Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
ce6ecbbc
Commit
ce6ecbbc
authored
Oct 16, 2017
by
Dr. Stefan Schimanski
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove all api.Scheme references by using explicit package aliases
parent
2b201ead
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
47 additions
and
47 deletions
+47
-47
conversion_test.go
pkg/apis/abac/v0/conversion_test.go
+12
-12
register.go
pkg/apis/abac/v0/register.go
+3
-3
conversion_test.go
pkg/apis/abac/v1beta1/conversion_test.go
+8
-8
register.go
pkg/apis/abac/v1beta1/register.go
+3
-3
abac.go
pkg/auth/authorizer/abac/abac.go
+11
-11
abac_test.go
pkg/auth/authorizer/abac/abac_test.go
+5
-5
latest.go
plugin/pkg/scheduler/api/latest/latest.go
+3
-3
register.go
plugin/pkg/scheduler/api/v1/register.go
+2
-2
No files found.
pkg/apis/abac/v0/conversion_test.go
View file @
ce6ecbbc
...
...
@@ -21,64 +21,64 @@ import (
"testing"
"k8s.io/apiserver/pkg/authentication/user"
api
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac/v0"
)
func
TestV0Conversion
(
t
*
testing
.
T
)
{
testcases
:=
map
[
string
]
struct
{
old
*
v0
.
Policy
expected
*
a
pi
.
Policy
expected
*
a
bac
.
Policy
}{
// a completely empty policy rule allows everything to all users
"empty"
:
{
old
:
&
v0
.
Policy
{},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
},
// specifying a user is preserved
"user"
:
{
old
:
&
v0
.
Policy
{
User
:
"bob"
},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
User
:
"bob"
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
User
:
"bob"
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
},
// specifying a group is preserved (and no longer matches all users)
"group"
:
{
old
:
&
v0
.
Policy
{
Group
:
"mygroup"
},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
"mygroup"
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
"mygroup"
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
},
// specifying * for user or group maps to all authenticated subjects
"* user"
:
{
old
:
&
v0
.
Policy
{
User
:
"*"
},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
},
"* group"
:
{
old
:
&
v0
.
Policy
{
Group
:
"*"
},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
"*"
,
Namespace
:
"*"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
},
// specifying a namespace removes the * match on non-resource path
"namespace"
:
{
old
:
&
v0
.
Policy
{
Namespace
:
"myns"
},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
""
,
Namespace
:
"myns"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
""
,
Namespace
:
"myns"
,
Resource
:
"*"
,
APIGroup
:
"*"
}},
},
// specifying a resource removes the * match on non-resource path
"resource"
:
{
old
:
&
v0
.
Policy
{
Resource
:
"myresource"
},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
""
,
Namespace
:
"*"
,
Resource
:
"myresource"
,
APIGroup
:
"*"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
""
,
Namespace
:
"*"
,
Resource
:
"myresource"
,
APIGroup
:
"*"
}},
},
// specifying a namespace+resource removes the * match on non-resource path
"namespace+resource"
:
{
old
:
&
v0
.
Policy
{
Namespace
:
"myns"
,
Resource
:
"myresource"
},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
""
,
Namespace
:
"myns"
,
Resource
:
"myresource"
,
APIGroup
:
"*"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
,
Readonly
:
false
,
NonResourcePath
:
""
,
Namespace
:
"myns"
,
Resource
:
"myresource"
,
APIGroup
:
"*"
}},
},
}
for
k
,
tc
:=
range
testcases
{
internal
:=
&
a
pi
.
Policy
{}
if
err
:=
a
pi
.
Scheme
.
Convert
(
tc
.
old
,
internal
,
nil
);
err
!=
nil
{
internal
:=
&
a
bac
.
Policy
{}
if
err
:=
a
bac
.
Scheme
.
Convert
(
tc
.
old
,
internal
,
nil
);
err
!=
nil
{
t
.
Errorf
(
"%s: unexpected error: %v"
,
k
,
err
)
}
if
!
reflect
.
DeepEqual
(
internal
,
tc
.
expected
)
{
...
...
pkg/apis/abac/v0/register.go
View file @
ce6ecbbc
...
...
@@ -19,7 +19,7 @@ package v0
import
(
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
api
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac"
)
const
GroupName
=
"abac.authorization.kubernetes.io"
...
...
@@ -29,11 +29,11 @@ var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v0"}
func
init
()
{
// TODO: Delete this init function, abac should not have its own scheme.
if
err
:=
addKnownTypes
(
a
pi
.
Scheme
);
err
!=
nil
{
if
err
:=
addKnownTypes
(
a
bac
.
Scheme
);
err
!=
nil
{
// Programmer error.
panic
(
err
)
}
if
err
:=
addConversionFuncs
(
a
pi
.
Scheme
);
err
!=
nil
{
if
err
:=
addConversionFuncs
(
a
bac
.
Scheme
);
err
!=
nil
{
// Programmer error.
panic
(
err
)
}
...
...
pkg/apis/abac/v1beta1/conversion_test.go
View file @
ce6ecbbc
...
...
@@ -21,40 +21,40 @@ import (
"testing"
"k8s.io/apiserver/pkg/authentication/user"
api
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac/v1beta1"
)
func
TestV1Beta1Conversion
(
t
*
testing
.
T
)
{
testcases
:=
map
[
string
]
struct
{
old
*
v1beta1
.
Policy
expected
*
a
pi
.
Policy
expected
*
a
bac
.
Policy
}{
// specifying a user is preserved
"user"
:
{
old
:
&
v1beta1
.
Policy
{
Spec
:
v1beta1
.
PolicySpec
{
User
:
"bob"
}},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
User
:
"bob"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
User
:
"bob"
}},
},
// specifying a group is preserved
"group"
:
{
old
:
&
v1beta1
.
Policy
{
Spec
:
v1beta1
.
PolicySpec
{
Group
:
"mygroup"
}},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
"mygroup"
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
"mygroup"
}},
},
// specifying * for user or group maps to all authenticated subjects
"* user"
:
{
old
:
&
v1beta1
.
Policy
{
Spec
:
v1beta1
.
PolicySpec
{
User
:
"*"
}},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
}},
},
"* group"
:
{
old
:
&
v1beta1
.
Policy
{
Spec
:
v1beta1
.
PolicySpec
{
Group
:
"*"
}},
expected
:
&
a
pi
.
Policy
{
Spec
:
api
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
}},
expected
:
&
a
bac
.
Policy
{
Spec
:
abac
.
PolicySpec
{
Group
:
user
.
AllAuthenticated
}},
},
}
for
k
,
tc
:=
range
testcases
{
internal
:=
&
a
pi
.
Policy
{}
if
err
:=
a
pi
.
Scheme
.
Convert
(
tc
.
old
,
internal
,
nil
);
err
!=
nil
{
internal
:=
&
a
bac
.
Policy
{}
if
err
:=
a
bac
.
Scheme
.
Convert
(
tc
.
old
,
internal
,
nil
);
err
!=
nil
{
t
.
Errorf
(
"%s: unexpected error: %v"
,
k
,
err
)
}
if
!
reflect
.
DeepEqual
(
internal
,
tc
.
expected
)
{
...
...
pkg/apis/abac/v1beta1/register.go
View file @
ce6ecbbc
...
...
@@ -19,7 +19,7 @@ package v1beta1
import
(
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
api
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac"
)
const
GroupName
=
"abac.authorization.kubernetes.io"
...
...
@@ -29,11 +29,11 @@ var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1
func
init
()
{
// TODO: delete this, abac should not have its own scheme.
if
err
:=
addKnownTypes
(
a
pi
.
Scheme
);
err
!=
nil
{
if
err
:=
addKnownTypes
(
a
bac
.
Scheme
);
err
!=
nil
{
// Programmer error.
panic
(
err
)
}
if
err
:=
addConversionFuncs
(
a
pi
.
Scheme
);
err
!=
nil
{
if
err
:=
addConversionFuncs
(
a
bac
.
Scheme
);
err
!=
nil
{
// Programmer error.
panic
(
err
)
}
...
...
pkg/auth/authorizer/abac/abac.go
View file @
ce6ecbbc
...
...
@@ -30,7 +30,7 @@ import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
api
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac"
_
"k8s.io/kubernetes/pkg/apis/abac/latest"
"k8s.io/kubernetes/pkg/apis/abac/v0"
)
...
...
@@ -49,7 +49,7 @@ func (p policyLoadError) Error() string {
return
fmt
.
Sprintf
(
"error reading policy file %s: %v"
,
p
.
path
,
p
.
err
)
}
type
policyList
[]
*
a
pi
.
Policy
type
policyList
[]
*
a
bac
.
Policy
// TODO: Have policies be created via an API call and stored in REST storage.
func
NewFromFile
(
path
string
)
(
policyList
,
error
)
{
...
...
@@ -64,13 +64,13 @@ func NewFromFile(path string) (policyList, error) {
scanner
:=
bufio
.
NewScanner
(
file
)
pl
:=
make
(
policyList
,
0
)
decoder
:=
a
pi
.
Codecs
.
UniversalDecoder
()
decoder
:=
a
bac
.
Codecs
.
UniversalDecoder
()
i
:=
0
unversionedLines
:=
0
for
scanner
.
Scan
()
{
i
++
p
:=
&
a
pi
.
Policy
{}
p
:=
&
a
bac
.
Policy
{}
b
:=
scanner
.
Bytes
()
// skip comment lines and blank lines
...
...
@@ -90,14 +90,14 @@ func NewFromFile(path string) (policyList, error) {
if
err
:=
runtime
.
DecodeInto
(
decoder
,
b
,
oldPolicy
);
err
!=
nil
{
return
nil
,
policyLoadError
{
path
,
i
,
b
,
err
}
}
if
err
:=
a
pi
.
Scheme
.
Convert
(
oldPolicy
,
p
,
nil
);
err
!=
nil
{
if
err
:=
a
bac
.
Scheme
.
Convert
(
oldPolicy
,
p
,
nil
);
err
!=
nil
{
return
nil
,
policyLoadError
{
path
,
i
,
b
,
err
}
}
pl
=
append
(
pl
,
p
)
continue
}
decodedPolicy
,
ok
:=
decodedObj
.
(
*
a
pi
.
Policy
)
decodedPolicy
,
ok
:=
decodedObj
.
(
*
a
bac
.
Policy
)
if
!
ok
{
return
nil
,
policyLoadError
{
path
,
i
,
b
,
fmt
.
Errorf
(
"unrecognized object: %#v"
,
decodedObj
)}
}
...
...
@@ -114,7 +114,7 @@ func NewFromFile(path string) (policyList, error) {
return
pl
,
nil
}
func
matches
(
p
a
pi
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
func
matches
(
p
a
bac
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
if
subjectMatches
(
p
,
a
.
GetUser
())
{
if
verbMatches
(
p
,
a
)
{
// Resource and non-resource requests are mutually exclusive, at most one will match a policy
...
...
@@ -130,7 +130,7 @@ func matches(p api.Policy, a authorizer.Attributes) bool {
}
// subjectMatches returns true if specified user and group properties in the policy match the attributes
func
subjectMatches
(
p
a
pi
.
Policy
,
user
user
.
Info
)
bool
{
func
subjectMatches
(
p
a
bac
.
Policy
,
user
user
.
Info
)
bool
{
matched
:=
false
if
user
==
nil
{
...
...
@@ -171,7 +171,7 @@ func subjectMatches(p api.Policy, user user.Info) bool {
return
matched
}
func
verbMatches
(
p
a
pi
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
func
verbMatches
(
p
a
bac
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
// TODO: match on verb
// All policies allow read only requests
...
...
@@ -187,7 +187,7 @@ func verbMatches(p api.Policy, a authorizer.Attributes) bool {
return
false
}
func
nonResourceMatches
(
p
a
pi
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
func
nonResourceMatches
(
p
a
bac
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
// A non-resource policy cannot match a resource request
if
!
a
.
IsResourceRequest
()
{
// Allow wildcard match
...
...
@@ -206,7 +206,7 @@ func nonResourceMatches(p api.Policy, a authorizer.Attributes) bool {
return
false
}
func
resourceMatches
(
p
a
pi
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
func
resourceMatches
(
p
a
bac
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
// A resource policy cannot match a non-resource request
if
a
.
IsResourceRequest
()
{
if
p
.
Spec
.
Namespace
==
"*"
||
p
.
Spec
.
Namespace
==
a
.
GetNamespace
()
{
...
...
pkg/auth/authorizer/abac/abac_test.go
View file @
ce6ecbbc
...
...
@@ -25,7 +25,7 @@ import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
api
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac/v0"
"k8s.io/kubernetes/pkg/apis/abac/v1beta1"
)
...
...
@@ -799,8 +799,8 @@ func TestSubjectMatches(t *testing.T) {
}
for
k
,
tc
:=
range
testCases
{
policy
:=
&
a
pi
.
Policy
{}
if
err
:=
a
pi
.
Scheme
.
Convert
(
tc
.
Policy
,
policy
,
nil
);
err
!=
nil
{
policy
:=
&
a
bac
.
Policy
{}
if
err
:=
a
bac
.
Scheme
.
Convert
(
tc
.
Policy
,
policy
,
nil
);
err
!=
nil
{
t
.
Errorf
(
"%s: error converting: %v"
,
k
,
err
)
continue
}
...
...
@@ -1254,8 +1254,8 @@ func TestPolicy(t *testing.T) {
},
}
for
_
,
test
:=
range
tests
{
policy
:=
&
a
pi
.
Policy
{}
if
err
:=
a
pi
.
Scheme
.
Convert
(
test
.
policy
,
policy
,
nil
);
err
!=
nil
{
policy
:=
&
a
bac
.
Policy
{}
if
err
:=
a
bac
.
Scheme
.
Convert
(
test
.
policy
,
policy
,
nil
);
err
!=
nil
{
t
.
Errorf
(
"%s: error converting: %v"
,
test
.
name
,
err
)
continue
}
...
...
plugin/pkg/scheduler/api/latest/latest.go
View file @
ce6ecbbc
...
...
@@ -21,7 +21,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer/json"
"k8s.io/apimachinery/pkg/runtime/serializer/versioning"
"k8s.io/kubernetes/plugin/pkg/scheduler/api"
schedulerapi
"k8s.io/kubernetes/plugin/pkg/scheduler/api"
_
"k8s.io/kubernetes/plugin/pkg/scheduler/api/v1"
)
...
...
@@ -42,9 +42,9 @@ var Versions = []string{"v1"}
var
Codec
runtime
.
Codec
func
init
()
{
jsonSerializer
:=
json
.
NewSerializer
(
json
.
DefaultMetaFactory
,
api
.
Scheme
,
api
.
Scheme
,
true
)
jsonSerializer
:=
json
.
NewSerializer
(
json
.
DefaultMetaFactory
,
schedulerapi
.
Scheme
,
scheduler
api
.
Scheme
,
true
)
Codec
=
versioning
.
NewDefaultingCodecForScheme
(
api
.
Scheme
,
scheduler
api
.
Scheme
,
jsonSerializer
,
jsonSerializer
,
schema
.
GroupVersion
{
Version
:
Version
},
...
...
plugin/pkg/scheduler/api/v1/register.go
View file @
ce6ecbbc
...
...
@@ -19,7 +19,7 @@ package v1
import
(
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/kubernetes/plugin/pkg/scheduler/api"
schedulerapi
"k8s.io/kubernetes/plugin/pkg/scheduler/api"
)
// SchemeGroupVersion is group version used to register these objects
...
...
@@ -27,7 +27,7 @@ import (
var
SchemeGroupVersion
=
schema
.
GroupVersion
{
Group
:
""
,
Version
:
"v1"
}
func
init
()
{
if
err
:=
addKnownTypes
(
api
.
Scheme
);
err
!=
nil
{
if
err
:=
addKnownTypes
(
scheduler
api
.
Scheme
);
err
!=
nil
{
// Programmer error.
panic
(
err
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment