From d3991aa7c6a105947088f828ecc5acd0946fb72c Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Thu, 3 Nov 2016 01:13:00 -0400
Subject: [PATCH] Cleanup auth logging, allow starting secured kubelet in local-up-cluster.sh
---
 hack/local-up-cluster.sh | 24 ++++++++++++++++++++++
 pkg/genericapiserver/authorizer/authz.go | 2 +-
 pkg/kubelet/server/server.go | 6 +++---
 test/integration/auth/accessreview_test.go | 6 +++---
 4 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 4a07e71106..3c4027381b 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -340,6 +340,10 @@ function start_apiserver {
 if [[ -n "${RUNTIME_CONFIG}" ]]; then
 runtime_config="--runtime-config=${RUNTIME_CONFIG}"
 fi
+ client_ca_file_arg=""
+ if [[ -n "${CLIENT_CA_FILE:-}" ]]; then
+ client_ca_file_arg="--client-ca-file=${CLIENT_CA_FILE}"
+ fi
 
 # Let the API server pick a default address when API_HOST
 # is set to 127.0.0.1
@@ -354,6 +358,7 @@ function start_apiserver {
 
 APISERVER_LOG=/tmp/kube-apiserver.log
 sudo -E "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
+ ${client_ca_file_arg} \
 ${advertise_address} \
 --v=${LOG_LEVEL} \
 --cert-dir="${CERT_DIR}" \
@@ -382,9 +387,16 @@ clusters:
 certificate-authority: ${ROOT_CA_FILE}
 server: https://${API_HOST}:${API_SECURE_PORT}/
 name: local-up-cluster
+users:
+ - user:
+ token: ${KUBECONFIG_TOKEN:-}
+ client-certificate: ${KUBECONFIG_CLIENT_CERTIFICATE:-}
+ client-key: ${KUBECONFIG_CLIENT_KEY:-}
+ name: local-up-cluster
 contexts:
 - context:
 cluster: local-up-cluster
+ user: local-up-cluster
 name: service-to-apiserver
 current-context: service-to-apiserver
 EOF
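Review bot: The new `users:` entry in the kubeconfig hunk writes `${KUBECONFIG_TOKEN:-}` into the generated file, so whenever `KUBECONFIG_TOKEN` is set the file on disk holds a bearer credential for the API server. The `cat` redirect target and its file mode are outside the hunk; confirm the file is created owner-readable only (a `umask 077` before the heredoc, or `chmod 600` on the result) rather than with the process default umask. When the variable is unset the `token:` key is still emitted with an empty value; emitting that line only when `KUBECONFIG_TOKEN` is non-empty would keep the kubeconfig unambiguous. The heredoc and start_apiserver begin outside the hunk.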
@@ -441,6 +453,17 @@ function start_kubelet {
 net_plugin_args="--network-plugin=${NET_PLUGIN}"
 fi
 
+ auth_args=""
+ if [[ -n "${KUBELET_AUTHORIZATION_WEBHOOK}" ]]; then
+ auth_args="${auth_args} --authorization-mode=Webhook"
+ fi
+ if [[ -n "${KUBELET_AUTHENTICATION_WEBHOOK}" ]]; then
+ auth_args="${auth_args} --authentication-token-webhook"
+ fi
+ if [[ -n "${CLIENT_CA_FILE:-}" ]]; then
+ auth_args="${auth_args} --client-ca-file=${CLIENT_CA_FILE}"
+ fi
+
 net_plugin_dir_args=""
 if [[ -n "${NET_PLUGIN_DIR}" ]]; then
 net_plugin_dir_args="--network-plugin-dir=${NET_PLUGIN_DIR}"
@@ -475,6 +498,7 @@ function start_kubelet {
 --cgroups-per-qos=${CGROUPS_PER_QOS} \
 --cgroup-driver=${CGROUP_DRIVER} \
 --cgroup-root=${CGROUP_ROOT} \
+ ${auth_args} \
 ${dns_args} \
 ${net_plugin_dir_args} \
 ${net_plugin_args} \
diff --git a/pkg/genericapiserver/authorizer/authz.go b/pkg/genericapiserver/authorizer/authz.go
index fb41ba75d5..7088b155b1 100644
--- a/pkg/genericapiserver/authorizer/authz.go
+++ b/pkg/genericapiserver/authorizer/authz.go
@@ -84,7 +84,7 @@ func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (bool,
 }
 }
 }
- return false, "Not in privileged list.", nil
+ return false, "", nil
 }
 
 // NewPrivilegedGroups is for use in loopback scenarios
diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go
index ec609c0d05..b499ad1138 100644
--- a/pkg/kubelet/server/server.go
+++ b/pkg/kubelet/server/server.go
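Review bot: The two new webhook tests expand `${KUBELET_AUTHORIZATION_WEBHOOK}` and `${KUBELET_AUTHENTICATION_WEBHOOK}` without the `:-` default that the `${CLIENT_CA_FILE:-}` test three lines below uses, so if the script runs under `set -u` (not visible in this hunk) starting the kubelet with either variable unexported aborts instead of taking the empty-string path. Make the three tests consistent: `if [[ -n "${KUBELET_AUTHORIZATION_WEBHOOK:-}" ]]; then` and `if [[ -n "${KUBELET_AUTHENTICATION_WEBHOOK:-}" ]]; then`. start_kubelet begins and ends outside the hunk.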
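Review bot: The deny at the end of `privilegedGroupAuthorizer.Authorize` now returns an empty reason and nothing in the hunk records that this is deliberate; the updated test expectations in this patch (`"Not in privileged list.\nno"` becoming `"no"`) show reasons from several authorizers being concatenated, so a later reader may well reintroduce a message here. A one-line comment above the return would settle it: `// No reason on a miss: this authorizer only grants, and a reason here would just pad the combined reason when another authorizer denies.` The function's signature and the loop it closes begin outside the hunk.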
@@ -223,15 +223,15 @@ func (s *Server) InstallAuthFilter() {
 attrs := s.auth.GetRequestAttributes(u, req.Request)
 
 // Authorize
- authorized, reason, err := s.auth.Authorize(attrs)
+ authorized, _, err := s.auth.Authorize(attrs)
 if err != nil {
- msg := fmt.Sprintf("Error (user=%s, verb=%s, namespace=%s, resource=%s)", u.GetName(), attrs.GetVerb(), attrs.GetNamespace(), attrs.GetResource())
+ msg := fmt.Sprintf("Authorization error (user=%s, verb=%s, resource=%s, subresource=%s)", u.GetName(), attrs.GetVerb(), attrs.GetResource(), attrs.GetSubresource())
 glog.Errorf(msg, err)
 resp.WriteErrorString(http.StatusInternalServerError, msg)
 return
 }
 if !authorized {
- msg := fmt.Sprintf("Forbidden (reason=%s, user=%s, verb=%s, namespace=%s, resource=%s)", reason, u.GetName(), attrs.GetVerb(), attrs.GetNamespace(), attrs.GetResource())
+ msg := fmt.Sprintf("Forbidden (user=%s, verb=%s, resource=%s, subresource=%s)", u.GetName(), attrs.GetVerb(), attrs.GetResource(), attrs.GetSubresource())
 glog.V(2).Info(msg)
 resp.WriteErrorString(http.StatusForbidden, msg)
 return
diff --git a/test/integration/auth/accessreview_test.go b/test/integration/auth/accessreview_test.go
index 3e769804c6..6b28c85547 100644
--- a/test/integration/auth/accessreview_test.go
+++ b/test/integration/auth/accessreview_test.go
@@ -103,7 +103,7 @@ func TestSubjectAccessReview(t *testing.T) {
 },
 expectedStatus: authorizationapi.SubjectAccessReviewStatus{
 Allowed: false,
- Reason: "Not in privileged list.\nno",
+ Reason: "no",
 EvaluationError: "I'm sorry, Dave",
 },
 },
@@ -198,7 +198,7 @@ func TestSelfSubjectAccessReview(t *testing.T) {
 },
 expectedStatus: authorizationapi.SubjectAccessReviewStatus{
 Allowed: false,
- Reason: "Not in privileged list.\nno",
+ Reason: "no",
 EvaluationError: "I'm sorry, Dave",
 },
 },
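Review bot: `glog.Errorf(msg, err)` on the line after the new `msg` uses `msg` as the format string even though `msg` was already built with `fmt.Sprintf` from the caller-supplied user name and the request's verb, resource and subresource; a `%` in any of those is read as a verb, and because `msg` carries no verb for `err` the error is never logged. Write `glog.Errorf("%s: %v", msg, err)` so the message is literal and the error appears. The response body written via `resp.WriteErrorString(http.StatusInternalServerError, msg)` correctly omits `err`; keep it that way so internal error text stays out of the client-visible message. InstallAuthFilter starts and ends outside the hunk.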
@@ -284,7 +284,7 @@ func TestLocalSubjectAccessReview(t *testing.T) {
 },
 expectedStatus: authorizationapi.SubjectAccessReviewStatus{
 Allowed: false,
- Reason: "Not in privileged list.\nno",
+ Reason: "no",
 EvaluationError: "I'm sorry, Dave",
 },
 },