Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
f6b42fb8
Commit
f6b42fb8
authored
Oct 08, 2018
by
Darren Shepherd
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove RequestHeader and ClientCerts auth
parent
46a45a64
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
1 addition
and
420 deletions
+1
-420
server.go
cmd/kube-apiserver/app/server.go
+0
-18
authentication.go
pkg/kubeapiserver/options/authentication.go
+0
-43
client_ca_hook.go
pkg/master/client_ca_hook.go
+0
-137
master.go
pkg/master/master.go
+0
-5
config.go
staging/src/k8s.io/apiserver/pkg/server/config.go
+0
-21
authentication.go
...src/k8s.io/apiserver/pkg/server/options/authentication.go
+1
-196
No files found.
cmd/kube-apiserver/app/server.go
View file @
f6b42fb8
...
@@ -224,15 +224,6 @@ func CreateKubeAPIServerConfig(
...
@@ -224,15 +224,6 @@ func CreateKubeAPIServerConfig(
return
return
}
}
clientCA
,
lastErr
:=
readCAorNil
(
s
.
Authentication
.
ClientCert
.
ClientCA
)
if
lastErr
!=
nil
{
return
}
requestHeaderProxyCA
,
lastErr
:=
readCAorNil
(
s
.
Authentication
.
RequestHeader
.
ClientCAFile
)
if
lastErr
!=
nil
{
return
}
var
(
var
(
issuer
serviceaccount
.
TokenGenerator
issuer
serviceaccount
.
TokenGenerator
apiAudiences
[]
string
apiAudiences
[]
string
...
@@ -280,15 +271,6 @@ func CreateKubeAPIServerConfig(
...
@@ -280,15 +271,6 @@ func CreateKubeAPIServerConfig(
config
=
&
master
.
Config
{
config
=
&
master
.
Config
{
GenericConfig
:
genericConfig
,
GenericConfig
:
genericConfig
,
ExtraConfig
:
master
.
ExtraConfig
{
ExtraConfig
:
master
.
ExtraConfig
{
ClientCARegistrationHook
:
master
.
ClientCARegistrationHook
{
ClientCA
:
clientCA
,
RequestHeaderUsernameHeaders
:
s
.
Authentication
.
RequestHeader
.
UsernameHeaders
,
RequestHeaderGroupHeaders
:
s
.
Authentication
.
RequestHeader
.
GroupHeaders
,
RequestHeaderExtraHeaderPrefixes
:
s
.
Authentication
.
RequestHeader
.
ExtraHeaderPrefixes
,
RequestHeaderCA
:
requestHeaderProxyCA
,
RequestHeaderAllowedNames
:
s
.
Authentication
.
RequestHeader
.
AllowedNames
,
},
APIResourceConfigSource
:
storageFactory
.
APIResourceConfigSource
,
APIResourceConfigSource
:
storageFactory
.
APIResourceConfigSource
,
StorageFactory
:
storageFactory
,
StorageFactory
:
storageFactory
,
EventTTL
:
s
.
EventTTL
,
EventTTL
:
s
.
EventTTL
,
...
...
pkg/kubeapiserver/options/authentication.go
View file @
f6b42fb8
...
@@ -27,16 +27,13 @@ import (
...
@@ -27,16 +27,13 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/sets"
genericapiserver
"k8s.io/apiserver/pkg/server"
genericapiserver
"k8s.io/apiserver/pkg/server"
genericoptions
"k8s.io/apiserver/pkg/server/options"
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
)
)
type
BuiltInAuthenticationOptions
struct
{
type
BuiltInAuthenticationOptions
struct
{
Anonymous
*
AnonymousAuthenticationOptions
Anonymous
*
AnonymousAuthenticationOptions
ClientCert
*
genericoptions
.
ClientCertAuthenticationOptions
PasswordFile
*
PasswordFileAuthenticationOptions
PasswordFile
*
PasswordFileAuthenticationOptions
RequestHeader
*
genericoptions
.
RequestHeaderAuthenticationOptions
ServiceAccounts
*
ServiceAccountAuthenticationOptions
ServiceAccounts
*
ServiceAccountAuthenticationOptions
TokenFile
*
TokenFileAuthenticationOptions
TokenFile
*
TokenFileAuthenticationOptions
WebHook
*
WebHookAuthenticationOptions
WebHook
*
WebHookAuthenticationOptions
...
@@ -80,9 +77,7 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
...
@@ -80,9 +77,7 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
func
(
s
*
BuiltInAuthenticationOptions
)
WithAll
()
*
BuiltInAuthenticationOptions
{
func
(
s
*
BuiltInAuthenticationOptions
)
WithAll
()
*
BuiltInAuthenticationOptions
{
return
s
.
return
s
.
WithAnonymous
()
.
WithAnonymous
()
.
WithClientCert
()
.
WithPasswordFile
()
.
WithPasswordFile
()
.
WithRequestHeader
()
.
WithServiceAccounts
()
.
WithServiceAccounts
()
.
WithTokenFile
()
.
WithTokenFile
()
.
WithWebHook
()
WithWebHook
()
...
@@ -93,21 +88,11 @@ func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOpt
...
@@ -93,21 +88,11 @@ func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOpt
return
s
return
s
}
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithClientCert
()
*
BuiltInAuthenticationOptions
{
s
.
ClientCert
=
&
genericoptions
.
ClientCertAuthenticationOptions
{}
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithPasswordFile
()
*
BuiltInAuthenticationOptions
{
func
(
s
*
BuiltInAuthenticationOptions
)
WithPasswordFile
()
*
BuiltInAuthenticationOptions
{
s
.
PasswordFile
=
&
PasswordFileAuthenticationOptions
{}
s
.
PasswordFile
=
&
PasswordFileAuthenticationOptions
{}
return
s
return
s
}
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithRequestHeader
()
*
BuiltInAuthenticationOptions
{
s
.
RequestHeader
=
&
genericoptions
.
RequestHeaderAuthenticationOptions
{}
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithServiceAccounts
()
*
BuiltInAuthenticationOptions
{
func
(
s
*
BuiltInAuthenticationOptions
)
WithServiceAccounts
()
*
BuiltInAuthenticationOptions
{
s
.
ServiceAccounts
=
&
ServiceAccountAuthenticationOptions
{
Lookup
:
true
}
s
.
ServiceAccounts
=
&
ServiceAccountAuthenticationOptions
{
Lookup
:
true
}
return
s
return
s
...
@@ -146,20 +131,12 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -146,20 +131,12 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated."
)
"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated."
)
}
}
if
s
.
ClientCert
!=
nil
{
s
.
ClientCert
.
AddFlags
(
fs
)
}
if
s
.
PasswordFile
!=
nil
{
if
s
.
PasswordFile
!=
nil
{
fs
.
StringVar
(
&
s
.
PasswordFile
.
BasicAuthFile
,
"basic-auth-file"
,
s
.
PasswordFile
.
BasicAuthFile
,
""
+
fs
.
StringVar
(
&
s
.
PasswordFile
.
BasicAuthFile
,
"basic-auth-file"
,
s
.
PasswordFile
.
BasicAuthFile
,
""
+
"If set, the file that will be used to admit requests to the secure port of the API server "
+
"If set, the file that will be used to admit requests to the secure port of the API server "
+
"via http basic authentication."
)
"via http basic authentication."
)
}
}
if
s
.
RequestHeader
!=
nil
{
s
.
RequestHeader
.
AddFlags
(
fs
)
}
if
s
.
ServiceAccounts
!=
nil
{
if
s
.
ServiceAccounts
!=
nil
{
fs
.
StringArrayVar
(
&
s
.
ServiceAccounts
.
KeyFiles
,
"service-account-key-file"
,
s
.
ServiceAccounts
.
KeyFiles
,
""
+
fs
.
StringArrayVar
(
&
s
.
ServiceAccounts
.
KeyFiles
,
"service-account-key-file"
,
s
.
ServiceAccounts
.
KeyFiles
,
""
+
"File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify "
+
"File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify "
+
...
@@ -210,18 +187,10 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
...
@@ -210,18 +187,10 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
ret
.
Anonymous
=
s
.
Anonymous
.
Allow
ret
.
Anonymous
=
s
.
Anonymous
.
Allow
}
}
if
s
.
ClientCert
!=
nil
{
ret
.
ClientCAFile
=
s
.
ClientCert
.
ClientCA
}
if
s
.
PasswordFile
!=
nil
{
if
s
.
PasswordFile
!=
nil
{
ret
.
BasicAuthFile
=
s
.
PasswordFile
.
BasicAuthFile
ret
.
BasicAuthFile
=
s
.
PasswordFile
.
BasicAuthFile
}
}
if
s
.
RequestHeader
!=
nil
{
ret
.
RequestHeaderConfig
=
s
.
RequestHeader
.
ToAuthenticationRequestHeaderConfig
()
}
if
s
.
ServiceAccounts
!=
nil
{
if
s
.
ServiceAccounts
!=
nil
{
ret
.
ServiceAccountKeyFiles
=
s
.
ServiceAccounts
.
KeyFiles
ret
.
ServiceAccountKeyFiles
=
s
.
ServiceAccounts
.
KeyFiles
ret
.
ServiceAccountLookup
=
s
.
ServiceAccounts
.
Lookup
ret
.
ServiceAccountLookup
=
s
.
ServiceAccounts
.
Lookup
...
@@ -255,18 +224,6 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
...
@@ -255,18 +224,6 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
return
nil
return
nil
}
}
var
err
error
if
o
.
ClientCert
!=
nil
{
if
err
=
c
.
Authentication
.
ApplyClientCert
(
o
.
ClientCert
.
ClientCA
,
c
.
SecureServing
);
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
if
o
.
RequestHeader
!=
nil
{
if
err
=
c
.
Authentication
.
ApplyClientCert
(
o
.
RequestHeader
.
ClientCAFile
,
c
.
SecureServing
);
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
c
.
Authentication
.
SupportsBasicAuth
=
o
.
PasswordFile
!=
nil
&&
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
c
.
Authentication
.
SupportsBasicAuth
=
o
.
PasswordFile
!=
nil
&&
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
return
nil
return
nil
...
...
pkg/master/client_ca_hook.go
deleted
100644 → 0
View file @
46a45a64
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
master
import
(
"encoding/json"
"fmt"
"time"
apierrors
"k8s.io/apimachinery/pkg/api/errors"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
utilruntime
"k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/util/wait"
genericapiserver
"k8s.io/apiserver/pkg/server"
api
"k8s.io/kubernetes/pkg/apis/core"
coreclient
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
)
type
ClientCARegistrationHook
struct
{
ClientCA
[]
byte
RequestHeaderUsernameHeaders
[]
string
RequestHeaderGroupHeaders
[]
string
RequestHeaderExtraHeaderPrefixes
[]
string
RequestHeaderCA
[]
byte
RequestHeaderAllowedNames
[]
string
}
func
(
h
ClientCARegistrationHook
)
PostStartHook
(
hookContext
genericapiserver
.
PostStartHookContext
)
error
{
// initializing CAs is important so that aggregated API servers can come up with "normal" config.
// We've seen lagging etcd before, so we want to retry this a few times before we decide to crashloop
// the API server on it.
err
:=
wait
.
Poll
(
1
*
time
.
Second
,
30
*
time
.
Second
,
func
()
(
done
bool
,
err
error
)
{
// retry building the config since sometimes the server can be in an in-between state which caused
// some kind of auto detection failure as I recall from other post start hooks.
// TODO see if this is still true and fix the RBAC one too if it isn't.
client
,
err
:=
coreclient
.
NewForConfig
(
hookContext
.
LoopbackClientConfig
)
if
err
!=
nil
{
utilruntime
.
HandleError
(
err
)
return
false
,
nil
}
return
h
.
tryToWriteClientCAs
(
client
)
})
// if we're never able to make it through initialization, kill the API server
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to initialize client CA configmap: %v"
,
err
)
}
return
nil
}
// tryToWriteClientCAs is here for unit testing with a fake client. This is a wait.ConditionFunc so the bool
// indicates if the condition was met. True when its finished, false when it should retry.
func
(
h
ClientCARegistrationHook
)
tryToWriteClientCAs
(
client
coreclient
.
CoreInterface
)
(
bool
,
error
)
{
if
err
:=
createNamespaceIfNeeded
(
client
,
metav1
.
NamespaceSystem
);
err
!=
nil
{
utilruntime
.
HandleError
(
err
)
return
false
,
nil
}
data
:=
map
[
string
]
string
{}
if
len
(
h
.
ClientCA
)
>
0
{
data
[
"client-ca-file"
]
=
string
(
h
.
ClientCA
)
}
if
len
(
h
.
RequestHeaderCA
)
>
0
{
var
err
error
// encoding errors aren't going to get better, so just fail on them.
data
[
"requestheader-username-headers"
],
err
=
jsonSerializeStringSlice
(
h
.
RequestHeaderUsernameHeaders
)
if
err
!=
nil
{
return
false
,
err
}
data
[
"requestheader-group-headers"
],
err
=
jsonSerializeStringSlice
(
h
.
RequestHeaderGroupHeaders
)
if
err
!=
nil
{
return
false
,
err
}
data
[
"requestheader-extra-headers-prefix"
],
err
=
jsonSerializeStringSlice
(
h
.
RequestHeaderExtraHeaderPrefixes
)
if
err
!=
nil
{
return
false
,
err
}
data
[
"requestheader-client-ca-file"
]
=
string
(
h
.
RequestHeaderCA
)
data
[
"requestheader-allowed-names"
],
err
=
jsonSerializeStringSlice
(
h
.
RequestHeaderAllowedNames
)
if
err
!=
nil
{
return
false
,
err
}
}
// write errors may work next time if we retry, so queue for retry
if
err
:=
writeConfigMap
(
client
,
"extension-apiserver-authentication"
,
data
);
err
!=
nil
{
utilruntime
.
HandleError
(
err
)
return
false
,
nil
}
return
true
,
nil
}
func
jsonSerializeStringSlice
(
in
[]
string
)
(
string
,
error
)
{
out
,
err
:=
json
.
Marshal
(
in
)
if
err
!=
nil
{
return
""
,
err
}
return
string
(
out
),
err
}
func
writeConfigMap
(
client
coreclient
.
ConfigMapsGetter
,
name
string
,
data
map
[
string
]
string
)
error
{
existing
,
err
:=
client
.
ConfigMaps
(
metav1
.
NamespaceSystem
)
.
Get
(
name
,
metav1
.
GetOptions
{})
if
apierrors
.
IsNotFound
(
err
)
{
_
,
err
:=
client
.
ConfigMaps
(
metav1
.
NamespaceSystem
)
.
Create
(
&
api
.
ConfigMap
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Namespace
:
metav1
.
NamespaceSystem
,
Name
:
name
},
Data
:
data
,
})
return
err
}
if
err
!=
nil
{
return
err
}
existing
.
Data
=
data
_
,
err
=
client
.
ConfigMaps
(
metav1
.
NamespaceSystem
)
.
Update
(
existing
)
return
err
}
pkg/master/master.go
View file @
f6b42fb8
...
@@ -90,8 +90,6 @@ const (
...
@@ -90,8 +90,6 @@ const (
)
)
type
ExtraConfig
struct
{
type
ExtraConfig
struct
{
ClientCARegistrationHook
ClientCARegistrationHook
APIResourceConfigSource
serverstorage
.
APIResourceConfigSource
APIResourceConfigSource
serverstorage
.
APIResourceConfigSource
StorageFactory
serverstorage
.
StorageFactory
StorageFactory
serverstorage
.
StorageFactory
EndpointReconcilerConfig
EndpointReconcilerConfig
EndpointReconcilerConfig
EndpointReconcilerConfig
...
@@ -178,8 +176,6 @@ type EndpointReconcilerConfig struct {
...
@@ -178,8 +176,6 @@ type EndpointReconcilerConfig struct {
// Master contains state for a Kubernetes cluster master/api server.
// Master contains state for a Kubernetes cluster master/api server.
type
Master
struct
{
type
Master
struct
{
GenericAPIServer
*
genericapiserver
.
GenericAPIServer
GenericAPIServer
*
genericapiserver
.
GenericAPIServer
ClientCARegistrationHook
ClientCARegistrationHook
}
}
func
(
c
*
Config
)
createMasterCountReconciler
()
reconcilers
.
EndpointReconciler
{
func
(
c
*
Config
)
createMasterCountReconciler
()
reconcilers
.
EndpointReconciler
{
...
@@ -342,7 +338,6 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
...
@@ -342,7 +338,6 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
}
}
m
.
InstallAPIs
(
c
.
ExtraConfig
.
APIResourceConfigSource
,
c
.
GenericConfig
.
RESTOptionsGetter
,
restStorageProviders
...
)
m
.
InstallAPIs
(
c
.
ExtraConfig
.
APIResourceConfigSource
,
c
.
GenericConfig
.
RESTOptionsGetter
,
restStorageProviders
...
)
m
.
GenericAPIServer
.
AddPostStartHookOrDie
(
"ca-registration"
,
c
.
ExtraConfig
.
ClientCARegistrationHook
.
PostStartHook
)
m
.
GenericAPIServer
.
AddPostStartHookOrDie
(
"start-kube-apiserver-informers"
,
func
(
context
genericapiserver
.
PostStartHookContext
)
error
{
m
.
GenericAPIServer
.
AddPostStartHookOrDie
(
"start-kube-apiserver-informers"
,
func
(
context
genericapiserver
.
PostStartHookContext
)
error
{
if
c
.
ExtraConfig
.
InternalInformers
!=
nil
{
if
c
.
ExtraConfig
.
InternalInformers
!=
nil
{
c
.
ExtraConfig
.
InternalInformers
.
Start
(
context
.
StopCh
)
c
.
ExtraConfig
.
InternalInformers
.
Start
(
context
.
StopCh
)
...
...
staging/src/k8s.io/apiserver/pkg/server/config.go
View file @
f6b42fb8
...
@@ -56,8 +56,6 @@ import (
...
@@ -56,8 +56,6 @@ import (
"k8s.io/apiserver/pkg/util/logs"
"k8s.io/apiserver/pkg/util/logs"
"k8s.io/client-go/informers"
"k8s.io/client-go/informers"
restclient
"k8s.io/client-go/rest"
restclient
"k8s.io/client-go/rest"
certutil
"k8s.io/client-go/util/cert"
// install apis
// install apis
_
"k8s.io/apiserver/pkg/apis/apiserver/install"
_
"k8s.io/apiserver/pkg/apis/apiserver/install"
)
)
...
@@ -256,25 +254,6 @@ func NewRecommendedConfig(codecs serializer.CodecFactory) *RecommendedConfig {
...
@@ -256,25 +254,6 @@ func NewRecommendedConfig(codecs serializer.CodecFactory) *RecommendedConfig {
}
}
}
}
func
(
c
*
AuthenticationInfo
)
ApplyClientCert
(
clientCAFile
string
,
servingInfo
*
SecureServingInfo
)
error
{
if
servingInfo
!=
nil
{
if
len
(
clientCAFile
)
>
0
{
clientCAs
,
err
:=
certutil
.
CertsFromFile
(
clientCAFile
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
if
servingInfo
.
ClientCA
==
nil
{
servingInfo
.
ClientCA
=
x509
.
NewCertPool
()
}
for
_
,
cert
:=
range
clientCAs
{
servingInfo
.
ClientCA
.
AddCert
(
cert
)
}
}
}
return
nil
}
type
completedConfig
struct
{
type
completedConfig
struct
{
*
Config
*
Config
...
...
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
View file @
f6b42fb8
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment