Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
4e0114b0
Commit
4e0114b0
authored
Jan 31, 2018
by
Dr. Stefan Schimanski
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apiserver: make SecureServingOptions and authz/n options re-usable
parent
0cbe0a60
Hide whitespace changes
Inline
Side-by-side
Showing
26 changed files
with
222 additions
and
166 deletions
+222
-166
options.go
cmd/kube-apiserver/app/options/options.go
+1
-1
options_test.go
cmd/kube-apiserver/app/options/options_test.go
+3
-2
server.go
cmd/kube-apiserver/app/server.go
+3
-3
authentication.go
pkg/kubeapiserver/options/authentication.go
+3
-5
serving.go
pkg/kubeapiserver/options/serving.go
+3
-3
master.go
pkg/master/master.go
+3
-3
config.go
staging/src/k8s.io/apiserver/pkg/server/config.go
+40
-24
genericapiserver.go
staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go
+1
-1
genericapiserver_test.go
.../src/k8s.io/apiserver/pkg/server/genericapiserver_test.go
+1
-1
BUILD
staging/src/k8s.io/apiserver/pkg/server/options/BUILD
+1
-0
admission.go
staging/src/k8s.io/apiserver/pkg/server/options/admission.go
+1
-1
authentication.go
...src/k8s.io/apiserver/pkg/server/options/authentication.go
+6
-7
authorization.go
.../src/k8s.io/apiserver/pkg/server/options/authorization.go
+1
-1
recommended.go
...ng/src/k8s.io/apiserver/pkg/server/options/recommended.go
+4
-4
serving.go
staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+9
-47
serving_test.go
...g/src/k8s.io/apiserver/pkg/server/options/serving_test.go
+3
-3
serving_with_loopback.go
....io/apiserver/pkg/server/options/serving_with_loopback.go
+79
-0
serve.go
staging/src/k8s.io/apiserver/pkg/server/serve.go
+16
-16
accessreview_test.go
test/integration/auth/accessreview_test.go
+6
-6
auth_test.go
test/integration/auth/auth_test.go
+19
-19
bootstraptoken_test.go
test/integration/auth/bootstraptoken_test.go
+1
-1
node_test.go
test/integration/auth/node_test.go
+2
-2
rbac_test.go
test/integration/auth/rbac_test.go
+4
-4
master_utils.go
test/integration/framework/master_utils.go
+7
-7
synthetic_master_test.go
test/integration/master/synthetic_master_test.go
+3
-3
service_account_test.go
test/integration/serviceaccount/service_account_test.go
+2
-2
No files found.
cmd/kube-apiserver/app/options/options.go
View file @
4e0114b0
...
@@ -42,7 +42,7 @@ import (
...
@@ -42,7 +42,7 @@ import (
type
ServerRunOptions
struct
{
type
ServerRunOptions
struct
{
GenericServerRunOptions
*
genericoptions
.
ServerRunOptions
GenericServerRunOptions
*
genericoptions
.
ServerRunOptions
Etcd
*
genericoptions
.
EtcdOptions
Etcd
*
genericoptions
.
EtcdOptions
SecureServing
*
genericoptions
.
SecureServingOptions
SecureServing
*
genericoptions
.
SecureServingOptions
WithLoopback
InsecureServing
*
kubeoptions
.
InsecureServingOptions
InsecureServing
*
kubeoptions
.
InsecureServingOptions
Audit
*
genericoptions
.
AuditOptions
Audit
*
genericoptions
.
AuditOptions
Features
*
genericoptions
.
FeatureOptions
Features
*
genericoptions
.
FeatureOptions
...
...
cmd/kube-apiserver/app/options/options_test.go
View file @
4e0114b0
...
@@ -26,6 +26,7 @@ import (
...
@@ -26,6 +26,7 @@ import (
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/diff"
apiserveroptions
"k8s.io/apiserver/pkg/server/options"
apiserveroptions
"k8s.io/apiserver/pkg/server/options"
genericoptions
"k8s.io/apiserver/pkg/server/options"
"k8s.io/apiserver/pkg/storage/storagebackend"
"k8s.io/apiserver/pkg/storage/storagebackend"
utilflag
"k8s.io/apiserver/pkg/util/flag"
utilflag
"k8s.io/apiserver/pkg/util/flag"
auditwebhook
"k8s.io/apiserver/plugin/pkg/audit/webhook"
auditwebhook
"k8s.io/apiserver/plugin/pkg/audit/webhook"
...
@@ -137,14 +138,14 @@ func TestAddFlags(t *testing.T) {
...
@@ -137,14 +138,14 @@ func TestAddFlags(t *testing.T) {
EnableWatchCache
:
true
,
EnableWatchCache
:
true
,
DefaultWatchCacheSize
:
100
,
DefaultWatchCacheSize
:
100
,
},
},
SecureServing
:
&
apiserveroptions
.
SecureServingOptions
{
SecureServing
:
genericoptions
.
WithLoopback
(
&
apiserveroptions
.
SecureServingOptions
{
BindAddress
:
net
.
ParseIP
(
"192.168.10.20"
),
BindAddress
:
net
.
ParseIP
(
"192.168.10.20"
),
BindPort
:
6443
,
BindPort
:
6443
,
ServerCert
:
apiserveroptions
.
GeneratableKeyCert
{
ServerCert
:
apiserveroptions
.
GeneratableKeyCert
{
CertDirectory
:
"/var/run/kubernetes"
,
CertDirectory
:
"/var/run/kubernetes"
,
PairName
:
"apiserver"
,
PairName
:
"apiserver"
,
},
},
},
}
)
,
InsecureServing
:
&
kubeoptions
.
InsecureServingOptions
{
InsecureServing
:
&
kubeoptions
.
InsecureServingOptions
{
BindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
BindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
BindPort
:
8080
,
BindPort
:
8080
,
...
...
cmd/kube-apiserver/app/server.go
View file @
4e0114b0
...
@@ -450,12 +450,12 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp
...
@@ -450,12 +450,12 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp
)
)
}
}
genericConfig
.
Authenticator
,
genericConfig
.
OpenAPIConfig
.
SecurityDefinitions
,
err
=
BuildAuthenticator
(
s
,
storageFactory
,
client
,
sharedInformers
)
genericConfig
.
Authenticat
ion
.
Authenticat
or
,
genericConfig
.
OpenAPIConfig
.
SecurityDefinitions
,
err
=
BuildAuthenticator
(
s
,
storageFactory
,
client
,
sharedInformers
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
nil
,
nil
,
nil
,
fmt
.
Errorf
(
"invalid authentication config: %v"
,
err
)
return
nil
,
nil
,
nil
,
nil
,
nil
,
fmt
.
Errorf
(
"invalid authentication config: %v"
,
err
)
}
}
genericConfig
.
Authorizer
,
genericConfig
.
RuleResolver
,
err
=
BuildAuthorizer
(
s
,
sharedInformers
,
versionedInformers
)
genericConfig
.
Authoriz
ation
.
Authoriz
er
,
genericConfig
.
RuleResolver
,
err
=
BuildAuthorizer
(
s
,
sharedInformers
,
versionedInformers
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
nil
,
nil
,
nil
,
fmt
.
Errorf
(
"invalid authorization config: %v"
,
err
)
return
nil
,
nil
,
nil
,
nil
,
nil
,
fmt
.
Errorf
(
"invalid authorization config: %v"
,
err
)
}
}
...
@@ -634,7 +634,7 @@ func BuildStorageFactory(s *options.ServerRunOptions, apiResourceConfig *servers
...
@@ -634,7 +634,7 @@ func BuildStorageFactory(s *options.ServerRunOptions, apiResourceConfig *servers
func
defaultOptions
(
s
*
options
.
ServerRunOptions
)
error
{
func
defaultOptions
(
s
*
options
.
ServerRunOptions
)
error
{
// set defaults
// set defaults
if
err
:=
s
.
GenericServerRunOptions
.
DefaultAdvertiseAddress
(
s
.
SecureServing
);
err
!=
nil
{
if
err
:=
s
.
GenericServerRunOptions
.
DefaultAdvertiseAddress
(
s
.
SecureServing
.
SecureServingOptions
);
err
!=
nil
{
return
err
return
err
}
}
if
err
:=
kubeoptions
.
DefaultAdvertiseAddress
(
s
.
GenericServerRunOptions
,
s
.
InsecureServing
);
err
!=
nil
{
if
err
:=
kubeoptions
.
DefaultAdvertiseAddress
(
s
.
GenericServerRunOptions
,
s
.
InsecureServing
);
err
!=
nil
{
...
...
pkg/kubeapiserver/options/authentication.go
View file @
4e0114b0
...
@@ -341,19 +341,17 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
...
@@ -341,19 +341,17 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
var
err
error
var
err
error
if
o
.
ClientCert
!=
nil
{
if
o
.
ClientCert
!=
nil
{
c
,
err
=
c
.
ApplyClientCert
(
o
.
ClientCert
.
ClientCA
)
if
err
=
c
.
Authentication
.
ApplyClientCert
(
o
.
ClientCert
.
ClientCA
,
c
.
SecureServing
);
err
!=
nil
{
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
}
}
if
o
.
RequestHeader
!=
nil
{
if
o
.
RequestHeader
!=
nil
{
c
,
err
=
c
.
ApplyClientCert
(
o
.
RequestHeader
.
ClientCAFile
)
if
err
=
c
.
Authentication
.
ApplyClientCert
(
o
.
RequestHeader
.
ClientCAFile
,
c
.
SecureServing
);
err
!=
nil
{
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
}
}
c
.
SupportsBasicAuth
=
o
.
PasswordFile
!=
nil
&&
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
c
.
Authentication
.
SupportsBasicAuth
=
o
.
PasswordFile
!=
nil
&&
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
return
nil
return
nil
}
}
...
...
pkg/kubeapiserver/options/serving.go
View file @
4e0114b0
...
@@ -33,15 +33,15 @@ import (
...
@@ -33,15 +33,15 @@ import (
// NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
// NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
// "normal" API servers running on the platform
// "normal" API servers running on the platform
func
NewSecureServingOptions
()
*
genericoptions
.
SecureServingOptions
{
func
NewSecureServingOptions
()
*
genericoptions
.
SecureServingOptions
WithLoopback
{
return
&
genericoptions
.
SecureServingOptions
{
return
genericoptions
.
WithLoopback
(
&
genericoptions
.
SecureServingOptions
{
BindAddress
:
net
.
ParseIP
(
"0.0.0.0"
),
BindAddress
:
net
.
ParseIP
(
"0.0.0.0"
),
BindPort
:
6443
,
BindPort
:
6443
,
ServerCert
:
genericoptions
.
GeneratableKeyCert
{
ServerCert
:
genericoptions
.
GeneratableKeyCert
{
PairName
:
"apiserver"
,
PairName
:
"apiserver"
,
CertDirectory
:
"/var/run/kubernetes"
,
CertDirectory
:
"/var/run/kubernetes"
,
},
},
}
}
)
}
}
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
...
...
pkg/master/master.go
View file @
4e0114b0
...
@@ -337,15 +337,15 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
...
@@ -337,15 +337,15 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
// TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery
// TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery
// handlers that we have.
// handlers that we have.
restStorageProviders
:=
[]
RESTStorageProvider
{
restStorageProviders
:=
[]
RESTStorageProvider
{
authenticationrest
.
RESTStorageProvider
{
Authenticator
:
c
.
GenericConfig
.
Authenticator
},
authenticationrest
.
RESTStorageProvider
{
Authenticator
:
c
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
},
authorizationrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authorizer
,
RuleResolver
:
c
.
GenericConfig
.
RuleResolver
},
authorizationrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
,
RuleResolver
:
c
.
GenericConfig
.
RuleResolver
},
autoscalingrest
.
RESTStorageProvider
{},
autoscalingrest
.
RESTStorageProvider
{},
batchrest
.
RESTStorageProvider
{},
batchrest
.
RESTStorageProvider
{},
certificatesrest
.
RESTStorageProvider
{},
certificatesrest
.
RESTStorageProvider
{},
extensionsrest
.
RESTStorageProvider
{},
extensionsrest
.
RESTStorageProvider
{},
networkingrest
.
RESTStorageProvider
{},
networkingrest
.
RESTStorageProvider
{},
policyrest
.
RESTStorageProvider
{},
policyrest
.
RESTStorageProvider
{},
rbacrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authorizer
},
rbacrest
.
RESTStorageProvider
{
Authorizer
:
c
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
},
schedulingrest
.
RESTStorageProvider
{},
schedulingrest
.
RESTStorageProvider
{},
settingsrest
.
RESTStorageProvider
{},
settingsrest
.
RESTStorageProvider
{},
storagerest
.
RESTStorageProvider
{},
storagerest
.
RESTStorageProvider
{},
...
...
staging/src/k8s.io/apiserver/pkg/server/config.go
View file @
4e0114b0
...
@@ -79,14 +79,19 @@ const (
...
@@ -79,14 +79,19 @@ const (
// Config is a structure used to configure a GenericAPIServer.
// Config is a structure used to configure a GenericAPIServer.
// Its members are sorted roughly in order of importance for composers.
// Its members are sorted roughly in order of importance for composers.
type
Config
struct
{
type
Config
struct
{
// SecureServingInfo is required to serve https
// SecureServing is required to serve https
SecureServingInfo
*
SecureServingInfo
SecureServing
*
SecureServingInfo
// Authentication is the configuration for authentication
Authentication
AuthenticationInfo
// Authentication is the configuration for authentication
Authorization
AuthorizationInfo
// LoopbackClientConfig is a config for a privileged loopback connection to the API server
// LoopbackClientConfig is a config for a privileged loopback connection to the API server
// This is required for proper functioning of the PostStartHooks on a GenericAPIServer
// This is required for proper functioning of the PostStartHooks on a GenericAPIServer
// TODO: move into SecureServing(WithLoopback) as soon as insecure serving is gone
LoopbackClientConfig
*
restclient
.
Config
LoopbackClientConfig
*
restclient
.
Config
// Authenticator determines which subject is making the request
Authenticator
authenticator
.
Request
// Authorizer determines whether the subject is allowed to make the request based only
// Authorizer determines whether the subject is allowed to make the request based only
// on the RequestURI
// on the RequestURI
Authorizer
authorizer
.
Authorizer
Authorizer
authorizer
.
Authorizer
...
@@ -116,10 +121,6 @@ type Config struct {
...
@@ -116,10 +121,6 @@ type Config struct {
AuditBackend
audit
.
Backend
AuditBackend
audit
.
Backend
// AuditPolicyChecker makes the decision of whether and how to audit log a request.
// AuditPolicyChecker makes the decision of whether and how to audit log a request.
AuditPolicyChecker
auditpolicy
.
Checker
AuditPolicyChecker
auditpolicy
.
Checker
// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
// If this is true, a basic auth challenge is returned on authentication failure
// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
SupportsBasicAuth
bool
// ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger)
// ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger)
// Will default to a value based on secure serving info and available ipv4 IPs.
// Will default to a value based on secure serving info and available ipv4 IPs.
ExternalAddress
string
ExternalAddress
string
...
@@ -231,6 +232,21 @@ type SecureServingInfo struct {
...
@@ -231,6 +232,21 @@ type SecureServingInfo struct {
CipherSuites
[]
uint16
CipherSuites
[]
uint16
}
}
type
AuthenticationInfo
struct
{
// Authenticator determines which subject is making the request
Authenticator
authenticator
.
Request
// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
// If this is true, a basic auth challenge is returned on authentication failure
// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
SupportsBasicAuth
bool
}
type
AuthorizationInfo
struct
{
// Authorizer determines whether the subject is allowed to make the request based only
// on the RequestURI
Authorizer
authorizer
.
Authorizer
}
// NewConfig returns a Config struct with the default values
// NewConfig returns a Config struct with the default values
func
NewConfig
(
codecs
serializer
.
CodecFactory
)
*
Config
{
func
NewConfig
(
codecs
serializer
.
CodecFactory
)
*
Config
{
return
&
Config
{
return
&
Config
{
...
@@ -302,23 +318,23 @@ func DefaultSwaggerConfig() *swagger.Config {
...
@@ -302,23 +318,23 @@ func DefaultSwaggerConfig() *swagger.Config {
}
}
}
}
func
(
c
*
Config
)
ApplyClientCert
(
clientCAFile
string
)
(
*
Config
,
error
)
{
func
(
c
*
AuthenticationInfo
)
ApplyClientCert
(
clientCAFile
string
,
servingInfo
*
SecureServingInfo
)
error
{
if
c
.
SecureS
ervingInfo
!=
nil
{
if
s
ervingInfo
!=
nil
{
if
len
(
clientCAFile
)
>
0
{
if
len
(
clientCAFile
)
>
0
{
clientCAs
,
err
:=
certutil
.
CertsFromFile
(
clientCAFile
)
clientCAs
,
err
:=
certutil
.
CertsFromFile
(
clientCAFile
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
if
c
.
SecureS
ervingInfo
.
ClientCA
==
nil
{
if
s
ervingInfo
.
ClientCA
==
nil
{
c
.
SecureS
ervingInfo
.
ClientCA
=
x509
.
NewCertPool
()
s
ervingInfo
.
ClientCA
=
x509
.
NewCertPool
()
}
}
for
_
,
cert
:=
range
clientCAs
{
for
_
,
cert
:=
range
clientCAs
{
c
.
SecureS
ervingInfo
.
ClientCA
.
AddCert
(
cert
)
s
ervingInfo
.
ClientCA
.
AddCert
(
cert
)
}
}
}
}
}
}
return
c
,
nil
return
nil
}
}
type
completedConfig
struct
{
type
completedConfig
struct
{
...
@@ -385,7 +401,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
...
@@ -385,7 +401,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
}
}
}
}
if
c
.
SwaggerConfig
!=
nil
&&
len
(
c
.
SwaggerConfig
.
WebServicesUrl
)
==
0
{
if
c
.
SwaggerConfig
!=
nil
&&
len
(
c
.
SwaggerConfig
.
WebServicesUrl
)
==
0
{
if
c
.
SecureServing
Info
!=
nil
{
if
c
.
SecureServing
!=
nil
{
c
.
SwaggerConfig
.
WebServicesUrl
=
"https://"
+
c
.
ExternalAddress
c
.
SwaggerConfig
.
WebServicesUrl
=
"https://"
+
c
.
ExternalAddress
}
else
{
}
else
{
c
.
SwaggerConfig
.
WebServicesUrl
=
"http://"
+
c
.
ExternalAddress
c
.
SwaggerConfig
.
WebServicesUrl
=
"http://"
+
c
.
ExternalAddress
...
@@ -397,7 +413,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
...
@@ -397,7 +413,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
// If the loopbackclientconfig is specified AND it has a token for use against the API server
// If the loopbackclientconfig is specified AND it has a token for use against the API server
// wrap the authenticator and authorizer in loopback authentication logic
// wrap the authenticator and authorizer in loopback authentication logic
if
c
.
Authenticat
or
!=
nil
&&
c
.
Authorizer
!=
nil
&&
c
.
LoopbackClientConfig
!=
nil
&&
len
(
c
.
LoopbackClientConfig
.
BearerToken
)
>
0
{
if
c
.
Authenticat
ion
.
Authenticator
!=
nil
&&
c
.
Authorization
.
Authorizer
!=
nil
&&
c
.
LoopbackClientConfig
!=
nil
&&
len
(
c
.
LoopbackClientConfig
.
BearerToken
)
>
0
{
privilegedLoopbackToken
:=
c
.
LoopbackClientConfig
.
BearerToken
privilegedLoopbackToken
:=
c
.
LoopbackClientConfig
.
BearerToken
var
uid
=
uuid
.
NewRandom
()
.
String
()
var
uid
=
uuid
.
NewRandom
()
.
String
()
tokens
:=
make
(
map
[
string
]
*
user
.
DefaultInfo
)
tokens
:=
make
(
map
[
string
]
*
user
.
DefaultInfo
)
...
@@ -408,10 +424,10 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
...
@@ -408,10 +424,10 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
}
}
tokenAuthenticator
:=
authenticatorfactory
.
NewFromTokens
(
tokens
)
tokenAuthenticator
:=
authenticatorfactory
.
NewFromTokens
(
tokens
)
c
.
Authenticat
or
=
authenticatorunion
.
New
(
tokenAuthenticator
,
c
.
Authenticator
)
c
.
Authenticat
ion
.
Authenticator
=
authenticatorunion
.
New
(
tokenAuthenticator
,
c
.
Authentication
.
Authenticator
)
tokenAuthorizer
:=
authorizerfactory
.
NewPrivilegedGroups
(
user
.
SystemPrivilegedGroup
)
tokenAuthorizer
:=
authorizerfactory
.
NewPrivilegedGroups
(
user
.
SystemPrivilegedGroup
)
c
.
Authoriz
er
=
authorizerunion
.
New
(
tokenAuthorizer
,
c
.
Authorizer
)
c
.
Authoriz
ation
.
Authorizer
=
authorizerunion
.
New
(
tokenAuthorizer
,
c
.
Authorization
.
Authorizer
)
}
}
if
c
.
RequestInfoResolver
==
nil
{
if
c
.
RequestInfoResolver
==
nil
{
...
@@ -458,7 +474,7 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
...
@@ -458,7 +474,7 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
minRequestTimeout
:
time
.
Duration
(
c
.
MinRequestTimeout
)
*
time
.
Second
,
minRequestTimeout
:
time
.
Duration
(
c
.
MinRequestTimeout
)
*
time
.
Second
,
ShutdownTimeout
:
c
.
RequestTimeout
,
ShutdownTimeout
:
c
.
RequestTimeout
,
SecureServingInfo
:
c
.
SecureServing
Info
,
SecureServingInfo
:
c
.
SecureServing
,
ExternalAddress
:
c
.
ExternalAddress
,
ExternalAddress
:
c
.
ExternalAddress
,
Handler
:
apiServerHandler
,
Handler
:
apiServerHandler
,
...
@@ -530,19 +546,19 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
...
@@ -530,19 +546,19 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
}
}
func
DefaultBuildHandlerChain
(
apiHandler
http
.
Handler
,
c
*
Config
)
http
.
Handler
{
func
DefaultBuildHandlerChain
(
apiHandler
http
.
Handler
,
c
*
Config
)
http
.
Handler
{
handler
:=
genericapifilters
.
WithAuthorization
(
apiHandler
,
c
.
RequestContextMapper
,
c
.
Authorizer
,
c
.
Serializer
)
handler
:=
genericapifilters
.
WithAuthorization
(
apiHandler
,
c
.
RequestContextMapper
,
c
.
Authoriz
ation
.
Authoriz
er
,
c
.
Serializer
)
handler
=
genericfilters
.
WithMaxInFlightLimit
(
handler
,
c
.
MaxRequestsInFlight
,
c
.
MaxMutatingRequestsInFlight
,
c
.
RequestContextMapper
,
c
.
LongRunningFunc
)
handler
=
genericfilters
.
WithMaxInFlightLimit
(
handler
,
c
.
MaxRequestsInFlight
,
c
.
MaxMutatingRequestsInFlight
,
c
.
RequestContextMapper
,
c
.
LongRunningFunc
)
handler
=
genericapifilters
.
WithImpersonation
(
handler
,
c
.
RequestContextMapper
,
c
.
Authorizer
,
c
.
Serializer
)
handler
=
genericapifilters
.
WithImpersonation
(
handler
,
c
.
RequestContextMapper
,
c
.
Authoriz
ation
.
Authoriz
er
,
c
.
Serializer
)
if
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
AdvancedAuditing
)
{
if
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
AdvancedAuditing
)
{
handler
=
genericapifilters
.
WithAudit
(
handler
,
c
.
RequestContextMapper
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
,
c
.
LongRunningFunc
)
handler
=
genericapifilters
.
WithAudit
(
handler
,
c
.
RequestContextMapper
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
,
c
.
LongRunningFunc
)
}
else
{
}
else
{
handler
=
genericapifilters
.
WithLegacyAudit
(
handler
,
c
.
RequestContextMapper
,
c
.
LegacyAuditWriter
)
handler
=
genericapifilters
.
WithLegacyAudit
(
handler
,
c
.
RequestContextMapper
,
c
.
LegacyAuditWriter
)
}
}
failedHandler
:=
genericapifilters
.
Unauthorized
(
c
.
RequestContextMapper
,
c
.
Serializer
,
c
.
SupportsBasicAuth
)
failedHandler
:=
genericapifilters
.
Unauthorized
(
c
.
RequestContextMapper
,
c
.
Serializer
,
c
.
Authentication
.
SupportsBasicAuth
)
if
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
AdvancedAuditing
)
{
if
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
AdvancedAuditing
)
{
failedHandler
=
genericapifilters
.
WithFailedAuthenticationAudit
(
failedHandler
,
c
.
RequestContextMapper
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
)
failedHandler
=
genericapifilters
.
WithFailedAuthenticationAudit
(
failedHandler
,
c
.
RequestContextMapper
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
)
}
}
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
c
.
RequestContextMapper
,
c
.
Authenticator
,
failedHandler
)
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
c
.
RequestContextMapper
,
c
.
Authenticat
ion
.
Authenticat
or
,
failedHandler
)
handler
=
genericfilters
.
WithCORS
(
handler
,
c
.
CorsAllowedOriginList
,
nil
,
nil
,
nil
,
"true"
)
handler
=
genericfilters
.
WithCORS
(
handler
,
c
.
CorsAllowedOriginList
,
nil
,
nil
,
nil
,
"true"
)
handler
=
genericfilters
.
WithTimeoutForNonLongRunningRequests
(
handler
,
c
.
RequestContextMapper
,
c
.
LongRunningFunc
,
c
.
RequestTimeout
)
handler
=
genericfilters
.
WithTimeoutForNonLongRunningRequests
(
handler
,
c
.
RequestContextMapper
,
c
.
LongRunningFunc
,
c
.
RequestTimeout
)
handler
=
genericfilters
.
WithWaitGroup
(
handler
,
c
.
RequestContextMapper
,
c
.
LongRunningFunc
,
c
.
HandlerChainWaitGroup
)
handler
=
genericfilters
.
WithWaitGroup
(
handler
,
c
.
RequestContextMapper
,
c
.
LongRunningFunc
,
c
.
HandlerChainWaitGroup
)
...
...
staging/src/k8s.io/apiserver/pkg/server/genericapiserver.go
View file @
4e0114b0
...
@@ -310,7 +310,7 @@ func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error {
...
@@ -310,7 +310,7 @@ func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error {
internalStopCh
:=
make
(
chan
struct
{})
internalStopCh
:=
make
(
chan
struct
{})
if
s
.
SecureServingInfo
!=
nil
&&
s
.
Handler
!=
nil
{
if
s
.
SecureServingInfo
!=
nil
&&
s
.
Handler
!=
nil
{
if
err
:=
s
.
serveSecurely
(
internalStopCh
);
err
!=
nil
{
if
err
:=
s
.
SecureServingInfo
.
Serve
(
s
.
Handler
,
s
.
ShutdownTimeout
,
internalStopCh
);
err
!=
nil
{
close
(
internalStopCh
)
close
(
internalStopCh
)
return
err
return
err
}
}
...
...
staging/src/k8s.io/apiserver/pkg/server/genericapiserver_test.go
View file @
4e0114b0
...
@@ -387,7 +387,7 @@ func TestNotRestRoutesHaveAuth(t *testing.T) {
...
@@ -387,7 +387,7 @@ func TestNotRestRoutesHaveAuth(t *testing.T) {
authz
:=
mockAuthorizer
{}
authz
:=
mockAuthorizer
{}
config
.
LegacyAPIGroupPrefixes
=
sets
.
NewString
(
"/apiPrefix"
)
config
.
LegacyAPIGroupPrefixes
=
sets
.
NewString
(
"/apiPrefix"
)
config
.
Authorizer
=
&
authz
config
.
Authoriz
ation
.
Authoriz
er
=
&
authz
config
.
EnableSwaggerUI
=
true
config
.
EnableSwaggerUI
=
true
config
.
EnableIndex
=
true
config
.
EnableIndex
=
true
...
...
staging/src/k8s.io/apiserver/pkg/server/options/BUILD
View file @
4e0114b0
...
@@ -15,6 +15,7 @@ go_library(
...
@@ -15,6 +15,7 @@ go_library(
"recommended.go",
"recommended.go",
"server_run_options.go",
"server_run_options.go",
"serving.go",
"serving.go",
"serving_with_loopback.go",
],
],
importpath = "k8s.io/apiserver/pkg/server/options",
importpath = "k8s.io/apiserver/pkg/server/options",
visibility = ["//visibility:public"],
visibility = ["//visibility:public"],
...
...
staging/src/k8s.io/apiserver/pkg/server/options/admission.go
View file @
4e0114b0
...
@@ -136,7 +136,7 @@ func (a *AdmissionOptions) ApplyTo(
...
@@ -136,7 +136,7 @@ func (a *AdmissionOptions) ApplyTo(
if
err
!=
nil
{
if
err
!=
nil
{
return
err
return
err
}
}
genericInitializer
:=
initializer
.
New
(
clientset
,
informers
,
c
.
Authorizer
,
scheme
)
genericInitializer
:=
initializer
.
New
(
clientset
,
informers
,
c
.
Authoriz
ation
.
Authoriz
er
,
scheme
)
initializersChain
:=
admission
.
PluginInitializers
{}
initializersChain
:=
admission
.
PluginInitializers
{}
pluginInitializers
=
append
(
pluginInitializers
,
genericInitializer
)
pluginInitializers
=
append
(
pluginInitializers
,
genericInitializer
)
initializersChain
=
append
(
initializersChain
,
pluginInitializers
...
)
initializersChain
=
append
(
initializersChain
,
pluginInitializers
...
)
...
...
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
View file @
4e0114b0
...
@@ -32,6 +32,7 @@ import (
...
@@ -32,6 +32,7 @@ import (
coreclient
"k8s.io/client-go/kubernetes/typed/core/v1"
coreclient
"k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/rest"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/client-go/tools/clientcmd"
openapicommon
"k8s.io/kube-openapi/pkg/common"
)
)
type
RequestHeaderAuthenticationOptions
struct
{
type
RequestHeaderAuthenticationOptions
struct
{
...
@@ -146,7 +147,7 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -146,7 +147,7 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
}
}
func
(
s
*
DelegatingAuthenticationOptions
)
ApplyTo
(
c
*
server
.
Config
)
error
{
func
(
s
*
DelegatingAuthenticationOptions
)
ApplyTo
(
c
*
server
.
AuthenticationInfo
,
servingInfo
*
server
.
SecureServingInfo
,
openAPIConfig
*
openapicommon
.
Config
)
error
{
if
s
==
nil
{
if
s
==
nil
{
c
.
Authenticator
=
nil
c
.
Authenticator
=
nil
return
nil
return
nil
...
@@ -156,8 +157,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
...
@@ -156,8 +157,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
if
err
!=
nil
{
if
err
!=
nil
{
return
err
return
err
}
}
c
,
err
=
c
.
ApplyClientCert
(
clientCA
.
ClientCA
)
if
err
=
c
.
ApplyClientCert
(
clientCA
.
ClientCA
,
servingInfo
);
err
!=
nil
{
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
...
@@ -165,8 +165,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
...
@@ -165,8 +165,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
if
err
!=
nil
{
if
err
!=
nil
{
return
err
return
err
}
}
c
,
err
=
c
.
ApplyClientCert
(
requestHeader
.
ClientCAFile
)
if
err
=
c
.
ApplyClientCert
(
requestHeader
.
ClientCAFile
,
servingInfo
);
err
!=
nil
{
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
...
@@ -180,8 +179,8 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
...
@@ -180,8 +179,8 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
}
}
c
.
Authenticator
=
authenticator
c
.
Authenticator
=
authenticator
if
c
.
O
penAPIConfig
!=
nil
{
if
o
penAPIConfig
!=
nil
{
c
.
O
penAPIConfig
.
SecurityDefinitions
=
securityDefinitions
o
penAPIConfig
.
SecurityDefinitions
=
securityDefinitions
}
}
c
.
SupportsBasicAuth
=
false
c
.
SupportsBasicAuth
=
false
...
...
staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
View file @
4e0114b0
...
@@ -74,7 +74,7 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -74,7 +74,7 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
"The duration to cache 'unauthorized' responses from the webhook authorizer."
)
"The duration to cache 'unauthorized' responses from the webhook authorizer."
)
}
}
func
(
s
*
DelegatingAuthorizationOptions
)
ApplyTo
(
c
*
server
.
Config
)
error
{
func
(
s
*
DelegatingAuthorizationOptions
)
ApplyTo
(
c
*
server
.
AuthorizationInfo
)
error
{
if
s
==
nil
{
if
s
==
nil
{
c
.
Authorizer
=
authorizerfactory
.
NewAlwaysAllowAuthorizer
()
c
.
Authorizer
=
authorizerfactory
.
NewAlwaysAllowAuthorizer
()
return
nil
return
nil
...
...
staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
View file @
4e0114b0
...
@@ -30,7 +30,7 @@ import (
...
@@ -30,7 +30,7 @@ import (
// Each of them can be nil to leave the feature unconfigured on ApplyTo.
// Each of them can be nil to leave the feature unconfigured on ApplyTo.
type
RecommendedOptions
struct
{
type
RecommendedOptions
struct
{
Etcd
*
EtcdOptions
Etcd
*
EtcdOptions
SecureServing
*
SecureServingOptions
SecureServing
*
SecureServingOptions
WithLoopback
Authentication
*
DelegatingAuthenticationOptions
Authentication
*
DelegatingAuthenticationOptions
Authorization
*
DelegatingAuthorizationOptions
Authorization
*
DelegatingAuthorizationOptions
Audit
*
AuditOptions
Audit
*
AuditOptions
...
@@ -46,7 +46,7 @@ type RecommendedOptions struct {
...
@@ -46,7 +46,7 @@ type RecommendedOptions struct {
func
NewRecommendedOptions
(
prefix
string
,
codec
runtime
.
Codec
)
*
RecommendedOptions
{
func
NewRecommendedOptions
(
prefix
string
,
codec
runtime
.
Codec
)
*
RecommendedOptions
{
return
&
RecommendedOptions
{
return
&
RecommendedOptions
{
Etcd
:
NewEtcdOptions
(
storagebackend
.
NewDefaultConfig
(
prefix
,
codec
)),
Etcd
:
NewEtcdOptions
(
storagebackend
.
NewDefaultConfig
(
prefix
,
codec
)),
SecureServing
:
NewSecureServingOptions
(
),
SecureServing
:
WithLoopback
(
NewSecureServingOptions
()
),
Authentication
:
NewDelegatingAuthenticationOptions
(),
Authentication
:
NewDelegatingAuthenticationOptions
(),
Authorization
:
NewDelegatingAuthorizationOptions
(),
Authorization
:
NewDelegatingAuthorizationOptions
(),
Audit
:
NewAuditOptions
(),
Audit
:
NewAuditOptions
(),
...
@@ -78,10 +78,10 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r
...
@@ -78,10 +78,10 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r
if
err
:=
o
.
SecureServing
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
if
err
:=
o
.
SecureServing
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
return
err
return
err
}
}
if
err
:=
o
.
Authentication
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
if
err
:=
o
.
Authentication
.
ApplyTo
(
&
config
.
Config
.
Authentication
,
config
.
SecureServing
,
config
.
OpenAPIConfig
);
err
!=
nil
{
return
err
return
err
}
}
if
err
:=
o
.
Authorization
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
if
err
:=
o
.
Authorization
.
ApplyTo
(
&
config
.
Config
.
Authorization
);
err
!=
nil
{
return
err
return
err
}
}
if
err
:=
o
.
Audit
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
if
err
:=
o
.
Audit
.
ApplyTo
(
&
config
.
Config
);
err
!=
nil
{
...
...
staging/src/k8s.io/apiserver/pkg/server/options/serving.go
View file @
4e0114b0
...
@@ -24,7 +24,6 @@ import (
...
@@ -24,7 +24,6 @@ import (
"strconv"
"strconv"
"github.com/golang/glog"
"github.com/golang/glog"
"github.com/pborman/uuid"
"github.com/spf13/pflag"
"github.com/spf13/pflag"
utilnet
"k8s.io/apimachinery/pkg/util/net"
utilnet
"k8s.io/apimachinery/pkg/util/net"
...
@@ -110,9 +109,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -110,9 +109,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
}
}
fs
.
IPVar
(
&
s
.
BindAddress
,
"bind-address"
,
s
.
BindAddress
,
""
+
fs
.
IPVar
(
&
s
.
BindAddress
,
"bind-address"
,
s
.
BindAddress
,
""
+
"The IP address on which to listen for the --secure-port port. The "
+
"The IP address on which to listen for the --secure-port port. If blank, all interfaces will be used (0.0.0.0)."
)
"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "
+
"clients. If blank, all interfaces will be used (0.0.0.0)."
)
fs
.
IntVar
(
&
s
.
BindPort
,
"secure-port"
,
s
.
BindPort
,
""
+
fs
.
IntVar
(
&
s
.
BindPort
,
"secure-port"
,
s
.
BindPort
,
""
+
"The port on which to serve HTTPS with authentication and authorization. If 0, "
+
"The port on which to serve HTTPS with authentication and authorization. If 0, "
+
...
@@ -156,7 +153,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -156,7 +153,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
}
}
// ApplyTo fills up serving information in the server configuration.
// ApplyTo fills up serving information in the server configuration.
func
(
s
*
SecureServingOptions
)
ApplyTo
(
c
*
server
.
Config
)
error
{
func
(
s
*
SecureServingOptions
)
ApplyTo
(
c
onfig
**
server
.
SecureServingInfo
)
error
{
if
s
==
nil
{
if
s
==
nil
{
return
nil
return
nil
}
}
...
@@ -173,42 +170,10 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
...
@@ -173,42 +170,10 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
}
}
}
}
if
err
:=
s
.
applyServingInfoTo
(
c
);
err
!=
nil
{
*
config
=
&
server
.
SecureServingInfo
{
return
err
Listener
:
s
.
Listener
,
}
c
.
SecureServingInfo
.
Listener
=
s
.
Listener
// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
// let the server return it when the loopback client connects.
certPem
,
keyPem
,
err
:=
certutil
.
GenerateSelfSignedCertKey
(
server
.
LoopbackClientServerNameOverride
,
nil
,
nil
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"failed to generate self-signed certificate for loopback connection: %v"
,
err
)
}
}
tlsCert
,
err
:=
tls
.
X509KeyPair
(
certPem
,
keyPem
)
c
:=
*
config
if
err
!=
nil
{
return
fmt
.
Errorf
(
"failed to generate self-signed certificate for loopback connection: %v"
,
err
)
}
secureLoopbackClientConfig
,
err
:=
c
.
SecureServingInfo
.
NewLoopbackClientConfig
(
uuid
.
NewRandom
()
.
String
(),
certPem
)
switch
{
// if we failed and there's no fallback loopback client config, we need to fail
case
err
!=
nil
&&
c
.
LoopbackClientConfig
==
nil
:
return
err
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
case
err
!=
nil
&&
c
.
LoopbackClientConfig
!=
nil
:
default
:
c
.
LoopbackClientConfig
=
secureLoopbackClientConfig
c
.
SecureServingInfo
.
SNICerts
[
server
.
LoopbackClientServerNameOverride
]
=
&
tlsCert
}
return
nil
}
func
(
s
*
SecureServingOptions
)
applyServingInfoTo
(
c
*
server
.
Config
)
error
{
secureServingInfo
:=
&
server
.
SecureServingInfo
{}
serverCertFile
,
serverKeyFile
:=
s
.
ServerCert
.
CertKey
.
CertFile
,
s
.
ServerCert
.
CertKey
.
KeyFile
serverCertFile
,
serverKeyFile
:=
s
.
ServerCert
.
CertKey
.
CertFile
,
s
.
ServerCert
.
CertKey
.
KeyFile
// load main cert
// load main cert
...
@@ -217,7 +182,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
...
@@ -217,7 +182,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
if
err
!=
nil
{
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load server certificate: %v"
,
err
)
return
fmt
.
Errorf
(
"unable to load server certificate: %v"
,
err
)
}
}
secureServingInfo
.
Cert
=
&
tlsCert
c
.
Cert
=
&
tlsCert
}
}
if
len
(
s
.
CipherSuites
)
!=
0
{
if
len
(
s
.
CipherSuites
)
!=
0
{
...
@@ -225,11 +190,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
...
@@ -225,11 +190,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
if
err
!=
nil
{
if
err
!=
nil
{
return
err
return
err
}
}
secureServingInfo
.
CipherSuites
=
cipherSuites
c
.
CipherSuites
=
cipherSuites
}
}
var
err
error
var
err
error
secureServingInfo
.
MinTLSVersion
,
err
=
utilflag
.
TLSVersion
(
s
.
MinTLSVersion
)
c
.
MinTLSVersion
,
err
=
utilflag
.
TLSVersion
(
s
.
MinTLSVersion
)
if
err
!=
nil
{
if
err
!=
nil
{
return
err
return
err
}
}
...
@@ -246,14 +211,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
...
@@ -246,14 +211,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
return
fmt
.
Errorf
(
"failed to load SNI cert and key: %v"
,
err
)
return
fmt
.
Errorf
(
"failed to load SNI cert and key: %v"
,
err
)
}
}
}
}
secureServingInfo
.
SNICerts
,
err
=
server
.
GetNamedCertificateMap
(
namedTLSCerts
)
c
.
SNICerts
,
err
=
server
.
GetNamedCertificateMap
(
namedTLSCerts
)
if
err
!=
nil
{
if
err
!=
nil
{
return
err
return
err
}
}
c
.
SecureServingInfo
=
secureServingInfo
c
.
ReadWritePort
=
s
.
BindPort
return
nil
return
nil
}
}
...
...
staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
View file @
4e0114b0
...
@@ -32,6 +32,7 @@ import (
...
@@ -32,6 +32,7 @@ import (
"os"
"os"
"path/filepath"
"path/filepath"
"reflect"
"reflect"
"strconv"
"strings"
"strings"
"testing"
"testing"
"time"
"time"
...
@@ -47,7 +48,6 @@ import (
...
@@ -47,7 +48,6 @@ import (
utilflag
"k8s.io/apiserver/pkg/util/flag"
utilflag
"k8s.io/apiserver/pkg/util/flag"
"k8s.io/client-go/discovery"
"k8s.io/client-go/discovery"
restclient
"k8s.io/client-go/rest"
restclient
"k8s.io/client-go/rest"
"strconv"
)
)
func
setUp
(
t
*
testing
.
T
)
Config
{
func
setUp
(
t
*
testing
.
T
)
Config
{
...
@@ -471,7 +471,7 @@ NextTest:
...
@@ -471,7 +471,7 @@ NextTest:
config
.
Version
=
&
v
config
.
Version
=
&
v
config
.
EnableIndex
=
true
config
.
EnableIndex
=
true
secureOptions
:=
&
SecureServingOptions
{
secureOptions
:=
WithLoopback
(
&
SecureServingOptions
{
BindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
BindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
BindPort
:
6443
,
BindPort
:
6443
,
ServerCert
:
GeneratableKeyCert
{
ServerCert
:
GeneratableKeyCert
{
...
@@ -481,7 +481,7 @@ NextTest:
...
@@ -481,7 +481,7 @@ NextTest:
},
},
},
},
SNICertKeys
:
namedCertKeys
,
SNICertKeys
:
namedCertKeys
,
}
}
)
// use a random free port
// use a random free port
ln
,
err
:=
net
.
Listen
(
"tcp"
,
"127.0.0.1:0"
)
ln
,
err
:=
net
.
Listen
(
"tcp"
,
"127.0.0.1:0"
)
if
err
!=
nil
{
if
err
!=
nil
{
...
...
staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go
0 → 100644
View file @
4e0114b0
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
options
import
(
"crypto/tls"
"fmt"
"github.com/pborman/uuid"
"k8s.io/apiserver/pkg/server"
certutil
"k8s.io/client-go/util/cert"
)
type
SecureServingOptionsWithLoopback
struct
{
*
SecureServingOptions
}
func
WithLoopback
(
o
*
SecureServingOptions
)
*
SecureServingOptionsWithLoopback
{
return
&
SecureServingOptionsWithLoopback
{
o
}
}
// ApplyTo fills up serving information in the server configuration.
func
(
s
*
SecureServingOptionsWithLoopback
)
ApplyTo
(
c
*
server
.
Config
)
error
{
if
s
==
nil
||
s
.
SecureServingOptions
==
nil
{
return
nil
}
if
err
:=
s
.
SecureServingOptions
.
ApplyTo
(
&
c
.
SecureServing
);
err
!=
nil
{
return
err
}
if
c
.
SecureServing
==
nil
{
return
nil
}
c
.
ReadWritePort
=
s
.
BindPort
// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
// let the server return it when the loopback client connects.
certPem
,
keyPem
,
err
:=
certutil
.
GenerateSelfSignedCertKey
(
server
.
LoopbackClientServerNameOverride
,
nil
,
nil
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"failed to generate self-signed certificate for loopback connection: %v"
,
err
)
}
tlsCert
,
err
:=
tls
.
X509KeyPair
(
certPem
,
keyPem
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"failed to generate self-signed certificate for loopback connection: %v"
,
err
)
}
secureLoopbackClientConfig
,
err
:=
c
.
SecureServing
.
NewLoopbackClientConfig
(
uuid
.
NewRandom
()
.
String
(),
certPem
)
switch
{
// if we failed and there's no fallback loopback client config, we need to fail
case
err
!=
nil
&&
c
.
LoopbackClientConfig
==
nil
:
return
err
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
case
err
!=
nil
&&
c
.
LoopbackClientConfig
!=
nil
:
default
:
c
.
LoopbackClientConfig
=
secureLoopbackClientConfig
c
.
SecureServing
.
SNICerts
[
server
.
LoopbackClientServerNameOverride
]
=
&
tlsCert
}
return
nil
}
staging/src/k8s.io/apiserver/pkg/server/serve.go
View file @
4e0114b0
...
@@ -39,17 +39,17 @@ const (
...
@@ -39,17 +39,17 @@ const (
// serveSecurely runs the secure http server. It fails only if certificates cannot
// serveSecurely runs the secure http server. It fails only if certificates cannot
// be loaded or the initial listen call fails. The actual server loop (stoppable by closing
// be loaded or the initial listen call fails. The actual server loop (stoppable by closing
// stopCh) runs in a go routine, i.e. serveSecurely does not block.
// stopCh) runs in a go routine, i.e. serveSecurely does not block.
func
(
s
*
GenericAPIServer
)
serveSecurely
(
stopCh
<-
chan
struct
{})
error
{
func
(
s
*
SecureServingInfo
)
Serve
(
handler
http
.
Handler
,
shutdownTimeout
time
.
Duration
,
stopCh
<-
chan
struct
{})
error
{
if
s
.
SecureServingInfo
.
Listener
==
nil
{
if
s
.
Listener
==
nil
{
return
fmt
.
Errorf
(
"listener must not be nil"
)
return
fmt
.
Errorf
(
"listener must not be nil"
)
}
}
secureServer
:=
&
http
.
Server
{
secureServer
:=
&
http
.
Server
{
Addr
:
s
.
SecureServingInfo
.
Listener
.
Addr
()
.
String
(),
Addr
:
s
.
Listener
.
Addr
()
.
String
(),
Handler
:
s
.
H
andler
,
Handler
:
h
andler
,
MaxHeaderBytes
:
1
<<
20
,
MaxHeaderBytes
:
1
<<
20
,
TLSConfig
:
&
tls
.
Config
{
TLSConfig
:
&
tls
.
Config
{
NameToCertificate
:
s
.
S
ecureServingInfo
.
S
NICerts
,
NameToCertificate
:
s
.
SNICerts
,
// Can't use SSLv3 because of POODLE and BEAST
// Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage
// Can't use TLSv1.1 because of RC4 cipher usage
...
@@ -59,41 +59,41 @@ func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error {
...
@@ -59,41 +59,41 @@ func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error {
},
},
}
}
if
s
.
SecureServingInfo
.
MinTLSVersion
>
0
{
if
s
.
MinTLSVersion
>
0
{
secureServer
.
TLSConfig
.
MinVersion
=
s
.
SecureServingInfo
.
MinTLSVersion
secureServer
.
TLSConfig
.
MinVersion
=
s
.
MinTLSVersion
}
}
if
len
(
s
.
SecureServingInfo
.
CipherSuites
)
>
0
{
if
len
(
s
.
CipherSuites
)
>
0
{
secureServer
.
TLSConfig
.
CipherSuites
=
s
.
SecureServingInfo
.
CipherSuites
secureServer
.
TLSConfig
.
CipherSuites
=
s
.
CipherSuites
}
}
if
s
.
SecureServingInfo
.
Cert
!=
nil
{
if
s
.
Cert
!=
nil
{
secureServer
.
TLSConfig
.
Certificates
=
[]
tls
.
Certificate
{
*
s
.
SecureServingInfo
.
Cert
}
secureServer
.
TLSConfig
.
Certificates
=
[]
tls
.
Certificate
{
*
s
.
Cert
}
}
}
// append all named certs. Otherwise, the go tls stack will think no SNI processing
// append all named certs. Otherwise, the go tls stack will think no SNI processing
// is necessary because there is only one cert anyway.
// is necessary because there is only one cert anyway.
// Moreover, if ServerCert.CertFile/ServerCert.KeyFile are not set, the first SNI
// Moreover, if ServerCert.CertFile/ServerCert.KeyFile are not set, the first SNI
// cert will become the default cert. That's what we expect anyway.
// cert will become the default cert. That's what we expect anyway.
for
_
,
c
:=
range
s
.
S
ecureServingInfo
.
S
NICerts
{
for
_
,
c
:=
range
s
.
SNICerts
{
secureServer
.
TLSConfig
.
Certificates
=
append
(
secureServer
.
TLSConfig
.
Certificates
,
*
c
)
secureServer
.
TLSConfig
.
Certificates
=
append
(
secureServer
.
TLSConfig
.
Certificates
,
*
c
)
}
}
if
s
.
SecureServingInfo
.
ClientCA
!=
nil
{
if
s
.
ClientCA
!=
nil
{
// Populate PeerCertificates in requests, but don't reject connections without certificates
// Populate PeerCertificates in requests, but don't reject connections without certificates
// This allows certificates to be validated by authenticators, while still allowing other auth types
// This allows certificates to be validated by authenticators, while still allowing other auth types
secureServer
.
TLSConfig
.
ClientAuth
=
tls
.
RequestClientCert
secureServer
.
TLSConfig
.
ClientAuth
=
tls
.
RequestClientCert
// Specify allowed CAs for client certificates
// Specify allowed CAs for client certificates
secureServer
.
TLSConfig
.
ClientCAs
=
s
.
SecureServingInfo
.
ClientCA
secureServer
.
TLSConfig
.
ClientCAs
=
s
.
ClientCA
}
}
glog
.
Infof
(
"Serving securely on %s"
,
secureServer
.
Addr
)
glog
.
Infof
(
"Serving securely on %s"
,
secureServer
.
Addr
)
err
:=
RunServer
(
secureServer
,
s
.
SecureServingInfo
.
Listener
,
s
.
ShutdownTimeout
,
stopCh
)
return
RunServer
(
secureServer
,
s
.
Listener
,
shutdownTimeout
,
stopCh
)
return
err
}
}
// RunServer listens on the given port if listener is not given,
// RunServer listens on the given port if listener is not given,
// then spawns a go-routine continuously serving
// then spawns a go-routine continuously serving
// until the stopCh is closed. This function does not block.
// until the stopCh is closed. This function does not block.
// TODO: make private when insecure serving is gone from the kube-apiserver
func
RunServer
(
func
RunServer
(
server
*
http
.
Server
,
server
*
http
.
Server
,
ln
net
.
Listener
,
ln
net
.
Listener
,
...
...
test/integration/auth/accessreview_test.go
View file @
4e0114b0
...
@@ -55,8 +55,8 @@ func alwaysAlice(req *http.Request) (user.Info, bool, error) {
...
@@ -55,8 +55,8 @@ func alwaysAlice(req *http.Request) (user.Info, bool, error) {
func
TestSubjectAccessReview
(
t
*
testing
.
T
)
{
func
TestSubjectAccessReview
(
t
*
testing
.
T
)
{
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
.
RequestFunc
(
alwaysAlice
)
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
.
RequestFunc
(
alwaysAlice
)
masterConfig
.
GenericConfig
.
Authorizer
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -147,10 +147,10 @@ func TestSubjectAccessReview(t *testing.T) {
...
@@ -147,10 +147,10 @@ func TestSubjectAccessReview(t *testing.T) {
func
TestSelfSubjectAccessReview
(
t
*
testing
.
T
)
{
func
TestSelfSubjectAccessReview
(
t
*
testing
.
T
)
{
username
:=
"alice"
username
:=
"alice"
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
username
},
true
,
nil
return
&
user
.
DefaultInfo
{
Name
:
username
},
true
,
nil
})
})
masterConfig
.
GenericConfig
.
Authorizer
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -229,8 +229,8 @@ func TestSelfSubjectAccessReview(t *testing.T) {
...
@@ -229,8 +229,8 @@ func TestSelfSubjectAccessReview(t *testing.T) {
func
TestLocalSubjectAccessReview
(
t
*
testing
.
T
)
{
func
TestLocalSubjectAccessReview
(
t
*
testing
.
T
)
{
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
.
RequestFunc
(
alwaysAlice
)
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
.
RequestFunc
(
alwaysAlice
)
masterConfig
.
GenericConfig
.
Authorizer
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
sarAuthorizer
{}
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
...
test/integration/auth/auth_test.go
View file @
4e0114b0
...
@@ -500,7 +500,7 @@ func getPreviousResourceVersionKey(url, id string) string {
...
@@ -500,7 +500,7 @@ func getPreviousResourceVersionKey(url, id string) string {
func
TestAuthModeAlwaysDeny
(
t
*
testing
.
T
)
{
func
TestAuthModeAlwaysDeny
(
t
*
testing
.
T
)
{
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authorizer
=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -549,8 +549,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
...
@@ -549,8 +549,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -619,8 +619,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
...
@@ -619,8 +619,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
func
TestBobIsForbidden
(
t
*
testing
.
T
)
{
func
TestBobIsForbidden
(
t
*
testing
.
T
)
{
// This file has alice and bob in it.
// This file has alice and bob in it.
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -663,8 +663,8 @@ func TestUnknownUserIsUnauthorized(t *testing.T) {
...
@@ -663,8 +663,8 @@ func TestUnknownUserIsUnauthorized(t *testing.T) {
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -725,8 +725,8 @@ func (impersonateAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Deci
...
@@ -725,8 +725,8 @@ func (impersonateAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Deci
func
TestImpersonateIsForbidden
(
t
*
testing
.
T
)
{
func
TestImpersonateIsForbidden
(
t
*
testing
.
T
)
{
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
impersonateAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
impersonateAuthorizer
{}
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -872,8 +872,8 @@ func TestAuthorizationAttributeDetermination(t *testing.T) {
...
@@ -872,8 +872,8 @@ func TestAuthorizationAttributeDetermination(t *testing.T) {
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
trackingAuthorizer
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
trackingAuthorizer
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -938,8 +938,8 @@ func TestNamespaceAuthorization(t *testing.T) {
...
@@ -938,8 +938,8 @@ func TestNamespaceAuthorization(t *testing.T) {
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
a
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
a
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -1036,8 +1036,8 @@ func TestKindAuthorization(t *testing.T) {
...
@@ -1036,8 +1036,8 @@ func TestKindAuthorization(t *testing.T) {
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
a
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
a
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -1120,8 +1120,8 @@ func TestReadOnlyAuthorization(t *testing.T) {
...
@@ -1120,8 +1120,8 @@ func TestReadOnlyAuthorization(t *testing.T) {
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
getTestTokenAuth
()
masterConfig
.
GenericConfig
.
Authorizer
=
a
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
a
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
@@ -1179,8 +1179,8 @@ func TestWebhookTokenAuthenticator(t *testing.T) {
...
@@ -1179,8 +1179,8 @@ func TestWebhookTokenAuthenticator(t *testing.T) {
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
...
test/integration/auth/bootstraptoken_test.go
View file @
4e0114b0
...
@@ -125,7 +125,7 @@ func TestBootstrapTokenAuth(t *testing.T) {
...
@@ -125,7 +125,7 @@ func TestBootstrapTokenAuth(t *testing.T) {
authenticator
:=
bearertoken
.
New
(
bootstrap
.
NewTokenAuthenticator
(
bootstrapSecrets
{
test
.
secret
}))
authenticator
:=
bearertoken
.
New
(
bootstrap
.
NewTokenAuthenticator
(
bootstrapSecrets
{
test
.
secret
}))
// Set up a master
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
masterConfig
.
GenericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
defer
closeFn
()
defer
closeFn
()
...
...
test/integration/auth/node_test.go
View file @
4e0114b0
...
@@ -101,8 +101,8 @@ func TestNodeAuthorizer(t *testing.T) {
...
@@ -101,8 +101,8 @@ func TestNodeAuthorizer(t *testing.T) {
// Start the server
// Start the server
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
masterConfig
.
GenericConfig
.
Authorizer
=
nodeRBACAuthorizer
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
nodeRBACAuthorizer
masterConfig
.
GenericConfig
.
AdmissionControl
=
nodeRestrictionAdmission
masterConfig
.
GenericConfig
.
AdmissionControl
=
nodeRestrictionAdmission
_
,
_
,
closeFn
:=
framework
.
RunAMasterUsingServer
(
masterConfig
,
apiServer
,
h
)
_
,
_
,
closeFn
:=
framework
.
RunAMasterUsingServer
(
masterConfig
,
apiServer
,
h
)
...
...
test/integration/auth/rbac_test.go
View file @
4e0114b0
...
@@ -414,8 +414,8 @@ func TestRBAC(t *testing.T) {
...
@@ -414,8 +414,8 @@ func TestRBAC(t *testing.T) {
for
i
,
tc
:=
range
tests
{
for
i
,
tc
:=
range
tests
{
// Create an API Server.
// Create an API Server.
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authorizer
=
newRBACAuthorizer
(
masterConfig
)
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
newRBACAuthorizer
(
masterConfig
)
masterConfig
.
GenericConfig
.
Authenticator
=
bearertoken
.
New
(
tokenfile
.
New
(
map
[
string
]
*
user
.
DefaultInfo
{
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
bearertoken
.
New
(
tokenfile
.
New
(
map
[
string
]
*
user
.
DefaultInfo
{
superUser
:
{
Name
:
"admin"
,
Groups
:
[]
string
{
"system:masters"
}},
superUser
:
{
Name
:
"admin"
,
Groups
:
[]
string
{
"system:masters"
}},
"any-rolebinding-writer"
:
{
Name
:
"any-rolebinding-writer"
},
"any-rolebinding-writer"
:
{
Name
:
"any-rolebinding-writer"
},
"any-rolebinding-writer-namespace"
:
{
Name
:
"any-rolebinding-writer-namespace"
},
"any-rolebinding-writer-namespace"
:
{
Name
:
"any-rolebinding-writer-namespace"
},
...
@@ -517,8 +517,8 @@ func TestBootstrapping(t *testing.T) {
...
@@ -517,8 +517,8 @@ func TestBootstrapping(t *testing.T) {
superUser
:=
"admin/system:masters"
superUser
:=
"admin/system:masters"
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authorizer
=
newRBACAuthorizer
(
masterConfig
)
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
newRBACAuthorizer
(
masterConfig
)
masterConfig
.
GenericConfig
.
Authenticator
=
bearertoken
.
New
(
tokenfile
.
New
(
map
[
string
]
*
user
.
DefaultInfo
{
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
bearertoken
.
New
(
tokenfile
.
New
(
map
[
string
]
*
user
.
DefaultInfo
{
superUser
:
{
Name
:
"admin"
,
Groups
:
[]
string
{
"system:masters"
}},
superUser
:
{
Name
:
"admin"
,
Groups
:
[]
string
{
"system:masters"
}},
}))
}))
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
_
,
s
,
closeFn
:=
framework
.
RunAMaster
(
masterConfig
)
...
...
test/integration/framework/master_utils.go
View file @
4e0114b0
...
@@ -160,17 +160,17 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
...
@@ -160,17 +160,17 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
}
}
tokenAuthenticator
:=
authenticatorfactory
.
NewFromTokens
(
tokens
)
tokenAuthenticator
:=
authenticatorfactory
.
NewFromTokens
(
tokens
)
if
masterConfig
.
GenericConfig
.
Authenticator
==
nil
{
if
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
==
nil
{
masterConfig
.
GenericConfig
.
Authenticator
=
authenticatorunion
.
New
(
tokenAuthenticator
,
authauthenticator
.
RequestFunc
(
alwaysEmpty
))
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticatorunion
.
New
(
tokenAuthenticator
,
authauthenticator
.
RequestFunc
(
alwaysEmpty
))
}
else
{
}
else
{
masterConfig
.
GenericConfig
.
Authenticat
or
=
authenticatorunion
.
New
(
tokenAuthenticator
,
masterConfig
.
GenericConfig
.
Authenticator
)
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticator
=
authenticatorunion
.
New
(
tokenAuthenticator
,
masterConfig
.
GenericConfig
.
Authentication
.
Authenticator
)
}
}
if
masterConfig
.
GenericConfig
.
Authorizer
!=
nil
{
if
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
!=
nil
{
tokenAuthorizer
:=
authorizerfactory
.
NewPrivilegedGroups
(
user
.
SystemPrivilegedGroup
)
tokenAuthorizer
:=
authorizerfactory
.
NewPrivilegedGroups
(
user
.
SystemPrivilegedGroup
)
masterConfig
.
GenericConfig
.
Authoriz
er
=
authorizerunion
.
New
(
tokenAuthorizer
,
masterConfig
.
GenericConfig
.
Authorizer
)
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authorizer
=
authorizerunion
.
New
(
tokenAuthorizer
,
masterConfig
.
GenericConfig
.
Authorization
.
Authorizer
)
}
else
{
}
else
{
masterConfig
.
GenericConfig
.
Authorizer
=
alwaysAllow
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
alwaysAllow
{}
}
}
masterConfig
.
GenericConfig
.
LoopbackClientConfig
.
BearerToken
=
privilegedLoopbackToken
masterConfig
.
GenericConfig
.
LoopbackClientConfig
.
BearerToken
=
privilegedLoopbackToken
...
@@ -281,7 +281,7 @@ func NewMasterConfig() *master.Config {
...
@@ -281,7 +281,7 @@ func NewMasterConfig() *master.Config {
genericConfig
:=
genericapiserver
.
NewConfig
(
legacyscheme
.
Codecs
)
genericConfig
:=
genericapiserver
.
NewConfig
(
legacyscheme
.
Codecs
)
kubeVersion
:=
version
.
Get
()
kubeVersion
:=
version
.
Get
()
genericConfig
.
Version
=
&
kubeVersion
genericConfig
.
Version
=
&
kubeVersion
genericConfig
.
Authorizer
=
authorizerfactory
.
NewAlwaysAllowAuthorizer
()
genericConfig
.
Authoriz
ation
.
Authoriz
er
=
authorizerfactory
.
NewAlwaysAllowAuthorizer
()
genericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
genericConfig
.
AdmissionControl
=
admit
.
NewAlwaysAdmit
()
genericConfig
.
EnableMetrics
=
true
genericConfig
.
EnableMetrics
=
true
...
...
test/integration/master/synthetic_master_test.go
View file @
4e0114b0
...
@@ -134,7 +134,7 @@ func TestEmptyList(t *testing.T) {
...
@@ -134,7 +134,7 @@ func TestEmptyList(t *testing.T) {
func
initStatusForbiddenMasterCongfig
()
*
master
.
Config
{
func
initStatusForbiddenMasterCongfig
()
*
master
.
Config
{
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
GenericConfig
.
Authorizer
=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
return
masterConfig
return
masterConfig
}
}
...
@@ -143,8 +143,8 @@ func initUnauthorizedMasterCongfig() *master.Config {
...
@@ -143,8 +143,8 @@ func initUnauthorizedMasterCongfig() *master.Config {
tokenAuthenticator
:=
tokentest
.
New
()
tokenAuthenticator
:=
tokentest
.
New
()
tokenAuthenticator
.
Tokens
[
AliceToken
]
=
&
user
.
DefaultInfo
{
Name
:
"alice"
,
UID
:
"1"
}
tokenAuthenticator
.
Tokens
[
AliceToken
]
=
&
user
.
DefaultInfo
{
Name
:
"alice"
,
UID
:
"1"
}
tokenAuthenticator
.
Tokens
[
BobToken
]
=
&
user
.
DefaultInfo
{
Name
:
"bob"
,
UID
:
"2"
}
tokenAuthenticator
.
Tokens
[
BobToken
]
=
&
user
.
DefaultInfo
{
Name
:
"bob"
,
UID
:
"2"
}
masterConfig
.
GenericConfig
.
Authenticator
=
group
.
NewGroupAdder
(
bearertoken
.
New
(
tokenAuthenticator
),
[]
string
{
user
.
AllAuthenticated
})
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
group
.
NewGroupAdder
(
bearertoken
.
New
(
tokenAuthenticator
),
[]
string
{
user
.
AllAuthenticated
})
masterConfig
.
GenericConfig
.
Authorizer
=
allowAliceAuthorizer
{}
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
allowAliceAuthorizer
{}
return
masterConfig
return
masterConfig
}
}
...
...
test/integration/serviceaccount/service_account_test.go
View file @
4e0114b0
...
@@ -425,8 +425,8 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
...
@@ -425,8 +425,8 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
masterConfig
:=
framework
.
NewMasterConfig
()
masterConfig
:=
framework
.
NewMasterConfig
()
masterConfig
.
GenericConfig
.
EnableIndex
=
true
masterConfig
.
GenericConfig
.
EnableIndex
=
true
masterConfig
.
GenericConfig
.
Authenticator
=
authenticator
masterConfig
.
GenericConfig
.
Authenticat
ion
.
Authenticat
or
=
authenticator
masterConfig
.
GenericConfig
.
Authorizer
=
authorizer
masterConfig
.
GenericConfig
.
Authoriz
ation
.
Authoriz
er
=
authorizer
masterConfig
.
GenericConfig
.
AdmissionControl
=
serviceAccountAdmission
masterConfig
.
GenericConfig
.
AdmissionControl
=
serviceAccountAdmission
framework
.
RunAMasterUsingServer
(
masterConfig
,
apiServer
,
h
)
framework
.
RunAMasterUsingServer
(
masterConfig
,
apiServer
,
h
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment