github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
k3s/cmd/kube-apiserver/apiserver.go

254 lines
10 KiB
Go
Raw Normal View History

First commit
2014-06-06 23:40:48 +00:00
/*
Copyright 2014 Google Inc. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
Add a binary and scripts for running a local kubernetes cluster.
2014-06-11 23:02:08 +00:00
First commit
2014-06-06 23:40:48 +00:00
// apiserver is the main api server and master for the cluster.
// it is responsible for serving the cluster management API.
package main
import (
x509 request authenticator
2014-12-01 22:11:59 +00:00
"crypto/tls"
First commit
2014-06-06 23:40:48 +00:00
"flag"
Readability improvements.
2014-06-16 05:30:02 +00:00
"net"
Allow master's pod info getter to be faked. Wire up in integration tests in futile attempt to make travis pass.
2014-07-02 00:08:32 +00:00
"net/http"
Readability improvements.
2014-06-16 05:30:02 +00:00
"strconv"
Add basic Authorization. Added basic interface for authorizer implementations. Added default "authorize everything" and "authorize nothing implementations. Added authorization check immediately after authentication check. Added an integration test of authorization at the HTTP level of abstraction.
2014-10-16 21:18:16 +00:00
"strings"
integrate minion health checking and caching.
2014-07-18 03:54:54 +00:00
"time"
First commit
2014-06-06 23:40:48 +00:00
Extract RESTHandler and allow API groupings Prepare for running multiple API versions on the same HTTP server by decoupling some of the mechanics of apiserver. Define a new APIGroup object which represents a version of the API.
2014-08-09 21:12:55 +00:00
"github.com/GoogleCloudPlatform/kubernetes/pkg/apiserver"
Add a flag to reject privileged containers in the apiserver.
2014-09-16 14:04:12 +00:00
"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
Allow master's pod info getter to be faked. Wire up in integration tests in futile attempt to make travis pass.
2014-07-02 00:08:32 +00:00
"github.com/GoogleCloudPlatform/kubernetes/pkg/client"
Add load balancing support to services.
2014-06-17 17:50:42 +00:00
"github.com/GoogleCloudPlatform/kubernetes/pkg/cloudprovider"
Refactor apiserver command; move logic to a package for reuse and eventual testing
2014-06-16 06:29:07 +00:00
"github.com/GoogleCloudPlatform/kubernetes/pkg/master"
Allow etcd config file to be passed to apiserver, kubelet, and proxy
2014-09-26 01:11:01 +00:00
"github.com/GoogleCloudPlatform/kubernetes/pkg/tools"
First commit
2014-06-06 23:40:48 +00:00
"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
Rename `pkg/version/flag` to `pkg/version/verflag` This avoids some conflict with the built-in `flag` module in Go. The module was already being renamed to `verflag` on import anyways, so we might as well just call it that. Tested: - hack/build-go.sh and ran the resulting binaries with -version args. Signed-off-by: Filipe Brandenburger <filbranden@google.com>
2014-08-30 06:19:32 +00:00
"github.com/GoogleCloudPlatform/kubernetes/pkg/version/verflag"
Allow etcd config file to be passed to apiserver, kubelet, and proxy
2014-09-26 01:11:01 +00:00
"github.com/coreos/go-etcd/etcd"
Switch to glog for logging, bridge logging to glog. 1) imported glog to third_party (previous commit) 2) add support for third_party/update.sh to update just one pkg 3) search-and-replace: s/log.Printf/glog.Infof/ s/log.Print/glog.Info/ s/log.Fatalf/glog.Fatalf/ s/log.Fatal/glog.Fatal/ 4) convert glog.Info.*, err into glog.Error* Adds some util interfaces to logging and calls them from each cmd, which will set the default log output to write to glog. Pass glog-wrapped Loggers to etcd for logging. Log files will go to /tmp - we should probably follow this up with a default log dir for each cmd. The glog lib is sort of weak in that it only flushes every 30 seconds, so we spin up our own flushing goroutine.
2014-06-25 03:51:57 +00:00
"github.com/golang/glog"
First commit
2014-06-06 23:40:48 +00:00
)
var (
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
// arrange these text blocks sensibly. Grrr.
Switch models. No master election.
2014-10-28 23:49:52 +00:00
port = flag.Int("port", 8080, ""+
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
"The port to listen on. Default 8080. It is assumed that firewall rules are "+
"set up such that this port is not reachable from outside of the cluster. It is "+
"further assumed that port 443 on the cluster's public address is proxied to this "+
"port. This is performed by nginx in the default setup.")
