github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

expose kubelet authentication and authorization builders

pull/6/head
deads2k 2017-05-02 14:55:56 -04:00
parent 2689f033a8
commit 0022223d8b
2 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
cmd/kubelet/app/auth.go
View File

@ -34,7 +34,8 @@ import (
"k8s.io/kubernetes/pkg/kubelet/server" "k8s.io/kubernetes/pkg/kubelet/server"
) )
func buildAuth(nodeName types.NodeName, client clientset.Interface, config componentconfig.KubeletConfiguration) (server.AuthInterface, error) { // BuildAuth creates an authenticator, an authorizer, and a matching authorizer attributes getter compatible with the kubelet's needs
func BuildAuth(nodeName types.NodeName, client clientset.Interface, config componentconfig.KubeletConfiguration) (server.AuthInterface, error) {
// Get clients, if provided // Get clients, if provided
var ( var (
tokenClient authenticationclient.TokenReviewInterface tokenClient authenticationclient.TokenReviewInterface
@ -45,14 +46,14 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
sarClient = client.AuthorizationV1beta1().SubjectAccessReviews() sarClient = client.AuthorizationV1beta1().SubjectAccessReviews()
} }
authenticator, err := buildAuthn(tokenClient, config.Authentication) authenticator, err := BuildAuthn(tokenClient, config.Authentication)
if err != nil { if err != nil {
return nil, err return nil, err
} }
attributes := server.NewNodeAuthorizerAttributesGetter(nodeName) attributes := server.NewNodeAuthorizerAttributesGetter(nodeName)
authorizer, err := buildAuthz(sarClient, config.Authorization) authorizer, err := BuildAuthz(sarClient, config.Authorization)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -60,7 +61,8 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
return server.NewKubeletAuth(authenticator, attributes, authorizer), nil return server.NewKubeletAuth(authenticator, attributes, authorizer), nil
} }
func buildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) { // BuildAuthn creates an authenticator compatible with the kubelet's needs
func BuildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{ authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
Anonymous: authn.Anonymous.Enabled, Anonymous: authn.Anonymous.Enabled,
CacheTTL: authn.Webhook.CacheTTL.Duration, CacheTTL: authn.Webhook.CacheTTL.Duration,
@ -78,7 +80,8 @@ func buildAuthn(client authenticationclient.TokenReviewInterface, authn componen
return authenticator, err return authenticator, err
} }
func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) { // BuildAuthz creates an authorizer compatible with the kubelet's needs
func BuildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
switch authz.Mode { switch authz.Mode {
case componentconfig.KubeletAuthorizationModeAlwaysAllow: case componentconfig.KubeletAuthorizationModeAlwaysAllow:
return authorizerfactory.NewAlwaysAllowAuthorizer(), nil return authorizerfactory.NewAlwaysAllowAuthorizer(), nil

2
cmd/kubelet/app/server.go
View File

@ -489,7 +489,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
} }
if kubeDeps.Auth == nil { if kubeDeps.Auth == nil {
auth, err := buildAuth(nodeName, kubeDeps.ExternalKubeClient, s.KubeletConfiguration) auth, err := BuildAuth(nodeName, kubeDeps.ExternalKubeClient, s.KubeletConfiguration)
if err != nil { if err != nil {
return err return err
} }