Cleanup auth logging, allow starting secured kubelet in local-up-cluster.sh

2016-11-03 01:13:00 -04:00 · 2016-11-03 01:13:00 -04:00 · d3991aa7c6
parent c4eb04afa2
commit d3991aa7c6
4 changed files with 31 additions and 7 deletions
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@ -340,6 +340,10 @@ function start_apiserver {
    if [[ -n "${RUNTIME_CONFIG}" ]]; then
      runtime_config="--runtime-config=${RUNTIME_CONFIG}"
    fi
+    client_ca_file_arg=""
+    if [[ -n "${CLIENT_CA_FILE:-}" ]]; then
+      client_ca_file_arg="--client-ca-file=${CLIENT_CA_FILE}"
+    fi

    # Let the API server pick a default address when API_HOST
    # is set to 127.0.0.1
@ -354,6 +358,7 @@ function start_apiserver {

    APISERVER_LOG=/tmp/kube-apiserver.log
    sudo -E "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
+      ${client_ca_file_arg} \
      ${advertise_address} \
      --v=${LOG_LEVEL} \
      --cert-dir="${CERT_DIR}" \
@ -382,9 +387,16 @@ clusters:
      certificate-authority: ${ROOT_CA_FILE}
      server: https://${API_HOST}:${API_SECURE_PORT}/
    name: local-up-cluster
+users:
+  - user:
+      token: ${KUBECONFIG_TOKEN:-}
+      client-certificate: ${KUBECONFIG_CLIENT_CERTIFICATE:-}
+      client-key: ${KUBECONFIG_CLIENT_KEY:-}
+    name: local-up-cluster
 contexts:
  - context:
      cluster: local-up-cluster
+      user: local-up-cluster
    name: service-to-apiserver
 current-context: service-to-apiserver
 EOF
@ -441,6 +453,17 @@ function start_kubelet {
        net_plugin_args="--network-plugin=${NET_PLUGIN}"
      fi

+      auth_args=""
+      if [[ -n "${KUBELET_AUTHORIZATION_WEBHOOK}" ]]; then
+        auth_args="${auth_args} --authorization-mode=Webhook"
+      fi
+      if [[ -n "${KUBELET_AUTHENTICATION_WEBHOOK}" ]]; then
+        auth_args="${auth_args} --authentication-token-webhook"
+      fi
+      if [[ -n "${CLIENT_CA_FILE:-}" ]]; then
+        auth_args="${auth_args} --client-ca-file=${CLIENT_CA_FILE}"
+      fi
+
      net_plugin_dir_args=""
      if [[ -n "${NET_PLUGIN_DIR}" ]]; then
        net_plugin_dir_args="--network-plugin-dir=${NET_PLUGIN_DIR}"
@ -475,6 +498,7 @@ function start_kubelet {
        --cgroups-per-qos=${CGROUPS_PER_QOS} \
        --cgroup-driver=${CGROUP_DRIVER} \
        --cgroup-root=${CGROUP_ROOT} \
+        ${auth_args} \
        ${dns_args} \
        ${net_plugin_dir_args} \
        ${net_plugin_args} \
--- a/pkg/genericapiserver/authorizer/authz.go
+++ b/pkg/genericapiserver/authorizer/authz.go
@ -84,7 +84,7 @@ func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (bool,
 			}
 		}
 	}
-	return false, "Not in privileged list.", nil
+	return false, "", nil
 }

 // NewPrivilegedGroups is for use in loopback scenarios
--- a/pkg/kubelet/server/server.go
+++ b/pkg/kubelet/server/server.go
@ -223,15 +223,15 @@ func (s *Server) InstallAuthFilter() {
 		attrs := s.auth.GetRequestAttributes(u, req.Request)

 		// Authorize
-		authorized, reason, err := s.auth.Authorize(attrs)
+		authorized, _, err := s.auth.Authorize(attrs)
 		if err != nil {
-			msg := fmt.Sprintf("Error (user=%s, verb=%s, namespace=%s, resource=%s)", u.GetName(), attrs.GetVerb(), attrs.GetNamespace(), attrs.GetResource())
+			msg := fmt.Sprintf("Authorization error (user=%s, verb=%s, resource=%s, subresource=%s)", u.GetName(), attrs.GetVerb(), attrs.GetResource(), attrs.GetSubresource())
 			glog.Errorf(msg, err)
 			resp.WriteErrorString(http.StatusInternalServerError, msg)
 			return
 		}
 		if !authorized {
-			msg := fmt.Sprintf("Forbidden (reason=%s, user=%s, verb=%s, namespace=%s, resource=%s)", reason, u.GetName(), attrs.GetVerb(), attrs.GetNamespace(), attrs.GetResource())
+			msg := fmt.Sprintf("Forbidden (user=%s, verb=%s, resource=%s, subresource=%s)", u.GetName(), attrs.GetVerb(), attrs.GetResource(), attrs.GetSubresource())
 			glog.V(2).Info(msg)
 			resp.WriteErrorString(http.StatusForbidden, msg)
 			return
--- a/test/integration/auth/accessreview_test.go
+++ b/test/integration/auth/accessreview_test.go
@ -103,7 +103,7 @@ func TestSubjectAccessReview(t *testing.T) {
 			},
 			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
 				Allowed:         false,
-				Reason:          "Not in privileged list.\nno",
+				Reason:          "no",
 				EvaluationError: "I'm sorry, Dave",
 			},
 		},
@ -198,7 +198,7 @@ func TestSelfSubjectAccessReview(t *testing.T) {
 			},
 			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
 				Allowed:         false,
-				Reason:          "Not in privileged list.\nno",
+				Reason:          "no",
 				EvaluationError: "I'm sorry, Dave",
 			},
 		},
@ -284,7 +284,7 @@ func TestLocalSubjectAccessReview(t *testing.T) {
 			},
 			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
 				Allowed:         false,
-				Reason:          "Not in privileged list.\nno",
+				Reason:          "no",
 				EvaluationError: "I'm sorry, Dave",
 			},
 		},