Commit dffe50f8 authored by Dr. Stefan Schimanski's avatar Dr. Stefan Schimanski

apiserver: allow disabling authz/n via options

parent 1bcea541
...@@ -30,7 +30,6 @@ import ( ...@@ -30,7 +30,6 @@ import (
"k8s.io/apiextensions-apiserver/pkg/cmd/server" "k8s.io/apiextensions-apiserver/pkg/cmd/server"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
genericapiserver "k8s.io/apiserver/pkg/server" genericapiserver "k8s.io/apiserver/pkg/server"
"k8s.io/client-go/dynamic" "k8s.io/client-go/dynamic"
) )
...@@ -44,7 +43,8 @@ func DefaultServerConfig() (*extensionsapiserver.Config, error) { ...@@ -44,7 +43,8 @@ func DefaultServerConfig() (*extensionsapiserver.Config, error) {
options := server.NewCustomResourceDefinitionsServerOptions(os.Stdout, os.Stderr) options := server.NewCustomResourceDefinitionsServerOptions(os.Stdout, os.Stderr)
options.RecommendedOptions.Audit.LogOptions.Path = "-" options.RecommendedOptions.Audit.LogOptions.Path = "-"
options.RecommendedOptions.SecureServing.BindPort = port options.RecommendedOptions.SecureServing.BindPort = port
options.RecommendedOptions.Authentication.SkipInClusterLookup = true options.RecommendedOptions.Authentication = nil // disable
options.RecommendedOptions.Authorization = nil // disable
options.RecommendedOptions.SecureServing.BindAddress = net.ParseIP("127.0.0.1") options.RecommendedOptions.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
etcdURL, ok := os.LookupEnv("KUBE_INTEGRATION_ETCD_URL") etcdURL, ok := os.LookupEnv("KUBE_INTEGRATION_ETCD_URL")
if !ok { if !ok {
...@@ -53,26 +53,12 @@ func DefaultServerConfig() (*extensionsapiserver.Config, error) { ...@@ -53,26 +53,12 @@ func DefaultServerConfig() (*extensionsapiserver.Config, error) {
options.RecommendedOptions.Etcd.StorageConfig.ServerList = []string{etcdURL} options.RecommendedOptions.Etcd.StorageConfig.ServerList = []string{etcdURL}
options.RecommendedOptions.Etcd.StorageConfig.Prefix = uuid.New() options.RecommendedOptions.Etcd.StorageConfig.Prefix = uuid.New()
// TODO stop copying this
// because there isn't currently a way to disable authentication or authorization from options
// explode options.Config here
genericConfig := genericapiserver.NewConfig(extensionsapiserver.Codecs) genericConfig := genericapiserver.NewConfig(extensionsapiserver.Codecs)
genericConfig.Authenticator = nil
genericConfig.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
if err := options.RecommendedOptions.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil { if err := options.RecommendedOptions.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
return nil, fmt.Errorf("error creating self-signed certificates: %v", err) return nil, fmt.Errorf("error creating self-signed certificates: %v", err)
} }
if err := options.RecommendedOptions.Etcd.ApplyTo(genericConfig); err != nil { if err := options.RecommendedOptions.ApplyTo(genericConfig); err != nil {
return nil, err
}
if err := options.RecommendedOptions.SecureServing.ApplyTo(genericConfig); err != nil {
return nil, err
}
if err := options.RecommendedOptions.Audit.ApplyTo(genericConfig); err != nil {
return nil, err
}
if err := options.RecommendedOptions.Features.ApplyTo(genericConfig); err != nil {
return nil, err return nil, err
} }
......
...@@ -143,6 +143,11 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -143,6 +143,11 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
} }
func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
if s == nil {
c.Authenticator = nil
return nil
}
clientCA, err := s.getClientCA() clientCA, err := s.getClientCA()
if err != nil { if err != nil {
return err return err
......
...@@ -71,6 +71,11 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -71,6 +71,11 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
} }
func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.Config) error { func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.Config) error {
if s == nil {
c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
return nil
}
cfg, err := s.ToAuthorizationConfig() cfg, err := s.ToAuthorizationConfig()
if err != nil { if err != nil {
return err return err
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment