Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
798d3eda
Commit
798d3eda
authored
Dec 07, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
add authentication/authorization to kubernetes-discovery
parent
fc361206
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
84 additions
and
10 deletions
+84
-10
start.go
cmd/kubernetes-discovery/pkg/cmd/server/start.go
+16
-4
local-up-cluster.sh
hack/local-up-cluster.sh
+17
-4
config.go
pkg/genericapiserver/config.go
+40
-0
authorization.go
pkg/genericapiserver/options/authorization.go
+11
-2
No files found.
cmd/kubernetes-discovery/pkg/cmd/server/start.go
View file @
798d3eda
...
@@ -40,8 +40,10 @@ import (
...
@@ -40,8 +40,10 @@ import (
const
defaultEtcdPathPrefix
=
"/registry/kubernetes.io/kubernetes-discovery"
const
defaultEtcdPathPrefix
=
"/registry/kubernetes.io/kubernetes-discovery"
type
DiscoveryServerOptions
struct
{
type
DiscoveryServerOptions
struct
{
Etcd
*
genericoptions
.
EtcdOptions
Etcd
*
genericoptions
.
EtcdOptions
SecureServing
*
genericoptions
.
SecureServingOptions
SecureServing
*
genericoptions
.
SecureServingOptions
Authentication
*
genericoptions
.
DelegatingAuthenticationOptions
Authorization
*
genericoptions
.
DelegatingAuthorizationOptions
StdOut
io
.
Writer
StdOut
io
.
Writer
StdErr
io
.
Writer
StdErr
io
.
Writer
...
@@ -50,8 +52,10 @@ type DiscoveryServerOptions struct {
...
@@ -50,8 +52,10 @@ type DiscoveryServerOptions struct {
// NewCommandStartMaster provides a CLI handler for 'start master' command
// NewCommandStartMaster provides a CLI handler for 'start master' command
func
NewCommandStartDiscoveryServer
(
out
,
err
io
.
Writer
)
*
cobra
.
Command
{
func
NewCommandStartDiscoveryServer
(
out
,
err
io
.
Writer
)
*
cobra
.
Command
{
o
:=
&
DiscoveryServerOptions
{
o
:=
&
DiscoveryServerOptions
{
Etcd
:
genericoptions
.
NewEtcdOptions
(),
Etcd
:
genericoptions
.
NewEtcdOptions
(),
SecureServing
:
genericoptions
.
NewSecureServingOptions
(),
SecureServing
:
genericoptions
.
NewSecureServingOptions
(),
Authentication
:
genericoptions
.
NewDelegatingAuthenticationOptions
(),
Authorization
:
genericoptions
.
NewDelegatingAuthorizationOptions
(),
StdOut
:
out
,
StdOut
:
out
,
StdErr
:
err
,
StdErr
:
err
,
...
@@ -73,6 +77,8 @@ func NewCommandStartDiscoveryServer(out, err io.Writer) *cobra.Command {
...
@@ -73,6 +77,8 @@ func NewCommandStartDiscoveryServer(out, err io.Writer) *cobra.Command {
flags
:=
cmd
.
Flags
()
flags
:=
cmd
.
Flags
()
o
.
Etcd
.
AddFlags
(
flags
)
o
.
Etcd
.
AddFlags
(
flags
)
o
.
SecureServing
.
AddFlags
(
flags
)
o
.
SecureServing
.
AddFlags
(
flags
)
o
.
Authentication
.
AddFlags
(
flags
)
o
.
Authorization
.
AddFlags
(
flags
)
return
cmd
return
cmd
}
}
...
@@ -100,6 +106,12 @@ func (o DiscoveryServerOptions) RunDiscoveryServer() error {
...
@@ -100,6 +106,12 @@ func (o DiscoveryServerOptions) RunDiscoveryServer() error {
if
_
,
err
:=
genericAPIServerConfig
.
ApplySecureServingOptions
(
o
.
SecureServing
);
err
!=
nil
{
if
_
,
err
:=
genericAPIServerConfig
.
ApplySecureServingOptions
(
o
.
SecureServing
);
err
!=
nil
{
return
err
return
err
}
}
if
_
,
err
:=
genericAPIServerConfig
.
ApplyDelegatingAuthenticationOptions
(
o
.
Authentication
);
err
!=
nil
{
return
err
}
if
_
,
err
:=
genericAPIServerConfig
.
ApplyDelegatingAuthorizationOptions
(
o
.
Authorization
);
err
!=
nil
{
return
err
}
var
err
error
var
err
error
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
...
...
hack/local-up-cluster.sh
View file @
798d3eda
...
@@ -444,7 +444,7 @@ EOF
...
@@ -444,7 +444,7 @@ EOF
create_client_certkey client-ca kube-proxy system:kube-proxy system:nodes
create_client_certkey client-ca kube-proxy system:kube-proxy system:nodes
create_client_certkey client-ca controller system:controller system:masters
create_client_certkey client-ca controller system:controller system:masters
create_client_certkey client-ca scheduler system:scheduler system:masters
create_client_certkey client-ca scheduler system:scheduler system:masters
create_client_certkey client-ca admin system:admin system:
cluster-admin
s
create_client_certkey client-ca admin system:admin system:
master
s
# Create auth proxy client ca
# Create auth proxy client ca
sudo
/bin/bash
-e
<<
EOF
sudo
/bin/bash
-e
<<
EOF
...
@@ -476,7 +476,7 @@ EOF
...
@@ -476,7 +476,7 @@ EOF
--requestheader-username-headers
=
X-Remote-User
\
--requestheader-username-headers
=
X-Remote-User
\
--requestheader-group-headers
=
X-Remote-Group
\
--requestheader-group-headers
=
X-Remote-Group
\
--requestheader-extra-headers-prefix
=
X-Remote-Extra-
\
--requestheader-extra-headers-prefix
=
X-Remote-Extra-
\
--requestheader-client-ca-file
=
${
CERT_DIR
}
/auth-proxy-client-ca.crt
\
--requestheader-client-ca-file
=
"
${
CERT_DIR
}
/auth-proxy-client-ca.crt"
\
--requestheader-allowed-names
=
system:auth-proxy
\
--requestheader-allowed-names
=
system:auth-proxy
\
--cors-allowed-origins
=
"
${
API_CORS_ALLOWED_ORIGINS
}
"
>
"
${
APISERVER_LOG
}
"
2>&1 &
--cors-allowed-origins
=
"
${
API_CORS_ALLOWED_ORIGINS
}
"
>
"
${
APISERVER_LOG
}
"
2>&1 &
APISERVER_PID
=
$!
APISERVER_PID
=
$!
...
@@ -486,6 +486,7 @@ EOF
...
@@ -486,6 +486,7 @@ EOF
kube::util::wait_for_url
"https://
${
API_HOST
}
:
${
API_SECURE_PORT
}
/version"
"apiserver: "
1
${
WAIT_FOR_URL_API_SERVER
}
||
exit
1
kube::util::wait_for_url
"https://
${
API_HOST
}
:
${
API_SECURE_PORT
}
/version"
"apiserver: "
1
${
WAIT_FOR_URL_API_SERVER
}
||
exit
1
# Create kubeconfigs for all components, using client certs
# Create kubeconfigs for all components, using client certs
write_client_kubeconfig admin
write_client_kubeconfig kubelet
write_client_kubeconfig kubelet
write_client_kubeconfig kube-proxy
write_client_kubeconfig kube-proxy
write_client_kubeconfig controller
write_client_kubeconfig controller
...
@@ -509,11 +510,23 @@ EOF
...
@@ -509,11 +510,23 @@ EOF
# start_discovery relies on certificates created by start_apiserver
# start_discovery relies on certificates created by start_apiserver
function
start_discovery
{
function
start_discovery
{
# TODO generate serving certificates
# TODO generate serving certificates
create_client_certkey client-ca discovery-auth system:discovery-auth
write_client_kubeconfig discovery-auth
# grant permission to run delegated authentication and authorization checks
kubectl create clusterrolebinding discovery:system:auth-delegator
--clusterrole
=
system:auth-delegator
--user
=
system:discovery-auth
DISCOVERY_SERVER_LOG
=
/tmp/kubernetes-discovery.log
DISCOVERY_SERVER_LOG
=
/tmp/kubernetes-discovery.log
${
CONTROLPLANE_SUDO
}
"
${
GO_OUT
}
/kubernetes-discovery"
\
${
CONTROLPLANE_SUDO
}
"
${
GO_OUT
}
/kubernetes-discovery"
\
--cert-dir
=
"
${
CERT_DIR
}
"
\
--cert-dir
=
"
${
CERT_DIR
}
"
\
--client-ca-file
=
"
${
CERT_DIR
}
/client-ca-bundle.crt"
\
--client-ca-file
=
"
${
CERT_DIR
}
/client-ca-bundle.crt"
\
--authentication-kubeconfig
=
"
${
CERT_DIR
}
/discovery-auth.kubeconfig"
\
--authorization-kubeconfig
=
"
${
CERT_DIR
}
/discovery-auth.kubeconfig"
\
--requestheader-username-headers
=
X-Remote-User
\
--requestheader-group-headers
=
X-Remote-Group
\
--requestheader-extra-headers-prefix
=
X-Remote-Extra-
\
--requestheader-client-ca-file
=
"
${
CERT_DIR
}
/auth-proxy-client-ca.crt"
\
--requestheader-allowed-names
=
system:auth-proxy
\
--bind-address
=
"
${
API_BIND_ADDR
}
"
\
--bind-address
=
"
${
API_BIND_ADDR
}
"
\
--secure-port
=
"
${
DISCOVERY_SECURE_PORT
}
"
\
--secure-port
=
"
${
DISCOVERY_SECURE_PORT
}
"
\
--tls-ca-file
=
"
${
ROOT_CA_FILE
}
"
\
--tls-ca-file
=
"
${
ROOT_CA_FILE
}
"
\
...
@@ -800,7 +813,7 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
...
@@ -800,7 +813,7 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
start_etcd
start_etcd
set_service_accounts
set_service_accounts
start_apiserver
start_apiserver
#
start_discovery
start_discovery
start_controller_manager
start_controller_manager
start_kubeproxy
start_kubeproxy
start_kubedns
start_kubedns
...
...
pkg/genericapiserver/config.go
View file @
798d3eda
...
@@ -343,6 +343,46 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
...
@@ -343,6 +343,46 @@ func (c *Config) ApplyAuthenticationOptions(o *options.BuiltInAuthenticationOpti
return
c
,
nil
return
c
,
nil
}
}
func
(
c
*
Config
)
ApplyDelegatingAuthenticationOptions
(
o
*
options
.
DelegatingAuthenticationOptions
)
(
*
Config
,
error
)
{
if
o
==
nil
{
return
c
,
nil
}
cfg
,
err
:=
o
.
ToAuthenticationConfig
()
if
err
!=
nil
{
return
nil
,
err
}
authenticator
,
securityDefinitions
,
err
:=
cfg
.
New
()
if
err
!=
nil
{
return
nil
,
err
}
c
.
Authenticator
=
authenticator
c
.
OpenAPIConfig
.
SecurityDefinitions
=
securityDefinitions
c
.
SupportsBasicAuth
=
false
return
c
,
nil
}
func
(
c
*
Config
)
ApplyDelegatingAuthorizationOptions
(
o
*
options
.
DelegatingAuthorizationOptions
)
(
*
Config
,
error
)
{
if
o
==
nil
{
return
c
,
nil
}
cfg
,
err
:=
o
.
ToAuthorizationConfig
()
if
err
!=
nil
{
return
nil
,
err
}
authorizer
,
err
:=
cfg
.
New
()
if
err
!=
nil
{
return
nil
,
err
}
c
.
Authorizer
=
authorizer
return
c
,
nil
}
// ApplyOptions applies the run options to the method receiver and returns self
// ApplyOptions applies the run options to the method receiver and returns self
func
(
c
*
Config
)
ApplyOptions
(
options
*
options
.
ServerRunOptions
)
*
Config
{
func
(
c
*
Config
)
ApplyOptions
(
options
*
options
.
ServerRunOptions
)
*
Config
{
if
len
(
options
.
AuditLogPath
)
!=
0
{
if
len
(
options
.
AuditLogPath
)
!=
0
{
...
...
pkg/genericapiserver/options/authorization.go
View file @
798d3eda
...
@@ -111,8 +111,9 @@ type DelegatingAuthorizationOptions struct {
...
@@ -111,8 +111,9 @@ type DelegatingAuthorizationOptions struct {
func
NewDelegatingAuthorizationOptions
()
*
DelegatingAuthorizationOptions
{
func
NewDelegatingAuthorizationOptions
()
*
DelegatingAuthorizationOptions
{
return
&
DelegatingAuthorizationOptions
{
return
&
DelegatingAuthorizationOptions
{
AllowCacheTTL
:
5
*
time
.
Minute
,
// very low for responsiveness, but high enough to handle storms
DenyCacheTTL
:
30
*
time
.
Second
,
AllowCacheTTL
:
10
*
time
.
Second
,
DenyCacheTTL
:
10
*
time
.
Second
,
}
}
}
}
...
@@ -125,6 +126,14 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -125,6 +126,14 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
fs
.
StringVar
(
&
s
.
RemoteKubeConfigFile
,
"authorization-kubeconfig"
,
s
.
RemoteKubeConfigFile
,
""
+
fs
.
StringVar
(
&
s
.
RemoteKubeConfigFile
,
"authorization-kubeconfig"
,
s
.
RemoteKubeConfigFile
,
""
+
"kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "
+
"kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "
+
" subjectaccessreviews.authorization.k8s.io."
)
" subjectaccessreviews.authorization.k8s.io."
)
fs
.
DurationVar
(
&
s
.
AllowCacheTTL
,
"authorization-webhook-cache-authorized-ttl"
,
s
.
AllowCacheTTL
,
"The duration to cache 'authorized' responses from the webhook authorizer."
)
fs
.
DurationVar
(
&
s
.
DenyCacheTTL
,
"authorization-webhook-cache-unauthorized-ttl"
,
s
.
DenyCacheTTL
,
"The duration to cache 'unauthorized' responses from the webhook authorizer."
)
}
}
func
(
s
*
DelegatingAuthorizationOptions
)
ToAuthorizationConfig
()
(
authorizer
.
DelegatingAuthorizerConfig
,
error
)
{
func
(
s
*
DelegatingAuthorizationOptions
)
ToAuthorizationConfig
()
(
authorizer
.
DelegatingAuthorizerConfig
,
error
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment