k3s/pkg/registry/rbac/rest/storage_rbac.go

/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package rest

import (
	"fmt"
	"sync"
	"time"

	"github.com/golang/glog"

	"k8s.io/kubernetes/pkg/api"
	"k8s.io/kubernetes/pkg/api/rest"
	"k8s.io/kubernetes/pkg/apis/rbac"
	rbacapiv1alpha1 "k8s.io/kubernetes/pkg/apis/rbac/v1alpha1"
	rbacvalidation "k8s.io/kubernetes/pkg/apis/rbac/validation"
	rbacclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
	"k8s.io/kubernetes/pkg/genericapiserver"
	"k8s.io/kubernetes/pkg/registry/generic"
	"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
	clusterroleetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd"
	clusterrolepolicybased "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased"
	"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
	clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd"
	clusterrolebindingpolicybased "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased"
	"k8s.io/kubernetes/pkg/registry/rbac/role"
	roleetcd "k8s.io/kubernetes/pkg/registry/rbac/role/etcd"
	rolepolicybased "k8s.io/kubernetes/pkg/registry/rbac/role/policybased"
	"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
	rolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd"
	rolebindingpolicybased "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased"
	utilruntime "k8s.io/kubernetes/pkg/util/runtime"
	"k8s.io/kubernetes/pkg/util/wait"
	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
)

type RESTStorageProvider struct{}

var _ genericapiserver.PostStartHookProvider = RESTStorageProvider{}

func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool) {
	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(rbac.GroupName)

	if apiResourceConfigSource.AnyResourcesForVersionEnabled(rbacapiv1alpha1.SchemeGroupVersion) {
		apiGroupInfo.VersionedResourcesStorageMap[rbacapiv1alpha1.SchemeGroupVersion.Version] = p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter)
		apiGroupInfo.GroupMeta.GroupVersion = rbacapiv1alpha1.SchemeGroupVersion
	}

	return apiGroupInfo, true
}

func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
	version := rbacapiv1alpha1.SchemeGroupVersion

	once := new(sync.Once)
	var (
		authorizationRuleResolver  rbacvalidation.AuthorizationRuleResolver
		rolesStorage               rest.StandardStorage
		roleBindingsStorage        rest.StandardStorage
		clusterRolesStorage        rest.StandardStorage
		clusterRoleBindingsStorage rest.StandardStorage
	)

	initializeStorage := func() {
		once.Do(func() {
			rolesStorage = roleetcd.NewREST(restOptionsGetter)
			roleBindingsStorage = rolebindingetcd.NewREST(restOptionsGetter)
			clusterRolesStorage = clusterroleetcd.NewREST(restOptionsGetter)
			clusterRoleBindingsStorage = clusterrolebindingetcd.NewREST(restOptionsGetter)

			authorizationRuleResolver = rbacvalidation.NewDefaultRuleResolver(
				role.AuthorizerAdapter{Registry: role.NewRegistry(rolesStorage)},
				rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(roleBindingsStorage)},
				clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterRolesStorage)},
				clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterRoleBindingsStorage)},
			)
		})
	}

	storage := map[string]rest.Storage{}
	if apiResourceConfigSource.ResourceEnabled(version.WithResource("roles")) {
		initializeStorage()
		storage["roles"] = rolepolicybased.NewStorage(rolesStorage, authorizationRuleResolver)
	}
	if apiResourceConfigSource.ResourceEnabled(version.WithResource("rolebindings")) {
		initializeStorage()
		storage["rolebindings"] = rolebindingpolicybased.NewStorage(roleBindingsStorage, authorizationRuleResolver)
	}
	if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterroles")) {
		initializeStorage()
		storage["clusterroles"] = clusterrolepolicybased.NewStorage(clusterRolesStorage, authorizationRuleResolver)
	}
	if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterrolebindings")) {
		initializeStorage()
		storage["clusterrolebindings"] = clusterrolebindingpolicybased.NewStorage(clusterRoleBindingsStorage, authorizationRuleResolver)
	}
	return storage
}

func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
	return "rbac/bootstrap-roles", PostStartHook, nil
}

func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
	// intializing roles is really important.  On some e2e runs, we've seen cases where etcd is down when the server
	// starts, the roles don't initialize, and nothing works.
	err := wait.Poll(1*time.Second, 30*time.Second, func() (done bool, err error) {
		clientset, err := rbacclient.NewForConfig(hookContext.LoopbackClientConfig)
		if err != nil {
			utilruntime.HandleError(fmt.Errorf("unable to initialize clusterroles: %v", err))
			return false, nil
		}

		existingClusterRoles, err := clientset.ClusterRoles().List(api.ListOptions{})
		if err != nil {
			utilruntime.HandleError(fmt.Errorf("unable to initialize clusterroles: %v", err))
			return false, nil
		}
		// only initialized on empty etcd
		if len(existingClusterRoles.Items) == 0 {
			for _, clusterRole := range append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...) {
				if _, err := clientset.ClusterRoles().Create(&clusterRole); err != nil {
					// don't fail on failures, try to create as many as you can
					utilruntime.HandleError(fmt.Errorf("unable to initialize clusterroles: %v", err))
					continue
				}
				glog.Infof("Created clusterrole.%s/%s", rbac.GroupName, clusterRole.Name)
			}
		}

		existingClusterRoleBindings, err := clientset.ClusterRoleBindings().List(api.ListOptions{})
		if err != nil {
			utilruntime.HandleError(fmt.Errorf("unable to initialize clusterrolebindings: %v", err))
			return false, nil
		}
		// only initialized on empty etcd
		if len(existingClusterRoleBindings.Items) == 0 {
			for _, clusterRoleBinding := range append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...) {
				if _, err := clientset.ClusterRoleBindings().Create(&clusterRoleBinding); err != nil {
					// don't fail on failures, try to create as many as you can
					utilruntime.HandleError(fmt.Errorf("unable to initialize clusterrolebindings: %v", err))
					continue
				}
				glog.Infof("Created clusterrolebinding.%s/%s", rbac.GroupName, clusterRoleBinding.Name)
			}
		}

		return true, nil
	})
	// if we're never able to make it through intialization, kill the API server
	if err != nil {
		return fmt.Errorf("unable to initialize roles: %v", err)
	}

	return nil
}

func (p RESTStorageProvider) GroupName() string {
	return rbac.GroupName
}
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`/*`
			`Copyright 2016 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

move reststorage providers to their correct packages 2016-09-23 19:10:47 +00:00			`package rest`
separate out api group storage registration 2016-07-27 14:29:31 +00:00
			`import (`
add GenericAPIServer posthooks for initialization 2016-08-26 15:06:27 +00:00			`"fmt"`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`"sync"`
retry RBAC initialization for up to 30 seconds, kill server on failure 2016-12-22 13:19:11 +00:00			`"time"`
separate out api group storage registration 2016-07-27 14:29:31 +00:00
add GenericAPIServer posthooks for initialization 2016-08-26 15:06:27 +00:00			`"github.com/golang/glog"`

			`"k8s.io/kubernetes/pkg/api"`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`"k8s.io/kubernetes/pkg/api/rest"`
			`"k8s.io/kubernetes/pkg/apis/rbac"`
			`rbacapiv1alpha1 "k8s.io/kubernetes/pkg/apis/rbac/v1alpha1"`
			`rbacvalidation "k8s.io/kubernetes/pkg/apis/rbac/validation"`
include multiple versions in clientset update client-gen to use the term "internalversion" rather than "unversioned"; leave internal one unqualified; cleanup client-gen 2016-10-21 22:24:05 +00:00			`rbacclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`"k8s.io/kubernetes/pkg/genericapiserver"`
Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`"k8s.io/kubernetes/pkg/registry/generic"`
separate RESTStorage by API group 2016-09-15 17:41:48 +00:00			`"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"`
			`clusterroleetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd"`
			`clusterrolepolicybased "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/policybased"`
			`"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"`
			`clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd"`
			`clusterrolebindingpolicybased "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/policybased"`
			`"k8s.io/kubernetes/pkg/registry/rbac/role"`
			`roleetcd "k8s.io/kubernetes/pkg/registry/rbac/role/etcd"`
			`rolepolicybased "k8s.io/kubernetes/pkg/registry/rbac/role/policybased"`
			`"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"`
			`rolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd"`
			`rolebindingpolicybased "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/policybased"`
add GenericAPIServer posthooks for initialization 2016-08-26 15:06:27 +00:00			`utilruntime "k8s.io/kubernetes/pkg/util/runtime"`
retry RBAC initialization for up to 30 seconds, kill server on failure 2016-12-22 13:19:11 +00:00			`"k8s.io/kubernetes/pkg/util/wait"`
add GenericAPIServer posthooks for initialization 2016-08-26 15:06:27 +00:00			`"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`)`

remove rbac super user 2016-12-05 16:28:59 +00:00			`type RESTStorageProvider struct{}`
separate out api group storage registration 2016-07-27 14:29:31 +00:00
remove non-reuseable bits of MasterServer 2016-10-27 18:24:11 +00:00			`var _ genericapiserver.PostStartHookProvider = RESTStorageProvider{}`
separate out api group storage registration 2016-07-27 14:29:31 +00:00
Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool) {`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(rbac.GroupName)`

			`if apiResourceConfigSource.AnyResourcesForVersionEnabled(rbacapiv1alpha1.SchemeGroupVersion) {`
			`apiGroupInfo.VersionedResourcesStorageMap[rbacapiv1alpha1.SchemeGroupVersion.Version] = p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter)`
			`apiGroupInfo.GroupMeta.GroupVersion = rbacapiv1alpha1.SchemeGroupVersion`
			`}`

			`return apiGroupInfo, true`
			`}`

Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource genericapiserver.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`version := rbacapiv1alpha1.SchemeGroupVersion`

			`once := new(sync.Once)`
Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`var (`
			`authorizationRuleResolver rbacvalidation.AuthorizationRuleResolver`
			`rolesStorage rest.StandardStorage`
			`roleBindingsStorage rest.StandardStorage`
			`clusterRolesStorage rest.StandardStorage`
			`clusterRoleBindingsStorage rest.StandardStorage`
			`)`

			`initializeStorage := func() {`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`once.Do(func() {`
Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`rolesStorage = roleetcd.NewREST(restOptionsGetter)`
			`roleBindingsStorage = rolebindingetcd.NewREST(restOptionsGetter)`
			`clusterRolesStorage = clusterroleetcd.NewREST(restOptionsGetter)`
			`clusterRoleBindingsStorage = clusterrolebindingetcd.NewREST(restOptionsGetter)`

separate out api group storage registration 2016-07-27 14:29:31 +00:00			`authorizationRuleResolver = rbacvalidation.NewDefaultRuleResolver(`
Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`role.AuthorizerAdapter{Registry: role.NewRegistry(rolesStorage)},`
			`rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(roleBindingsStorage)},`
			`clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterRolesStorage)},`
			`clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterRoleBindingsStorage)},`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`)`
			`})`
			`}`

			`storage := map[string]rest.Storage{}`
			`if apiResourceConfigSource.ResourceEnabled(version.WithResource("roles")) {`
Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`initializeStorage()`
			`storage["roles"] = rolepolicybased.NewStorage(rolesStorage, authorizationRuleResolver)`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`}`
			`if apiResourceConfigSource.ResourceEnabled(version.WithResource("rolebindings")) {`
Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`initializeStorage()`
			`storage["rolebindings"] = rolebindingpolicybased.NewStorage(roleBindingsStorage, authorizationRuleResolver)`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`}`
			`if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterroles")) {`
Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`initializeStorage()`
			`storage["clusterroles"] = clusterrolepolicybased.NewStorage(clusterRolesStorage, authorizationRuleResolver)`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`}`
			`if apiResourceConfigSource.ResourceEnabled(version.WithResource("clusterrolebindings")) {`
Refactor REST storage to use generic defaults Signed-off-by: Monis Khan <mkhan@redhat.com> 2016-12-01 02:09:56 +00:00			`initializeStorage()`
			`storage["clusterrolebindings"] = clusterrolebindingpolicybased.NewStorage(clusterRoleBindingsStorage, authorizationRuleResolver)`
separate out api group storage registration 2016-07-27 14:29:31 +00:00			`}`
			`return storage`
			`}`
add GenericAPIServer posthooks for initialization 2016-08-26 15:06:27 +00:00
remove non-reuseable bits of MasterServer 2016-10-27 18:24:11 +00:00			`func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {`
pass loopback config to posthooks 2016-09-29 19:10:04 +00:00			`return "rbac/bootstrap-roles", PostStartHook, nil`
add GenericAPIServer posthooks for initialization 2016-08-26 15:06:27 +00:00			`}`

pass loopback config to posthooks 2016-09-29 19:10:04 +00:00			`func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {`
retry RBAC initialization for up to 30 seconds, kill server on failure 2016-12-22 13:19:11 +00:00			`// intializing roles is really important. On some e2e runs, we've seen cases where etcd is down when the server`
			`// starts, the roles don't initialize, and nothing works.`
			`err := wait.Poll(1time.Second, 30time.Second, func() (done bool, err error) {`
			`clientset, err := rbacclient.NewForConfig(hookContext.LoopbackClientConfig)`
			`if err != nil {`
pass loopback config to posthooks 2016-09-29 19:10:04 +00:00			`utilruntime.HandleError(fmt.Errorf("unable to initialize clusterroles: %v", err))`
retry RBAC initialization for up to 30 seconds, kill server on failure 2016-12-22 13:19:11 +00:00			`return false, nil`
add GenericAPIServer posthooks for initialization 2016-08-26 15:06:27 +00:00			`}`
pass loopback config to posthooks 2016-09-29 19:10:04 +00:00
retry RBAC initialization for up to 30 seconds, kill server on failure 2016-12-22 13:19:11 +00:00			`existingClusterRoles, err := clientset.ClusterRoles().List(api.ListOptions{})`
			`if err != nil {`
			`utilruntime.HandleError(fmt.Errorf("unable to initialize clusterroles: %v", err))`
			`return false, nil`
			`}`
			`// only initialized on empty etcd`
			`if len(existingClusterRoles.Items) == 0 {`
			`for _, clusterRole := range append(bootstrappolicy.ClusterRoles(), bootstrappolicy.ControllerRoles()...) {`
			`if _, err := clientset.ClusterRoles().Create(&clusterRole); err != nil {`
			`// don't fail on failures, try to create as many as you can`
			`utilruntime.HandleError(fmt.Errorf("unable to initialize clusterroles: %v", err))`
			`continue`
			`}`
			`glog.Infof("Created clusterrole.%s/%s", rbac.GroupName, clusterRole.Name)`
			`}`
			`}`
add clusterrolebindings to bootstrapping 2016-10-04 14:34:01 +00:00
retry RBAC initialization for up to 30 seconds, kill server on failure 2016-12-22 13:19:11 +00:00			`existingClusterRoleBindings, err := clientset.ClusterRoleBindings().List(api.ListOptions{})`
			`if err != nil {`
add clusterrolebindings to bootstrapping 2016-10-04 14:34:01 +00:00			`utilruntime.HandleError(fmt.Errorf("unable to initialize clusterrolebindings: %v", err))`
retry RBAC initialization for up to 30 seconds, kill server on failure 2016-12-22 13:19:11 +00:00			`return false, nil`
			`}`
			`// only initialized on empty etcd`
			`if len(existingClusterRoleBindings.Items) == 0 {`
			`for _, clusterRoleBinding := range append(bootstrappolicy.ClusterRoleBindings(), bootstrappolicy.ControllerRoleBindings()...) {`
			`if _, err := clientset.ClusterRoleBindings().Create(&clusterRoleBinding); err != nil {`
			`// don't fail on failures, try to create as many as you can`
			`utilruntime.HandleError(fmt.Errorf("unable to initialize clusterrolebindings: %v", err))`
			`continue`
			`}`
			`glog.Infof("Created clusterrolebinding.%s/%s", rbac.GroupName, clusterRoleBinding.Name)`
			`}`
add clusterrolebindings to bootstrapping 2016-10-04 14:34:01 +00:00			`}`
retry RBAC initialization for up to 30 seconds, kill server on failure 2016-12-22 13:19:11 +00:00
			`return true, nil`
			`})`
			`// if we're never able to make it through intialization, kill the API server`
			`if err != nil {`
			`return fmt.Errorf("unable to initialize roles: %v", err)`
add clusterrolebindings to bootstrapping 2016-10-04 14:34:01 +00:00			`}`

pass loopback config to posthooks 2016-09-29 19:10:04 +00:00			`return nil`
add GenericAPIServer posthooks for initialization 2016-08-26 15:06:27 +00:00			`}`
remove non-reuseable bits of MasterServer 2016-10-27 18:24:11 +00:00
			`func (p RESTStorageProvider) GroupName() string {`
			`return rbac.GroupName`
			`}`