diff --git a/cmd/controller-manager/app/serve.go b/cmd/controller-manager/app/serve.go
index a7bd56d08f..5405121ac3 100644
--- a/cmd/controller-manager/app/serve.go
+++ b/cmd/controller-manager/app/serve.go
@@ -39,8 +39,13 @@ func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.Aut
 requestInfoResolver := &apirequest.RequestInfoFactory{}
 failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
- handler := genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs)
- handler = genericapifilters.WithAuthentication(handler, authenticationInfo.Authenticator, failedHandler)
+ handler := apiHandler
+ if authorizationInfo != nil {
+ handler = genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs)
+ }
+ if authenticationInfo != nil {
+ handler = genericapifilters.WithAuthentication(handler, authenticationInfo.Authenticator, failedHandler)
+ }
 handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
 handler = genericfilters.WithPanicRecovery(handler)
diff --git a/cmd/kube-controller-manager/app/BUILD b/cmd/kube-controller-manager/app/BUILD
index d7b8a488ce..080e2082f1 100644
--- a/cmd/kube-controller-manager/app/BUILD
+++ b/cmd/kube-controller-manager/app/BUILD
@@ -111,6 +111,7 @@ go_library(
 "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server/mux:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/util/flag:go_default_library",
diff --git a/cmd/kube-controller-manager/app/controllermanager.go b/cmd/kube-controller-manager/app/controllermanager.go
index 25769b4eaa..f3e87e123d 100644
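Review bot: The new nil guards make BuildHandlerChain silently drop the authorization filter when `authorizationInfo` is nil, and nothing documents that contract; the signature and its doc comment sit outside the hunk, so the note belongs there: `// A nil authorizationInfo or authenticationInfo omits that filter entirely; pass nil only for a listener that is meant to be unauthenticated (the insecure port), never for the secure one.` The two guards are also not independent: with authentication omitted but authorization kept, the authorizer is invoked for requests that carry no user in the context, which is presumably not a combination any caller should reach, and a sentence saying so would help. Minor style point: the authorization line still wraps `apiHandler` instead of `handler`; it is equivalent here because handler was just set to apiHandler, but `handler = genericapifilters.WithAuthorization(handler, authorizationInfo.Authorizer, legacyscheme.Codecs)` keeps every step of the chain uniform.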
--- a/cmd/kube-controller-manager/app/controllermanager.go
+++ b/cmd/kube-controller-manager/app/controllermanager.go
@@ -25,19 +25,19 @@ import (
 "fmt"
 "io/ioutil"
 "math/rand"
+ "net/http"
 "os"
 "time"
 "github.com/golang/glog"
 "github.com/spf13/cobra"
- "net/http"
-
 "k8s.io/apimachinery/pkg/runtime/schema"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/uuid"
 "k8s.io/apimachinery/pkg/util/wait"
+ "k8s.io/apiserver/pkg/server"
 "k8s.io/apiserver/pkg/server/mux"
 apiserverflag "k8s.io/apiserver/pkg/util/flag"
 cacheddiscovery "k8s.io/client-go/discovery/cached"
@@ -160,7 +160,8 @@ func Run(c *config.CompletedConfig, stopCh <-chan struct{}) error {
 }
 if c.InsecureServing != nil {
 unsecuredMux = genericcontrollermanager.NewBaseHandler(&c.ComponentConfig.Debugging)
- handler := genericcontrollermanager.BuildHandlerChain(unsecuredMux, &c.Authorization, &c.Authentication)
+ insecureSuperuserAuthn := server.AuthenticationInfo{Authenticator: &server.InsecureSuperuser{}}
+ handler := genericcontrollermanager.BuildHandlerChain(unsecuredMux, nil, &insecureSuperuserAuthn)
 if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil {
 return err
 }
diff --git a/pkg/kubeapiserver/server/BUILD b/pkg/kubeapiserver/server/BUILD
index c1bb7c1186..65a86fb843 100644
--- a/pkg/kubeapiserver/server/BUILD
+++ b/pkg/kubeapiserver/server/BUILD
@@ -10,7 +10,6 @@ go_library(
 srcs = ["insecure_handler.go"],
 importpath = "k8s.io/kubernetes/pkg/kubeapiserver/server",
 deps = [
- "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library",
diff --git a/pkg/kubeapiserver/server/insecure_handler.go b/pkg/kubeapiserver/server/insecure_handler.go
index b0879035f6..754aff49b2 100644
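Review bot: The insecure listener now authenticates every request as the superuser and skips authorization altogether (nil `authorizationInfo`, `InsecureSuperuser` authenticator), and the call site gives no hint that this is deliberate; a comment would keep the next reader from restoring `&c.Authorization`: `// The insecure port is unauthenticated by definition: every request is attributed to system:unsecured and authorization is skipped.` Because a superuser identity is now placed in the request context instead of leaving the user unset, anything downstream that reads it (audit, request logging) will attribute insecure-port traffic to `system:unsecured`, which is worth stating in the commit description. Minor: `&server.InsecureSuperuser{}` takes the address of a zero-size type with a value receiver; plain `server.InsecureSuperuser{}` suffices and matches how insecure_handler.go uses it. The body of Run continues beyond the hunk.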
--- a/pkg/kubeapiserver/server/insecure_handler.go
+++ b/pkg/kubeapiserver/server/insecure_handler.go
@@ -19,7 +19,6 @@ package server
 import (
 "net/http"
- "k8s.io/apiserver/pkg/authentication/user"
 genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 "k8s.io/apiserver/pkg/server"
 genericfilters "k8s.io/apiserver/pkg/server/filters"
@@ -32,7 +31,7 @@ import (
 func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
 handler := apiHandler
 handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
- handler = genericapifilters.WithAuthentication(handler, insecureSuperuser{}, nil)
+ handler = genericapifilters.WithAuthentication(handler, server.InsecureSuperuser{}, nil)
 handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
 handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
 handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
@@ -42,15 +41,3 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
 return handler
 }
-
-// insecureSuperuser implements authenticator.Request to always return a superuser.
-// This is functionally equivalent to skipping authentication and authorization,
-// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
-type insecureSuperuser struct{}
-
-func (insecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
- return &user.DefaultInfo{
- Name: "system:unsecured",
- Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
- }, true, nil
-}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
index 3e88dd49db..2af16bf9b7 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
@@ -23,6 +23,7 @@ import (
 "github.com/golang/glog"
+ "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/client-go/rest"
 )
@@ -70,3 +71,15 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
 Burst: 100,
 }, nil
 }
+
+// InsecureSuperuser implements authenticator.Request to always return a superuser.
+// This is functionally equivalent to skipping authentication and authorization,
+// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
+type InsecureSuperuser struct{}
+
+func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+ return &user.DefaultInfo{
+ Name: "system:unsecured",
+ Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
+ }, true, nil
+}
diff --git a/test/integration/kube_controller_manager/serving_test.go b/test/integration/kube_controller_manager/serving_test.go
index 80a21e25c6..0669289bc8 100644
--- a/test/integration/kube_controller_manager/serving_test.go
+++ b/test/integration/kube_controller_manager/serving_test.go
@@ -176,6 +176,11 @@ users:
 "--kubeconfig", apiserverConfig.Name(),
 "--leader-elect=false",
 }, "/healthz", true, false, intPtr(http.StatusOK), nil},
+ {"/metrics without auhn/z", []string{
+ "--kubeconfig", apiserverConfig.Name(),
+ "--kubeconfig", apiserverConfig.Name(),
+ "--leader-elect=false",
+ }, "/metrics", true, false, intPtr(http.StatusForbidden), intPtr(http.StatusOK)},
 {"authorization skipped for /healthz with authn/authz", []string{
 "--port=0",
 "--authentication-kubeconfig", apiserverConfig.Name(),
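Review bot: `InsecureSuperuser` is now an exported type of the apiserver library, so any consumer can drop it into an `AuthenticationInfo`, and its doc comment does not say where it is appropriate; I would add `// Use InsecureSuperuser only for the deprecated insecure listener: it reports every request, whatever it carries, as an authenticated member of user.SystemPrivilegedGroup.` The comment claims the type implements `authenticator.Request`, but nothing enforces that; since `AuthenticationInfo.Authenticator`, which this commit assigns an InsecureSuperuser to, is declared with that interface type elsewhere in the package, a `var _ authenticator.Request = InsecureSuperuser{}` line next to the type would pin the claim at compile time (the authenticator import is not visible in this hunk, so it may need adding). `req` is unused in `AuthenticateRequest`; naming it `_` makes the always-succeed behaviour explicit to the reader.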
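Review bot: The new `/metrics without auhn/z` case lists `"--kubeconfig", apiserverConfig.Name(),` twice in a row, which reads as a copy-paste slip rather than an intentional repeat; drop the duplicate line. The case name also has a typo, `auhn/z` → `authn/z`, and since these names are what surfaces in test output it is worth fixing now. Reading the trailing fields as "secure port expects 403, insecure port expects 200" matches the sibling cases and the behaviour this commit introduces, but the meaning of those fields is defined outside the hunk, so that is an inference.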
@@ -199,12 +204,11 @@ users:
 "--leader-elect=false",
 }, "/metrics", false, false, intPtr(http.StatusForbidden), nil},
 {"not authorized /metrics with BROKEN authn/authz", []string{
- "--port=0",
 "--authentication-kubeconfig", apiserverConfig.Name(),
 "--authorization-kubeconfig", brokenApiserverConfig.Name(),
 "--kubeconfig", apiserverConfig.Name(),
 "--leader-elect=false",
- }, "/metrics", false, false, intPtr(http.StatusInternalServerError), nil},
+ }, "/metrics", false, false, intPtr(http.StatusInternalServerError), intPtr(http.StatusOK)},
 {"always-allowed /metrics with BROKEN authn/authz", []string{
 "--port=0",
 "--authentication-skip-lookup", // to survive unaccessible extensions-apiserver-authentication configmap