controller-manager: add authz/n to options, nil by default

2018-02-08 14:19:02 +01:00 · 2018-02-08 14:19:02 +01:00 · cecd663c21
parent f4564ea0b8
commit cecd663c21
4 changed files with 35 additions and 1 deletions
--- a/cmd/controller-manager/app/config.go
+++ b/cmd/controller-manager/app/config.go
@ -32,6 +32,8 @@ type Config struct {
 	SecureServing *apiserver.SecureServingInfo
 	// TODO: remove deprecated insecure serving
 	InsecureServing *InsecureServingInfo
+	Authentication  apiserver.AuthenticationInfo
+	Authorization   apiserver.AuthorizationInfo

 	// the general kube client
 	Client *clientset.Clientset
--- a/cmd/controller-manager/app/options/options.go
+++ b/cmd/controller-manager/app/options/options.go
@ -48,6 +48,8 @@ type GenericControllerManagerOptions struct {
 	SecureServing *apiserveroptions.SecureServingOptions
 	// TODO: remove insecure serving mode
 	InsecureServing *InsecureServingOptions
+	Authentication  *apiserveroptions.DelegatingAuthenticationOptions
+	Authorization   *apiserveroptions.DelegatingAuthorizationOptions

 	Master     string
 	Kubeconfig string
@ -75,6 +77,8 @@ func NewGenericControllerManagerOptions(componentConfig componentconfig.KubeCont
 			BindPort:    int(componentConfig.Port),
 			BindNetwork: "tcp",
 		},
+		Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
+		Authorization:  nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
 	}

 	// disable secure serving for now
@ -175,6 +179,8 @@ func (o *GenericControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
 	o.SecureServing.AddFlags(fs)
 	o.InsecureServing.AddFlags(fs)
 	o.InsecureServing.AddDeprecatedFlags(fs)
+	o.Authentication.AddFlags(fs)
+	o.Authorization.AddFlags(fs)
 }

 // ApplyTo fills up controller manager config with options and userAgent
@ -187,6 +193,12 @@ func (o *GenericControllerManagerOptions) ApplyTo(c *genericcontrollermanager.Co
 	if err := o.InsecureServing.ApplyTo(&c.InsecureServing, &c.ComponentConfig); err != nil {
 		return err
 	}
+	if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
+		return err
+	}
+	if err := o.Authorization.ApplyTo(&c.Authorization); err != nil {
+		return err
+	}

 	var err error
 	c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig)
@ -214,6 +226,8 @@ func (o *GenericControllerManagerOptions) Validate() []error {
 	errors := []error{}
 	errors = append(errors, o.SecureServing.Validate()...)
 	errors = append(errors, o.InsecureServing.Validate()...)
+	errors = append(errors, o.Authentication.Validate()...)
+	errors = append(errors, o.Authorization.Validate()...)

 	// TODO: validate component config, master and kubeconfig

--- a/cmd/controller-manager/app/serve.go
+++ b/cmd/controller-manager/app/serve.go
@ -24,7 +24,11 @@ import (

 	"github.com/prometheus/client_golang/prometheus"

+	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
+	apirequest "k8s.io/apiserver/pkg/endpoints/request"
+	genericfilters "k8s.io/apiserver/pkg/server/filters"
 	"k8s.io/apiserver/pkg/server/healthz"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/util/configz"
 )

@ -47,5 +51,15 @@ func Serve(c *CompletedConfig, serveFunc serveFunc, stopCh <-chan struct{}) erro
 	configz.InstallHandler(mux)
 	mux.Handle("/metrics", prometheus.Handler())

-	return serveFunc(mux, 0, stopCh)
+	requestContextMapper := apirequest.NewRequestContextMapper()
+	requestInfoResolver := &apirequest.RequestInfoFactory{}
+	failedHandler := genericapifilters.Unauthorized(requestContextMapper, legacyscheme.Codecs, false)
+
+	handler := genericapifilters.WithAuthorization(mux, requestContextMapper, c.Authorization.Authorizer, legacyscheme.Codecs)
+	handler = genericapifilters.WithAuthentication(handler, requestContextMapper, c.Authentication.Authenticator, failedHandler)
+	handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver, requestContextMapper)
+	handler = apirequest.WithRequestContext(handler, requestContextMapper)
+	handler = genericfilters.WithPanicRecovery(handler)
+
+	return serveFunc(handler, 0, stopCh)
 }
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
@ -131,6 +131,10 @@ func (s *DelegatingAuthenticationOptions) Validate() []error {
 }

 func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+	if s == nil {
+		return
+	}
+
 	fs.StringVar(&s.RemoteKubeConfigFile, "authentication-kubeconfig", s.RemoteKubeConfigFile, ""+
 		"kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "+
 		"tokenaccessreviews.authentication.k8s.io.")