageclass/setdefault" "k8s.io/kubernetes/plugin/pkg/admission/storage/storageclass/setdefault"
"k8s.io/kubernetes/plugin/pkg/admission/storage/storageobjectinuseprotection"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
...@@ -53,72 +29,24 @@ import ( ...@@ -53,72 +29,24 @@ import (
// AllOrderedPlugins is the list of all the plugins in order. // AllOrderedPlugins is the list of all the plugins in order.
var AllOrderedPlugins = []string{ var AllOrderedPlugins = []string{
admit.PluginName, // AlwaysAdmit
autoprovision.PluginName, // NamespaceAutoProvision
lifecycle.PluginName, // NamespaceLifecycle lifecycle.PluginName, // NamespaceLifecycle
exists.PluginName, // NamespaceExists
scdeny.PluginName, // SecurityContextDeny
antiaffinity.PluginName, // LimitPodHardAntiAffinityTopology
initialresources.PluginName, // InitialResources
limitranger.PluginName, // LimitRanger
serviceaccount.PluginName, // ServiceAccount serviceaccount.PluginName, // ServiceAccount
noderestriction.PluginName, // NodeRestriction
alwayspullimages.PluginName, // AlwaysPullImages
podsecuritypolicy.PluginName, // PodSecurityPolicy
podnodeselector.PluginName, // PodNodeSelector
podpriority.PluginName, // Priority
defaulttolerationseconds.PluginName, // DefaultTolerationSeconds
podtolerationrestriction.PluginName, // PodTolerationRestriction
exec.DenyEscalatingExec, // DenyEscalatingExec
exec.DenyExecOnPrivileged, // DenyExecOnPrivileged
eventratelimit.PluginName, // EventRateLimit
extendedresourcetoleration.PluginName, // ExtendedResourceToleration
setdefault.PluginName, // DefaultStorageClass setdefault.PluginName, // DefaultStorageClass
storageobjectinuseprotection.PluginName, // StorageObjectInUseProtection
gc.PluginName, // OwnerReferencesPermissionEnforcement
resize.PluginName, // PersistentVolumeClaimResize
resourcequota.PluginName, // ResourceQuota
deny.PluginName, // AlwaysDeny
} }
// RegisterAllAdmissionPlugins registers all admission plugins and // RegisterAllAdmissionPlugins registers all admission plugins and
// sets the recommended plugins order. // sets the recommended plugins order.
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) { func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
admit.Register(plugins) // DEPRECATED as no real meaning
alwayspullimages.Register(plugins)
antiaffinity.Register(plugins)
defaulttolerationseconds.Register(plugins)
deny.Register(plugins) // DEPRECATED as no real meaning
eventratelimit.Register(plugins)
exec.Register(plugins)
extendedresourcetoleration.Register(plugins)
gc.Register(plugins)
initialresources.Register(plugins)
limitranger.Register(plugins)
autoprovision.Register(plugins)
exists.Register(plugins)
noderestriction.Register(plugins)
podnodeselector.Register(plugins)
podtolerationrestriction.Register(plugins)
resourcequota.Register(plugins)
podsecuritypolicy.Register(plugins)
podpriority.Register(plugins)
scdeny.Register(plugins)
serviceaccount.Register(plugins) serviceaccount.Register(plugins)
setdefault.Register(plugins) setdefault.Register(plugins)
resize.Register(plugins)
storageobjectinuseprotection.Register(plugins)
} }
// DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver. // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
func DefaultOffAdmissionPlugins() sets.String { func DefaultOffAdmissionPlugins() sets.String {
defaultOnPlugins := sets.NewString( defaultOnPlugins := sets.NewString(
lifecycle.PluginName, //NamespaceLifecycle lifecycle.PluginName, //NamespaceLifecycle
limitranger.PluginName, //LimitRanger
serviceaccount.PluginName, //ServiceAccount serviceaccount.PluginName, //ServiceAccount
setdefault.PluginName, //DefaultStorageClass setdefault.PluginName, //DefaultStorageClass
defaulttolerationseconds.PluginName, //DefaultTolerationSeconds
resourcequota.PluginName, //ResourceQuota
) )
return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins) return sets.NewString(AllOrderedPlugins...).Difference(defaultOnPlugins)
......
...@@ -36,10 +36,6 @@ type imageFsInfoProvider struct { ...@@ -36,10 +36,6 @@ type imageFsInfoProvider struct {
// For remote runtimes, it handles additional runtimes natively understood by cAdvisor. // For remote runtimes, it handles additional runtimes natively understood by cAdvisor.
func (i *imageFsInfoProvider) ImageFsInfoLabel() (string, error) { func (i *imageFsInfoProvider) ImageFsInfoLabel() (string, error) {
switch i.runtime { switch i.runtime {
case types.DockerContainerRuntime:
return cadvisorfs.LabelDockerImages, nil
case types.RktContainerRuntime:
return cadvisorfs.LabelRktImages, nil
case types.RemoteContainerRuntime: case types.RemoteContainerRuntime:
// This is a temporary workaround to get stats for cri-o from cadvisor // This is a temporary workaround to get stats for cri-o from cadvisor
// and should be removed. // and should be removed.
......
...@@ -17,8 +17,6 @@ limitations under the License. ...@@ -17,8 +17,6 @@ limitations under the License.
package cadvisor package cadvisor
import ( import (
goruntime "runtime"
cadvisorapi "github.com/google/cadvisor/info/v1" cadvisorapi "github.com/google/cadvisor/info/v1"
cadvisorapi2 "github.com/google/cadvisor/info/v2" cadvisorapi2 "github.com/google/cadvisor/info/v2"
"k8s.io/api/core/v1" "k8s.io/api/core/v1"
...@@ -26,7 +24,6 @@ import ( ...@@ -26,7 +24,6 @@ import (
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper" v1helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
) )
const ( const (
...@@ -75,7 +72,5 @@ func EphemeralStorageCapacityFromFsInfo(info cadvisorapi2.FsInfo) v1.ResourceLis ...@@ -75,7 +72,5 @@ func EphemeralStorageCapacityFromFsInfo(info cadvisorapi2.FsInfo) v1.ResourceLis
// https://github.com/kubernetes/kubernetes/issues/51798 // https://github.com/kubernetes/kubernetes/issues/51798
// UsingLegacyCadvisorStats returns true if container stats are provided by cadvisor instead of through the CRI // UsingLegacyCadvisorStats returns true if container stats are provided by cadvisor instead of through the CRI
func UsingLegacyCadvisorStats(runtime, runtimeEndpoint string) bool { func UsingLegacyCadvisorStats(runtime, runtimeEndpoint string) bool {
return runtime == kubetypes.RktContainerRuntime || return runtimeEndpoint == CrioSocket
(runtime == kubetypes.DockerContainerRuntime && goruntime.GOOS == "linux") ||
runtimeEndpoint == CrioSocket
} }
...@@ -57,7 +57,6 @@ import ( ...@@ -57,7 +57,6 @@ import (
"k8s.io/kubernetes/pkg/kubelet/config" "k8s.io/kubernetes/pkg/kubelet/config"
"k8s.io/kubernetes/pkg/kubelet/configmap" "k8s.io/kubernetes/pkg/kubelet/configmap"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
"k8s.io/kubernetes/pkg/kubelet/dockershim"
"k8s.io/kubernetes/pkg/kubelet/events" "k8s.io/kubernetes/pkg/kubelet/events"
"k8s.io/kubernetes/pkg/kubelet/eviction" "k8s.io/kubernetes/pkg/kubelet/eviction"
"k8s.io/kubernetes/pkg/kubelet/images" "k8s.io/kubernetes/pkg/kubelet/images"
...@@ -220,7 +219,6 @@ type Dependencies struct { ...@@ -220,7 +219,6 @@ type Dependencies struct {
Auth server.AuthInterface Auth server.AuthInterface
CAdvisorInterface cadvisor.Interface CAdvisorInterface cadvisor.Interface
ContainerManager cm.ContainerManager ContainerManager cm.ContainerManager
DockerClientConfig *dockershim.ClientConfig
EventClient v1core.EventsGetter EventClient v1core.EventsGetter
HeartbeatClient v1core.CoreV1Interface HeartbeatClient v1core.CoreV1Interface
OnHeartbeatFailure func() OnHeartbeatFailure func()
...@@ -470,7 +468,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration, ...@@ -470,7 +468,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
makeIPTablesUtilChains: kubeCfg.MakeIPTablesUtilChains, makeIPTablesUtilChains: kubeCfg.MakeIPTablesUtilChains,
iptablesMasqueradeBit: int(kubeCfg.IPTablesMasqueradeBit), iptablesMasqueradeBit: int(kubeCfg.IPTablesMasqueradeBit),
iptablesDropBit: int(kubeCfg.IPTablesDropBit), iptablesDropBit: int(kubeCfg.IPTablesDropBit),
keepTerminatedPodVolumes: keepTerminatedPodVolumes,
} }
secretManager := secret.NewCachingSecretManager( secretManager := secret.NewCachingSecretManager(
......
...@@ -188,37 +188,7 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult ...@@ -188,37 +188,7 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
} }
// Always admit runtimes except docker. // Always admit runtimes except docker.
if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
return PodAdmitResult{Admit: true} return PodAdmitResult{Admit: true}
}
// Make sure docker api version is valid.
rversion, err := a.Runtime.APIVersion()
if err != nil {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
v, err := rversion.Compare("1.23.0")
if err != nil {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
// If the version is less than 1.23 it will return -1 above.
if v == -1 {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: docker runtime API version %q must be greater than or equal to 1.23", rversion.String()),
}
}
return PodAdmitResult{Admit: true}
} }
func noNewPrivsRequired(pod *v1.Pod) bool { func noNewPrivsRequired(pod *v1.Pod) bool {
......
...@@ -21,8 +21,6 @@ const ( ...@@ -21,8 +21,6 @@ const (
ResolvConfDefault = "/etc/resolv.conf" ResolvConfDefault = "/etc/resolv.conf"
// different container runtimes // different container runtimes
DockerContainerRuntime = "docker"
RktContainerRuntime = "rkt"
RemoteContainerRuntime = "remote" RemoteContainerRuntime = "remote"
// User visible keys for managing node allocatable enforcement on the node. // User visible keys for managing node allocatable enforcement on the node.
......
...@@ -112,7 +112,7 @@ func validateHost(runtime string) error { ...@@ -112,7 +112,7 @@ func validateHost(runtime string) error {
} }
// Check runtime support. Currently only Docker is supported. // Check runtime support. Currently only Docker is supported.
if runtime != kubetypes.DockerContainerRuntime && runtime != kubetypes.RemoteContainerRuntime { if runtime != kubetypes.RemoteContainerRuntime {
return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q.", runtime) return fmt.Errorf("AppArmor is only enabled for 'docker' and 'remote' runtimes. Found: %q.", runtime)
} }
......
...@@ -28,8 +28,6 @@ import ( ...@@ -28,8 +28,6 @@ import (
"k8s.io/apiserver/pkg/admission/initializer" "k8s.io/apiserver/pkg/admission/initializer"
admissionmetrics "k8s.io/apiserver/pkg/admission/metrics" admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"
"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
apiserverapi "k8s.io/apiserver/pkg/apis/apiserver" apiserverapi "k8s.io/apiserver/pkg/apis/apiserver"
apiserverapiv1alpha1 "k8s.io/apiserver/pkg/apis/apiserver/v1alpha1" apiserverapiv1alpha1 "k8s.io/apiserver/pkg/apis/apiserver/v1alpha1"
"k8s.io/apiserver/pkg/server" "k8s.io/apiserver/pkg/server"
...@@ -77,7 +75,7 @@ func NewAdmissionOptions() *AdmissionOptions { ...@@ -77,7 +75,7 @@ func NewAdmissionOptions() *AdmissionOptions {
// admission plugins. The apiserver always runs the validating ones // admission plugins. The apiserver always runs the validating ones
// after all the mutating ones, so their relative order in this list // after all the mutating ones, so their relative order in this list
// doesn't matter. // doesn't matter.
RecommendedPluginOrder: []string{lifecycle.PluginName, mutatingwebhook.PluginName, validatingwebhook.PluginName}, RecommendedPluginOrder: []string{lifecycle.PluginName},
} }
server.RegisterAllAdmissionPlugins(options.Plugins) server.RegisterAllAdmissionPlugins(options.Plugins)
return options return options
......
...@@ -18,7 +18,6 @@ package options ...@@ -18,7 +18,6 @@ package options
import ( import (
"fmt" "fmt"
"net/http"
"strconv" "strconv"
"strings" "strings"
"time" "time"
...@@ -30,9 +29,7 @@ import ( ...@@ -30,9 +29,7 @@ import (
"k8s.io/apiserver/pkg/registry/generic" "k8s.io/apiserver/pkg/registry/generic"
genericregistry "k8s.io/apiserver/pkg/registry/generic/registry" genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
"k8s.io/apiserver/pkg/server" "k8s.io/apiserver/pkg/server"
"k8s.io/apiserver/pkg/server/healthz"
serverstorage "k8s.io/apiserver/pkg/server/storage" serverstorage "k8s.io/apiserver/pkg/server/storage"
"k8s.io/apiserver/pkg/storage/etcd3/preflight"
"k8s.io/apiserver/pkg/storage/storagebackend" "k8s.io/apiserver/pkg/storage/storagebackend"
) )
...@@ -60,7 +57,6 @@ type EtcdOptions struct { ...@@ -60,7 +57,6 @@ type EtcdOptions struct {
var storageTypes = sets.NewString( var storageTypes = sets.NewString(
storagebackend.StorageTypeUnset, storagebackend.StorageTypeUnset,
storagebackend.StorageTypeETCD2,
storagebackend.StorageTypeETCD3, storagebackend.StorageTypeETCD3,
) )
...@@ -78,20 +74,7 @@ func NewEtcdOptions(backendConfig *storagebackend.Config) *EtcdOptions { ...@@ -78,20 +74,7 @@ func NewEtcdOptions(backendConfig *storagebackend.Config) *EtcdOptions {
} }
func (s *EtcdOptions) Validate() []error { func (s *EtcdOptions) Validate() []error {
if s == nil { return nil
return nil
}
allErrors := []error{}
if len(s.StorageConfig.ServerList) == 0 {
allErrors = append(allErrors, fmt.Errorf("--etcd-servers must be specified"))
}
if !storageTypes.Has(s.StorageConfig.Type) {
allErrors = append(allErrors, fmt.Errorf("--storage-backend invalid, must be 'etcd3' or 'etcd2'. If not specified, it will default to 'etcd3'"))
}
return allErrors
} }
// AddEtcdFlags adds flags related to etcd storage for a specific APIServer to the specified FlagSet // AddEtcdFlags adds flags related to etcd storage for a specific APIServer to the specified FlagSet
...@@ -167,30 +150,15 @@ func (s *EtcdOptions) ApplyTo(c *server.Config) error { ...@@ -167,30 +150,15 @@ func (s *EtcdOptions) ApplyTo(c *server.Config) error {
return nil return nil
} }
s.addEtcdHealthEndpoint(c)
c.RESTOptionsGetter = &SimpleRestOptionsFactory{Options: *s} c.RESTOptionsGetter = &SimpleRestOptionsFactory{Options: *s}
return nil return nil
} }
func (s *EtcdOptions) ApplyWithStorageFactoryTo(factory serverstorage.StorageFactory, c *server.Config) error { func (s *EtcdOptions) ApplyWithStorageFactoryTo(factory serverstorage.StorageFactory, c *server.Config) error {
s.addEtcdHealthEndpoint(c)
c.RESTOptionsGetter = &storageFactoryRestOptionsFactory{Options: *s, StorageFactory: factory} c.RESTOptionsGetter = &storageFactoryRestOptionsFactory{Options: *s, StorageFactory: factory}
return nil return nil
} }
func (s *EtcdOptions) addEtcdHealthEndpoint(c *server.Config) {
c.HealthzChecks = append(c.HealthzChecks, healthz.NamedCheck("etcd", func(r *http.Request) error {
done, err := preflight.EtcdConnection{ServerList: s.StorageConfig.ServerList}.CheckEtcdServers()
if !done {
return fmt.Errorf("etcd failed")
}
if err != nil {
return err
}
return nil
}))
}
type SimpleRestOptionsFactory struct { type SimpleRestOptionsFactory struct {
Options EtcdOptions Options EtcdOptions
} }
......
...@@ -29,13 +29,10 @@ import ( ...@@ -29,13 +29,10 @@ import (
// If you add something to this list, it should be in a logical grouping. // If you add something to this list, it should be in a logical grouping.
// Each of them can be nil to leave the feature unconfigured on ApplyTo. // Each of them can be nil to leave the feature unconfigured on ApplyTo.
type RecommendedOptions struct { type RecommendedOptions struct {
Etcd *EtcdOptions Etcd *EtcdOptions
SecureServing *SecureServingOptionsWithLoopback SecureServing *SecureServingOptionsWithLoopback
Authentication *DelegatingAuthenticationOptions Features *FeatureOptions
Authorization *DelegatingAuthorizationOptions CoreAPI *CoreAPIOptions
Audit *AuditOptions
Features *FeatureOptions
CoreAPI *CoreAPIOptions
// ExtraAdmissionInitializers is called once after all ApplyTo from the options above, to pass the returned // ExtraAdmissionInitializers is called once after all ApplyTo from the options above, to pass the returned
// admission plugin initializers to Admission.ApplyTo. // admission plugin initializers to Admission.ApplyTo.
...@@ -55,9 +52,6 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio ...@@ -55,9 +52,6 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
return &RecommendedOptions{ return &RecommendedOptions{
Etcd: NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)), Etcd: NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
SecureServing: WithLoopback(sso), SecureServing: WithLoopback(sso),
Authentication: NewDelegatingAuthenticationOptions(),
Authorization: NewDelegatingAuthorizationOptions(),
Audit: NewAuditOptions(),
Features: NewFeatureOptions(), Features: NewFeatureOptions(),
CoreAPI: NewCoreAPIOptions(), CoreAPI: NewCoreAPIOptions(),
ExtraAdmissionInitializers: func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) { return nil, nil }, ExtraAdmissionInitializers: func(c *server.RecommendedConfig) ([]admission.PluginInitializer, error) { return nil, nil },
...@@ -68,9 +62,6 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio ...@@ -68,9 +62,6 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet) { func (o *RecommendedOptions) AddFlags(fs *pflag.FlagSet) {
o.Etcd.AddFlags(fs) o.Etcd.AddFlags(fs)
o.SecureServing.AddFlags(fs) o.SecureServing.AddFlags(fs)
o.Authentication.AddFlags(fs)
o.Authorization.AddFlags(fs)
o.Audit.AddFlags(fs)
o.Features.AddFlags(fs) o.Features.AddFlags(fs)
o.CoreAPI.AddFlags(fs) o.CoreAPI.AddFlags(fs)
o.Admission.AddFlags(fs) o.Admission.AddFlags(fs)
...@@ -86,15 +77,6 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r ...@@ -86,15 +77,6 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r
if err := o.SecureServing.ApplyTo(&config.Config); err != nil { if err := o.SecureServing.ApplyTo(&config.Config); err != nil {
return err return err
} }
if err := o.Authentication.ApplyTo(&config.Config.Authentication, config.SecureServing); err != nil {
return err
}
if err := o.Authorization.ApplyTo(&config.Config.Authorization); err != nil {
return err
}
if err := o.Audit.ApplyTo(&config.Config); err != nil {
return err
}
if err := o.Features.ApplyTo(&config.Config); err != nil { if err := o.Features.ApplyTo(&config.Config); err != nil {
return err return err
} }
...@@ -114,9 +96,6 @@ func (o *RecommendedOptions) Validate() []error { ...@@ -114,9 +96,6 @@ func (o *RecommendedOptions) Validate() []error {
errors := []error{} errors := []error{}
errors = append(errors, o.Etcd.Validate()...) errors = append(errors, o.Etcd.Validate()...)
errors = append(errors, o.SecureServing.Validate()...) errors = append(errors, o.SecureServing.Validate()...)
errors = append(errors, o.Authentication.Validate()...)
errors = append(errors, o.Authorization.Validate()...)
errors = append(errors, o.Audit.Validate()...)
errors = append(errors, o.Features.Validate()...) errors = append(errors, o.Features.Validate()...)
errors = append(errors, o.CoreAPI.Validate()...) errors = append(errors, o.CoreAPI.Validate()...)
errors = append(errors, o.Admission.Validate()...) errors = append(errors, o.Admission.Validate()...)
......
...@@ -40,6 +40,9 @@ type SecureServingOptions struct { ...@@ -40,6 +40,9 @@ type SecureServingOptions struct {
// "tcp4", and "tcp6". // "tcp4", and "tcp6".
BindNetwork string BindNetwork string
PublicIP *net.IP
PublicPort int
// Listener is the secure server network listener. // Listener is the secure server network listener.
// either Listener or BindAddress/BindPort/BindNetwork is set, // either Listener or BindAddress/BindPort/BindNetwork is set,
// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork. // if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
......
...@@ -75,5 +75,11 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(c *server.Config) error { ...@@ -75,5 +75,11 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(c *server.Config) error {
c.SecureServing.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert c.SecureServing.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
} }
if s.PublicIP != nil {
c.PublicAddress = *s.PublicIP
}
if s.PublicPort > 0 {
c.ReadWritePort = s.PublicPort
}
return nil return nil
} }
...@@ -20,13 +20,9 @@ package server ...@@ -20,13 +20,9 @@ package server
import ( import (
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
mutatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
validatingwebhook "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
) )
// RegisterAllAdmissionPlugins registers all admission plugins // RegisterAllAdmissionPlugins registers all admission plugins
func RegisterAllAdmissionPlugins(plugins *admission.Plugins) { func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
lifecycle.Register(plugins) lifecycle.Register(plugins)
validatingwebhook.Register(plugins)
mutatingwebhook.Register(plugins)
} }
...@@ -25,8 +25,7 @@ import ( ...@@ -25,8 +25,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/serializer/recognizer" "k8s.io/apimachinery/pkg/runtime/serializer/recognizer"
"k8s.io/apiserver/pkg/storage/storagebackend" "k8s.io/apiserver/pkg/storage/storagebackend"
"github.com/golang/glog" )
)
// StorageCodecConfig are the arguments passed to newStorageCodecFn // StorageCodecConfig are the arguments passed to newStorageCodecFn
type StorageCodecConfig struct { type StorageCodecConfig struct {
...@@ -48,11 +47,6 @@ func NewStorageCodec(opts StorageCodecConfig) (runtime.Codec, error) { ...@@ -48,11 +47,6 @@ func NewStorageCodec(opts StorageCodecConfig) (runtime.Codec, error) {
return nil, fmt.Errorf("%q is not a valid mime-type", opts.StorageMediaType) return nil, fmt.Errorf("%q is not a valid mime-type", opts.StorageMediaType)
} }
if opts.Config.Type == storagebackend.StorageTypeETCD2 && mediaType != "application/json" {
glog.Warningf(`storage type %q does not support media type %q, using "application/json"`, storagebackend.StorageTypeETCD2, mediaType)
mediaType = "application/json"
}
serializer, ok := runtime.SerializerInfoForMediaType(opts.StorageSerializer.SupportedMediaTypes(), mediaType) serializer, ok := runtime.SerializerInfoForMediaType(opts.StorageSerializer.SupportedMediaTypes(), mediaType)
if !ok { if !ok {
return nil, fmt.Errorf("unable to find serializer for %q", mediaType) return nil, fmt.Errorf("unable to find serializer for %q", mediaType)
...@@ -60,11 +54,6 @@ func NewStorageCodec(opts StorageCodecConfig) (runtime.Codec, error) { ...@@ -60,11 +54,6 @@ func NewStorageCodec(opts StorageCodecConfig) (runtime.Codec, error) {
s := serializer.Serializer s := serializer.Serializer
// make sure the selected encoder supports string data
if !serializer.EncodesAsText && opts.Config.Type == storagebackend.StorageTypeETCD2 {
return nil, fmt.Errorf("storage type %q does not support binary media type %q", storagebackend.StorageTypeETCD2, mediaType)
}
// Give callers the opportunity to wrap encoders and decoders. For decoders, each returned decoder will // Give callers the opportunity to wrap encoders and decoders. For decoders, each returned decoder will
// be passed to the recognizer so that multiple decoders are available. // be passed to the recognizer so that multiple decoders are available.
var encoder runtime.Encoder = s var encoder runtime.Encoder = s
......
...@@ -25,7 +25,6 @@ import ( ...@@ -25,7 +25,6 @@ import (
const ( const (
StorageTypeUnset = "" StorageTypeUnset = ""
StorageTypeETCD2 = "etcd2"
StorageTypeETCD3 = "etcd3" StorageTypeETCD3 = "etcd3"
DefaultCompactInterval = 5 * time.Minute DefaultCompactInterval = 5 * time.Minute
......
...@@ -79,8 +79,8 @@ func (t *Trace) logWithStepThreshold(stepThreshold time.Duration) { ...@@ -79,8 +79,8 @@ func (t *Trace) logWithStepThreshold(stepThreshold time.Duration) {
func (t *Trace) LogIfLong(threshold time.Duration) { func (t *Trace) LogIfLong(threshold time.Duration) {
if time.Since(t.startTime) >= threshold { if time.Since(t.startTime) >= threshold {
// if any step took more than it's share of the total allowed time, it deserves a higher log level // if any step took more than it's share of the total allowed time, it deserves a higher log level
stepThreshold := threshold / time.Duration(len(t.steps)+1) //stepThreshold := threshold / time.Duration(len(t.steps)+1)
t.logWithStepThreshold(stepThreshold) t.logWithStepThreshold(0)
} }
} }
......
...@@ -21,5 +21,4 @@ import ( ...@@ -21,5 +21,4 @@ import (
_ "k8s.io/client-go/plugin/pkg/client/auth/azure" _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
_ "k8s.io/client-go/plugin/pkg/client/auth/gcp" _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
_ "k8s.io/client-go/plugin/pkg/client/auth/oidc" _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
_ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
) )
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment