github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

controller-manager: add authz/n to options, nil by default

pull/6/head
Dr. Stefan Schimanski 2018-02-08 14:19:02 +01:00
parent f4564ea0b8
commit cecd663c21
4 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/controller-manager/app/config.go
View File

@ -32,6 +32,8 @@ type Config struct {
SecureServing *apiserver.SecureServingInfo SecureServing *apiserver.SecureServingInfo
// TODO: remove deprecated insecure serving // TODO: remove deprecated insecure serving
InsecureServing *InsecureServingInfo InsecureServing *InsecureServingInfo
Authentication apiserver.AuthenticationInfo
Authorization apiserver.AuthorizationInfo
// the general kube client // the general kube client
Client *clientset.Clientset Client *clientset.Clientset

14
cmd/controller-manager/app/options/options.go
View File

@ -48,6 +48,8 @@ type GenericControllerManagerOptions struct {
SecureServing *apiserveroptions.SecureServingOptions SecureServing *apiserveroptions.SecureServingOptions
// TODO: remove insecure serving mode // TODO: remove insecure serving mode
InsecureServing *InsecureServingOptions InsecureServing *InsecureServingOptions
Authentication *apiserveroptions.DelegatingAuthenticationOptions
Authorization *apiserveroptions.DelegatingAuthorizationOptions
Master string Master string
Kubeconfig string Kubeconfig string
@ -75,6 +77,8 @@ func NewGenericControllerManagerOptions(componentConfig componentconfig.KubeCont
BindPort: int(componentConfig.Port), BindPort: int(componentConfig.Port),
BindNetwork: "tcp", BindNetwork: "tcp",
}, },
Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
} }
// disable secure serving for now // disable secure serving for now
@ -175,6 +179,8 @@ func (o *GenericControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
o.SecureServing.AddFlags(fs) o.SecureServing.AddFlags(fs)
o.InsecureServing.AddFlags(fs) o.InsecureServing.AddFlags(fs)
o.InsecureServing.AddDeprecatedFlags(fs) o.InsecureServing.AddDeprecatedFlags(fs)
o.Authentication.AddFlags(fs)
o.Authorization.AddFlags(fs)
} }
// ApplyTo fills up controller manager config with options and userAgent // ApplyTo fills up controller manager config with options and userAgent
@ -187,6 +193,12 @@ func (o *GenericControllerManagerOptions) ApplyTo(c *genericcontrollermanager.Co
if err := o.InsecureServing.ApplyTo(&c.InsecureServing, &c.ComponentConfig); err != nil { if err := o.InsecureServing.ApplyTo(&c.InsecureServing, &c.ComponentConfig); err != nil {
return err return err
} }
if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
return err
}
if err := o.Authorization.ApplyTo(&c.Authorization); err != nil {
return err
}
var err error var err error
c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig) c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig)
@ -214,6 +226,8 @@ func (o *GenericControllerManagerOptions) Validate() []error {
errors := []error{} errors := []error{}
errors = append(errors, o.SecureServing.Validate()...) errors = append(errors, o.SecureServing.Validate()...)
errors = append(errors, o.InsecureServing.Validate()...) errors = append(errors, o.InsecureServing.Validate()...)
errors = append(errors, o.Authentication.Validate()...)
errors = append(errors, o.Authorization.Validate()...)
// TODO: validate component config, master and kubeconfig // TODO: validate component config, master and kubeconfig

16
cmd/controller-manager/app/serve.go
View File

@ -24,7 +24,11 @@ import (
"github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus"
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
apirequest "k8s.io/apiserver/pkg/endpoints/request"
genericfilters "k8s.io/apiserver/pkg/server/filters"
"k8s.io/apiserver/pkg/server/healthz" "k8s.io/apiserver/pkg/server/healthz"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/util/configz" "k8s.io/kubernetes/pkg/util/configz"
) )
@ -47,5 +51,15 @@ func Serve(c *CompletedConfig, serveFunc serveFunc, stopCh <-chan struct{}) erro
configz.InstallHandler(mux) configz.InstallHandler(mux)
mux.Handle("/metrics", prometheus.Handler()) mux.Handle("/metrics", prometheus.Handler())
return serveFunc(mux, 0, stopCh) requestContextMapper := apirequest.NewRequestContextMapper()
requestInfoResolver := &apirequest.RequestInfoFactory{}
failedHandler := genericapifilters.Unauthorized(requestContextMapper, legacyscheme.Codecs, false)
handler := genericapifilters.WithAuthorization(mux, requestContextMapper, c.Authorization.Authorizer, legacyscheme.Codecs)
handler = genericapifilters.WithAuthentication(handler, requestContextMapper, c.Authentication.Authenticator, failedHandler)
handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver, requestContextMapper)
handler = apirequest.WithRequestContext(handler, requestContextMapper)
handler = genericfilters.WithPanicRecovery(handler)
return serveFunc(handler, 0, stopCh)
} }

4
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
View File

@ -131,6 +131,10 @@ func (s *DelegatingAuthenticationOptions) Validate() []error {
} }
func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
if s == nil {
return
}
fs.StringVar(&s.RemoteKubeConfigFile, "authentication-kubeconfig", s.RemoteKubeConfigFile, ""+ fs.StringVar(&s.RemoteKubeConfigFile, "authentication-kubeconfig", s.RemoteKubeConfigFile, ""+
"kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "+ "kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "+
"tokenaccessreviews.authentication.k8s.io.") "tokenaccessreviews.authentication.k8s.io.")