/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package server
import (
"net/http"
"k8s.io/apiserver/pkg/authentication/user"
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
"k8s.io/apiserver/pkg/server"
genericfilters "k8s.io/apiserver/pkg/server/filters"
)
// DeprecatedInsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization.
// You shouldn't be using this. It makes sig-auth sad.
// DeprecatedInsecureServingInfo *ServingInfo
// BuildInsecureHandlerChain wraps apiHandler in the filter chain for the
// insecure (plain HTTP) serving path and returns the outermost handler.
//
// Security: the only authenticator installed is insecureSuperuser, which
// accepts every request as a member of user.SystemPrivilegedGroup, and no
// authorization filter is added in this function. Any client that can reach a
// listener built on this chain is treated as a superuser, so the listener must
// not be reachable from untrusted networks.
func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
	// Each call wraps the previous result, so a filter added later sits
	// outside the ones added before it.
	chain := genericapifilters.WithAudit(apiHandler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)

	// Authentication wraps the audit filter. NOTE(review): audit events on this
	// path presumably all carry the fixed insecureSuperuser identity and so
	// cannot attribute an action to a real caller; confirm against WithAudit.
	chain = genericapifilters.WithAuthentication(chain, insecureSuperuser{}, nil)

	// The trailing "true" is WithCORS's allow-credentials value; keep
	// c.CorsAllowedOriginList narrow, since every request here is privileged.
	chain = genericfilters.WithCORS(chain, c.CorsAllowedOriginList, nil, nil, nil, "true")

	// Resource-protection filters: request timeout, in-flight limits and the
	// wait group, all sharing c.LongRunningFunc.
	chain = genericfilters.WithTimeoutForNonLongRunningRequests(chain, c.LongRunningFunc, c.RequestTimeout)
	chain = genericfilters.WithMaxInFlightLimit(chain, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
	chain = genericfilters.WithWaitGroup(chain, c.LongRunningFunc, c.HandlerChainWaitGroup)

	// Request-info resolution and panic recovery are the two outermost layers.
	chain = genericapifilters.WithRequestInfo(chain, server.NewRequestInfoResolver(c))
	chain = genericfilters.WithPanicRecovery(chain)

	return chain
}
// insecureSuperuser implements authenticator.Request and reports every request
// as the same superuser.
// That is functionally equivalent to skipping authentication and authorization;
// it exists so that apiserver code can stop special-casing a nil user to skip
// authorization checks.
type insecureSuperuser struct{}

// AuthenticateRequest never inspects req: it always succeeds and returns the
// fixed identity "system:unsecured", placed in user.SystemPrivilegedGroup and
// user.AllAuthenticated. Because the name is constant, it identifies this
// serving path, not the caller, wherever the returned user.Info is recorded.
func (insecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
	superuser := &user.DefaultInfo{
		Name: "system:unsecured",
		Groups: []string{
			user.SystemPrivilegedGroup,
			user.AllAuthenticated,
		},
	}
	return superuser, true, nil
}