scheduler: add https+authn+authz to options, set to nil for now
parent
abc8c98e35
commit
2af0bdb00f
|
@ -17,6 +17,7 @@ limitations under the License.
|
|||
package config
|
||||
|
||||
import (
|
||||
apiserver "k8s.io/apiserver/pkg/server"
|
||||
"k8s.io/client-go/informers"
|
||||
coreinformers "k8s.io/client-go/informers/core/v1"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
|
@ -34,6 +35,9 @@ type Config struct {
|
|||
|
||||
InsecureServing *app.InsecureServingInfo // nil will disable serving on an insecure port
|
||||
InsecureMetricsServing *app.InsecureServingInfo // non-nil if metrics should be served independently
|
||||
Authentication apiserver.AuthenticationInfo
|
||||
Authorization apiserver.AuthorizationInfo
|
||||
SecureServing *apiserver.SecureServingInfo
|
||||
|
||||
Client clientset.Interface
|
||||
InformerFactory informers.SharedInformerFactory
|
||||
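Review bot: The three new Config fields (Authentication, Authorization, SecureServing) carry no doc comment, while the neighbouring InsecureServing and InsecureMetricsServing fields spell out what nil means. Since the server.go change in this commit consults Authentication/Authorization only inside its `c.SecureServing != nil` branch, that contract belongs on the struct: `SecureServing *apiserver.SecureServingInfo // nil will disable serving on the secure port` and `// Authentication and Authorization are used only for the secure port; the insecure ports are served without them.` The Config struct opens and closes outside this hunk.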
|
|
|
@ -28,6 +28,7 @@ import (
|
|||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
apiserveroptions "k8s.io/apiserver/pkg/server/options"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/client-go/informers"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
|
@ -52,7 +53,10 @@ type Options struct {
|
|||
// The default values. These are overridden if ConfigFile is set or by values in InsecureServing.
|
||||
ComponentConfig componentconfig.KubeSchedulerConfiguration
|
||||
|
||||
SecureServing *apiserveroptions.SecureServingOptions
|
||||
CombinedInsecureServing *CombinedInsecureServingOptions
|
||||
Authentication *apiserveroptions.DelegatingAuthenticationOptions
|
||||
Authorization *apiserveroptions.DelegatingAuthorizationOptions
|
||||
Deprecated *DeprecatedOptions
|
||||
|
||||
// ConfigFile is the location of the scheduler server's configuration file.
|
||||
|
@ -78,6 +82,7 @@ func NewOptions() (*Options, error) {
|
|||
|
||||
o := &Options{
|
||||
ComponentConfig: *cfg,
|
||||
SecureServing: nil, // TODO: enable with apiserveroptions.NewSecureServingOptions()
|
||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||
Healthz: &controlleroptions.InsecureServingOptions{
|
||||
BindNetwork: "tcp",
|
||||
|
@ -88,6 +93,8 @@ func NewOptions() (*Options, error) {
|
|||
BindPort: hport,
|
||||
BindAddress: hhost,
|
||||
},
|
||||
Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
|
||||
Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
|
||||
Deprecated: &DeprecatedOptions{
|
||||
UseLegacyPolicyConfig: false,
|
||||
PolicyConfigMapNamespace: metav1.NamespaceSystem,
|
||||
|
@ -125,7 +132,10 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
|
|||
fs.StringVar(&o.WriteConfigTo, "write-config-to", o.WriteConfigTo, "If set, write the configuration values to this file and exit.")
|
||||
fs.StringVar(&o.Master, "master", o.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig)")
|
||||
|
||||
o.SecureServing.AddFlags(fs)
|
||||
o.CombinedInsecureServing.AddFlags(fs)
|
||||
o.Authentication.AddFlags(fs)
|
||||
o.Authorization.AddFlags(fs)
|
||||
o.Deprecated.AddFlags(fs, &o.ComponentConfig)
|
||||
|
||||
leaderelectionconfig.BindFlags(&o.ComponentConfig.LeaderElection.LeaderElectionConfiguration, fs)
|
||||
|
@ -163,14 +173,23 @@ func (o *Options) ApplyTo(c *schedulerappconfig.Config) error {
|
|||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
|
||||
return err
|
||||
}
|
||||
return o.Authorization.ApplyTo(&c.Authorization)
|
||||
}
|
||||
|
||||
// Validate validates all the required options.
|
||||
func (o *Options) Validate() []error {
|
||||
var errs []error
|
||||
|
||||
errs = append(errs, o.SecureServing.Validate()...)
|
||||
errs = append(errs, o.CombinedInsecureServing.Validate()...)
|
||||
errs = append(errs, o.Authentication.Validate()...)
|
||||
errs = append(errs, o.Authorization.Validate()...)
|
||||
errs = append(errs, o.Deprecated.Validate()...)
|
||||
|
||||
return errs
|
||||
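Review bot: AddFlags, ApplyTo and Validate now call methods on o.SecureServing, o.Authentication and o.Authorization, which NewOptions deliberately leaves nil, so the code silently depends on those apiserveroptions types accepting a nil receiver; that assumption should be stated where the nil is assigned, e.g. `// nil is safe here: the apiserveroptions *Options methods are no-ops on a nil receiver` (confirm against the vendored apiserver version). The call order inside ApplyTo is also load-bearing: `o.Authentication.ApplyTo` is handed `c.SecureServing`, which is presumably populated only by the `o.SecureServing.ApplyTo(&c.SecureServing)` call directly above it, so a comment such as `// SecureServing must be applied before Authentication, which reads c.SecureServing` would keep a later reorder from breaking it. The trailing positional `nil` passed to `Authentication.ApplyTo` is opaque at the call site (presumably the OpenAPI config); a short comment naming what is being left unset would help the next reader. The ApplyTo function begins outside this hunk.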
|
|
|
@ -30,6 +30,8 @@ import (
|
|||
utilerrors "k8s.io/apimachinery/pkg/util/errors"
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
|
||||
apirequest "k8s.io/apiserver/pkg/endpoints/request"
|
||||
genericfilters "k8s.io/apiserver/pkg/server/filters"
|
||||
|
@ -42,6 +44,7 @@ import (
|
|||
"k8s.io/client-go/tools/leaderelection"
|
||||
schedulerserverconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
|
||||
"k8s.io/kubernetes/cmd/kube-scheduler/app/options"
|
||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||
"k8s.io/kubernetes/pkg/apis/componentconfig"
|
||||
"k8s.io/kubernetes/pkg/controller"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
|
@ -149,7 +152,8 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error
|
|||
|
||||
// Start up the healthz server.
|
||||
if c.InsecureServing != nil {
|
||||
handler := buildHandlerChain(newHealthzHandler(&c.ComponentConfig, c.InsecureMetricsServing != nil))
|
||||
separateMetrics := c.InsecureMetricsServing != nil
|
||||
handler := buildHandlerChain(newHealthzHandler(&c.ComponentConfig, separateMetrics), nil, nil)
|
||||
// TODO: fail early as all other Kubernetes binaries
|
||||
go wait.Until(func() {
|
||||
if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil {
|
||||
|
@ -158,7 +162,7 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error
|
|||
}, 5*time.Second, stopCh)
|
||||
}
|
||||
if c.InsecureServing != nil {
|
||||
handler := buildHandlerChain(newMetricsHandler(&c.ComponentConfig))
|
||||
handler := buildHandlerChain(newMetricsHandler(&c.ComponentConfig), nil, nil)
|
||||
// TODO: fail early as all other Kubernetes binaries
|
||||
go wait.Until(func() {
|
||||
if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil {
|
||||
|
@ -166,6 +170,13 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error
|
|||
}
|
||||
}, 5*time.Second, stopCh)
|
||||
}
|
||||
if c.SecureServing != nil {
|
||||
handler := buildHandlerChain(newHealthzHandler(&c.ComponentConfig, false), c.Authentication.Authenticator, c.Authorization.Authorizer)
|
||||
if err := c.SecureServing.Serve(handler, 0, stopCh); err != nil {
|
||||
// fail early for secure handlers, removing the old error loop from above
|
||||
return fmt.Errorf("failed to start healthz server: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// Start all informers.
|
||||
go c.PodInformer.Informer().Run(stopCh)
|
||||
|
@ -205,9 +216,13 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error
|
|||
}
|
||||
|
||||
// buildHandlerChain wraps the given handler with the standard filters.
|
||||
func buildHandlerChain(handler http.Handler) http.Handler {
|
||||
func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz authorizer.Authorizer) http.Handler {
|
||||
requestInfoResolver := &apirequest.RequestInfoFactory{}
|
||||
failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
|
||||
|
||||
handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
|
||||
handler = genericapifilters.WithAuthorization(handler, authz, legacyscheme.Codecs)
|
||||
handler = genericapifilters.WithAuthentication(handler, authn, failedHandler)
|
||||
handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
|
||||
handler = genericfilters.WithPanicRecovery(handler)
|
||||
|
||||
|
|
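Review bot: In the new `c.SecureServing != nil` branch the healthz handler (which, with separateMetrics false, also carries metrics) is wrapped with `c.Authentication.Authenticator` and `c.Authorization.Authorizer` without checking that either is set; as far as I recall the apiserver WithAuthentication/WithAuthorization filters treat a nil authenticator/authorizer as "disabled" and pass the handler through with only a log warning, which is the behaviour the `nil, nil` calls on the insecure ports deliberately rely on, but on the secure port it means that enabling SecureServing while Authentication/Authorization are still nil (exactly the state NewOptions leaves them in) fails open. A guard before building the chain, `if c.Authentication.Authenticator == nil || c.Authorization.Authorizer == nil { return fmt.Errorf("secure serving requires authentication and authorization to be configured") }`, would turn that into a startup error instead. Separately, the comment `// fail early for secure handlers, removing the old error loop from above` describes the commit rather than the code; `// unlike the insecure ports above, a secure-port bind failure is fatal` reads better once the history is gone. Run starts and ends outside these hunks, and the tail of the buildHandlerChain hunk is cut off at the end of the page.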