github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Cleanup auth logging, allow starting secured kubelet in local-up-cluster.sh

pull/6/head
Jordan Liggitt 2016-11-03 01:13:00 -04:00
parent c4eb04afa2
commit d3991aa7c6
No known key found for this signature in database
GPG Key ID: 24E7ADF9A3B42012
4 changed files with 31 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
hack/local-up-cluster.sh
View File

@ -340,6 +340,10 @@ function start_apiserver {
if [[ -n "${RUNTIME_CONFIG}" ]]; then if [[ -n "${RUNTIME_CONFIG}" ]]; then
runtime_config="--runtime-config=${RUNTIME_CONFIG}" runtime_config="--runtime-config=${RUNTIME_CONFIG}"
fi fi
client_ca_file_arg=""
if [[ -n "${CLIENT_CA_FILE:-}" ]]; then
client_ca_file_arg="--client-ca-file=${CLIENT_CA_FILE}"
fi
# Let the API server pick a default address when API_HOST # Let the API server pick a default address when API_HOST
# is set to 127.0.0.1 # is set to 127.0.0.1
@ -354,6 +358,7 @@ function start_apiserver {
APISERVER_LOG=/tmp/kube-apiserver.log APISERVER_LOG=/tmp/kube-apiserver.log
sudo -E "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\ sudo -E "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
${client_ca_file_arg} \
${advertise_address} \ ${advertise_address} \
--v=${LOG_LEVEL} \ --v=${LOG_LEVEL} \
--cert-dir="${CERT_DIR}" \ --cert-dir="${CERT_DIR}" \
@ -382,9 +387,16 @@ clusters:
certificate-authority: ${ROOT_CA_FILE} certificate-authority: ${ROOT_CA_FILE}
server: https://${API_HOST}:${API_SECURE_PORT}/ server: https://${API_HOST}:${API_SECURE_PORT}/
name: local-up-cluster name: local-up-cluster
users:
- user:
token: ${KUBECONFIG_TOKEN:-}
client-certificate: ${KUBECONFIG_CLIENT_CERTIFICATE:-}
client-key: ${KUBECONFIG_CLIENT_KEY:-}
name: local-up-cluster
contexts: contexts:
- context: - context:
cluster: local-up-cluster cluster: local-up-cluster
user: local-up-cluster
name: service-to-apiserver name: service-to-apiserver
current-context: service-to-apiserver current-context: service-to-apiserver
EOF EOF
@ -441,6 +453,17 @@ function start_kubelet {
net_plugin_args="--network-plugin=${NET_PLUGIN}" net_plugin_args="--network-plugin=${NET_PLUGIN}"
fi fi
auth_args=""
if [[ -n "${KUBELET_AUTHORIZATION_WEBHOOK}" ]]; then
auth_args="${auth_args} --authorization-mode=Webhook"
fi
if [[ -n "${KUBELET_AUTHENTICATION_WEBHOOK}" ]]; then
auth_args="${auth_args} --authentication-token-webhook"
fi
if [[ -n "${CLIENT_CA_FILE:-}" ]]; then
auth_args="${auth_args} --client-ca-file=${CLIENT_CA_FILE}"
fi
net_plugin_dir_args="" net_plugin_dir_args=""
if [[ -n "${NET_PLUGIN_DIR}" ]]; then if [[ -n "${NET_PLUGIN_DIR}" ]]; then
net_plugin_dir_args="--network-plugin-dir=${NET_PLUGIN_DIR}" net_plugin_dir_args="--network-plugin-dir=${NET_PLUGIN_DIR}"
@ -475,6 +498,7 @@ function start_kubelet {
--cgroups-per-qos=${CGROUPS_PER_QOS} \ --cgroups-per-qos=${CGROUPS_PER_QOS} \
--cgroup-driver=${CGROUP_DRIVER} \ --cgroup-driver=${CGROUP_DRIVER} \
--cgroup-root=${CGROUP_ROOT} \ --cgroup-root=${CGROUP_ROOT} \
${auth_args} \
${dns_args} \ ${dns_args} \
${net_plugin_dir_args} \ ${net_plugin_dir_args} \
${net_plugin_args} \ ${net_plugin_args} \

2
pkg/genericapiserver/authorizer/authz.go
View File

@ -84,7 +84,7 @@ func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (bool,
} }
} }
} }
return false, "Not in privileged list.", nil return false, "", nil
} }
// NewPrivilegedGroups is for use in loopback scenarios // NewPrivilegedGroups is for use in loopback scenarios

6
pkg/kubelet/server/server.go
View File

@ -223,15 +223,15 @@ func (s *Server) InstallAuthFilter() {
attrs := s.auth.GetRequestAttributes(u, req.Request) attrs := s.auth.GetRequestAttributes(u, req.Request)
// Authorize // Authorize
authorized, reason, err := s.auth.Authorize(attrs) authorized, _, err := s.auth.Authorize(attrs)
if err != nil { if err != nil {
msg := fmt.Sprintf("Error (user=%s, verb=%s, namespace=%s, resource=%s)", u.GetName(), attrs.GetVerb(), attrs.GetNamespace(), attrs.GetResource()) msg := fmt.Sprintf("Authorization error (user=%s, verb=%s, resource=%s, subresource=%s)", u.GetName(), attrs.GetVerb(), attrs.GetResource(), attrs.GetSubresource())
glog.Errorf(msg, err) glog.Errorf(msg, err)
resp.WriteErrorString(http.StatusInternalServerError, msg) resp.WriteErrorString(http.StatusInternalServerError, msg)
return return
} }
if !authorized { if !authorized {
msg := fmt.Sprintf("Forbidden (reason=%s, user=%s, verb=%s, namespace=%s, resource=%s)", reason, u.GetName(), attrs.GetVerb(), attrs.GetNamespace(), attrs.GetResource()) msg := fmt.Sprintf("Forbidden (user=%s, verb=%s, resource=%s, subresource=%s)", u.GetName(), attrs.GetVerb(), attrs.GetResource(), attrs.GetSubresource())
glog.V(2).Info(msg) glog.V(2).Info(msg)
resp.WriteErrorString(http.StatusForbidden, msg) resp.WriteErrorString(http.StatusForbidden, msg)
return return

6
test/integration/auth/accessreview_test.go
View File

@ -103,7 +103,7 @@ func TestSubjectAccessReview(t *testing.T) {
}, },
expectedStatus: authorizationapi.SubjectAccessReviewStatus{ expectedStatus: authorizationapi.SubjectAccessReviewStatus{
Allowed: false, Allowed: false,
Reason: "Not in privileged list.\nno", Reason: "no",
EvaluationError: "I'm sorry, Dave", EvaluationError: "I'm sorry, Dave",
}, },
}, },
@ -198,7 +198,7 @@ func TestSelfSubjectAccessReview(t *testing.T) {
}, },
expectedStatus: authorizationapi.SubjectAccessReviewStatus{ expectedStatus: authorizationapi.SubjectAccessReviewStatus{
Allowed: false, Allowed: false,
Reason: "Not in privileged list.\nno", Reason: "no",
EvaluationError: "I'm sorry, Dave", EvaluationError: "I'm sorry, Dave",
}, },
}, },
@ -284,7 +284,7 @@ func TestLocalSubjectAccessReview(t *testing.T) {
}, },
expectedStatus: authorizationapi.SubjectAccessReviewStatus{ expectedStatus: authorizationapi.SubjectAccessReviewStatus{
Allowed: false, Allowed: false,
Reason: "Not in privileged list.\nno", Reason: "no",
EvaluationError: "I'm sorry, Dave", EvaluationError: "I'm sorry, Dave",
}, },
}, },