Flag-compatible IP type
2014-10-04 04:34:30 +00:00
address = util.IP(net.ParseIP("127.0.0.1"))
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
publicAddressOverride = flag.String("public_address_override", "", ""+
"Public serving address. Read only port will be opened on this address, "+
"and it is assumed that port 443 at this address will be proxied/redirected "+
"to '-address':'-port'. If blank, the address in the first listed interface "+
"will be used.")
Switch models. No master election.
2014-10-28 23:49:52 +00:00
readOnlyPort = flag.Int("read_only_port", 7080, ""+
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
"The port from which to serve read-only resources. If 0, don't serve on a "+
"read-only address. It is assumed that firewall rules are set up such that "+
"this port is not reachable from outside of the cluster.")
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports.
2014-11-06 00:05:06 +00:00
securePort = flag.Int("secure_port", 0, "The port from which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS ")
tlsCertFile = flag.String("tls_cert_file", "", "File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert).")
tlsPrivateKeyFile = flag.String("tls_private_key_file", "", "File containing x509 private key matching --tls_cert_file.")
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
apiPrefix = flag.String("api_prefix", "/api", "The prefix for API requests on the server. Default '/api'.")
storageVersion = flag.String("storage_version", "", "The version to store resources with. Defaults to server preferred")
cloudProvider = flag.String("cloud_provider", "", "The provider for cloud services. Empty string for no provider.")
cloudConfigFile = flag.String("cloud_config", "", "The path to the cloud provider configuration file. Empty string for no configuration file.")
healthCheckMinions = flag.Bool("health_check_minions", true, "If true, health check minions and filter unhealthy ones. Default true.")
eventTTL = flag.Duration("event_ttl", 48*time.Hour, "Amount of time to retain events. Default 2 days.")
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports.
2014-11-06 00:05:06 +00:00
tokenAuthFile = flag.String("token_auth_file", "", "If set, the file that will be used to secure the secure port of the API server via token authentication.")
authorizationMode = flag.String("authorization_mode", "AlwaysAllow", "Selects how to do authorization on the secure port. One of: "+strings.Join(apiserver.AuthorizationModeChoices, ","))
authorizationPolicyFile = flag.String("authorization_policy_file", "", "File with authorization policy in csv format, used with --authorization_mode=ABAC, on the secure port.")
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
etcdServerList util.StringList
etcdConfigFile = flag.String("etcd_config", "", "The config file for the etcd client. Mutually exclusive with -etcd_servers.")
corsAllowedOriginList util.StringList
allowPrivileged = flag.Bool("allow_privileged", false, "If true, allow privileged containers.")
portalNet util.IPNet // TODO: make this a list
enableLogsSupport = flag.Bool("enable_logs_support", true, "Enables server endpoint for log collection")
kubeletConfig = client.KubeletConfig{
Refactor kubelet access and add SSL
2014-10-10 22:19:23 +00:00
Port: 10250,
EnableHttps: false,
}
First commit
2014-06-06 23:40:48 +00:00
)
func init() {
Flag-compatible IP type
2014-10-04 04:34:30 +00:00
flag.Var(&address, "address", "The IP address on to serve on (set to 0.0.0.0 for all interfaces)")
Allow etcd config file to be passed to apiserver, kubelet, and proxy
2014-09-26 01:11:01 +00:00
flag.Var(&etcdServerList, "etcd_servers", "List of etcd servers to watch (http://ip:port), comma separated. Mutually exclusive with -etcd_config")
Move CORS handler wrapping into cmd/apiserver and switch config flag to a list of allowed origins
2014-09-03 18:33:52 +00:00
flag.Var(&corsAllowedOriginList, "cors_allowed_origins", "List of allowed origins for CORS, comma separated. An allowed origin can be a regular expression to support subdomain matching. If this list is empty CORS will not be enabled.")
Core support for ip-per-service
2014-09-18 23:03:34 +00:00
flag.Var(&portalNet, "portal_net", "A CIDR notation IP range from which to assign portal IPs. This must not overlap with any IP ranges assigned to nodes for pods.")
Refactor kubelet access and add SSL
2014-10-10 22:19:23 +00:00
client.BindKubeletClientConfigFlags(flag.CommandLine, &kubeletConfig)
First commit
2014-06-06 23:40:48 +00:00
}
Core support for ip-per-service
2014-09-18 23:03:34 +00:00
// TODO: Longer term we should read this from some config store, rather than a flag.
func verifyPortalFlags() {
if portalNet.IP == nil {
glog.Fatal("No -portal_net specified")
}
}
Allow etcd config file to be passed to apiserver, kubelet, and proxy
2014-09-26 01:11:01 +00:00
func newEtcd(etcdConfigFile string, etcdServerList util.StringList) (helper tools.EtcdHelper, err error) {
var client tools.EtcdGetSet
if etcdConfigFile != "" {
client, err = etcd.NewClientFromFile(etcdConfigFile)
if err != nil {
return helper, err
}
} else {
client = etcd.NewClient(etcdServerList)
}
return master.NewEtcdHelper(client, *storageVersion)
}
First commit
2014-06-06 23:40:48 +00:00
func main() {
flag.Parse()
Switch to glog for logging, bridge logging to glog. 1) imported glog to third_party (previous commit) 2) add support for third_party/update.sh to update just one pkg 3) search-and-replace: s/log.Printf/glog.Infof/ s/log.Print/glog.Info/ s/log.Fatalf/glog.Fatalf/ s/log.Fatal/glog.Fatal/ 4) convert glog.Info.*, err into glog.Error* Adds some util interfaces to logging and calls them from each cmd, which will set the default log output to write to glog. Pass glog-wrapped Loggers to etcd for logging. Log files will go to /tmp - we should probably follow this up with a default log dir for each cmd. The glog lib is sort of weak in that it only flushes every 30 seconds, so we spin up our own flushing goroutine.
2014-06-25 03:51:57 +00:00
util.InitLogs()
defer util.FlushLogs()
First commit
2014-06-06 23:40:48 +00:00
Extract "pkg/version".PrintAndExitIfRequested() to its own package because it causes a runtime panic if a binary which has its own implementation of "-version" flag tries to reuse a package library which indirectly depend on "pkg/version". e.g. If such an user-defined binary tires to link "pkg/api" or "pkg/client", the binary fails with a runtime panic "flag redefined: version".
2014-08-01 05:55:44 +00:00
verflag.PrintAndExitIfRequested()
Core support for ip-per-service
2014-09-18 23:03:34 +00:00
verifyPortalFlags()
First commit
2014-06-06 23:40:48 +00:00
Allow etcd config file to be passed to apiserver, kubelet, and proxy
2014-09-26 01:11:01 +00:00
if (*etcdConfigFile != "" && len(etcdServerList) != 0) || (*etcdConfigFile == "" && len(etcdServerList) == 0) {
glog.Fatalf("specify either -etcd_servers or -etcd_config")
Remove unused and not completely correct code
2014-08-15 23:42:37 +00:00
}
Refactor to clean up names.
2014-09-16 22:18:33 +00:00
capabilities.Initialize(capabilities.Capabilities{
Add a flag to reject privileged containers in the apiserver.
2014-09-16 14:04:12 +00:00
AllowPrivileged: *allowPrivileged,
})
Separate minion controller from master.
2014-10-22 01:21:44 +00:00
cloud := cloudprovider.InitCloudProvider(*cloudProvider, *cloudConfigFile)
First commit
2014-06-06 23:40:48 +00:00
Refactor kubelet access and add SSL
2014-10-10 22:19:23 +00:00
kubeletClient, err := client.NewKubeletClient(&kubeletConfig)
if err != nil {
glog.Fatalf("Failure to start kubelet client: %v", err)
Allow master's pod info getter to be faked. Wire up in integration tests in futile attempt to make travis pass.
2014-07-02 00:08:32 +00:00
}
Refactor the client (again) to better support auth * Allows consumers to provide their own transports for common cases. * Supports KUBE_API_VERSION on test cases for controlling which api version they test against * Provides a common flag registration method for CLIs that need to connect to an API server (to avoid duplicating flags) * Ensures errors are properly returned by the server * Add a Context field to client.Config
2014-09-30 00:15:00 +00:00
// TODO: expose same flags as client.BindClientConfigFlags but for a server
clientConfig := &client.Config{
Flag-compatible IP type
2014-10-04 04:34:30 +00:00
Host: net.JoinHostPort(address.String(), strconv.Itoa(int(*port))),
Refactor the client (again) to better support auth * Allows consumers to provide their own transports for common cases. * Supports KUBE_API_VERSION on test cases for controlling which api version they test against * Provides a common flag registration method for CLIs that need to connect to an API server (to avoid duplicating flags) * Ensures errors are properly returned by the server * Add a Context field to client.Config
2014-09-30 00:15:00 +00:00
Version: *storageVersion,
}
client, err := client.New(clientConfig)
Client should validate the incoming host value Convert host:port and URLs passed to client.New() into the proper values, and return an error if the value is invalid. Change CLI to return an error if -master is invalid. Remove Client.rawRequest which was not in use, and fix the involved tests. Add NewOrDie Preserves the behavior of the client to not auth when a non-https URL is passed (although in the future this should be corrected).
2014-08-28 13:56:38 +00:00
if err != nil {
glog.Fatalf("Invalid server address: %v", err)
}
Make the service reconciller use the API, not a PodRegistry
2014-07-18 20:22:26 +00:00
Allow etcd config file to be passed to apiserver, kubelet, and proxy
2014-09-26 01:11:01 +00:00
helper, err := newEtcd(*etcdConfigFile, etcdServerList)
Allow server and client to take api version as argument * Defaults to v1beta1 * apiserver takes -storage_version which controls etcd storage version and the version of the client used to connect to other apiservers * Changed signature of client.New to add version parameter * All controller code and component code prefers the oldest (most common) server version
2014-09-11 23:01:29 +00:00
if err != nil {
Allow etcd config file to be passed to apiserver, kubelet, and proxy
2014-09-26 01:11:01 +00:00
glog.Fatalf("Invalid storage version or misconfigured etcd: %v", err)
Allow server and client to take api version as argument * Defaults to v1beta1 * apiserver takes -storage_version which controls etcd storage version and the version of the client used to connect to other apiservers * Changed signature of client.New to add version parameter * All controller code and component code prefers the oldest (most common) server version
2014-09-11 23:01:29 +00:00
}
Core support for ip-per-service
2014-09-18 23:03:34 +00:00
n := net.IPNet(portalNet)
Authorization based on namespace, kind, readonly. Also, pass Authorizer into master.Config.
2014-11-02 06:50:00 +00:00
Make master take authenticator.Request interface instead of tokenfile
2014-11-19 15:31:43 +00:00
authenticator, err := apiserver.NewAuthenticatorFromTokenFile(*tokenAuthFile)
if err != nil {
glog.Fatalf("Invalid Authentication Config: %v", err)
}
Basic ACL file. Added function to read basic ACL from a CSV file. Added implementation of Authorize based on that file's policies. Added docs on authentication and authorization. Added example file and tested it.
2014-10-06 23:11:04 +00:00
authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(*authorizationMode, *authorizationPolicyFile)
Authorization based on namespace, kind, readonly. Also, pass Authorizer into master.Config.
2014-11-02 06:50:00 +00:00
if err != nil {
glog.Fatalf("Invalid Authorization Config: %v", err)
}
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
config := &master.Config{
Separate minion controller from master.
2014-10-22 01:21:44 +00:00
Client: client,
Cloud: cloud,
EtcdHelper: helper,
HealthCheckMinions: *healthCheckMinions,
EventTTL: *eventTTL,
KubeletClient: kubeletClient,
Move handler setup: cmd/apiserver -> pkg/master Moved CORS handler setup and authorizer setup. Will allow for integration test of authorization.
2014-10-23 23:55:14 +00:00
PortalNet: &n,
EnableLogsSupport: *enableLogsSupport,
EnableUISupport: true,
APIPrefix: *apiPrefix,
CorsAllowedOriginList: corsAllowedOriginList,
Separate minion controller from master.
2014-10-22 01:21:44 +00:00
ReadOnlyPort: *readOnlyPort,
ReadWritePort: *port,
PublicAddress: *publicAddressOverride,
Make master take authenticator.Request interface instead of tokenfile
2014-11-19 15:31:43 +00:00
Authenticator: authenticator,
Authorization based on namespace, kind, readonly. Also, pass Authorizer into master.Config.
2014-11-02 06:50:00 +00:00
Authorizer: authorizer,
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
}
m := master.New(config)
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports.
2014-11-06 00:05:06 +00:00
// We serve on 3 ports. See docs/reaching_the_api.md
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
roLocation := ""
Add read-only, rate limited endpoint
2014-10-20 22:23:28 +00:00
if *readOnlyPort != 0 {
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
roLocation = net.JoinHostPort(config.PublicAddress, strconv.Itoa(config.ReadOnlyPort))
}
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports.
2014-11-06 00:05:06 +00:00
secureLocation := ""
if *securePort != 0 {
secureLocation = net.JoinHostPort(config.PublicAddress, strconv.Itoa(*securePort))
}
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
rwLocation := net.JoinHostPort(address.String(), strconv.Itoa(int(*port)))
// See the flag commentary to understand our assumptions when opening the read-only and read-write ports.
if roLocation != "" {
Add read-only, rate limited endpoint
2014-10-20 22:23:28 +00:00
// Allow 1 read-only request per second, allow up to 20 in a burst before enforcing.
rl := util.NewTokenBucketRateLimiter(1.0, 20)
readOnlyServer := &http.Server{
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
Addr: roLocation,
Return InsecureHandler from master. Subsequent changes will make use of both m.Handler and m.InsecureHandler for different ports.
2014-11-06 17:11:31 +00:00
Handler: apiserver.RecoverPanics(apiserver.ReadOnly(apiserver.RateLimit(rl, m.InsecureHandler))),
Add read-only, rate limited endpoint
2014-10-20 22:23:28 +00:00
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
MaxHeaderBytes: 1 << 20,
}
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports.
2014-11-06 00:05:06 +00:00
glog.Infof("Serving read-only insecurely on %s", roLocation)
Add read-only, rate limited endpoint
2014-10-20 22:23:28 +00:00
go func() {
defer util.HandleCrash()
Allow (delayed) apiserver starting when network interface isn't available immediately.
2014-11-05 20:07:33 +00:00
for {
if err := readOnlyServer.ListenAndServe(); err != nil {
glog.Errorf("Unable to listen for read only traffic (%v); will try again.", err)
}
time.Sleep(15 * time.Second)
}
Add read-only, rate limited endpoint
2014-10-20 22:23:28 +00:00
}()
}
Move CORS handler wrapping into cmd/apiserver and switch config flag to a list of allowed origins
2014-09-03 18:33:52 +00:00
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports.
2014-11-06 00:05:06 +00:00
if secureLocation != "" {
secureServer := &http.Server{
Addr: secureLocation,
Handler: apiserver.RecoverPanics(m.Handler),
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
MaxHeaderBytes: 1 << 20,
x509 request authenticator
2014-12-01 22:11:59 +00:00
TLSConfig: &tls.Config{
// Populate PeerCertificates in requests, but don't reject connections without certificates
// This allows certificates to be validated by authenticators, while still allowing other auth types
ClientAuth: tls.RequestClientCert,
},
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports.
2014-11-06 00:05:06 +00:00
}
glog.Infof("Serving securely on %s", secureLocation)
go func() {
defer util.HandleCrash()
for {
if err := secureServer.ListenAndServeTLS(*tlsCertFile, *tlsPrivateKeyFile); err != nil {
glog.Errorf("Unable to listen for secure (%v); will try again.", err)
}
time.Sleep(15 * time.Second)
}
}()
}
Extract RESTHandler and allow API groupings Prepare for running multiple API versions on the same HTTP server by decoupling some of the mechanics of apiserver. Define a new APIGroup object which represents a version of the API.
2014-08-09 21:12:55 +00:00
s := &http.Server{
Implement kubernetes & kubernetes-ro services
2014-10-28 00:56:33 +00:00
Addr: rwLocation,
Return InsecureHandler from master. Subsequent changes will make use of both m.Handler and m.InsecureHandler for different ports.
2014-11-06 17:11:31 +00:00
Handler: apiserver.RecoverPanics(m.InsecureHandler),
Make global http timeout longer than most operations We have a few long running operations today (sync=true, watch) that exceed the original default http.Server timeout. We should set the timeout to a high enough limit that more granular controls can be implemented.
2014-08-18 17:32:29 +00:00
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
Extract RESTHandler and allow API groupings Prepare for running multiple API versions on the same HTTP server by decoupling some of the mechanics of apiserver. Define a new APIGroup object which represents a version of the API.
2014-08-09 21:12:55 +00:00
MaxHeaderBytes: 1 << 20,
}
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports.
2014-11-06 00:05:06 +00:00
glog.Infof("Serving insecurely on %s", rwLocation)
Extract RESTHandler and allow API groupings Prepare for running multiple API versions on the same HTTP server by decoupling some of the mechanics of apiserver. Define a new APIGroup object which represents a version of the API.
2014-08-09 21:12:55 +00:00
glog.Fatal(s.ListenAndServe())
First commit
2014-06-06 23:40:48 +00:00
}