From 2af0bdb00f61619b0ae697efe0716196bb1a6bda Mon Sep 17 00:00:00 2001 From: "Dr. Stefan Schimanski" Date: Sat, 24 Feb 2018 16:02:27 +0100 Subject: [PATCH] scheduler: add https+authn+authz to options, set to nil for now --- cmd/kube-scheduler/app/config/config.go | 4 ++++ cmd/kube-scheduler/app/options/options.go | 21 ++++++++++++++++++++- cmd/kube-scheduler/app/server.go | 21 ++++++++++++++++++--- 3 files changed, 42 insertions(+), 4 deletions(-) diff --git a/cmd/kube-scheduler/app/config/config.go b/cmd/kube-scheduler/app/config/config.go index 6c7598f86b..e57f9c224c 100644 --- a/cmd/kube-scheduler/app/config/config.go +++ b/cmd/kube-scheduler/app/config/config.go @@ -17,6 +17,7 @@ limitations under the License. package config import ( + apiserver "k8s.io/apiserver/pkg/server" "k8s.io/client-go/informers" coreinformers "k8s.io/client-go/informers/core/v1" clientset "k8s.io/client-go/kubernetes" @@ -34,6 +35,9 @@ type Config struct { InsecureServing *app.InsecureServingInfo // nil will disable serving on an insecure port InsecureMetricsServing *app.InsecureServingInfo // non-nil if metrics should be served independently + Authentication apiserver.AuthenticationInfo + Authorization apiserver.AuthorizationInfo + SecureServing *apiserver.SecureServingInfo Client clientset.Interface InformerFactory informers.SharedInformerFactory diff --git a/cmd/kube-scheduler/app/options/options.go b/cmd/kube-scheduler/app/options/options.go index 43c8c815c9..871c7d8c51 100644 --- a/cmd/kube-scheduler/app/options/options.go +++ b/cmd/kube-scheduler/app/options/options.go @@ -28,6 +28,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/uuid" + apiserveroptions "k8s.io/apiserver/pkg/server/options" utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/client-go/informers" clientset "k8s.io/client-go/kubernetes" 
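Review bot: The three fields added to Config after InsecureMetricsServing carry no comment, while the two neighbouring fields document what nil means. In server.go in this same patch, Authentication.Authenticator and Authorization.Authorizer are only consulted inside the `if c.SecureServing != nil` branch, so that coupling belongs on the struct: `SecureServing *apiserver.SecureServingInfo // nil disables the https endpoint`, `Authentication apiserver.AuthenticationInfo // only consulted when SecureServing is non-nil`, and the same note on Authorization. Config's definition continues past the hunk.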
@@ -52,7 +53,10 @@ type Options struct { // The default values. These are overridden if ConfigFile is set or by values in InsecureServing. ComponentConfig componentconfig.KubeSchedulerConfiguration + SecureServing *apiserveroptions.SecureServingOptions CombinedInsecureServing *CombinedInsecureServingOptions + Authentication *apiserveroptions.DelegatingAuthenticationOptions + Authorization *apiserveroptions.DelegatingAuthorizationOptions Deprecated *DeprecatedOptions // ConfigFile is the location of the scheduler server's configuration file. @@ -78,6 +82,7 @@ func NewOptions() (*Options, error) { o := &Options{ ComponentConfig: *cfg, + SecureServing: nil, // TODO: enable with apiserveroptions.NewSecureServingOptions() CombinedInsecureServing: &CombinedInsecureServingOptions{ Healthz: &controlleroptions.InsecureServingOptions{ BindNetwork: "tcp", @@ -88,6 +93,8 @@ func NewOptions() (*Options, error) { BindPort: hport, BindAddress: hhost, }, + Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions() + Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions() Deprecated: &DeprecatedOptions{ UseLegacyPolicyConfig: false, PolicyConfigMapNamespace: metav1.NamespaceSystem, @@ -125,7 +132,10 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { fs.StringVar(&o.WriteConfigTo, "write-config-to", o.WriteConfigTo, "If set, write the configuration values to this file and exit.") fs.StringVar(&o.Master, "master", o.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig)") + o.SecureServing.AddFlags(fs) o.CombinedInsecureServing.AddFlags(fs) + o.Authentication.AddFlags(fs) + o.Authorization.AddFlags(fs) o.Deprecated.AddFlags(fs, &o.ComponentConfig) leaderelectionconfig.BindFlags(&o.ComponentConfig.LeaderElection.LeaderElectionConfiguration, fs) 
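Review bot: `o.SecureServing.AddFlags(fs)`, `o.Authentication.AddFlags(fs)` and `o.Authorization.AddFlags(fs)` are called unconditionally in AddFlags, yet NewOptions in the hunks above initialises all three pointers to nil. Startup therefore does not panic only if the apiserveroptions AddFlags methods tolerate a nil receiver, which this diff does not show; if they do, say so with `// nil options are skipped: the apiserveroptions AddFlags methods are nil-receiver safe`, otherwise guard each call with `if o.SecureServing != nil { o.SecureServing.AddFlags(fs) }` and likewise for the other two. The same reliance recurs in ApplyTo and Validate in the next hunk. AddFlags's body continues outside the hunk.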
@@ -163,14 +173,23 @@ func (o *Options) ApplyTo(c *schedulerappconfig.Config) error { } } - return nil + if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil { + return err + } + if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil { + return err + } + return o.Authorization.ApplyTo(&c.Authorization) } // Validate validates all the required options. func (o *Options) Validate() []error { var errs []error + errs = append(errs, o.SecureServing.Validate()...) errs = append(errs, o.CombinedInsecureServing.Validate()...) + errs = append(errs, o.Authentication.Validate()...) + errs = append(errs, o.Authorization.Validate()...) errs = append(errs, o.Deprecated.Validate()...) return errs diff --git a/cmd/kube-scheduler/app/server.go b/cmd/kube-scheduler/app/server.go index 13af496e03..09d07959bd 100644 --- a/cmd/kube-scheduler/app/server.go +++ b/cmd/kube-scheduler/app/server.go @@ -30,6 +30,8 @@ import ( utilerrors "k8s.io/apimachinery/pkg/util/errors" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/apiserver/pkg/authentication/authenticator" + "k8s.io/apiserver/pkg/authorization/authorizer" genericapifilters "k8s.io/apiserver/pkg/endpoints/filters" apirequest "k8s.io/apiserver/pkg/endpoints/request" genericfilters "k8s.io/apiserver/pkg/server/filters" @@ -42,6 +44,7 @@ import ( "k8s.io/client-go/tools/leaderelection" schedulerserverconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config" "k8s.io/kubernetes/cmd/kube-scheduler/app/options" + "k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/apis/componentconfig" "k8s.io/kubernetes/pkg/controller" "k8s.io/kubernetes/pkg/features" 
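Review bot: Validate accepts a configuration in which SecureServing is set while Authentication or Authorization is nil, and ApplyTo then leaves c.Authentication.Authenticator and c.Authorization.Authorizer at their zero values, so the https endpoint built in server.go would run without an authenticator or authorizer. Since the three options are enabled by independent TODOs, Validate is the place to pin the invariant: `if o.SecureServing != nil && (o.Authentication == nil || o.Authorization == nil) { errs = append(errs, errors.New("secure serving requires delegating authentication and authorization options")) }`. Whether options.go already imports errors is not visible in this chunk. ApplyTo starts before the hunk.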
@@ -149,7 +152,8 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error // Start up the healthz server. if c.InsecureServing != nil { - handler := buildHandlerChain(newHealthzHandler(&c.ComponentConfig, c.InsecureMetricsServing != nil)) + separateMetrics := c.InsecureMetricsServing != nil + handler := buildHandlerChain(newHealthzHandler(&c.ComponentConfig, separateMetrics), nil, nil) // TODO: fail early as all other Kubernetes binaries go wait.Until(func() { if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil { @@ -158,7 +162,7 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error }, 5*time.Second, stopCh) } if c.InsecureServing != nil { - handler := buildHandlerChain(newMetricsHandler(&c.ComponentConfig)) + handler := buildHandlerChain(newMetricsHandler(&c.ComponentConfig), nil, nil) // TODO: fail early as all other Kubernetes binaries go wait.Until(func() { if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil { @@ -166,6 +170,13 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error } }, 5*time.Second, stopCh) } + if c.SecureServing != nil { + handler := buildHandlerChain(newHealthzHandler(&c.ComponentConfig, false), c.Authentication.Authenticator, c.Authorization.Authorizer) + if err := c.SecureServing.Serve(handler, 0, stopCh); err != nil { + // fail early for secure handlers, removing the old error loop from above + return fmt.Errorf("failed to start healthz server: %v", err) + } + } // Start all informers. go c.PodInformer.Informer().Run(stopCh) 
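Review bot: The new `if c.SecureServing != nil` branch passes c.Authentication.Authenticator and c.Authorization.Authorizer to buildHandlerChain without checking that either is set, so an https endpoint enabled without the separately TODO-gated auth options would serve healthz with nil authn/authz. Fail closed before building the handler: `if c.Authentication.Authenticator == nil || c.Authorization.Authorizer == nil { return fmt.Errorf("secure serving requires an authenticator and an authorizer") }`. The inline `c.SecureServing.Serve` call, unlike the wait.Until loops above it, also presumes Serve returns once the listener is started rather than blocking; that is not visible here and deserves a comment if it holds. Run's body continues outside the hunk.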
@@ -205,9 +216,13 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error } // buildHandlerChain wraps the given handler with the standard filters. -func buildHandlerChain(handler http.Handler) http.Handler { +func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz authorizer.Authorizer) http.Handler { requestInfoResolver := &apirequest.RequestInfoFactory{} + failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false) + handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver) + handler = genericapifilters.WithAuthorization(handler, authz, legacyscheme.Codecs) + handler = genericapifilters.WithAuthentication(handler, authn, failedHandler) handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver) handler = genericfilters.WithPanicRecovery(handler)
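Review bot: `genericapifilters.WithRequestInfo` is now applied twice in buildHandlerChain, once as the new innermost wrapper and once as the pre-existing wrapper outside WithAuthentication. The outer one runs first on every request and presumably populates the context before WithAuthorization reads it, so the added inner call is redundant and can be dropped, leaving PanicRecovery → RequestInfo → Authentication → Authorization → handler. A comment on the order would help, e.g. `// outermost first: panic recovery, request info (needed by authz), authn, authz`, and the bare `false` passed to Unauthorized deserves a name in a comment. Because the insecure callers pass nil for authn and authz, the doc comment should also state what a nil authenticator or authorizer means for the chain, which depends on filter behaviour not shown here. buildHandlerChain's return continues past the hunk.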