From 454276c23ce39f261564e9cbebe0df8adab14a6d Mon Sep 17 00:00:00 2001
From: Yang Guo
Date: Mon, 22 Jan 2018 16:18:34 -0800
Subject: [PATCH] Use SSH tunnel for webhook communication iff the webhook is deployed as a service

---
 cmd/kube-apiserver/app/server.go | 8 +++++---
 .../plugin/webhook/config/authentication.go | 17 +++++++++++------
 .../webhook/config/authentication_test.go | 2 +-
 .../admission/plugin/webhook/config/client.go | 4 ++--
 .../plugin/webhook/mutating/admission_test.go | 2 +-
 .../plugin/webhook/validating/admission_test.go | 2 +-
 6 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index 2897197f0a..f2f1874969 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -460,15 +460,17 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp
 	}
 
 	webhookAuthResolver := func(delegate webhookconfig.AuthenticationInfoResolver) webhookconfig.AuthenticationInfoResolver {
-		return webhookconfig.AuthenticationInfoResolverFunc(func(server string) (*rest.Config, error) {
+		return webhookconfig.AuthenticationInfoResolverFunc(func(server string, directRouting bool) (*rest.Config, error) {
 			if server == "kubernetes.default.svc" {
 				return genericConfig.LoopbackClientConfig, nil
 			}
-			ret, err := delegate.ClientConfigFor(server)
+			ret, err := delegate.ClientConfigFor(server, directRouting)
 			if err != nil {
 				return nil, err
 			}
-			if proxyTransport != nil && proxyTransport.Dial != nil {
+			if !directRouting && proxyTransport != nil && proxyTransport.Dial != nil {
+				// Use the SSH tunnels iff the webhook server is not directly
+				// routable from apiserver's network environment.
 				ret.Dial = proxyTransport.Dial
 			}
 			return ret, err
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication.go
index dd956f140a..64aabb735e 100644
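Review bot: The comment added above `ret.Dial = proxyTransport.Dial` describes the decision as being about whether the webhook server is "directly routable", but the flag is not derived from routability: the call sites in client.go pass `false` for Service-backed webhooks and `true` for URL-configured ones, so the tunnel is skipped for any URL regardless of where it points. The comment should state the actual criterion so that an operator debugging a webhook that is unreachable from the master network understands why no tunnel was used, e.g. `// directRouting is false for Service-backed webhooks, which are dialed through the master-to-node tunnel when one is configured; URL-configured webhooks (directRouting == true) are always dialed directly from the apiserver's network.` The loopback short-circuit on `kubernetes.default.svc` above ignores directRouting entirely, which looks intentional but deserves a word in the same comment. BuildGenericConfig starts and ends outside this hunk.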
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication.go
@@ -31,17 +31,22 @@ import (
 // rest.Config generated by the resolver.
 type AuthenticationInfoResolverWrapper func(AuthenticationInfoResolver) AuthenticationInfoResolver
 
-// AuthenticationInfoResolver builds rest.Config base on the server name.
+// AuthenticationInfoResolver builds rest.Config base on the server name and
+// the directRouting flag indicating whether the webhook server is routable
+// directly from apiserver's network environment.
+//
+// TODO(yguo0905): Remove the directRouting flag once the SSH tunnels that is
+// used for the communication from master to nodes get removed.
 type AuthenticationInfoResolver interface {
-	ClientConfigFor(server string) (*rest.Config, error)
+	ClientConfigFor(server string, directRouting bool) (*rest.Config, error)
 }
 
 // AuthenticationInfoResolverFunc implements AuthenticationInfoResolver.
-type AuthenticationInfoResolverFunc func(server string) (*rest.Config, error)
+type AuthenticationInfoResolverFunc func(server string, directRouting bool) (*rest.Config, error)
 
 //ClientConfigFor implements AuthenticationInfoResolver.
-func (a AuthenticationInfoResolverFunc) ClientConfigFor(server string) (*rest.Config, error) {
-	return a(server)
+func (a AuthenticationInfoResolverFunc) ClientConfigFor(server string, directRouting bool) (*rest.Config, error) {
+	return a(server, directRouting)
 }
 
 type defaultAuthenticationInfoResolver struct {
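Review bot: The new doc comment on AuthenticationInfoResolver has two wording defects: `base on` should be `based on`, and `the SSH tunnels that is used ... get removed` mixes singular and plural (`that are used`). It would also help to say what callers actually pass, since the visible call sites in client.go set the flag from how the webhook is configured rather than from any probe of the network: `// directRouting is true when the server is dialed directly (webhooks configured by URL) and false when the connection may have to go through the master-to-node tunnel (webhooks backed by a Service).` While touching this block, the pre-existing `//ClientConfigFor implements ...` comment is missing the space after `//` that the file's other doc comments use.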
@@ -67,7 +72,7 @@ func NewDefaultAuthenticationInfoResolver(kubeconfigFile string) (Authentication
 	return &defaultAuthenticationInfoResolver{kubeconfig: clientConfig}, nil
 }
 
-func (c *defaultAuthenticationInfoResolver) ClientConfigFor(server string) (*rest.Config, error) {
+func (c *defaultAuthenticationInfoResolver) ClientConfigFor(server string, directRouting bool) (*rest.Config, error) {
 	// exact match
 	if authConfig, ok := c.kubeconfig.AuthInfos[server]; ok {
 		return restConfigFromKubeconfig(authConfig)
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication_test.go
index cd63bd94bb..b20ef2ed6b 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication_test.go
@@ -114,7 +114,7 @@ func TestAuthenticationDetection(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			resolver := defaultAuthenticationInfoResolver{kubeconfig: tc.kubeconfig}
-			actual, err := resolver.ClientConfigFor(tc.serverName)
+			actual, err := resolver.ClientConfigFor(tc.serverName, false)
 			if err != nil {
 				t.Fatal(err)
 			}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/client.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/client.go
index 28fac414e1..d03dc92cfd 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/client.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/client.go
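Review bot: `directRouting` is added to the signature of defaultAuthenticationInfoResolver.ClientConfigFor only to satisfy the widened interface; in the visible lines the method reads just `server` to pick credentials from `c.kubeconfig.AuthInfos`, and credential selection should not depend on the transport path. A one-line comment above the method, `// directRouting only affects how the server is dialed by the caller; it does not influence which credentials are selected here.`, would stop a reader from hunting for a branch on it. The method body continues past the end of the hunk, so I cannot confirm the parameter is unused throughout.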
@@ -123,7 +123,7 @@ func (cm *ClientManager) HookClient(h *v1beta1.Webhook) (*rest.RESTClient, error
 
 	if svc := h.ClientConfig.Service; svc != nil {
 		serverName := svc.Name + "." + svc.Namespace + ".svc"
-		restConfig, err := cm.authInfoResolver.ClientConfigFor(serverName)
+		restConfig, err := cm.authInfoResolver.ClientConfigFor(serverName, false)
 		if err != nil {
 			return nil, err
 		}
@@ -162,7 +162,7 @@ func (cm *ClientManager) HookClient(h *v1beta1.Webhook) (*rest.RESTClient, error
 		return nil, &webhookerrors.ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Unparsable URL: %v", err)}
 	}
 
-	restConfig, err := cm.authInfoResolver.ClientConfigFor(u.Host)
+	restConfig, err := cm.authInfoResolver.ClientConfigFor(u.Host, true)
 	if err != nil {
 		return nil, err
 	}
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/admission_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/admission_test.go
index da9c79a3b9..8c9952d7ea 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/admission_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/admission_test.go
@@ -631,7 +631,7 @@ type fakeAuthenticationInfoResolver struct {
 	cachedCount *int32
 }
 
-func (c *fakeAuthenticationInfoResolver) ClientConfigFor(server string) (*rest.Config, error) {
+func (c *fakeAuthenticationInfoResolver) ClientConfigFor(server string, directRouting bool) (*rest.Config, error) {
 	atomic.AddInt32(c.cachedCount, 1)
 	return c.restConfig, nil
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/admission_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/admission_test.go
index 15271f040b..81df9a3a9a 100644
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/admission_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/admission_test.go
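Review bot: The bare literals `false` and `true` passed to `ClientConfigFor` at the two call sites in HookClient encode the transport decision without saying so, and a reader of client.go cannot tell from here that `false` means "may need the master-to-node tunnel" while `true` means "dial from the apiserver's own network". A comment at each site would carry that: `// Service-backed webhooks are resolved in-cluster and may only be reachable through the master-to-node tunnel.` on the first and `// URL-configured webhooks are always dialed directly from the apiserver.` on the second. Since the flag decides whether traffic leaves via the tunnel or the apiserver's own network, documenting it at the point of choice also helps anyone auditing where webhook connections originate. HookClient starts and ends outside both hunks.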
@@ -656,7 +656,7 @@ type fakeAuthenticationInfoResolver struct {
 	cachedCount *int32
 }
 
-func (c *fakeAuthenticationInfoResolver) ClientConfigFor(server string) (*rest.Config, error) {
+func (c *fakeAuthenticationInfoResolver) ClientConfigFor(server string, directRouting bool) (*rest.Config, error) {
 	atomic.AddInt32(c.cachedCount, 1)
 	return c.restConfig, nil
 }