Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
68468559
Commit
68468559
authored
Nov 10, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
add delegating authorization flags and options
parent
ca2b5f13
Hide whitespace changes
Inline
Side-by-side
Showing
10 changed files
with
153 additions
and
29 deletions
+153
-29
server.go
cmd/kube-apiserver/app/server.go
+2
-2
BUILD
cmd/kubelet/app/BUILD
+0
-1
auth.go
cmd/kubelet/app/auth.go
+7
-6
known-flags.txt
hack/verify-flags/known-flags.txt
+1
-0
BUILD
pkg/genericapiserver/authorizer/BUILD
+5
-2
authz_test.go
pkg/genericapiserver/authorizer/authz_test.go
+19
-17
builtin.go
pkg/genericapiserver/authorizer/builtin.go
+0
-0
delegating.go
pkg/genericapiserver/authorizer/delegating.go
+46
-0
BUILD
pkg/genericapiserver/options/BUILD
+1
-0
authorization.go
pkg/genericapiserver/options/authorization.go
+72
-1
No files found.
cmd/kube-apiserver/app/server.go
View file @
68468559
...
...
@@ -246,8 +246,8 @@ func Run(s *options.ServerRunOptions) error {
}
sharedInformers
:=
informers
.
NewSharedInformerFactory
(
nil
,
client
,
10
*
time
.
Minute
)
authoriz
erc
onfig
:=
s
.
Authorization
.
ToAuthorizationConfig
(
sharedInformers
)
apiAuthorizer
,
err
:=
authorizer
.
NewAuthorizerFromAuthorizationConfig
(
authoriz
erc
onfig
)
authoriz
ationC
onfig
:=
s
.
Authorization
.
ToAuthorizationConfig
(
sharedInformers
)
apiAuthorizer
,
err
:=
authorizer
.
NewAuthorizerFromAuthorizationConfig
(
authoriz
ationC
onfig
)
if
err
!=
nil
{
glog
.
Fatalf
(
"Invalid Authorization Config: %v"
,
err
)
}
...
...
cmd/kubelet/app/BUILD
View file @
68468559
...
...
@@ -98,7 +98,6 @@ go_library(
"//pkg/volume/rbd:go_default_library",
"//pkg/volume/secret:go_default_library",
"//pkg/volume/vsphere_volume:go_default_library",
"//plugin/pkg/auth/authorizer/webhook:go_default_library",
"//vendor:github.com/golang/glog",
"//vendor:github.com/spf13/cobra",
"//vendor:github.com/spf13/pflag",
...
...
cmd/kubelet/app/auth.go
View file @
68468559
...
...
@@ -29,9 +29,9 @@ import (
authenticationclient
"k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/authentication/v1beta1"
authorizationclient
"k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/authorization/v1beta1"
alwaysallowauthorizer
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
apiserverauthorizer
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
"k8s.io/kubernetes/pkg/kubelet/server"
"k8s.io/kubernetes/pkg/types"
webhooksar
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
)
func
buildAuth
(
nodeName
types
.
NodeName
,
client
clientset
.
Interface
,
config
componentconfig
.
KubeletConfiguration
)
(
server
.
AuthInterface
,
error
)
{
...
...
@@ -87,11 +87,12 @@ func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz c
if
client
==
nil
{
return
nil
,
errors
.
New
(
"no client provided, cannot use webhook authorization"
)
}
return
webhooksar
.
NewFromInterface
(
client
,
authz
.
Webhook
.
CacheAuthorizedTTL
.
Duration
,
authz
.
Webhook
.
CacheUnauthorizedTTL
.
Duration
,
)
authorizerConfig
:=
apiserverauthorizer
.
DelegatingAuthorizerConfig
{
SubjectAccessReviewClient
:
client
,
AllowCacheTTL
:
authz
.
Webhook
.
CacheAuthorizedTTL
.
Duration
,
DenyCacheTTL
:
authz
.
Webhook
.
CacheUnauthorizedTTL
.
Duration
,
}
return
authorizerConfig
.
New
()
case
""
:
return
nil
,
fmt
.
Errorf
(
"No authorization mode specified"
)
...
...
hack/verify-flags/known-flags.txt
View file @
68468559
...
...
@@ -36,6 +36,7 @@ authentication-kubeconfig
authentication-token-webhook
authentication-token-webhook-cache-ttl
authentication-token-webhook-config-file
authorization-kubeconfig
authorization-mode
authorization-policy-file
authorization-rbac-super-user
...
...
pkg/genericapiserver/authorizer/BUILD
View file @
68468559
...
...
@@ -12,12 +12,16 @@ load(
go_library(
name = "go_default_library",
srcs = ["authz.go"],
srcs = [
"builtin.go",
"delegating.go",
],
tags = ["automanaged"],
deps = [
"//pkg/auth/authorizer:go_default_library",
"//pkg/auth/authorizer/abac:go_default_library",
"//pkg/auth/authorizer/union:go_default_library",
"//pkg/client/clientset_generated/release_1_5/typed/authorization/v1beta1:go_default_library",
"//pkg/controller/informers:go_default_library",
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
"//plugin/pkg/auth/authorizer/webhook:go_default_library",
...
