From 0022223d8b6db647da4c791a62d6d10d64d74343 Mon Sep 17 00:00:00 2001 From: deads2k Date: Tue, 2 May 2017 14:55:56 -0400 Subject: [PATCH] expose kubelet authentication and authorization builders --- cmd/kubelet/app/auth.go | 13 ++++++++----- cmd/kubelet/app/server.go | 2 +- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/cmd/kubelet/app/auth.go b/cmd/kubelet/app/auth.go index d8f0f388ea..ab0a47ec03 100644 --- a/cmd/kubelet/app/auth.go +++ b/cmd/kubelet/app/auth.go @@ -34,7 +34,8 @@ import ( "k8s.io/kubernetes/pkg/kubelet/server" ) -func buildAuth(nodeName types.NodeName, client clientset.Interface, config componentconfig.KubeletConfiguration) (server.AuthInterface, error) { +// BuildAuth creates an authenticator, an authorizer, and a matching authorizer attributes getter compatible with the kubelet's needs +func BuildAuth(nodeName types.NodeName, client clientset.Interface, config componentconfig.KubeletConfiguration) (server.AuthInterface, error) { // Get clients, if provided var ( tokenClient authenticationclient.TokenReviewInterface @@ -45,14 +46,14 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo sarClient = client.AuthorizationV1beta1().SubjectAccessReviews() } - authenticator, err := buildAuthn(tokenClient, config.Authentication) + authenticator, err := BuildAuthn(tokenClient, config.Authentication) if err != nil { return nil, err } attributes := server.NewNodeAuthorizerAttributesGetter(nodeName) - authorizer, err := buildAuthz(sarClient, config.Authorization) + authorizer, err := BuildAuthz(sarClient, config.Authorization) if err != nil { return nil, err } @@ -60,7 +61,8 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo return server.NewKubeletAuth(authenticator, attributes, authorizer), nil } -func buildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) { +// BuildAuthn creates an authenticator compatible with the kubelet's needs +func BuildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) { authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{ Anonymous: authn.Anonymous.Enabled, CacheTTL: authn.Webhook.CacheTTL.Duration, @@ -78,7 +80,8 @@ func buildAuthn(client authenticationclient.TokenReviewInterface, authn componen return authenticator, err } -func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) { +// BuildAuthz creates an authorizer compatible with the kubelet's needs +func BuildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) { switch authz.Mode { case componentconfig.KubeletAuthorizationModeAlwaysAllow: return authorizerfactory.NewAlwaysAllowAuthorizer(), nil diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go index 92a41383de..b40cff066c 100644 --- a/cmd/kubelet/app/server.go +++ b/cmd/kubelet/app/server.go @@ -489,7 +489,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) { } if kubeDeps.Auth == nil { - auth, err := buildAuth(nodeName, kubeDeps.ExternalKubeClient, s.KubeletConfiguration) + auth, err := BuildAuth(nodeName, kubeDeps.ExternalKubeClient, s.KubeletConfiguration) if err != nil { return err }