Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
e1638f11
Commit
e1638f11
authored
Oct 04, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
run authorization from a cache
parent
2c4e618b
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
30 additions
and
114 deletions
+30
-114
server.go
cmd/kube-apiserver/app/server.go
+11
-47
server.go
federation/cmd/federation-apiserver/app/server.go
+11
-46
authz.go
pkg/genericapiserver/authorizer/authz.go
+6
-12
rbac.go
plugin/pkg/auth/authorizer/rbac/rbac.go
+2
-9
No files found.
cmd/kube-apiserver/app/server.go
View file @
e1638f11
...
...
@@ -39,7 +39,6 @@ import (
"k8s.io/kubernetes/pkg/apis/autoscaling"
"k8s.io/kubernetes/pkg/apis/batch"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/apiserver"
"k8s.io/kubernetes/pkg/apiserver/authenticator"
"k8s.io/kubernetes/pkg/apiserver/openapi"
...
...
@@ -52,20 +51,10 @@ import (
generatedopenapi
"k8s.io/kubernetes/pkg/generated/openapi"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericoptions
"k8s.io/kubernetes/pkg/genericapiserver/options"
genericvalidation
"k8s.io/kubernetes/pkg/genericapiserver/validation"
kubeletclient
"k8s.io/kubernetes/pkg/kubelet/client"
"k8s.io/kubernetes/pkg/master"
"k8s.io/kubernetes/pkg/registry/cachesize"
"k8s.io/kubernetes/pkg/registry/generic"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
clusterroleetcd
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
clusterrolebindingetcd
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/role"
roleetcd
"k8s.io/kubernetes/pkg/registry/rbac/role/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
rolebindingetcd
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd"
"k8s.io/kubernetes/pkg/serviceaccount"
"k8s.io/kubernetes/pkg/util/wait"
authenticatorunion
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
...
...
@@ -246,16 +235,16 @@ func Run(s *options.APIServer) error {
glog
.
Fatalf
(
"Invalid Authentication Config: %v"
,
err
)
}
authorizationModeNames
:=
strings
.
Split
(
s
.
AuthorizationMode
,
","
)
modeEnabled
:=
func
(
mode
string
)
bool
{
for
_
,
m
:=
range
authorizationModeNames
{
if
m
==
mode
{
return
true
}
}
return
false
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
selfClientConfig
,
err
:=
s
.
NewSelfClientConfig
(
privilegedLoopbackToken
)
if
err
!=
nil
{
glog
.
Fatalf
(
"Failed to create clientset: %v"
,
err
)
}
client
,
err
:=
s
.
NewSelfClient
(
privilegedLoopbackToken
)
if
err
!=
nil
{
glog
.
Errorf
(
"Failed to create clientset: %v"
,
err
)
}
sharedInformers
:=
informers
.
NewSharedInformerFactory
(
client
,
10
*
time
.
Minute
)
authorizationConfig
:=
authorizer
.
AuthorizationConfig
{
PolicyFile
:
s
.
AuthorizationPolicyFile
,
...
...
@@ -263,39 +252,15 @@ func Run(s *options.APIServer) error {
WebhookCacheAuthorizedTTL
:
s
.
AuthorizationWebhookCacheAuthorizedTTL
,
WebhookCacheUnauthorizedTTL
:
s
.
AuthorizationWebhookCacheUnauthorizedTTL
,
RBACSuperUser
:
s
.
AuthorizationRBACSuperUser
,
InformerFactory
:
sharedInformers
,
}
if
modeEnabled
(
genericoptions
.
ModeRBAC
)
{
mustGetRESTOptions
:=
func
(
resource
string
)
generic
.
RESTOptions
{
config
,
err
:=
storageFactory
.
NewConfig
(
rbac
.
Resource
(
resource
))
if
err
!=
nil
{
glog
.
Fatalf
(
"Unable to get %s storage: %v"
,
resource
,
err
)
}
return
generic
.
RESTOptions
{
StorageConfig
:
config
,
Decorator
:
generic
.
UndecoratedStorage
,
ResourcePrefix
:
storageFactory
.
ResourcePrefix
(
rbac
.
Resource
(
resource
))}
}
// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
authorizationConfig
.
RBACRoleRegistry
=
role
.
NewRegistry
(
roleetcd
.
NewREST
(
mustGetRESTOptions
(
"roles"
)))
authorizationConfig
.
RBACRoleBindingRegistry
=
rolebinding
.
NewRegistry
(
rolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"rolebindings"
)))
authorizationConfig
.
RBACClusterRoleRegistry
=
clusterrole
.
NewRegistry
(
clusterroleetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterroles"
)))
authorizationConfig
.
RBACClusterRoleBindingRegistry
=
clusterrolebinding
.
NewRegistry
(
clusterrolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterrolebindings"
)))
}
authorizationModeNames
:=
strings
.
Split
(
s
.
AuthorizationMode
,
","
)
apiAuthorizer
,
err
:=
authorizer
.
NewAuthorizerFromAuthorizationConfig
(
authorizationModeNames
,
authorizationConfig
)
if
err
!=
nil
{
glog
.
Fatalf
(
"Invalid Authorization Config: %v"
,
err
)
}
admissionControlPluginNames
:=
strings
.
Split
(
s
.
AdmissionControl
,
","
)
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
selfClientConfig
,
err
:=
s
.
NewSelfClientConfig
(
privilegedLoopbackToken
)
if
err
!=
nil
{
glog
.
Fatalf
(
"Failed to create clientset: %v"
,
err
)
}
client
,
err
:=
s
.
NewSelfClient
(
privilegedLoopbackToken
)
if
err
!=
nil
{
glog
.
Errorf
(
"Failed to create clientset: %v"
,
err
)
}
// TODO(dims): We probably need to add an option "EnableLoopbackToken"
if
apiAuthenticator
!=
nil
{
...
...
@@ -314,7 +279,6 @@ func Run(s *options.APIServer) error {
apiAuthorizer
=
authorizerunion
.
New
(
tokenAuthorizer
,
apiAuthorizer
)
}
sharedInformers
:=
informers
.
NewSharedInformerFactory
(
client
,
10
*
time
.
Minute
)
pluginInitializer
:=
admission
.
NewPluginInitializer
(
sharedInformers
,
apiAuthorizer
)
admissionController
,
err
:=
admission
.
NewFromPlugins
(
client
,
admissionControlPluginNames
,
s
.
AdmissionControlConfigFile
,
pluginInitializer
)
...
...
federation/cmd/federation-apiserver/app/server.go
View file @
e1638f11
...
...
@@ -32,7 +32,6 @@ import (
"k8s.io/kubernetes/pkg/admission"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/apiserver/authenticator"
apiserveropenapi
"k8s.io/kubernetes/pkg/apiserver/openapi"
authorizerunion
"k8s.io/kubernetes/pkg/auth/authorizer/union"
...
...
@@ -41,19 +40,10 @@ import (
"k8s.io/kubernetes/pkg/generated/openapi"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericoptions
"k8s.io/kubernetes/pkg/genericapiserver/options"
genericvalidation
"k8s.io/kubernetes/pkg/genericapiserver/validation"
"k8s.io/kubernetes/pkg/registry/cachesize"
"k8s.io/kubernetes/pkg/registry/generic"
"k8s.io/kubernetes/pkg/registry/generic/registry"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
clusterroleetcd
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
clusterrolebindingetcd
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/role"
roleetcd
"k8s.io/kubernetes/pkg/registry/rbac/role/etcd"
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
rolebindingetcd
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd"
"k8s.io/kubernetes/pkg/routes"
"k8s.io/kubernetes/pkg/util/wait"
authenticatorunion
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
...
...
@@ -136,16 +126,16 @@ func Run(s *options.ServerRunOptions) error {
glog
.
Fatalf
(
"Invalid Authentication Config: %v"
,
err
)
}
authorizationModeNames
:=
strings
.
Split
(
s
.
AuthorizationMode
,
","
)
modeEnabled
:=
func
(
mode
string
)
bool
{
for
_
,
m
:=
range
authorizationModeNames
{
if
m
==
mode
{
return
true
}
}
return
false
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
selfClientConfig
,
err
:=
s
.
NewSelfClientConfig
(
privilegedLoopbackToken
)
if
err
!=
nil
{
glog
.
Fatalf
(
"Failed to create clientset: %v"
,
err
)
}
client
,
err
:=
s
.
NewSelfClient
(
privilegedLoopbackToken
)
if
err
!=
nil
{
glog
.
Errorf
(
"Failed to create clientset: %v"
,
err
)
}
sharedInformers
:=
informers
.
NewSharedInformerFactory
(
client
,
10
*
time
.
Minute
)
authorizationConfig
:=
authorizer
.
AuthorizationConfig
{
PolicyFile
:
s
.
AuthorizationPolicyFile
,
...
...
@@ -153,39 +143,15 @@ func Run(s *options.ServerRunOptions) error {
WebhookCacheAuthorizedTTL
:
s
.
AuthorizationWebhookCacheAuthorizedTTL
,
WebhookCacheUnauthorizedTTL
:
s
.
AuthorizationWebhookCacheUnauthorizedTTL
,
RBACSuperUser
:
s
.
AuthorizationRBACSuperUser
,
InformerFactory
:
sharedInformers
,
}
if
modeEnabled
(
genericoptions
.
ModeRBAC
)
{
mustGetRESTOptions
:=
func
(
resource
string
)
generic
.
RESTOptions
{
config
,
err
:=
storageFactory
.
NewConfig
(
rbac
.
Resource
(
resource
))
if
err
!=
nil
{
glog
.
Fatalf
(
"Unable to get %s storage: %v"
,
resource
,
err
)
}
return
generic
.
RESTOptions
{
StorageConfig
:
config
,
Decorator
:
generic
.
UndecoratedStorage
,
ResourcePrefix
:
storageFactory
.
ResourcePrefix
(
rbac
.
Resource
(
resource
))}
}
// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
authorizationConfig
.
RBACRoleRegistry
=
role
.
NewRegistry
(
roleetcd
.
NewREST
(
mustGetRESTOptions
(
"roles"
)))
authorizationConfig
.
RBACRoleBindingRegistry
=
rolebinding
.
NewRegistry
(
rolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"rolebindings"
)))
authorizationConfig
.
RBACClusterRoleRegistry
=
clusterrole
.
NewRegistry
(
clusterroleetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterroles"
)))
authorizationConfig
.
RBACClusterRoleBindingRegistry
=
clusterrolebinding
.
NewRegistry
(
clusterrolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterrolebindings"
)))
}
authorizationModeNames
:=
strings
.
Split
(
s
.
AuthorizationMode
,
","
)
apiAuthorizer
,
err
:=
authorizer
.
NewAuthorizerFromAuthorizationConfig
(
authorizationModeNames
,
authorizationConfig
)
if
err
!=
nil
{
glog
.
Fatalf
(
"Invalid Authorization Config: %v"
,
err
)
}
admissionControlPluginNames
:=
strings
.
Split
(
s
.
AdmissionControl
,
","
)
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
selfClientConfig
,
err
:=
s
.
NewSelfClientConfig
(
privilegedLoopbackToken
)
if
err
!=
nil
{
glog
.
Fatalf
(
"Failed to create clientset: %v"
,
err
)
}
client
,
err
:=
s
.
NewSelfClient
(
privilegedLoopbackToken
)
if
err
!=
nil
{
glog
.
Errorf
(
"Failed to create clientset: %v"
,
err
)
}
// TODO(dims): We probably need to add an option "EnableLoopbackToken"
if
apiAuthenticator
!=
nil
{
...
...
@@ -204,7 +170,6 @@ func Run(s *options.ServerRunOptions) error {
apiAuthorizer
=
authorizerunion
.
New
(
tokenAuthorizer
,
apiAuthorizer
)
}
sharedInformers
:=
informers
.
NewSharedInformerFactory
(
client
,
10
*
time
.
Minute
)
pluginInitializer
:=
admission
.
NewPluginInitializer
(
sharedInformers
,
apiAuthorizer
)
admissionController
,
err
:=
admission
.
NewFromPlugins
(
client
,
admissionControlPluginNames
,
s
.
AdmissionControlConfigFile
,
pluginInitializer
)
...
...
pkg/genericapiserver/authorizer/authz.go
View file @
e1638f11
...
...
@@ -24,11 +24,8 @@ import (
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/authorizer/union"
"k8s.io/kubernetes/pkg/controller/informers"
"k8s.io/kubernetes/pkg/genericapiserver/options"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
"k8s.io/kubernetes/pkg/registry/rbac/role"
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
)
...
...
@@ -117,10 +114,7 @@ type AuthorizationConfig struct {
// User which can bootstrap role policies
RBACSuperUser
string
RBACClusterRoleRegistry
clusterrole
.
Registry
RBACClusterRoleBindingRegistry
clusterrolebinding
.
Registry
RBACRoleRegistry
role
.
Registry
RBACRoleBindingRegistry
rolebinding
.
Registry
InformerFactory
informers
.
SharedInformerFactory
}
// NewAuthorizerFromAuthorizationConfig returns the right sort of union of multiple authorizer.Authorizer objects
...
...
@@ -167,10 +161,10 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
authorizers
=
append
(
authorizers
,
webhookAuthorizer
)
case
options
.
ModeRBAC
:
rbacAuthorizer
:=
rbac
.
New
(
config
.
RBACRoleRegistry
,
config
.
RBACRoleBindingRegistry
,
config
.
RBACClusterRoleRegistry
,
config
.
RBACClusterRoleBindingRegistry
,
config
.
InformerFactory
.
Roles
()
.
Lister
()
,
config
.
InformerFactory
.
RoleBindings
()
.
Lister
()
,
config
.
InformerFactory
.
ClusterRoles
()
.
Lister
()
,
config
.
InformerFactory
.
ClusterRoleBindings
()
.
Lister
()
,
config
.
RBACSuperUser
,
)
authorizers
=
append
(
authorizers
,
rbacAuthorizer
)
...
...
plugin/pkg/auth/authorizer/rbac/rbac.go
View file @
e1638f11
...
...
@@ -22,10 +22,6 @@ import (
"k8s.io/kubernetes/pkg/apis/rbac/validation"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
"k8s.io/kubernetes/pkg/registry/rbac/role"
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
)
type
RequestToRuleMapper
interface
{
...
...
@@ -55,14 +51,11 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
return
false
,
""
,
ruleResolutionError
}
func
New
(
role
Registry
role
.
Registry
,
roleBindingRegistry
rolebinding
.
Registry
,
clusterRoleRegistry
clusterrole
.
Registry
,
clusterRoleBindingRegistry
clusterrolebinding
.
Registry
,
superUser
string
)
*
RBACAuthorizer
{
func
New
(
role
s
validation
.
RoleGetter
,
roleBindings
validation
.
RoleBindingLister
,
clusterRoles
validation
.
ClusterRoleGetter
,
clusterRoleBindings
validation
.
ClusterRoleBindingLister
,
superUser
string
)
*
RBACAuthorizer
{
authorizer
:=
&
RBACAuthorizer
{
superUser
:
superUser
,
authorizationRuleResolver
:
validation
.
NewDefaultRuleResolver
(
role
.
AuthorizerAdapter
{
Registry
:
roleRegistry
},
rolebinding
.
AuthorizerAdapter
{
Registry
:
roleBindingRegistry
},
clusterrole
.
AuthorizerAdapter
{
Registry
:
clusterRoleRegistry
},
clusterrolebinding
.
AuthorizerAdapter
{
Registry
:
clusterRoleBindingRegistry
},
roles
,
roleBindings
,
clusterRoles
,
clusterRoleBindings
,
),
}
return
authorizer
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment