kube-controller-manager: enable delegated authz/authn if secure port is enabled

2018-08-07 11:11:23 +02:00 · 2018-08-07 11:11:23 +02:00 · 5fa8b4b2ae
parent eb27b61cdb
commit 5fa8b4b2ae
2 changed files with 29 additions and 7 deletions
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@ -185,10 +185,14 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 			BindPort:    int(componentConfig.KubeCloudShared.Port),
 			BindNetwork: "tcp",
 		},
-		Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
-		Authorization:  nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
+		Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
+		Authorization:  apiserveroptions.NewDelegatingAuthorizationOptions(),
 	}

+	s.Authentication.RemoteKubeConfigFileOptional = true
+	s.Authorization.RemoteKubeConfigFileOptional = true
+	s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
+
 	s.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
 	s.SecureServing.ServerCert.PairName = "kube-controller-manager"
 	s.SecureServing.BindPort = ports.KubeControllerManagerPort
@ -349,12 +353,14 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config) e
 	if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
 		return err
 	}
+	if s.SecureServing.BindPort != 0 || s.SecureServing.Listener != nil {
 		if err := s.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
 			return err
 		}
 		if err := s.Authorization.ApplyTo(&c.Authorization); err != nil {
 			return err
 		}
+	}

 	// sync back to component config
 	// TODO: find more elegant way than syncing back the values.
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@ -264,6 +264,22 @@ func TestAddFlags(t *testing.T) {
 			BindPort:    int(10000),
 			BindNetwork: "tcp",
 		},
+		Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
+			CacheTTL:   10 * time.Second,
+			ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
+			RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
+				UsernameHeaders:     []string{"x-remote-user"},
+				GroupHeaders:        []string{"x-remote-group"},
+				ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+			},
+			RemoteKubeConfigFileOptional: true,
+		},
+		Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
+			AllowCacheTTL:                10 * time.Second,
+			DenyCacheTTL:                 10 * time.Second,
+			RemoteKubeConfigFileOptional: true,
+			AlwaysAllowPaths:             []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+		},
 		Kubeconfig: "/kubeconfig",
 		Master:     "192.168.4.20",
 	}