mirror of https://github.com/k3s-io/k3s
kube-controller-manager: disable authn/z on insecure port
This is the old behaviour and we did not intent to change it due to enabled authn/z in general. As the kube-apiserver this sets the "system:unsecured" user info.pull/8/head
Dr. Stefan Schimanski
parent
e209b643a7
commit
8aa0eefce8
|
|
@ -39,8 +39,13 @@ func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.Aut
|
|||
requestInfoResolver := &apirequest.RequestInfoFactory{}
|
||||
failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
|
||||
|
||||
handler := genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs)
|
||||
handler = genericapifilters.WithAuthentication(handler, authenticationInfo.Authenticator, failedHandler)
|
||||
handler := apiHandler
|
||||
if authorizationInfo != nil {
|
||||
handler = genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs)
|
||||
}
|
||||
if authenticationInfo != nil {
|
||||
handler = genericapifilters.WithAuthentication(handler, authenticationInfo.Authenticator, failedHandler)
|
||||
}
|
||||
handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
|
||||
handler = genericfilters.WithPanicRecovery(handler)
|
||||
|
||||
|
|
|
|||
|
|
@ -111,6 +111,7 @@ go_library(
|
|||
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/server/mux:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/util/flag:go_default_library",
|
||||
|
|
|
|||
|
|
@ -25,19 +25,19 @@ import (
|
|||
"fmt"
|
||||
"io/ioutil"
|
||||
"math/rand"
|
||||
"net/http"
|
||||
"os"
|
||||
"time"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"github.com/spf13/cobra"
|
||||
|
||||
"net/http"
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
"k8s.io/apiserver/pkg/server/mux"
|
||||
apiserverflag "k8s.io/apiserver/pkg/util/flag"
|
||||
cacheddiscovery "k8s.io/client-go/discovery/cached"
|
||||
|
|
@ -160,7 +160,8 @@ func Run(c *config.CompletedConfig, stopCh <-chan struct{}) error {
|
|||
}
|
||||
if c.InsecureServing != nil {
|
||||
unsecuredMux = genericcontrollermanager.NewBaseHandler(&c.ComponentConfig.Debugging)
|
||||
handler := genericcontrollermanager.BuildHandlerChain(unsecuredMux, &c.Authorization, &c.Authentication)
|
||||
insecureSuperuserAuthn := server.AuthenticationInfo{Authenticator: &server.InsecureSuperuser{}}
|
||||
handler := genericcontrollermanager.BuildHandlerChain(unsecuredMux, nil, &insecureSuperuserAuthn)
|
||||
if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,7 +10,6 @@ go_library(
|
|||
srcs = ["insecure_handler.go"],
|
||||
importpath = "k8s.io/kubernetes/pkg/kubeapiserver/server",
|
||||
deps = [
|
||||
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
|
||||
"//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library",
|
||||
|
|
|
|||
|
|
@ -19,7 +19,6 @@ package server
|
|||
import (
|
||||
"net/http"
|
||||
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
genericfilters "k8s.io/apiserver/pkg/server/filters"
|
||||
|
|
@ -32,7 +31,7 @@ import (
|
|||
func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
|
||||
handler := apiHandler
|
||||
handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
|
||||
handler = genericapifilters.WithAuthentication(handler, insecureSuperuser{}, nil)
|
||||
handler = genericapifilters.WithAuthentication(handler, server.InsecureSuperuser{}, nil)
|
||||
handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
|
||||
handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
|
||||
handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
|
||||
|
|
@ -42,15 +41,3 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
|
|||
|
||||
return handler
|
||||
}
|
||||
|
||||
// insecureSuperuser implements authenticator.Request to always return a superuser.
|
||||
// This is functionally equivalent to skipping authentication and authorization,
|
||||
// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
|
||||
type insecureSuperuser struct{}
|
||||
|
||||
func (insecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
|
||||
return &user.DefaultInfo{
|
||||
Name: "system:unsecured",
|
||||
Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
|
||||
}, true, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@ import (
|
|||
|
||||
"github.com/golang/glog"
|
||||
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/client-go/rest"
|
||||
)
|
||||
|
||||
|
|
@ -70,3 +71,15 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
|
|||
Burst: 100,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// InsecureSuperuser implements authenticator.Request to always return a superuser.
|
||||
// This is functionally equivalent to skipping authentication and authorization,
|
||||
// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
|
||||
type InsecureSuperuser struct{}
|
||||
|
||||
func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
|
||||
return &user.DefaultInfo{
|
||||
Name: "system:unsecured",
|
||||
Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
|
||||
}, true, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -176,6 +176,11 @@ users:
|
|||
"--kubeconfig", apiserverConfig.Name(),
|
||||
"--leader-elect=false",
|
||||
}, "/healthz", true, false, intPtr(http.StatusOK), nil},
|
||||
{"/metrics without auhn/z", []string{
|
||||
"--kubeconfig", apiserverConfig.Name(),
|
||||
"--kubeconfig", apiserverConfig.Name(),
|
||||
"--leader-elect=false",
|
||||
}, "/metrics", true, false, intPtr(http.StatusForbidden), intPtr(http.StatusOK)},
|
||||
{"authorization skipped for /healthz with authn/authz", []string{
|
||||
"--port=0",
|
||||
"--authentication-kubeconfig", apiserverConfig.Name(),
|
||||
|
|
@ -199,12 +204,11 @@ users:
|
|||
"--leader-elect=false",
|
||||
}, "/metrics", false, false, intPtr(http.StatusForbidden), nil},
|
||||
{"not authorized /metrics with BROKEN authn/authz", []string{
|
||||
"--port=0",
|
||||
"--authentication-kubeconfig", apiserverConfig.Name(),
|
||||
"--authorization-kubeconfig", brokenApiserverConfig.Name(),
|
||||
"--kubeconfig", apiserverConfig.Name(),
|
||||
"--leader-elect=false",
|
||||
}, "/metrics", false, false, intPtr(http.StatusInternalServerError), nil},
|
||||
}, "/metrics", false, false, intPtr(http.StatusInternalServerError), intPtr(http.StatusOK)},
|
||||
{"always-allowed /metrics with BROKEN authn/authz", []string{
|
||||
"--port=0",
|
||||
"--authentication-skip-lookup", // to survive unaccessible extensions-apiserver-authentication configmap
|
||||
|
|
|
|||
Loading…
Reference in New Issue