diff --git a/cmd/controller-manager/app/config.go b/cmd/controller-manager/app/config.go
index b62550e390..d67841562e 100644
--- a/cmd/controller-manager/app/config.go
+++ b/cmd/controller-manager/app/config.go
@@ -32,6 +32,8 @@ type Config struct {
 SecureServing *apiserver.SecureServingInfo
 // TODO: remove deprecated insecure serving
 InsecureServing *InsecureServingInfo
+ Authentication apiserver.AuthenticationInfo
+ Authorization apiserver.AuthorizationInfo
 // the general kube client
 Client *clientset.Clientset
diff --git a/cmd/controller-manager/app/options/options.go b/cmd/controller-manager/app/options/options.go
index 82393c7ba6..8f468f4d1c 100644
--- a/cmd/controller-manager/app/options/options.go
+++ b/cmd/controller-manager/app/options/options.go
@@ -48,6 +48,8 @@ type GenericControllerManagerOptions struct {
 SecureServing *apiserveroptions.SecureServingOptions
 // TODO: remove insecure serving mode
 InsecureServing *InsecureServingOptions
+ Authentication *apiserveroptions.DelegatingAuthenticationOptions
+ Authorization *apiserveroptions.DelegatingAuthorizationOptions
 Master string
 Kubeconfig string
@@ -75,6 +77,8 @@ func NewGenericControllerManagerOptions(componentConfig componentconfig.KubeCont
 BindPort: int(componentConfig.Port),
 BindNetwork: "tcp",
 },
+ Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
+ Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
 }
 // disable secure serving for now
@@ -175,6 +179,8 @@ func (o *GenericControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
 o.SecureServing.AddFlags(fs)
 o.InsecureServing.AddFlags(fs)
 o.InsecureServing.AddDeprecatedFlags(fs)
+ o.Authentication.AddFlags(fs)
+ o.Authorization.AddFlags(fs)
 }
 // ApplyTo fills up controller manager config with options and userAgent
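Review bot: `Authentication` and `Authorization` are initialised to `nil` in NewGenericControllerManagerOptions (hunk @@ -75), yet the AddFlags hunk (@@ -175) calls `o.Authentication.AddFlags(fs)` and `o.Authorization.AddFlags(fs)` on them, and the ApplyTo and Validate hunks in the same file (@@ -187 and @@ -214) do the same. A method call on a nil pointer receiver is only safe if every one of those methods returns early on a nil receiver; this diff shows that guard being added to `DelegatingAuthenticationOptions.AddFlags` alone, so the `DelegatingAuthorizationOptions` methods and the `ApplyTo`/`Validate` counterparts should be confirmed to carry the same guard, or the calls should be gated on the field being non-nil until the TODO is resolved. The contract is worth recording next to the nil defaults: `// Authentication and Authorization stay nil until delegating authn/authz is enabled; every method called on them below must tolerate a nil receiver.`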
@@ -187,6 +193,12 @@ func (o *GenericControllerManagerOptions) ApplyTo(c *genericcontrollermanager.Co
 if err := o.InsecureServing.ApplyTo(&c.InsecureServing, &c.ComponentConfig); err != nil {
 return err
 }
+ if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
+ return err
+ }
+ if err := o.Authorization.ApplyTo(&c.Authorization); err != nil {
+ return err
+ }
 var err error
 c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig)
@@ -214,6 +226,8 @@ func (o *GenericControllerManagerOptions) Validate() []error {
 errors := []error{}
 errors = append(errors, o.SecureServing.Validate()...)
 errors = append(errors, o.InsecureServing.Validate()...)
+ errors = append(errors, o.Authentication.Validate()...)
+ errors = append(errors, o.Authorization.Validate()...)
 // TODO: validate component config, master and kubeconfig
diff --git a/cmd/controller-manager/app/serve.go b/cmd/controller-manager/app/serve.go
index 93c8aad43d..f75777ed26 100644
--- a/cmd/controller-manager/app/serve.go
+++ b/cmd/controller-manager/app/serve.go
@@ -24,7 +24,11 @@ import (
 "github.com/prometheus/client_golang/prometheus"
+ genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
+ apirequest "k8s.io/apiserver/pkg/endpoints/request"
+ genericfilters "k8s.io/apiserver/pkg/server/filters"
 "k8s.io/apiserver/pkg/server/healthz"
+ "k8s.io/kubernetes/pkg/api/legacyscheme"
 "k8s.io/kubernetes/pkg/util/configz"
 )
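Review bot: `o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil)` hands `c.SecureServing` to the authentication options, but the constructor in the same file is followed by `// disable secure serving for now`, so that field is presumably nil when this runs and the callee must cope with a nil serving info in addition to a nil receiver; that should be confirmed rather than assumed. The trailing literal `nil` argument has no explanation at the call site, and a short trailing comment naming the parameter it stands in for would spare the next reader a trip to the apiserver package. The signature and remainder of ApplyTo lie outside this hunk.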
@@ -47,5 +51,15 @@ func Serve(c *CompletedConfig, serveFunc serveFunc, stopCh <-chan struct{}) erro
 configz.InstallHandler(mux)
 mux.Handle("/metrics", prometheus.Handler())
- return serveFunc(mux, 0, stopCh)
+ requestContextMapper := apirequest.NewRequestContextMapper()
+ requestInfoResolver := &apirequest.RequestInfoFactory{}
+ failedHandler := genericapifilters.Unauthorized(requestContextMapper, legacyscheme.Codecs, false)
+
+ handler := genericapifilters.WithAuthorization(mux, requestContextMapper, c.Authorization.Authorizer, legacyscheme.Codecs)
+ handler = genericapifilters.WithAuthentication(handler, requestContextMapper, c.Authentication.Authenticator, failedHandler)
+ handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver, requestContextMapper)
+ handler = apirequest.WithRequestContext(handler, requestContextMapper)
+ handler = genericfilters.WithPanicRecovery(handler)
+
+ return serveFunc(handler, 0, stopCh)
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
index c516a6bba4..04e1ea815e 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
@@ -131,6 +131,10 @@ func (s *DelegatingAuthenticationOptions) Validate() []error {
 }
 func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+ if s == nil {
+ return
+ }
+
 fs.StringVar(&s.RemoteKubeConfigFile, "authentication-kubeconfig", s.RemoteKubeConfigFile, ""+
 "kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "+
 "tokenaccessreviews.authentication.k8s.io.")
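Review bot: The authorization and authentication filters now wrap the whole `mux`, including the `/healthz`, `/metrics` and configz handlers registered just above, so once a delegating authorizer is actually configured (this change still leaves the options nil) liveness probes and metrics scrapers will need a non-resource grant for those paths or an explicit exemption; that trade-off deserves a comment at the `handler := genericapifilters.WithAuthorization(...)` line, e.g. `// authz/authn apply to every path on mux, including /healthz and /metrics`. With the options nil, `c.Authorization.Authorizer` and `c.Authentication.Authenticator` are zero values here, so the chain presumably degrades to pass-through; if the filters do not treat a nil authenticator/authorizer as "disabled", requests on this port will not be served correctly, which is worth verifying before the TODO is closed. The `false` passed to `Unauthorized` is an unnamed boolean, and a trailing comment naming that flag would make the call self-explanatory. Serve begins outside the hunk.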
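Review bot: The nil-receiver guard added to `AddFlags` makes a nil `DelegatingAuthenticationOptions` mean "disabled", but that contract is not written down, and `Validate` (whose closing brace is the first context line of this hunk) and `ApplyTo` are not shown receiving the same guard even though the controller-manager options in this change call both on a nil field. A one-line comment above the guard, `// A nil receiver means delegating authentication is disabled; register no flags.`, would record the intent, and an equivalent early return (`if s == nil { return nil }`) should be confirmed on `Validate` and `ApplyTo` if it is not added elsewhere in this commit.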