...
@@ -35,6 +39,5 @@ go_test(
deps = [
"//pkg/auth/authorizer:go_default_library",
"//pkg/auth/user:go_default_library",
"//pkg/genericapiserver/options:go_default_library",
],
)
pkg/genericapiserver/authorizer/authz_test.go
View file @
68468559
...
...
@@ -19,8 +19,6 @@ package authorizer
import
(
"testing"
"k8s.io/kubernetes/pkg/genericapiserver/options"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
)
...
...
@@ -50,67 +48,71 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
examplePolicyFile
:=
"../../auth/authorizer/abac/example_policy_file.jsonl"
tests
:=
[]
struct
{
modes
[]
string
config
AuthorizationConfig
wantErr
bool
msg
string
}{
{
// Unknown modes should return errors
modes
:
[]
string
{
"DoesNotExist"
},
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
"DoesNotExist"
}
},
wantErr
:
true
,
msg
:
"using a fake mode should have returned an error"
,
},
{
// ModeAlwaysAllow and ModeAlwaysDeny should return without authorizationPolicyFile
// but error if one is given
modes
:
[]
string
{
options
.
ModeAlwaysAllow
,
options
.
ModeAlwaysDeny
},
msg
:
"returned an error for valid config"
,
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
}
},
msg
:
"returned an error for valid config"
,
},
{
// ModeABAC requires a policy file
modes
:
[]
string
{
options
.
ModeAlwaysAllow
,
options
.
ModeAlwaysDeny
,
options
.
ModeABAC
},
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeABAC
}
},
wantErr
:
true
,
msg
:
"specifying ABAC with no policy file should return an error"
,
},
{
// ModeABAC should not error if a valid policy path is provided
modes
:
[]
string
{
options
.
ModeAlwaysAllow
,
options
.
ModeAlwaysDeny
,
options
.
ModeABAC
},
config
:
AuthorizationConfig
{
PolicyFile
:
examplePolicyFile
},
msg
:
"errored while using a valid policy file"
,
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeABAC
},
PolicyFile
:
examplePolicyFile
,
},
msg
:
"errored while using a valid policy file"
,
},
{
// Authorization Policy file cannot be used without ModeABAC
modes
:
[]
string
{
options
.
ModeAlwaysAllow
,
options
.
ModeAlwaysDeny
},
config
:
AuthorizationConfig
{
PolicyFile
:
examplePolicyFile
},
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
},
PolicyFile
:
examplePolicyFile
,
},
wantErr
:
true
,
msg
:
"should have errored when Authorization Policy File is used without ModeABAC"
,
},
{
// At least one authorizationMode is necessary
modes
:
[]
string
{},
config
:
AuthorizationConfig
{
PolicyFile
:
examplePolicyFile
},
wantErr
:
true
,
msg
:
"should have errored when no authorization modes are passed"
,
},
{
// ModeWebhook requires at minimum a target.
modes
:
[]
string
{
options
.
ModeWebhook
},
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeWebhook
}
},
wantErr
:
true
,
msg
:
"should have errored when config was empty with ModeWebhook"
,
},
{
// Cannot provide webhook flags without ModeWebhook
modes
:
[]
string
{
options
.
ModeAlwaysAllow
},
config
:
AuthorizationConfig
{
WebhookConfigFile
:
"authz_webhook_config.yml"
},
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
},
WebhookConfigFile
:
"authz_webhook_config.yml"
,
},
wantErr
:
true
,
msg
:
"should have errored when Webhook config file is used without ModeWebhook"
,
},
}
for
_
,
tt
:=
range
tests
{
_
,
err
:=
NewAuthorizerFromAuthorizationConfig
(
tt
.
modes
,
tt
.
config
)
_
,
err
:=
NewAuthorizerFromAuthorizationConfig
(
tt
.
config
)
if
tt
.
wantErr
&&
(
err
==
nil
)
{
t
.
Errorf
(
"NewAuthorizerFromAuthorizationConfig %s"
,
tt
.
msg
)
}
else
if
!
tt
.
wantErr
&&
(
err
!=
nil
)
{
...
...
pkg/genericapiserver/authorizer/
authz
.go
→
pkg/genericapiserver/authorizer/
builtin
.go
View file @
68468559
File moved
pkg/genericapiserver/authorizer/delegating.go
0 → 100644
View file @
68468559
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
authorizer
import
(
"time"
"k8s.io/kubernetes/pkg/auth/authorizer"
authorizationclient
"k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/authorization/v1beta1"
webhooksar
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
)
// DelegatingAuthorizerConfig is the minimal configuration needed to create an authenticator
// built to delegate authentication to a kube API server
type
DelegatingAuthorizerConfig
struct
{
SubjectAccessReviewClient
authorizationclient
.
SubjectAccessReviewInterface
// AllowCacheTTL is the length of time that a successful authorization response will be cached
AllowCacheTTL
time
.
Duration
// DenyCacheTTL is the length of time that an unsuccessful authorization response will be cached.
// You generally want more responsive, "deny, try again" flows.
DenyCacheTTL
time
.
Duration
}
func
(
c
DelegatingAuthorizerConfig
)
New
()
(
authorizer
.
Authorizer
,
error
)
{
return
webhooksar
.
NewFromInterface
(
c
.
SubjectAccessReviewClient
,
c
.
AllowCacheTTL
,
c
.
DenyCacheTTL
,
)
}
pkg/genericapiserver/options/BUILD
View file @
68468559
...
...
@@ -27,6 +27,7 @@ go_library(
"//pkg/apimachinery/registered:go_default_library",
"//pkg/apiserver/authenticator:go_default_library",
"//pkg/client/clientset_generated/release_1_5/typed/authentication/v1beta1:go_default_library",
"//pkg/client/clientset_generated/release_1_5/typed/authorization/v1beta1:go_default_library",
"//pkg/client/restclient:go_default_library",
"//pkg/client/unversioned/clientcmd:go_default_library",
"//pkg/controller/informers:go_default_library",
...
...
pkg/genericapiserver/options/authorization.go
View file @
68468559
...
...
@@ -22,6 +22,8 @@ import (
"github.com/spf13/pflag"
authorizationclient
"k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/authorization/v1beta1"
"k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
"k8s.io/kubernetes/pkg/controller/informers"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
)
...
...
@@ -39,7 +41,7 @@ type BuiltInAuthorizationOptions struct {
func
NewBuiltInAuthorizationOptions
()
*
BuiltInAuthorizationOptions
{
return
&
BuiltInAuthorizationOptions
{
Mode
:
"AlwaysAllow"
,
Mode
:
authorizer
.
ModeAlwaysAllow
,
WebhookCacheAuthorizedTTL
:
5
*
time
.
Minute
,
WebhookCacheUnauthorizedTTL
:
30
*
time
.
Second
,
}
...
...
@@ -87,3 +89,72 @@ func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory info
InformerFactory
:
informerFactory
,
}
}
// DelegatingAuthorizationOptions provides an easy way for composing API servers to delegate their authorization to
// the root kube API server
type
DelegatingAuthorizationOptions
struct
{
// RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the
// TokenAcessReview.authentication.k8s.io endpoint for checking tokens.
RemoteKubeConfigFile
string
// AllowCacheTTL is the length of time that a successful authorization response will be cached
AllowCacheTTL
time
.
Duration
// DenyCacheTTL is the length of time that an unsuccessful authorization response will be cached.
// You generally want more responsive, "deny, try again" flows.
DenyCacheTTL
time
.
Duration
}
func
NewDelegatingAuthorizationOptions
()
*
DelegatingAuthorizationOptions
{
return
&
DelegatingAuthorizationOptions
{
AllowCacheTTL
:
5
*
time
.
Minute
,
DenyCacheTTL
:
30
*
time
.
Second
,
}
}
func
(
s
*
DelegatingAuthorizationOptions
)
Validate
()
[]
error
{
allErrors
:=
[]
error
{}
return
allErrors
}
func
(
s
*
DelegatingAuthorizationOptions
)
AddFlags
(
fs
*
pflag
.
FlagSet
)
{
fs
.
StringVar
(
&
s
.
RemoteKubeConfigFile
,
"authorization-kubeconfig"
,
s
.
RemoteKubeConfigFile
,
""
+
"kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "
+
" subjectaccessreviews.authorization.k8s.io."
)
}
func
(
s
*
DelegatingAuthorizationOptions
)
ToAuthorizationConfig
()
(
authorizer
.
DelegatingAuthorizerConfig
,
error
)
{
tokenClient
,
err
:=
s
.
newSubjectAccessReview
()
if
err
!=
nil
{
return
authorizer
.
DelegatingAuthorizerConfig
{},
err
}
ret
:=
authorizer
.
DelegatingAuthorizerConfig
{
SubjectAccessReviewClient
:
tokenClient
,
AllowCacheTTL
:
s
.
AllowCacheTTL
,
DenyCacheTTL
:
s
.
DenyCacheTTL
,
}
return
ret
,
nil
}
func
(
s
*
DelegatingAuthorizationOptions
)
newSubjectAccessReview
()
(
authorizationclient
.
SubjectAccessReviewInterface
,
error
)
{
if
len
(
s
.
RemoteKubeConfigFile
)
==
0
{
return
nil
,
nil
}
loadingRules
:=
clientcmd
.
NewDefaultClientConfigLoadingRules
()
loadingRules
.
ExplicitPath
=
s
.
RemoteKubeConfigFile
loader
:=
clientcmd
.
NewNonInteractiveDeferredLoadingClientConfig
(
loadingRules
,
&
clientcmd
.
ConfigOverrides
{})
clientConfig
,
err
:=
loader
.
ClientConfig
()
if
err
!=
nil
{
return
nil
,
err
}
client
,
err
:=
authorizationclient
.
NewForConfig
(
clientConfig
)
if
err
!=
nil
{
return
nil
,
err
}
return
client
.
SubjectAccessReviews
(),
nil
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment