Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
7a67403f
Commit
7a67403f
authored
Oct 07, 2018
by
Darren Shepherd
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove ABAC
parent
8d4c7c0c
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
1 addition
and
372 deletions
+1
-372
BUILD
pkg/auth/authorizer/abac/BUILD
+0
-60
abac.go
pkg/auth/authorizer/abac/abac.go
+0
-273
abac_test.go
pkg/auth/authorizer/abac/abac_test.go
+0
-0
example_policy_file.jsonl
pkg/auth/authorizer/abac/example_policy_file.jsonl
+0
-12
config.go
pkg/kubeapiserver/authorizer/config.go
+0
-11
modes.go
pkg/kubeapiserver/authorizer/modes/modes.go
+1
-2
authorization.go
pkg/kubeapiserver/options/authorization.go
+0
-14
No files found.
pkg/auth/authorizer/abac/BUILD
deleted
100644 → 0
View file @
8d4c7c0c
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_library(
name = "go_default_library",
srcs = ["abac.go"],
importpath = "k8s.io/kubernetes/pkg/auth/authorizer/abac",
deps = [
"//pkg/apis/abac:go_default_library",
"//pkg/apis/abac/latest:go_default_library",
"//pkg/apis/abac/v0:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
],
)
filegroup(
name = "example_policy",
testonly = True,
srcs = [
"example_policy_file.jsonl",
],
)
go_test(
name = "go_default_test",
srcs = ["abac_test.go"],
data = [
":example_policy",
],
embed = [":go_default_library"],
deps = [
"//pkg/apis/abac:go_default_library",
"//pkg/apis/abac/v0:go_default_library",
"//pkg/apis/abac/v1beta1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)
pkg/auth/authorizer/abac/abac.go
deleted
100644 → 0
View file @
8d4c7c0c
/*
Copyright 2014 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
abac
// Policy authorizes Kubernetes API actions using an Attribute-based access
// control scheme.
import
(
"bufio"
"fmt"
"os"
"strings"
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/kubernetes/pkg/apis/abac"
_
"k8s.io/kubernetes/pkg/apis/abac/latest"
"k8s.io/kubernetes/pkg/apis/abac/v0"
)
type
policyLoadError
struct
{
path
string
line
int
data
[]
byte
err
error
}
func
(
p
policyLoadError
)
Error
()
string
{
if
p
.
line
>=
0
{
return
fmt
.
Sprintf
(
"error reading policy file %s, line %d: %s: %v"
,
p
.
path
,
p
.
line
,
string
(
p
.
data
),
p
.
err
)
}
return
fmt
.
Sprintf
(
"error reading policy file %s: %v"
,
p
.
path
,
p
.
err
)
}
type
policyList
[]
*
abac
.
Policy
// TODO: Have policies be created via an API call and stored in REST storage.
func
NewFromFile
(
path
string
)
(
policyList
,
error
)
{
// File format is one map per line. This allows easy concatenation of files,
// comments in files, and identification of errors by line number.
file
,
err
:=
os
.
Open
(
path
)
if
err
!=
nil
{
return
nil
,
err
}
defer
file
.
Close
()
scanner
:=
bufio
.
NewScanner
(
file
)
pl
:=
make
(
policyList
,
0
)
decoder
:=
abac
.
Codecs
.
UniversalDecoder
()
i
:=
0
unversionedLines
:=
0
for
scanner
.
Scan
()
{
i
++
p
:=
&
abac
.
Policy
{}
b
:=
scanner
.
Bytes
()
// skip comment lines and blank lines
trimmed
:=
strings
.
TrimSpace
(
string
(
b
))
if
len
(
trimmed
)
==
0
||
strings
.
HasPrefix
(
trimmed
,
"#"
)
{
continue
}
decodedObj
,
_
,
err
:=
decoder
.
Decode
(
b
,
nil
,
nil
)
if
err
!=
nil
{
if
!
(
runtime
.
IsMissingVersion
(
err
)
||
runtime
.
IsMissingKind
(
err
)
||
runtime
.
IsNotRegisteredError
(
err
))
{
return
nil
,
policyLoadError
{
path
,
i
,
b
,
err
}
}
unversionedLines
++
// Migrate unversioned policy object
oldPolicy
:=
&
v0
.
Policy
{}
if
err
:=
runtime
.
DecodeInto
(
decoder
,
b
,
oldPolicy
);
err
!=
nil
{
return
nil
,
policyLoadError
{
path
,
i
,
b
,
err
}
}
if
err
:=
abac
.
Scheme
.
Convert
(
oldPolicy
,
p
,
nil
);
err
!=
nil
{
return
nil
,
policyLoadError
{
path
,
i
,
b
,
err
}
}
pl
=
append
(
pl
,
p
)
continue
}
decodedPolicy
,
ok
:=
decodedObj
.
(
*
abac
.
Policy
)
if
!
ok
{
return
nil
,
policyLoadError
{
path
,
i
,
b
,
fmt
.
Errorf
(
"unrecognized object: %#v"
,
decodedObj
)}
}
pl
=
append
(
pl
,
decodedPolicy
)
}
if
unversionedLines
>
0
{
glog
.
Warningf
(
"Policy file %s contained unversioned rules. See docs/admin/authorization.md#abac-mode for ABAC file format details."
,
path
)
}
if
err
:=
scanner
.
Err
();
err
!=
nil
{
return
nil
,
policyLoadError
{
path
,
-
1
,
nil
,
err
}
}
return
pl
,
nil
}
func
matches
(
p
abac
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
if
subjectMatches
(
p
,
a
.
GetUser
())
{
if
verbMatches
(
p
,
a
)
{
// Resource and non-resource requests are mutually exclusive, at most one will match a policy
if
resourceMatches
(
p
,
a
)
{
return
true
}
if
nonResourceMatches
(
p
,
a
)
{
return
true
}
}
}
return
false
}
// subjectMatches returns true if specified user and group properties in the policy match the attributes
func
subjectMatches
(
p
abac
.
Policy
,
user
user
.
Info
)
bool
{
matched
:=
false
if
user
==
nil
{
return
false
}
username
:=
user
.
GetName
()
groups
:=
user
.
GetGroups
()
// If the policy specified a user, ensure it matches
if
len
(
p
.
Spec
.
User
)
>
0
{
if
p
.
Spec
.
User
==
"*"
{
matched
=
true
}
else
{
matched
=
p
.
Spec
.
User
==
username
if
!
matched
{
return
false
}
}
}
// If the policy specified a group, ensure it matches
if
len
(
p
.
Spec
.
Group
)
>
0
{
if
p
.
Spec
.
Group
==
"*"
{
matched
=
true
}
else
{
matched
=
false
for
_
,
group
:=
range
groups
{
if
p
.
Spec
.
Group
==
group
{
matched
=
true
}
}
if
!
matched
{
return
false
}
}
}
return
matched
}
func
verbMatches
(
p
abac
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
// TODO: match on verb
// All policies allow read only requests
if
a
.
IsReadOnly
()
{
return
true
}
// Allow if policy is not readonly
if
!
p
.
Spec
.
Readonly
{
return
true
}
return
false
}
func
nonResourceMatches
(
p
abac
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
// A non-resource policy cannot match a resource request
if
!
a
.
IsResourceRequest
()
{
// Allow wildcard match
if
p
.
Spec
.
NonResourcePath
==
"*"
{
return
true
}
// Allow exact match
if
p
.
Spec
.
NonResourcePath
==
a
.
GetPath
()
{
return
true
}
// Allow a trailing * subpath match
if
strings
.
HasSuffix
(
p
.
Spec
.
NonResourcePath
,
"*"
)
&&
strings
.
HasPrefix
(
a
.
GetPath
(),
strings
.
TrimRight
(
p
.
Spec
.
NonResourcePath
,
"*"
))
{
return
true
}
}
return
false
}
func
resourceMatches
(
p
abac
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
// A resource policy cannot match a non-resource request
if
a
.
IsResourceRequest
()
{
if
p
.
Spec
.
Namespace
==
"*"
||
p
.
Spec
.
Namespace
==
a
.
GetNamespace
()
{
if
p
.
Spec
.
Resource
==
"*"
||
p
.
Spec
.
Resource
==
a
.
GetResource
()
{
if
p
.
Spec
.
APIGroup
==
"*"
||
p
.
Spec
.
APIGroup
==
a
.
GetAPIGroup
()
{
return
true
}
}
}
}
return
false
}
// Authorizer implements authorizer.Authorize
func
(
pl
policyList
)
Authorize
(
a
authorizer
.
Attributes
)
(
authorizer
.
Decision
,
string
,
error
)
{
for
_
,
p
:=
range
pl
{
if
matches
(
*
p
,
a
)
{
return
authorizer
.
DecisionAllow
,
""
,
nil
}
}
return
authorizer
.
DecisionNoOpinion
,
"no ABAC policy matched"
,
nil
// TODO: Benchmark how much time policy matching takes with a medium size
// policy file, compared to other steps such as encoding/decoding.
// Then, add Caching only if needed.
}
func
(
pl
policyList
)
RulesFor
(
user
user
.
Info
,
namespace
string
)
([]
authorizer
.
ResourceRuleInfo
,
[]
authorizer
.
NonResourceRuleInfo
,
bool
,
error
)
{
var
(
resourceRules
[]
authorizer
.
ResourceRuleInfo
nonResourceRules
[]
authorizer
.
NonResourceRuleInfo
)
for
_
,
p
:=
range
pl
{
if
subjectMatches
(
*
p
,
user
)
{
if
p
.
Spec
.
Namespace
==
"*"
||
p
.
Spec
.
Namespace
==
namespace
{
if
len
(
p
.
Spec
.
Resource
)
>
0
{
r
:=
authorizer
.
DefaultResourceRuleInfo
{
Verbs
:
getVerbs
(
p
.
Spec
.
Readonly
),
APIGroups
:
[]
string
{
p
.
Spec
.
APIGroup
},
Resources
:
[]
string
{
p
.
Spec
.
Resource
},
}
var
resourceRule
authorizer
.
ResourceRuleInfo
=
&
r
resourceRules
=
append
(
resourceRules
,
resourceRule
)
}
if
len
(
p
.
Spec
.
NonResourcePath
)
>
0
{
r
:=
authorizer
.
DefaultNonResourceRuleInfo
{
Verbs
:
getVerbs
(
p
.
Spec
.
Readonly
),
NonResourceURLs
:
[]
string
{
p
.
Spec
.
NonResourcePath
},
}
var
nonResourceRule
authorizer
.
NonResourceRuleInfo
=
&
r
nonResourceRules
=
append
(
nonResourceRules
,
nonResourceRule
)
}
}
}
}
return
resourceRules
,
nonResourceRules
,
false
,
nil
}
func
getVerbs
(
isReadOnly
bool
)
[]
string
{
if
isReadOnly
{
return
[]
string
{
"get"
,
"list"
,
"watch"
}
}
return
[]
string
{
"*"
}
}
pkg/auth/authorizer/abac/abac_test.go
deleted
100644 → 0
View file @
8d4c7c0c
This diff is collapsed.
Click to expand it.
pkg/auth/authorizer/abac/example_policy_file.jsonl
deleted
100644 → 0
View file @
8d4c7c0c
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:authenticated", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:unauthenticated", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*" }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "namespace": "*", "resource": "pods", "readonly": true }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "namespace": "*", "resource": "bindings" }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "pods", "readonly": true }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "services", "readonly": true }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "endpoints", "readonly": true }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "events" }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"alice", "namespace": "projectCaribou", "resource": "*", "apiGroup": "*" }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"bob", "namespace": "projectCaribou", "resource": "*", "apiGroup": "*", "readonly": true }}
\ No newline at end of file
pkg/kubeapiserver/authorizer/config.go
View file @
7a67403f
...
@@ -25,7 +25,6 @@ import (
...
@@ -25,7 +25,6 @@ import (
"k8s.io/apiserver/pkg/authorization/union"
"k8s.io/apiserver/pkg/authorization/union"
"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
versionedinformers
"k8s.io/client-go/informers"
versionedinformers
"k8s.io/client-go/informers"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
...
@@ -38,9 +37,6 @@ type AuthorizationConfig struct {
...
@@ -38,9 +37,6 @@ type AuthorizationConfig struct {
// Options for ModeABAC
// Options for ModeABAC
// Path to an ABAC policy file.
PolicyFile
string
// Options for ModeWebhook
// Options for ModeWebhook
// Kubeconfig file for Webhook authorization plugin.
// Kubeconfig file for Webhook authorization plugin.
...
@@ -88,13 +84,6 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
...
@@ -88,13 +84,6 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
alwaysDenyAuthorizer
:=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
alwaysDenyAuthorizer
:=
authorizerfactory
.
NewAlwaysDenyAuthorizer
()
authorizers
=
append
(
authorizers
,
alwaysDenyAuthorizer
)
authorizers
=
append
(
authorizers
,
alwaysDenyAuthorizer
)
ruleResolvers
=
append
(
ruleResolvers
,
alwaysDenyAuthorizer
)
ruleResolvers
=
append
(
ruleResolvers
,
alwaysDenyAuthorizer
)
case
modes
.
ModeABAC
:
abacAuthorizer
,
err
:=
abac
.
NewFromFile
(
config
.
PolicyFile
)
if
err
!=
nil
{
return
nil
,
nil
,
err
}
authorizers
=
append
(
authorizers
,
abacAuthorizer
)
ruleResolvers
=
append
(
ruleResolvers
,
abacAuthorizer
)
case
modes
.
ModeWebhook
:
case
modes
.
ModeWebhook
:
webhookAuthorizer
,
err
:=
webhook
.
New
(
config
.
WebhookConfigFile
,
webhookAuthorizer
,
err
:=
webhook
.
New
(
config
.
WebhookConfigFile
,
config
.
WebhookCacheAuthorizedTTL
,
config
.
WebhookCacheAuthorizedTTL
,
...
...
pkg/kubeapiserver/authorizer/modes/modes.go
View file @
7a67403f
...
@@ -21,13 +21,12 @@ import "k8s.io/apimachinery/pkg/util/sets"
...
@@ -21,13 +21,12 @@ import "k8s.io/apimachinery/pkg/util/sets"
const
(
const
(
ModeAlwaysAllow
string
=
"AlwaysAllow"
ModeAlwaysAllow
string
=
"AlwaysAllow"
ModeAlwaysDeny
string
=
"AlwaysDeny"
ModeAlwaysDeny
string
=
"AlwaysDeny"
ModeABAC
string
=
"ABAC"
ModeWebhook
string
=
"Webhook"
ModeWebhook
string
=
"Webhook"
ModeRBAC
string
=
"RBAC"
ModeRBAC
string
=
"RBAC"
ModeNode
string
=
"Node"
ModeNode
string
=
"Node"
)
)
var
AuthorizationModeChoices
=
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
Mode
ABAC
,
Mode
Webhook
,
ModeRBAC
,
ModeNode
}
var
AuthorizationModeChoices
=
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeWebhook
,
ModeRBAC
,
ModeNode
}
// IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver
// IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver
func
IsValidAuthorizationMode
(
authzMode
string
)
bool
{
func
IsValidAuthorizationMode
(
authzMode
string
)
bool
{
...
...
pkg/kubeapiserver/options/authorization.go
View file @
7a67403f
...
@@ -31,7 +31,6 @@ import (
...
@@ -31,7 +31,6 @@ import (
type
BuiltInAuthorizationOptions
struct
{
type
BuiltInAuthorizationOptions
struct
{
Modes
[]
string
Modes
[]
string
PolicyFile
string
WebhookConfigFile
string
WebhookConfigFile
string
WebhookCacheAuthorizedTTL
time
.
Duration
WebhookCacheAuthorizedTTL
time
.
Duration
WebhookCacheUnauthorizedTTL
time
.
Duration
WebhookCacheUnauthorizedTTL
time
.
Duration
...
@@ -61,11 +60,6 @@ func (s *BuiltInAuthorizationOptions) Validate() []error {
...
@@ -61,11 +60,6 @@ func (s *BuiltInAuthorizationOptions) Validate() []error {
if
!
allowedModes
.
Has
(
mode
)
{
if
!
allowedModes
.
Has
(
mode
)
{
allErrors
=
append
(
allErrors
,
fmt
.
Errorf
(
"authorization-mode %q is not a valid mode"
,
mode
))
allErrors
=
append
(
allErrors
,
fmt
.
Errorf
(
"authorization-mode %q is not a valid mode"
,
mode
))
}
}
if
mode
==
authzmodes
.
ModeABAC
{
if
s
.
PolicyFile
==
""
{
allErrors
=
append
(
allErrors
,
fmt
.
Errorf
(
"authorization-mode ABAC's authorization policy file not passed"
))
}
}
if
mode
==
authzmodes
.
ModeWebhook
{
if
mode
==
authzmodes
.
ModeWebhook
{
if
s
.
WebhookConfigFile
==
""
{
if
s
.
WebhookConfigFile
==
""
{
allErrors
=
append
(
allErrors
,
fmt
.
Errorf
(
"authorization-mode Webhook's authorization config file not passed"
))
allErrors
=
append
(
allErrors
,
fmt
.
Errorf
(
"authorization-mode Webhook's authorization config file not passed"
))
...
@@ -73,10 +67,6 @@ func (s *BuiltInAuthorizationOptions) Validate() []error {
...
@@ -73,10 +67,6 @@ func (s *BuiltInAuthorizationOptions) Validate() []error {
}
}
}
}
if
s
.
PolicyFile
!=
""
&&
!
modes
.
Has
(
authzmodes
.
ModeABAC
)
{
allErrors
=
append
(
allErrors
,
fmt
.
Errorf
(
"cannot specify --authorization-policy-file without mode ABAC"
))
}
if
s
.
WebhookConfigFile
!=
""
&&
!
modes
.
Has
(
authzmodes
.
ModeWebhook
)
{
if
s
.
WebhookConfigFile
!=
""
&&
!
modes
.
Has
(
authzmodes
.
ModeWebhook
)
{
allErrors
=
append
(
allErrors
,
fmt
.
Errorf
(
"cannot specify --authorization-webhook-config-file without mode Webhook"
))
allErrors
=
append
(
allErrors
,
fmt
.
Errorf
(
"cannot specify --authorization-webhook-config-file without mode Webhook"
))
}
}
...
@@ -93,9 +83,6 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -93,9 +83,6 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "
+
"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "
+
strings
.
Join
(
authzmodes
.
AuthorizationModeChoices
,
","
)
+
"."
)
strings
.
Join
(
authzmodes
.
AuthorizationModeChoices
,
","
)
+
"."
)
fs
.
StringVar
(
&
s
.
PolicyFile
,
"authorization-policy-file"
,
s
.
PolicyFile
,
""
+
"File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port."
)
fs
.
StringVar
(
&
s
.
WebhookConfigFile
,
"authorization-webhook-config-file"
,
s
.
WebhookConfigFile
,
""
+
fs
.
StringVar
(
&
s
.
WebhookConfigFile
,
"authorization-webhook-config-file"
,
s
.
WebhookConfigFile
,
""
+
"File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "
+
"File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "
+
"The API server will query the remote service to determine access on the API server's secure port."
)
"The API server will query the remote service to determine access on the API server's secure port."
)
...
@@ -112,7 +99,6 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -112,7 +99,6 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
func
(
s
*
BuiltInAuthorizationOptions
)
ToAuthorizationConfig
(
versionedInformerFactory
versionedinformers
.
SharedInformerFactory
)
authorizer
.
AuthorizationConfig
{
func
(
s
*
BuiltInAuthorizationOptions
)
ToAuthorizationConfig
(
versionedInformerFactory
versionedinformers
.
SharedInformerFactory
)
authorizer
.
AuthorizationConfig
{
return
authorizer
.
AuthorizationConfig
{
return
authorizer
.
AuthorizationConfig
{
AuthorizationModes
:
s
.
Modes
,
AuthorizationModes
:
s
.
Modes
,
PolicyFile
:
s
.
PolicyFile
,
WebhookConfigFile
:
s
.
WebhookConfigFile
,
WebhookConfigFile
:
s
.
WebhookConfigFile
,
WebhookCacheAuthorizedTTL
:
s
.
WebhookCacheAuthorizedTTL
,
WebhookCacheAuthorizedTTL
:
s
.
WebhookCacheAuthorizedTTL
,
WebhookCacheUnauthorizedTTL
:
s
.
WebhookCacheUnauthorizedTTL
,
WebhookCacheUnauthorizedTTL
:
s
.
WebhookCacheUnauthorizedTTL
,
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment