Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
4e0114b0
Commit
4e0114b0
authored
Jan 31, 2018
by
Dr. Stefan Schimanski
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apiserver: make SecureServingOptions and authz/n options re-usable
parent
0cbe0a60
Hide whitespace changes
Inline
Side-by-side
Showing
26 changed files
with
222 additions
and
166 deletions
+222
-166
options.go
cmd/kube-apiserver/app/options/options.go
+1
-1
options_test.go
cmd/kube-apiserver/app/options/options_test.go
+3
-2
server.go
cmd/kube-apiserver/app/server.go
+3
-3
authentication.go
pkg/kubeapiserver/options/authentication.go
+3
-5
serving.go
pkg/kubeapiserver/options/serving.go
+3
-3
master.go
pkg/master/master.go
+3
-3
config.go
staging/src/k8s.io/apiserver/pkg/server/config.go
+40
-24
genericapiserver.go
staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go
+1
-1
genericapiserver_test.go
.../src/k8s.io/apiserver/pkg/server/genericapiserver_test.go
+1
-1
BUILD
staging/src/k8s.io/apiserver/pkg/server/options/BUILD
+1
-0
admission.go
staging/src/k8s.io/apiserver/pkg/server/options/admission.go
+1
-1
authentication.go
...src/k8s.io/apiserver/pkg/server/options/authentication.go
+6
-7
authorization.go
.../src/k8s.io/apiserver/pkg/server/options/authorization.go
+1
-1
recommended.go
...ng/src/k8s.io/apiserver/pkg/server/options/recommended.go
+4
-4
serving.go
staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+9
-47
serving_test.go
...g/src/k8s.io/apiserver/pkg/server/options/serving_test.go
+3
-3
serving_with_loopback.go
....io/apiserver/pkg/server/options/serving_with_loopback.go
+79
-0
serve.go
staging/src/k8s.io/apiserver/pkg/server/serve.go
+16
-16
accessreview_test.go
test/integration/auth/accessreview_test.go
+6
-6
auth_test.go
test/integration/auth/auth_test.go
+19
-19
bootstraptoken_test.go
test/integration/auth/bootstraptoken_test.go
+1
-1
node_test.go
test/integration/auth/node_test.go
+2
-2
rbac_test.go
test/integration/auth/rbac_test.go
+4
-4
master_utils.go
test/integration/framework/master_utils.go
+7
-7
synthetic_master_test.go
test/integration/master/synthetic_master_test.go
+3
-3
service_account_test.go
test/integration/serviceaccount/service_account_test.go
+2
-2
No files found.
cmd/kube-apiserver/app/options/options.go
View file @
4e0114b0
...
...
@@ -42,7 +42,7 @@ import (
type
ServerRunOptions
struct
{
GenericServerRunOptions
*
genericoptions
.
ServerRunOptions
Etcd
*
genericoptions
.
EtcdOptions
SecureServing
*
genericoptions
.
SecureServingOptions
SecureServing
*
genericoptions
.
SecureServingOptions
WithLoopback
InsecureServing
*
kubeoptions
.
InsecureServingOptions
Audit
*
genericoptions
.
AuditOptions
Features
*
genericoptions
.
FeatureOptions
...
...
cmd/kube-apiserver/app/options/options_test.go
View file @
4e0114b0
...
...
@@ -26,6 +26,7 @@ import (
"k8s.io/apimachinery/pkg/util/diff"
apiserveroptions
"k8s.io/apiserver/pkg/server/options"
genericoptions
"k8s.io/apiserver/pkg/server/options"
"k8s.io/apiserver/pkg/storage/storagebackend"
utilflag
"k8s.io/apiserver/pkg/util/flag"
auditwebhook
"k8s.io/apiserver/plugin/pkg/audit/webhook"
...
...
@@ -137,14 +138,14 @@ func TestAddFlags(t *testing.T) {
EnableWatchCache
:
true
,
DefaultWatchCacheSize
:
100
,
},
SecureServing
:
&
apiserveroptions
.
SecureServingOptions
{
SecureServing
:
genericoptions
.
WithLoopback
(
&
apiserveroptions
.
SecureServingOptions
{
BindAddress
:
net
.
ParseIP
(
"192.168.10.20"
),
BindPort
:
6443
,
ServerCert
:
apiserveroptions
.
GeneratableKeyCert
{
CertDirectory
:
"/var/run/kubernetes"
,
PairName
:
"apiserver"
,
},
},
}
)
,
InsecureServing
:
&
kubeoptions
.
InsecureServingOptions
{
BindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
BindPort
:
8080
,
...
...
cmd/kube-apiserver/app/server.go
View file @
4e0114b0
...
...
@@ -450,12 +450,12 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp
)
}
genericConfig
.
Authenticator
,
genericConfig
.
OpenAPIConfig
.
SecurityDefinitions
,
err
=
BuildAuthenticator
(
s
,
storageFactory
,
client
,
sharedInformers
)
genericConfig
.
Authenticat
ion
.
Authenticat
or
,
genericConfig
.
OpenAPIConfig
.
SecurityDefinitions
,
err
=
BuildAuthenticator
(
s
,
storageFactory
,
client
,
sharedInformers
)
if
err
!=
nil
{
return
nil
,
nil
,
nil
,
nil
,
nil
,
fmt
.
Errorf
(
"invalid authentication config: %v"
,
err
)
}
genericConfig
.
Authorizer
,
genericConfig
.
RuleResolver
,
err
=
BuildAuthorizer
(
s
,
sharedInformers
,
versionedInformers
)
genericConfig
.
Authoriz
ation
.
Authoriz
er
,
genericConfig
.
RuleResolver
,
err
=
BuildAuthorizer
(
s
,
sharedInformers
,
versionedInformers
)
if
err
!=
nil
{
return
nil
,
nil
,
nil
,
nil
,
nil
,
fmt
.
Errorf
(
"invalid authorization config: %v"
,
err
)
}
...
...
@@ -634,7 +634,7 @@ func BuildStorageFactory(s *options.ServerRunOptions, apiResourceConfig *servers
func
defaultOptions
(
s
*
options
.
ServerRunOptions
)
error
{
// set defaults
if
err
:=
s
.
GenericServerRunOptions
.
DefaultAdvertiseAddress
(
s
.
SecureServing
);
err
!=
nil
{
if
err
:=
s
.
GenericServerRunOptions
.
DefaultAdvertiseAddress
(
s
.
SecureServing
.
SecureServingOptions
);
err
!=
nil
{
return
err
}
if
err
:=
kubeoptions
.
DefaultAdvertiseAddress
(
s
.
GenericServerRunOptions
,
s
.
InsecureServing
);
err
!=
nil
{
...
...
pkg/kubeapiserver/options/authentication.go
View file @
4e0114b0
...
...
@@ -341,19 +341,17 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
var
err
error
if
o
.
ClientCert
!=
nil
{
c
,
err
=
c
.
ApplyClientCert
(
o
.
ClientCert
.
ClientCA
)
if
err
!=
nil
{
if
err
=
c
.
Authentication
.
ApplyClientCert
(
o
.
ClientCert
.
ClientCA
,
c
.
SecureServing
);
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
if
o
.
RequestHeader
!=
nil
{
c
,
err
=
c
.
ApplyClientCert
(
o
.
RequestHeader
.
ClientCAFile
)
if
err
!=
nil
{
if
err
=
c
.
Authentication
.
ApplyClientCert
(
o
.
RequestHeader
.
ClientCAFile
,
c
.
SecureServing
);
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
c
.
SupportsBasicAuth
=
o
.
PasswordFile
!=
nil
&&
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
c
.
Authentication
.
SupportsBasicAuth
=
o
.
PasswordFile
!=
nil
&&
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
return
nil
}
...
...
pkg/kubeapiserver/options/serving.go
View file @
4e0114b0
...
...
@@ -33,15 +33,15 @@ import (
// NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
// "normal" API servers running on the platform
func
NewSecureServingOptions
()
*
genericoptions
.
SecureServingOptions
{
return
&
genericoptions
.
SecureServingOptions
{
func
NewSecureServingOptions
()
*
genericoptions
.
SecureServingOptions
WithLoopback
{
return
genericoptions
.
WithLoopback
(
&
genericoptions
.
SecureServingOptions
{
BindAddress
:
net
.
ParseIP
(
"0.0.0.0"
),
BindPort
:
6443
,
ServerCert
:
genericoptions
.
GeneratableKeyCert
{
PairName
:
"apiserver"
,
CertDirectory
:
"/var/run/kubernetes"
,
},
}
}
)
}
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
...
...
pkg/master/master.go
View file @
4e0114b0
...
...
@@ -337,15 +337,15 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
// TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery
// handlers that we have.
restStorageProviders
:=
[]
RESTStorageProvider
{
authenticationrest
.
RESTStorageProvider
{
Authenticator
:
c
.
GenericConfig
.
Authenticator
},
authorizationrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authorizer
,
RuleResolver
:
c
.
GenericConfig
.
RuleResolver
},
authenticationrest
.
RESTStorageProvider
{
Authenticator
:
c
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
},
authorizationrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
,
RuleResolver
:
c
.
GenericConfig
.
RuleResolver
},
autoscalingrest
.
RESTStorageProvider
{},
batchrest
.
RESTStorageProvider
{},
certificatesrest
.
RESTStorageProvider
{},
extensionsrest
.
RESTStorageProvider
{},
networkingrest
.
RESTStorageProvider
{},
policyrest
.
RESTStorageProvider
{},
rbacrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authorizer
},
rbacrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
},
schedulingrest
.
RESTStorageProvider
{},
settingsrest
.
RESTStorageProvider
{},
storagerest
.
RESTStorageProvider
{},
...
...
staging/src/k8s.io/apiserver/pkg/server/config.go
View file @
4e0114b0
...
...
@@ -79,14 +79,19 @@ const (
// Config is a structure used to configure a GenericAPIServer.
// Its members are sorted roughly in order of importance for composers.
type
Config
struct
{
// SecureServingInfo is required to serve https
SecureServingInfo
*
SecureServingInfo
// SecureServing is required to serve https
SecureServing
*
SecureServingInfo
// Authentication is the configuration for authentication
Authentication
AuthenticationInfo
// Authentication is the configuration for authentication
Authorization
AuthorizationInfo
// LoopbackClientConfig is a config for a privileged loopback connection to the API server
// This is required for proper functioning of the PostStartHooks on a GenericAPIServer
// TODO: move into SecureServing(WithLoopback) as soon as insecure serving is gone
LoopbackClientConfig
*
restclient
.
Config
// Authenticator determines which subject is making the request
Authenticator
authenticator
.
Request
// Authorizer determines whether the subject is allowed to make the request based only
// on the RequestURI
Authorizer
authorizer
.
Authorizer
...
...
@@ -116,10 +121,6 @@ type Config struct {
AuditBackend
audit
.
Backend
// AuditPolicyChecker makes the decision of whether and how to audit log a request.
AuditPolicyChecker
auditpolicy
.
Checker
// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
// If this is true, a basic auth challenge is returned on authentication failure
// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
SupportsBasicAuth
bool
// ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger)
// Will default to a value based on secure serving info and available ipv4 IPs.
ExternalAddress
string
...
...
@@ -231,6 +232,21 @@ type SecureServingInfo struct {
CipherSuites
[]
uint16
}
type
AuthenticationInfo
struct
{
// Authenticator determines which subject is making the request
Authenticator
authenticator
.
Request
// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
// If this is true, a basic auth challenge is returned on authentication failure
// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
SupportsBasicAuth
bool
}
type
AuthorizationInfo
struct
{
// Authorizer determines whether the subject is allowed to make the request based only
// on the RequestURI
Authorizer
authorizer
.
Authorizer
}
// NewConfig returns a Config struct with the default values
func
NewConfig
(
codecs
serializer
.
CodecFactory
)
*
Config
{
return
&
Config
{
...
...
@@ -302,23 +318,23 @@ func DefaultSwaggerConfig() *swagger.Config {
}
}
func
(
c
*
Config
)
ApplyClientCert
(
clientCAFile
string
)
(
*
Config
,
error
)
{
if
c
.
SecureS
ervingInfo
!=
nil
{
func
(
c
*
AuthenticationInfo
)
ApplyClientCert
(
clientCAFile
string
,
servingInfo
*
SecureServingInfo
)
error
{
if
s
ervingInfo
!=
nil
{
if
len
(
clientCAFile
)
>
0
{
clientCAs
,
err
:=
certutil
.
CertsFromFile
(
clientCAFile
)
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
if
c
.
SecureS
ervingInfo
.
ClientCA
==
nil
{
c
.
SecureS
ervingInfo
.
ClientCA
=
x509
.
NewCertPool
()
if
s
ervingInfo
.
ClientCA
==
nil
{
s
ervingInfo
.
ClientCA
=
x509
.
NewCertPool
()
}
for
_
,
cert
:=
range
clientCAs
{
c
.
SecureS
ervingInfo
.
ClientCA
.
AddCert
(
cert
)
s
ervingInfo
.
ClientCA
.
AddCert
(
cert
)
}
}
}
return
c
,
nil
return
nil
}
type
completedConfig
struct
{
...
...
@@ -385,7 +401,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
}
}
if
c
.
SwaggerConfig
!=
nil
&&
len
(
c
.
SwaggerConfig
.
WebServicesUrl
)
==
0
{
if
c
.
SecureServing
Info
!=
nil
{
if
c
.
SecureServing
!=
nil
{
c
.
SwaggerConfig
.
WebServicesUrl
=
"https://"
+
c
.
ExternalAddress
}
else
{
c
.
SwaggerConfig
.
WebServicesUrl
=
"http://"
+
c
.
ExternalAddress
...
...
@@ -397,7 +413,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
// If the loopbackclientconfig is specified AND it has a token for use against the API server
// wrap the authenticator and authorizer in loopback authentication logic
if
c
.
Authenticat
or
!=
nil
&&
c
.
Authorizer
!=
nil
&&
c
.
LoopbackClientConfig
!=
nil
&&
len
(
c
.
LoopbackClientConfig
.
BearerToken
)
>
0
{
if
c
.
Authenticat
ion
.
Authenticator
!=
nil
&&
c
.
Authorization
.
Authorizer
!=
nil
&&
c
.
LoopbackClientConfig
!=
nil
&&
len
(
c
.
LoopbackClientConfig
.
BearerToken
)
>
0
{
privilegedLoopbackToken
:=
c
.
LoopbackClientConfig
.
BearerToken
var
uid
=
uuid
.
NewRandom
()
.
String
()
tokens
:=
make
(
map
[
string
]
*
user
.
DefaultInfo
)
...
...
@@ -408,10 +424,10 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
}
tokenAuthenticator
:=
authenticatorfactory
.
NewFromTokens
(
tokens
)
c
.
Authenticat
or
=
authenticatorunion
.
New
(
tokenAuthenticator
,
c
.
Authenticator
)
c
.
Authenticat
ion
.
Authenticator
=
authenticatorunion
.
New
(
tokenAuthenticator
,
c
.
Authentication
.
Authenticator
)
tokenAuthorizer
:=
authorizerfactory
.
NewPrivilegedGroups
(
user
.
SystemPrivilegedGroup
)
c
.
Authoriz
er
=
authorizerunion
.
New
(
tokenAuthorizer
,
c
.
Authorizer
)
c
.
Authoriz
ation
.
Authorizer
=
authorizerunion
.
New
(
tokenAuthorizer
,
c
.
Authorization
.
Authorizer
)
}
if
c
.
RequestInfoResolver
==
nil
{
...
...
@@ -458,7 +474,7 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
minRequestTimeout
:
time
.
Duration
(
c
.
MinRequestTimeout
)
*
time
.
Second
,
ShutdownTimeout
:
c
.
RequestTimeout
,
SecureServingInfo
:
c
.
SecureServing
Info
,
SecureServingInfo
:
c
.
SecureServing
,
ExternalAddress
:
c
.
ExternalAddress
,
Handler
:
apiServerHandler
,
...
...
@@ -530,19 +546,19 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
}
func
DefaultBuildHandlerChain
(
apiHandler
http
.
Handler
,
c
*
Config
)
http
.
Handler
{
handler
:=
genericapifilters
.
WithAuthorization
(
apiHandler
,
c
.
RequestContextMapper
,
c
.
Authorizer
,
c
.
Serializer
)
handler
:=
genericapifilters
.
WithAuthorization
(
apiHandler
,
c
.
RequestContextMapper
,
c
.
Authoriz
ation
.
Authoriz
er
,
c
.
Serializer
)
handler
=
genericfilters
.
WithMaxInFlightLimit
(
handler
,
c
.
MaxRequestsInFlight
,
c
.
MaxMutatingRequestsInFlight
,
c
.
RequestContextMapper
,
c
.
LongRunningFunc
)
handler
=
genericapifilters
.
WithImpersonation
(
handler
,
c
.
RequestContextMapper
,
c
.
Authorizer
,
c
.
Serializer
)
handler
=
genericapifilters
.
WithImpersonation
(
handler
,
c
.
RequestContextMapper
,
c
.
Authoriz
ation
.
Authoriz
er
,
c
.
Serializer
)
if
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
AdvancedAuditing
)
{
handler
=
genericapifilters
.
WithAudit
(
handler
,
c
.
RequestContextMapper
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
,
c
.
LongRunningFunc
)
}
else
{
handler
=
genericapifilters
.
WithLegacyAudit
(
handler
,
c
.
RequestContextMapper
,
c
.
LegacyAuditWriter
)
}
failedHandler
:=
genericapifilters
.
Unauthorized
(
c
.
RequestContextMapper
,
c
.
Serializer
,
c
.
SupportsBasicAuth
)
failedHandler
:=
genericapifilters
.
Unauthorized
(
c
.
RequestContextMapper
,
c
.
Serializer
,
c
.
Authentication
.
SupportsBasicAuth
)
if
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
AdvancedAuditing
)
{
failedHandler
=
genericapifilters
.
WithFailedAuthenticationAudit
(
failedHandler
,
c
.
RequestContextMapper
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
)
}
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
c
.
RequestContextMapper
,
c
.
Authenticator
,
failedHandler
)
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
c
.
RequestContextMapper
,
c
.
Authenticat
ion
.
Authenticat
or
,
failedHandler
)
handler
=
genericfilters
.
WithCORS
(
handler
,
c
.
CorsAllowedOriginList
,
nil
,
nil
,
nil
,
"true"
)
handler
=
genericfilters
.
WithTimeoutForNonLongRunningRequests
(
handler
,
c
.
RequestContextMapper
,
c
.
LongRunningFunc
,
c
.
RequestTimeout
)
handler
=
genericfilters
.
WithWaitGroup
(
handler
,
c
.
RequestContextMapper
,
c
.
LongRunningFunc
,
c
.
HandlerChainWaitGroup
)
...
...
staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go
View file @
4e0114b0
...
...
@@ -310,7 +310,7 @@ func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error {
internalStopCh
:=
make
(
chan
struct
{})
if
s
.
SecureServingInfo
!=
nil
&&
s
.
Handler
!=
nil
{
if
err
:=
s
.
serveSecurely
(
internalStopCh
);
err
!=
nil
{
if
err
:=
s
.
SecureServingInfo
.
Serve
(
s
.
Handler
,
s
.
ShutdownTimeout
,
internalStopCh
);
err
!=
nil
{
close
(
internalStopCh
)
return
err
}
...
...
staging/src/k8s.io/apiserver/pkg/server/genericapiserver_test.go
View file @
4e0114b0
...
...
@@ -387,7 +387,7 @@ func TestNotRestRoutesHaveAuth(t *testing.T) {
authz
:=
mockAuthorizer
{}
config
.
LegacyAPIGroupPrefixes
=
sets
.
NewString
(
"/apiPrefix"
)
config
.
Authorizer
=
&
authz
config
.
Authoriz
ation
.
Authoriz
er
=
&
authz
config
.
EnableSwaggerUI
=
true
config
.
EnableIndex
=
true
...
...
staging/src/k8s.io/apiserver/pkg/server/options/BUILD
View file @
4e0114b0
...
...
@@ -15,6 +15,7 @@ go_library(
"recommended.go",
"server_run_options.go",
"serving.go",
"serving_with_loopback.go",
],
importpath = "k8s.io/apiserver/pkg/server/options",
visibility = ["//visibility:public"],
...
...
staging/src/k8s.io/apiserver/pkg/server/options/admission.go
View file @
4e0114b0
...
...
@@ -136,7 +136,7 @@ func (a *AdmissionOptions) ApplyTo(
if
err
!=
nil
{
return
err
}
genericInitializer
:=
initializer
.
New
(
clientset
,
informers
,
c
.
Authorizer
,
scheme
)
genericInitializer
:=
initializer
.
New
(
clientset
,
informers
,
c
.
Authoriz
ation
.
Authoriz
er
,
scheme
)
initializersChain
:=
admission
.
PluginInitializers
{}
pluginInitializers
=
append
(
pluginInitializers
,
genericInitializer
)
initializersChain
=
append
(
initializersChain
,
pluginInitializers
...
)
...
...
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
View file @
4e0114b0
...
...
@@ -32,6 +32,7 @@ import (
coreclient
"k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
openapicommon
"k8s.io/kube-openapi/pkg/common"
)
type
RequestHeaderAuthenticationOptions
struct
{
...
...
@@ -146,7 +147,7 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
}
func
(
s
*
DelegatingAuthenticationOptions
)
ApplyTo
(
c
*
server
.
Config
)
error
{
func
(
s
*
DelegatingAuthenticationOptions
)
ApplyTo
(
c
*
server
.
AuthenticationInfo
,
servingInfo
*
server
.
SecureServingInfo
,
openAPIConfig
*
openapicommon
.
Config
)
error
{
if
s
==
nil
{
c
.
Authenticator
=
nil
return
nil
...
...
@@ -156,8 +157,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
if
err
!=
nil
{
return
err
}
c
,
err
=
c
.
ApplyClientCert
(
clientCA
.
ClientCA
)
if
err
!=
nil
{
if
err
=
c
.
ApplyClientCert
(
clientCA
.
ClientCA
,
servingInfo
);
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
...
...
@@ -165,8 +165,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
if
err
!=
nil
{
return
err
}
c
,
err
=
c
.
ApplyClientCert
(
requestHeader
.
ClientCAFile
)
if
err
!=
nil
{
if
err
=
c
.
ApplyClientCert
(
requestHeader
.
ClientCAFile
,
servingInfo
);
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
...
...
@@ -180,8 +179,8 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
}
c
.
Authenticator
=
authenticator
if
c
.
O
penAPIConfig
!=
nil
{
c
.
O
penAPIConfig
.
SecurityDefinitions
=
securityDefinitions
if
o
penAPIConfig
!=
nil
{
o
penAPIConfig
.
SecurityDefinitions
=
securityDefinitions
}
c
.
SupportsBasicAuth
=
false
...
...
staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
View file @
4e0114b0
...
...
@@ -74,7 +74,7 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
"The duration to cache 'unauthorized' responses from the webhook authorizer."
)
}
func
(
s
*
DelegatingAuthorizationOptions
)
ApplyTo
(
c
*
server
.
Config
)
error
{
func
(
s
*
DelegatingAuthorizationOptions
)
ApplyTo
(
c
*
server
.
AuthorizationInfo
)
error
{
if
s
==
nil
{
c
.
Authorizer
=
authorizerfactory
.
NewAlwaysAllowAuthorizer
()
return
nil
...
...
staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
View file @
4e0114b0
...
...
@@ -30,7 +30,7 @@ import (
// Each of them can be nil to leave the feature unconfigured on ApplyTo.
type
RecommendedOptions
struct
{
Etcd
*
EtcdOptions
SecureServing
*
SecureServingOptions
SecureServing
*
SecureServingOptions
WithLoopback
Authentication
*
DelegatingAuthenticationOptions
Authorization
*
DelegatingAuthorizationOptions
Audit
*
AuditOptions
...
...
@@ -46,7 +46,7 @@ type RecommendedOptions struct {
func
NewRecommendedOptions
(
prefix
string
,
codec
runtime
.
Codec
)
*
RecommendedOptions
{
return
&
RecommendedOptions
{
Etcd
:
NewEtcdOptions
(
storagebackend
.
NewDefaultConfig
(
prefix
,
codec
)),
SecureServing
:
NewSecureServingOptions
(
),
SecureServing
:
WithLoopback
(
NewSecureServingOptions
()
),
Authentication
:
NewDelegatingAuthenticationOptions
(),
Authorization
:
NewDelegatingAuthorizationOptions
(),
Audit
:
NewAuditOptions
(),
...
...
@@ -78,10 +78,10 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r
if
err
:=
o
.
SecureServing
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
return
err
}
if
err
:=
o
.
Authentication
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
if
err
:=
o
.
Authentication
.
ApplyTo
(
&
config
.
Config
.
Authentication
,
config
.
SecureServing
,
config
.
OpenAPIConfig
);
err
!=
nil
{
return
err
}
if
err
:=
o
.
Authorization
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
if
err
:=
o
.
Authorization
.
ApplyTo
(
&
config
.
Config
.
Authorization
);
err
!=
nil
{
return
err
}
if
err
:=
o
.
Audit
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
...
...
staging/src/k8s.io/apiserver/pkg/server/options/serving.go
View file @
4e0114b0
...
...
@@ -24,7 +24,6 @@ import (
"strconv"
"github.com/golang/glog"
"github.com/pborman/uuid"
"github.com/spf13/pflag"
utilnet
"k8s.io/apimachinery/pkg/util/net"
...
...
@@ -110,9 +109,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
}
fs
.
IPVar
(
&
s
.
BindAddress
,
"bind-address"
,
s
.
BindAddress
,
""
+
"The IP address on which to listen for the --secure-port port. The "
+
"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "
+
"clients. If blank, all interfaces will be used (0.0.0.0)."
)
"The IP address on which to listen for the --secure-port port. If blank, all interfaces will be used (0.0.0.0)."
)
fs
.
IntVar
(
&
s
.
BindPort
,
"secure-port"
,
s
.
BindPort
,
""
+
"The port on which to serve HTTPS with authentication and authorization. If 0, "
+
...
...
@@ -156,7 +153,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
}
// ApplyTo fills up serving information in the server configuration.
func
(
s
*
SecureServingOptions
)
ApplyTo
(
c
*
server
.
Config
)
error
{
func
(
s
*
SecureServingOptions
)
ApplyTo
(
c
onfig
**
server
.
SecureServingInfo
)
error
{
if
s
==
nil
{
return
nil
}
...
...
@@ -173,42 +170,10 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
}
}
if
err
:=
s
.
applyServingInfoTo
(
c
);
err
!=
nil
{
return
err
}
c
.
SecureServingInfo
.
Listener
=
s
.
Listener
// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
// let the server return it when the loopback client connects.
certPem
,
keyPem
,
err
:=
certutil
.
GenerateSelfSignedCertKey
(
server
.
LoopbackClientServerNameOverride
,
nil
,
nil
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"failed to generate self-signed certificate for loopback connection: %v"
,
err
)
*
config
=
&
server
.
SecureServingInfo
{
Listener
:
s
.
Listener
,
}
tlsCert
,
err
:=
tls
.
X509KeyPair
(
certPem
,
keyPem
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"failed to generate self-signed certificate for loopback connection: %v"
,
err
)
}
secureLoopbackClientConfig
,
err
:=
c
.
SecureServingInfo
.
NewLoopbackClientConfig
(
uuid
.
NewRandom
()
.
String
(),
certPem
)
switch
{
// if we failed and there's no fallback loopback client config, we need to fail
case
err
!=
nil
&&
c
.
LoopbackClientConfig
==
nil
:
return
err
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
case
err
!=
nil
&&
c
.
LoopbackClientConfig
!=
nil
:
default
:
c
.
LoopbackClientConfig
=
secureLoopbackClientConfig
c
.
SecureServingInfo
.
SNICerts
[
server
.
LoopbackClientServerNameOverride
]
=
&
tlsCert
}
return
nil
}
func
(
s
*
SecureServingOptions
)
applyServingInfoTo
(
c
*
server
.
Config
)
error
{
secureServingInfo
:=
&
server
.
SecureServingInfo
{}
c
:=
*
config
serverCertFile
,
serverKeyFile
:=
s
.
ServerCert
.
CertKey
.
CertFile
,
s
.
ServerCert
.
CertKey
.
KeyFile
// load main cert
...
...
@@ -217,7 +182,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load server certificate: %v"
,
err
)
}
secureServingInfo
.
Cert
=
&
tlsCert
c
.
Cert
=
&
tlsCert
}
if
len
(
s
.
CipherSuites
)
!=
0
{
...
...
@@ -225,11 +190,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
if
err
!=
nil
{
return
err
}
secureServingInfo
.
CipherSuites
=
cipherSuites
c
.
CipherSuites
=
cipherSuites
}
var
err
error
secureServingInfo
.
MinTLSVersion
,
err
=
utilflag
.
TLSVersion
(
s
.
MinTLSVersion
)
c
.
MinTLSVersion
,
err
=
utilflag
.
TLSVersion
(
s
.
MinTLSVersion
)
if
err
!=
nil
{
return
err
}
...
...
@@ -246,14 +211,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
return
fmt
.
Errorf
(
"failed to load SNI cert and key: %v"
,
err
)
}
}
secureServingInfo
.
SNICerts
,
err
=
server
.
GetNamedCertificateMap
(
namedTLSCerts
)
c
.
SNICerts
,
err
=
server
.
GetNamedCertificateMap
(
namedTLSCerts
)
if
err
!=
nil
{
return
err
}
c
.
SecureServingInfo
=
secureServingInfo
c
.
ReadWritePort
=
s
.
BindPort
return
nil
}
...
...
staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
View file @
4e0114b0
...
...
@@ -32,6 +32,7 @@ import (
"os"
"path/filepath"
"reflect"
"strconv"
"strings"
"testing"
"time"
...
...
@@ -47,7 +48,6 @@ import (
utilflag
"k8s.io/apiserver/pkg/util/flag"
"k8s.io/client-go/discovery"
restclient
"k8s.io/client-go/rest"
"strconv"
)
func
setUp
(
t
*
testing
.
T
)
Config
{
...
...
@@ -471,7 +471,7 @@ NextTest:
config
.
Version
=
&
v
config
.
EnableIndex
=
true
secureOptions
:=
&
SecureServingOptions
{
secureOptions
:=
WithLoopback
(
&
SecureServingOptions
{
BindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
BindPort
:
6443
,
ServerCert
:
GeneratableKeyCert
{
...
...
@@ -481,7 +481,7 @@ NextTest:
},
},
SNICertKeys
:
namedCertKeys
,
}
}
)
// use a random free port
ln
,
err
:=
net
.
Listen
(
"tcp"
,
"127.0.0.1:0"
)
if
err
!=
nil
{
...
...
staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go
0 → 100644
View file @
4e0114b0
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
options
import
(
"crypto/tls"
"fmt"
"github.com/pborman/uuid"
"k8s.io/apiserver/pkg/server"
certutil
"k8s.io/client-go/util/cert"
)
type
SecureServingOptionsWithLoopback
struct
{
*
SecureServingOptions
}
func
WithLoopback
(
o
*
SecureServingOptions
)
*
SecureServingOptionsWithLoopback
{
return
&
SecureServingOptionsWithLoopback
{
o
}
}
// ApplyTo fills up serving information in the server configuration.
func
(
s
*
SecureServingOptionsWithLoopback
)
ApplyTo
(
c
*
server
.
Config
)
error
{
if
s
==
nil
||
s
.
SecureServingOptions
==
nil
{
return
nil
}
if
err
:=
s
.
SecureServingOptions
.
ApplyTo
(
&
c
.
SecureServing
);
err
!=
nil
{
return
err
}
if
c
.
SecureServing
==
nil
{
return
nil
}
c
.
ReadWritePort
=
s
.
BindPort
// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
// let the server return it when the loopback client connects.
certPem
,
keyPem
,
err
:=
certutil
.
GenerateSelfSignedCertKey
(
server
.
LoopbackClientServerNameOverride
,
nil
,
nil
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"failed to generate self-signed certificate for loopback connection: %v"
,
err
)
}
tlsCert
,
err
:=
tls
.
X509KeyPair
(
certPem
,
keyPem
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"failed to generate self-signed certificate for loopback connection: %v"
,
err
)
}
secureLoopbackClientConfig
,
err
:=
c
.
SecureServing
.
NewLoopbackClientConfig
(
uuid
.
NewRandom
()
.
String
(),
certPem
)
switch
{
// if we failed and there's no fallback loopback client config, we need to fail
case
err
!=
nil
&&
c
.
LoopbackClientConfig
==
nil
:
return
err
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
case
err
!=
nil
&&
c
.
LoopbackClientConfig
!=
nil
:
default
:
c
.
LoopbackClientConfig
=
secureLoopbackClientConfig
c
.
SecureServing
.
SNICerts
[
server
.
LoopbackClientServerNameOverride
]
=
&
tlsCert
}
return
nil
}
staging/src/k8s.io/apiserver/pkg/server/serve.go
View file @
4e0114b0
...
...
@@ -39,17 +39,17 @@ const (
// serveSecurely runs the secure http server. It fails only if certificates cannot
// be loaded or the initial listen call fails. The actual server loop (stoppable by closing
// stopCh) runs in a go routine, i.e. serveSecurely does not block.
func
(
s
*
GenericAPIServer
)
serveSecurely
(
stopCh
<-
chan
struct
{})
error
{
if
s
.
SecureServingInfo
.
Listener
==
nil
{
func
(
s
*
SecureServingInfo
)
Serve
(
handler
http
.
Handler
,
shutdownTimeout
time
.
Duration
,
stopCh
<-
chan
struct
{})
error
{
if
s
.
Listener
==
nil
{
return
fmt
.
Errorf
(
"listener must not be nil"
)
}
secureServer
:=
&
http
.
Server
{
Addr
:
s
.
SecureServingInfo
.
Listener
.
Addr
()
.
String
(),
Handler
:
s
.
H
andler
,
Addr
:
s
.
Listener
.
Addr
()
.
String
(),
Handler
:
h
andler
,
MaxHeaderBytes
:
1
<<
20
,
TLSConfig
:
&
tls
.
Config
{
NameToCertificate
:
s
.
S
ecureServingInfo
.
S
NICerts
,
NameToCertificate
:
s
.
SNICerts
,
// Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
...
...
@@ -59,41 +59,41 @@ func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error {
},
}
if
s
.
SecureServingInfo
.
MinTLSVersion
>
0
{
secureServer
.
TLSConfig
.
MinVersion
=
s
.
SecureServingInfo
.
MinTLSVersion
if
s
.
MinTLSVersion
>
0
{
secureServer
.
TLSConfig
.
MinVersion
=
s
.
MinTLSVersion
}
if
len
(
s
.
SecureServingInfo
.
CipherSuites
)
>
0
{
secureServer
.
TLSConfig
.
CipherSuites
=
s
.
SecureServingInfo
.
CipherSuites
if
len
(
s
.
CipherSuites
)
>
0
{
secureServer
.
TLSConfig
.
CipherSuites
=
s
.
CipherSuites
}
if
s
.
SecureServingInfo
.
Cert
!=
nil
{
secureServer
.
TLSConfig
.
Certificates
=
[]
tls
.
Certificate
{
*
s
.
SecureServingInfo
.
Cert
}
if
s
.
Cert
!=
nil
{
secureServer
.
TLSConfig
.
Certificates
=
[]
tls
.
Certificate
{
*
s
.
Cert
}
}
// append all named certs. Otherwise, the go tls stack will think no SNI processing
// is necessary because there is only one cert anyway.
// Moreover, if ServerCert.CertFile/ServerCert.KeyFile are not set, the first SNI
// cert will become the default cert. That's what we expect anyway.
for
_
,
c
:=
range
s
.
S
ecureServingInfo
.
S
NICerts
{
for
_
,
c
:=
range
s
.
SNICerts
{
secureServer
.
TLSConfig
.
Certificates
=
append
(
secureServer
.
TLSConfig
.
Certificates
,
*
c
)
}
if
s
.
SecureServingInfo
.
ClientCA
!=
nil
{
if
s
.
ClientCA
!=
nil
{
// Populate PeerCertificates in requests, but don't reject connections without certificates
// This allows certificates to be validated by authenticators, while still allowing other auth types
secureServer
.
TLSConfig
.
ClientAuth
=
tls
.
RequestClientCert
// Specify allowed CAs for client certificates
secureServer
.
TLSConfig
.
ClientCAs
=
s
.
SecureServingInfo
.
ClientCA
secureServer
.
TLSConfig
.
ClientCAs
=
s
.
ClientCA
}
glog
.
Infof
(
"Serving securely on %s"
,
secureServer
.
Addr
)
err
:=
RunServer
(
secureServer
,
s
.
SecureServingInfo
.
Listener
,
s
.
ShutdownTimeout
,
stopCh
)
return
err
return
RunServer
(
secureServer
,
s
.
Listener
,
shutdownTimeout
,
stopCh
)
}
// RunServer listens on the given port if listener is not given,
// then spawns a go-routine continuously serving
// until the stopCh is closed. This function does not block.
// TODO: make private when insecure serving is gone from the kube-apiserver
func
RunServer
(
server
*
http
.
Server
,
ln
net
.
Listener
,
...
...
test/integration/auth/accessreview_test.go
View file @
4e0114b0
...
...
@@ -55,8 +55,8 @@ func alwaysAlice(req *http.Request) (user.Info, bool, error) {
func
TestSubjectAccessReview
(
t
*
testing
.
T
)
{
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
.
RequestFunc
(
alwaysAlice
)
masterConfig
.
GenericConfig
.
Authorizer
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
.
RequestFunc
(
alwaysAlice
)
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -147,10 +147,10 @@ func TestSubjectAccessReview(t *testing.T) {
func
TestSelfSubjectAccessReview
(
t
*
testing
.
T
)
{
username
:=
"alice"
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
username
},
true
,
nil
})
masterConfig
.
GenericConfig
.
Authorizer
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -229,8 +229,8 @@ func TestSelfSubjectAccessReview(t *testing.T) {
func
TestLocalSubjectAccessReview
(
t
*
testing
.
T
)
{
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
.
RequestFunc
(
alwaysAlice
)
masterConfig
.
GenericConfig
.
Authorizer
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
.
RequestFunc
(
alwaysAlice
)
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
test/integration/auth/auth_test.go
View file @
4e0114b0
...
...
@@ -500,7 +500,7 @@ func getPreviousResourceVersionKey(url, id string) string {
func
TestAuthModeAlwaysDeny
(
t
*
testing
.
T
)
{
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authorizer
=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -549,8 +549,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -619,8 +619,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
func
TestBobIsForbidden
(
t
*
testing
.
T
)
{
// This file has alice and bob in it.
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -663,8 +663,8 @@ func TestUnknownUserIsUnauthorized(t *testing.T) {
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -725,8 +725,8 @@ func (impersonateAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Deci
func
TestImpersonateIsForbidden
(
t
*
testing
.
T
)
{
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
impersonateAuthorizer
{}
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
impersonateAuthorizer
{}
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -872,8 +872,8 @@ func TestAuthorizationAttributeDetermination(t *testing.T) {
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
trackingAuthorizer
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
trackingAuthorizer
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -938,8 +938,8 @@ func TestNamespaceAuthorization(t *testing.T) {
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
a
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
a
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -1036,8 +1036,8 @@ func TestKindAuthorization(t *testing.T) {
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
a
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
a
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -1120,8 +1120,8 @@ func TestReadOnlyAuthorization(t *testing.T) {
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
a
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
a
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
@@ -1179,8 +1179,8 @@ func TestWebhookTokenAuthenticator(t *testing.T) {
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
test/integration/auth/bootstraptoken_test.go
View file @
4e0114b0
...
...
@@ -125,7 +125,7 @@ func TestBootstrapTokenAuth(t *testing.T) {
authenticator
:=
bearertoken
.
New
(
bootstrap
.
NewTokenAuthenticator
(
bootstrapSecrets
{
test
.
secret
}))
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
...
...
test/integration/auth/node_test.go
View file @
4e0114b0
...
...
@@ -101,8 +101,8 @@ func TestNodeAuthorizer(t *testing.T) {
// Start the server
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
masterConfig
.
GenericConfig
.
Authorizer
=
nodeRBACAuthorizer
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
nodeRBACAuthorizer
masterConfig
.
GenericConfig
.
AdmissionControl
=
nodeRestrictionAdmission
_
,
_
,
closeFn
:=
framework
.
RunAMasterUsingServer
(
masterConfig
,
apiServer
,
h
)
...
...
test/integration/auth/rbac_test.go
View file @
4e0114b0
...
...
@@ -414,8 +414,8 @@ func TestRBAC(t *testing.T) {
for
i
,
tc
:=
range
tests
{
// Create an API Server.
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authorizer
=
newRBACAuthorizer
(
masterConfig
)
masterConfig
.
GenericConfig
.
Authenticator
=
bearertoken
.
New
(
tokenfile
.
New
(
map
[
string
]
*
user
.
DefaultInfo
{
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
newRBACAuthorizer
(
masterConfig
)
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
bearertoken
.
New
(
tokenfile
.
New
(
map
[
string
]
*
user
.
DefaultInfo
{
superUser
:
{
Name
:
"admin"
,
Groups
:
[]
string
{
"system:masters"
}},
"any-rolebinding-writer"
:
{
Name
:
"any-rolebinding-writer"
},
"any-rolebinding-writer-namespace"
:
{
Name
:
"any-rolebinding-writer-namespace"
},
...
...
@@ -517,8 +517,8 @@ func TestBootstrapping(t *testing.T) {
superUser
:=
"admin/system:masters"
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authorizer
=
newRBACAuthorizer
(
masterConfig
)
masterConfig
.
GenericConfig
.
Authenticator
=
bearertoken
.
New
(
tokenfile
.
New
(
map
[
string
]
*
user
.
DefaultInfo
{
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
newRBACAuthorizer
(
masterConfig
)
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
bearertoken
.
New
(
tokenfile
.
New
(
map
[
string
]
*
user
.
DefaultInfo
{
superUser
:
{
Name
:
"admin"
,
Groups
:
[]
string
{
"system:masters"
}},
}))
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
...
...
test/integration/framework/master_utils.go
View file @
4e0114b0
...
...
@@ -160,17 +160,17 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
}
tokenAuthenticator
:=
authenticatorfactory
.
NewFromTokens
(
tokens
)
if
masterConfig
.
GenericConfig
.
Authenticator
==
nil
{
masterConfig
.
GenericConfig
.
Authenticator
=
authenticatorunion
.
New
(
tokenAuthenticator
,
authauthenticator
.
RequestFunc
(
alwaysEmpty
))
if
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
==
nil
{
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticatorunion
.
New
(
tokenAuthenticator
,
authauthenticator
.
RequestFunc
(
alwaysEmpty
))
}
else
{
masterConfig
.
GenericConfig
.
Authenticat
or
=
authenticatorunion
.
New
(
tokenAuthenticator
,
masterConfig
.
GenericConfig
.
Authenticator
)
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticator
=
authenticatorunion
.
New
(
tokenAuthenticator
,
masterConfig
.
GenericConfig
.
Authentication
.
Authenticator
)
}
if
masterConfig
.
GenericConfig
.
Authorizer
!=
nil
{
if
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
!=
nil
{
tokenAuthorizer
:=
authorizerfactory
.
NewPrivilegedGroups
(
user
.
SystemPrivilegedGroup
)
masterConfig
.
GenericConfig
.
Authoriz
er
=
authorizerunion
.
New
(
tokenAuthorizer
,
masterConfig
.
GenericConfig
.
Authorizer
)
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authorizer
=
authorizerunion
.
New
(
tokenAuthorizer
,
masterConfig
.
GenericConfig
.
Authorization
.
Authorizer
)
}
else
{
masterConfig
.
GenericConfig
.
Authorizer
=
alwaysAllow
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
alwaysAllow
{}
}
masterConfig
.
GenericConfig
.
LoopbackClientConfig
.
BearerToken
=
privilegedLoopbackToken
...
...
@@ -281,7 +281,7 @@ func NewMasterConfig() *master.Config {
genericConfig
:=
genericapiserver
.
NewConfig
(
legacyscheme
.
Codecs
)
kubeVersion
:=
version
.
Get
()
genericConfig
.
Version
=
&
kubeVersion
genericConfig
.
Authorizer
=
authorizerfactory
.
NewAlwaysAllowAuthorizer
()
genericConfig
.
Authoriz
ation
.
Authoriz
er
=
authorizerfactory
.
NewAlwaysAllowAuthorizer
()
genericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
genericConfig
.
EnableMetrics
=
true
...
...
test/integration/master/synthetic_master_test.go
View file @
4e0114b0
...
...
@@ -134,7 +134,7 @@ func TestEmptyList(t *testing.T) {
func
initStatusForbiddenMasterCongfig
()
*
master
.
Config
{
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authorizer
=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
return
masterConfig
}
...
...
@@ -143,8 +143,8 @@ func initUnauthorizedMasterCongfig() *master.Config {
tokenAuthenticator
:=
tokentest
.
New
()
tokenAuthenticator
.
Tokens
[
AliceToken
]
=
&
user
.
DefaultInfo
{
Name
:
"alice"
,
UID
:
"1"
}
tokenAuthenticator
.
Tokens
[
BobToken
]
=
&
user
.
DefaultInfo
{
Name
:
"bob"
,
UID
:
"2"
}
masterConfig
.
GenericConfig
.
Authenticator
=
group
.
NewGroupAdder
(
bearertoken
.
New
(
tokenAuthenticator
),
[]
string
{
user
.
AllAuthenticated
})
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
group
.
NewGroupAdder
(
bearertoken
.
New
(
tokenAuthenticator
),
[]
string
{
user
.
AllAuthenticated
})
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
return
masterConfig
}
...
...
test/integration/serviceaccount/service_account_test.go
View file @
4e0114b0
...
...
@@ -425,8 +425,8 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
masterConfig
:=
framework
.
NewMasterConfig
()
masterConfig
.
GenericConfig
.
EnableIndex
=
true
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
masterConfig
.
GenericConfig
.
Authorizer
=
authorizer
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
authorizer
masterConfig
.
GenericConfig
.
AdmissionControl
=
serviceAccountAdmission
framework
.
RunAMasterUsingServer
(
masterConfig
,
apiServer
,
h
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment