Merge pull request #67497 from yue9944882/refactor/externalize-node-informer-clientset

Automatic merge from submit-queue (batch tested with PRs 67661, 67497, 66523, 67622, 67632). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Externalize node informers for node authz the pull will completely externalize node authz together with #67194 ref: #66680 **Release note**: ```release-note NONE ```
2018-08-21 13:00:01 -07:00 · 2018-08-21 13:00:01 -07:00 · 138fdc3d77
parent 1a27e69a39 f624a4efb8
commit 138fdc3d77
11 changed files with 18 additions and 35 deletions
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -526,7 +526,7 @@ func buildGenericConfig(
 		return
 	}

-	genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, sharedInformers, versionedInformers)
+	genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, versionedInformers)
 	if err != nil {
 		lastErr = fmt.Errorf("invalid authorization config: %v", err)
 		return
@ -634,8 +634,8 @@ func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset
 }

 // BuildAuthorizer constructs the authorizer
-func BuildAuthorizer(s *options.ServerRunOptions, sharedInformers informers.SharedInformerFactory, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) {
-	authorizationConfig := s.Authorization.ToAuthorizationConfig(sharedInformers, versionedInformers)
+func BuildAuthorizer(s *options.ServerRunOptions, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) {
+	authorizationConfig := s.Authorization.ToAuthorizationConfig(versionedInformers)
 	return authorizationConfig.New()
 }

--- a/pkg/kubeapiserver/authorizer/BUILD
+++ b/pkg/kubeapiserver/authorizer/BUILD
@ -12,7 +12,6 @@ go_library(
    deps = [
        "//pkg/auth/authorizer/abac:go_default_library",
        "//pkg/auth/nodeidentifier:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
        "//plugin/pkg/auth/authorizer/node:go_default_library",
        "//plugin/pkg/auth/authorizer/rbac:go_default_library",
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@ -27,7 +27,6 @@ import (
 	versionedinformers "k8s.io/client-go/informers"
 	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
@ -51,7 +50,6 @@ type AuthorizationConfig struct {
 	// TTL for caching of unauthorized responses from the webhook server.
 	WebhookCacheUnauthorizedTTL time.Duration

-	InformerFactory          informers.SharedInformerFactory
 	VersionedInformerFactory versionedinformers.SharedInformerFactory
 }

@ -74,7 +72,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
 			graph := node.NewGraph()
 			node.AddGraphEventHandlers(
 				graph,
-				config.InformerFactory.Core().InternalVersion().Nodes(),
+				config.VersionedInformerFactory.Core().V1().Nodes(),
 				config.VersionedInformerFactory.Core().V1().Pods(),
 				config.VersionedInformerFactory.Core().V1().PersistentVolumes(),
 				config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
--- a/pkg/kubeapiserver/options/BUILD
+++ b/pkg/kubeapiserver/options/BUILD
@ -21,7 +21,6 @@ go_library(
    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/options",
    deps = [
        "//pkg/api/legacyscheme:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
        "//pkg/cloudprovider/providers:go_default_library",
        "//pkg/features:go_default_library",
        "//pkg/kubeapiserver/authenticator:go_default_library",
--- a/pkg/kubeapiserver/options/authorization.go
+++ b/pkg/kubeapiserver/options/authorization.go
@ -25,7 +25,6 @@ import (

 	"k8s.io/apimachinery/pkg/util/sets"
 	versionedinformers "k8s.io/client-go/informers"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
@ -110,14 +109,13 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 		"The duration to cache 'unauthorized' responses from the webhook authorizer.")
 }

-func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
+func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
 	return authorizer.AuthorizationConfig{
 		AuthorizationModes:          s.Modes,
 		PolicyFile:                  s.PolicyFile,
 		WebhookConfigFile:           s.WebhookConfigFile,
 		WebhookCacheAuthorizedTTL:   s.WebhookCacheAuthorizedTTL,
 		WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
-		InformerFactory:             informerFactory,
 		VersionedInformerFactory:    versionedInformerFactory,
 	}
 }
--- a/plugin/pkg/auth/authorizer/node/BUILD
+++ b/plugin/pkg/auth/authorizer/node/BUILD
@ -15,7 +15,6 @@ go_test(
    ],
    embed = [":go_default_library"],
    deps = [
-        "//pkg/apis/core:go_default_library",
        "//pkg/auth/nodeidentifier:go_default_library",
        "//pkg/features:go_default_library",
        "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
@ -45,7 +44,6 @@ go_library(
        "//pkg/apis/core:go_default_library",
        "//pkg/apis/storage:go_default_library",
        "//pkg/auth/nodeidentifier:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion/core/internalversion:go_default_library",
        "//pkg/features:go_default_library",
        "//plugin/pkg/auth/authorizer/rbac:go_default_library",
        "//staging/src/k8s.io/api/core/v1:go_default_library",
--- a/plugin/pkg/auth/authorizer/node/graph.go
+++ b/plugin/pkg/auth/authorizer/node/graph.go
@ -22,7 +22,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	pvutil "k8s.io/kubernetes/pkg/api/v1/persistentvolume"
 	podutil "k8s.io/kubernetes/pkg/api/v1/pod"
-	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/third_party/forked/gonum/graph"
 	"k8s.io/kubernetes/third_party/forked/gonum/graph/simple"
 )
@ -318,7 +317,7 @@ func (g *Graph) AddPod(pod *corev1.Pod) {
 	// Short-circuit adding edges to other resources for mirror pods.
 	// A node must never be able to create a pod that grants them permissions on other API objects.
 	// The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth.
-	if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; isMirrorPod {
+	if _, isMirrorPod := pod.Annotations[corev1.MirrorPodAnnotationKey]; isMirrorPod {
 		return
 	}

--- a/plugin/pkg/auth/authorizer/node/graph_populator.go
+++ b/plugin/pkg/auth/authorizer/node/graph_populator.go
@ -26,8 +26,6 @@ import (
 	corev1informers "k8s.io/client-go/informers/core/v1"
 	storageinformers "k8s.io/client-go/informers/storage/v1beta1"
 	"k8s.io/client-go/tools/cache"
-	api "k8s.io/kubernetes/pkg/apis/core"
-	coreinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/core/internalversion"
 	"k8s.io/kubernetes/pkg/features"
 )

@ -37,7 +35,7 @@ type graphPopulator struct {

 func AddGraphEventHandlers(
 	graph *Graph,
-	nodes coreinformers.NodeInformer,
+	nodes corev1informers.NodeInformer,
 	pods corev1informers.PodInformer,
 	pvs corev1informers.PersistentVolumeInformer,
 	attachments storageinformers.VolumeAttachmentInformer,
@ -80,10 +78,10 @@ func (g *graphPopulator) addNode(obj interface{}) {
 }

 func (g *graphPopulator) updateNode(oldObj, obj interface{}) {
-	node := obj.(*api.Node)
-	var oldNode *api.Node
+	node := obj.(*corev1.Node)
+	var oldNode *corev1.Node
 	if oldObj != nil {
-		oldNode = oldObj.(*api.Node)
+		oldNode = oldObj.(*corev1.Node)
 	}

 	// we only set up rules for ConfigMap today, because that is the only reference type
@ -119,7 +117,7 @@ func (g *graphPopulator) deleteNode(obj interface{}) {
 	if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
 		obj = tombstone.Obj
 	}
-	node, ok := obj.(*api.Node)
+	node, ok := obj.(*corev1.Node)
 	if !ok {
 		glog.Infof("unexpected type %T", obj)
 		return
--- a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
@ -33,7 +33,6 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
@ -684,7 +683,7 @@ func BenchmarkAuthorization(b *testing.B) {
 	}
 }

-func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
+func populate(graph *Graph, nodes []*corev1.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
 	p := &graphPopulator{}
 	p.graph = graph
 	for _, node := range nodes {
@ -705,8 +704,8 @@ func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*corev1
 // the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects.
 // for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0.
 // when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1.
-func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
-	nodes := make([]*api.Node, 0, opts.nodes)
+func generate(opts sampleDataOpts) ([]*corev1.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
+	nodes := make([]*corev1.Node, 0, opts.nodes)
 	pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode)
 	pvs := make([]*corev1.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
 	attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode)
@ -775,11 +774,11 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*corev1.Persis
 		}

 		name := fmt.Sprintf("%s-configmap", nodeName)
-		nodes = append(nodes, &api.Node{
+		nodes = append(nodes, &corev1.Node{
 			ObjectMeta: metav1.ObjectMeta{Name: nodeName},
-			Spec: api.NodeSpec{
-				ConfigSource: &api.NodeConfigSource{
-					ConfigMap: &api.ConfigMapNodeConfigSource{
+			Spec: corev1.NodeSpec{
+				ConfigSource: &corev1.NodeConfigSource{
+					ConfigMap: &corev1.ConfigMapNodeConfigSource{
 						Name:             name,
 						Namespace:        "ns0",
 						UID:              types.UID(fmt.Sprintf("ns0-%s", name)),
--- a/test/integration/auth/BUILD
+++ b/test/integration/auth/BUILD
@ -30,7 +30,6 @@ go_test(
        "//pkg/auth/authorizer/abac:go_default_library",
        "//pkg/auth/nodeidentifier:go_default_library",
        "//pkg/client/clientset_generated/internalclientset:go_default_library",
-        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
        "//pkg/controller/serviceaccount:go_default_library",
        "//pkg/features:go_default_library",
        "//pkg/kubeapiserver/authorizer:go_default_library",
--- a/test/integration/auth/node_test.go
+++ b/test/integration/auth/node_test.go
@ -42,7 +42,6 @@ import (
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
-	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 	"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
@ -75,7 +74,6 @@ func TestNodeAuthorizer(t *testing.T) {
 	// Build client config, clientset, and informers
 	clientConfig := &restclient.Config{Host: apiServer.URL, ContentConfig: restclient.ContentConfig{NegotiatedSerializer: legacyscheme.Codecs}}
 	superuserClient, superuserClientExternal := clientsetForToken(tokenMaster, clientConfig)
-	informerFactory := informers.NewSharedInformerFactory(superuserClient, time.Minute)
 	versionedInformerFactory := versionedinformers.NewSharedInformerFactory(superuserClientExternal, time.Minute)

 	// Enabled CSIPersistentVolume feature at startup so volumeattachments get watched
@ -87,7 +85,6 @@ func TestNodeAuthorizer(t *testing.T) {
 	// Set up Node+RBAC authorizer
 	authorizerConfig := &authorizer.AuthorizationConfig{
 		AuthorizationModes:       []string{"Node", "RBAC"},
-		InformerFactory:          informerFactory,
 		VersionedInformerFactory: versionedInformerFactory,
 	}
 	nodeRBACAuthorizer, _, err := authorizerConfig.New()
@ -114,7 +111,6 @@ func TestNodeAuthorizer(t *testing.T) {
 	// Start the informers
 	stopCh := make(chan struct{})
 	defer close(stopCh)
-	informerFactory.Start(stopCh)
 	versionedInformerFactory.Start(stopCh)

 	// Wait for a healthy server