From 60dfa6c9d74ff725b212b578ef666e9679aa77c2 Mon Sep 17 00:00:00 2001
From: xilabao
Date: Fri, 10 Feb 2017 14:14:40 +0800
Subject: [PATCH] add check to authorization config

---
 cmd/kubeadm/app/constants/constants.go | 3 +++
 cmd/kubeadm/app/master/manifests.go | 24 +++++++++++-------------
 cmd/kubeadm/app/preflight/checks.go | 23 +++++++++++++++++++++++
 3 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index b1ce960942..3132fd895a 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -19,6 +19,9 @@ package constants
 import "time"
 
 const (
+ AuthorizationPolicyFile = "abac_policy.json"
+ AuthorizationWebhookConfigFile = "webhook_authz.conf"
+
 CACertAndKeyBaseName = "ca"
 CACertName = "ca.crt"
 CAKeyName = "ca.key"
diff --git a/cmd/kubeadm/app/master/manifests.go b/cmd/kubeadm/app/master/manifests.go
index e831277f2e..a005620745 100644
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@@ -39,17 +39,15 @@ const (
 DefaultClusterName = "kubernetes"
 DefaultCloudConfigPath = "/etc/kubernetes/cloud-config"
 
- etcd = "etcd"
- apiServer = "apiserver"
- controllerManager = "controller-manager"
- scheduler = "scheduler"
- proxy = "proxy"
- kubeAPIServer = "kube-apiserver"
- kubeControllerManager = "kube-controller-manager"
- kubeScheduler = "kube-scheduler"
- kubeProxy = "kube-proxy"
- authorizationPolicyFile = "abac_policy.json"
- authorizationWebhookConfigFile = "webhook_authz.conf"
+ etcd = "etcd"
+ apiServer = "apiserver"
+ controllerManager = "controller-manager"
+ scheduler = "scheduler"
+ proxy = "proxy"
+ kubeAPIServer = "kube-apiserver"
+ kubeControllerManager = "kube-controller-manager"
+ kubeScheduler = "kube-scheduler"
+ kubeProxy = "kube-proxy"
 )
 
 // WriteStaticPodManifests builds manifest objects based on user provided configuration and then dumps it to disk
@@ -325,9 +323,9 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
 command = append(command, "--authorization-mode="+cfg.AuthorizationMode)
 switch cfg.AuthorizationMode {
 case kubeadmconstants.AuthzModeABAC:
- command = append(command, "--authorization-policy-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, authorizationPolicyFile))
+ command = append(command, "--authorization-policy-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationPolicyFile))
 case kubeadmconstants.AuthzModeWebhook:
- command = append(command, "--authorization-webhook-config-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, authorizationWebhookConfigFile))
+ command = append(command, "--authorization-webhook-config-file="+path.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationWebhookConfigFile))
 }
 }
 
diff --git a/cmd/kubeadm/app/preflight/checks.go b/cmd/kubeadm/app/preflight/checks.go
index 544720a13f..d3e802f9b8 100644
--- a/cmd/kubeadm/app/preflight/checks.go
+++ b/cmd/kubeadm/app/preflight/checks.go
@@ -186,6 +186,19 @@ func (fac FileAvailableCheck) Check() (warnings, errors []error) {
 return nil, errors
 }
 
+// FileExistingCheck checks that the given file does not already exist.
+type FileExistingCheck struct {
+ Path string
+}
+
+func (fac FileExistingCheck) Check() (warnings, errors []error) {
+ errors = []error{}
+ if _, err := os.Stat(fac.Path); err != nil {
+ errors = append(errors, fmt.Errorf("%s doesn't exist", fac.Path))
+ }
+ return nil, errors
+}
+
 // FileContentCheck checks that the given file contains the string Content.
 type FileContentCheck struct {
 Path string
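Review bot: The doc comment on `FileExistingCheck` in preflight/checks.go states the opposite of what `Check` does: the method returns an error when `os.Stat` fails, so it requires the file to be present, and the comment should read `// FileExistingCheck checks that the given file already exists.` The `Check` method has no doc comment of its own and reports every `os.Stat` failure as "doesn't exist", so a permission error is mislabelled and a directory at that path passes. Because this check guards the files that configure API-server authorization, I would separate the not-found case from other errors and require a regular file, as sketched below.

```go
// FileExistingCheck checks that the given file already exists.
// … unchanged: FileExistingCheck struct …

// Check reports an error unless Path names an existing regular file.
func (fac FileExistingCheck) Check() (warnings, errors []error) {
	errors = []error{}
	info, err := os.Stat(fac.Path)
	switch {
	case os.IsNotExist(err):
		errors = append(errors, fmt.Errorf("%s doesn't exist", fac.Path))
	case err != nil:
		// Permission and I/O failures are not the same as a missing file.
		errors = append(errors, fmt.Errorf("cannot stat %s: %v", fac.Path, err))
	case !info.Mode().IsRegular():
		errors = append(errors, fmt.Errorf("%s is not a regular file", fac.Path))
	}
	return nil, errors
}
```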
@@ -348,6 +361,16 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
 )
 }
 
+ // Check the config for authorization mode
+ switch cfg.AuthorizationMode {
+ case kubeadmconstants.AuthzModeABAC:
+ authorizationPolicyPath := filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationPolicyFile)
+ checks = append(checks, FileExistingCheck{Path: authorizationPolicyPath})
+ case kubeadmconstants.AuthzModeWebhook:
+ authorizationWebhookConfigPath := filepath.Join(kubeadmapi.GlobalEnvParams.KubernetesDir, kubeadmconstants.AuthorizationWebhookConfigFile)
+ checks = append(checks, FileExistingCheck{Path: authorizationWebhookConfigPath})
+ }
+
 return RunChecks(checks, os.Stderr)
 }
 
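Review bot: The preflight path in this `switch` is built with `filepath.Join`, while the `--authorization-policy-file` and `--authorization-webhook-config-file` flags in manifests.go are built with `path.Join` from the same two pieces, so the file that is checked and the file the API server is given agree only by duplication; a small shared helper returning the path would remove that. The new cases also confirm presence only: nothing visible in this hunk validates ownership or mode of the policy or webhook config, which decide who is authorized in the cluster. A comment such as `// Only presence is verified; permissions and content of the authorization config are not checked.` would make that limit explicit. `RunInitMasterChecks` begins outside the hunk, so earlier checks may already cover part of this.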