From e7d0983707e02a583462a360c6a91e4409abad78 Mon Sep 17 00:00:00 2001
From: yue9944882 <291271447@qq.com>
Date: Thu, 9 Aug 2018 21:27:23 +0800
Subject: [PATCH] externalize pv informer in node authorizer
---
 pkg/kubeapiserver/authorizer/config.go | 2 +-
 plugin/pkg/auth/authorizer/node/BUILD | 2 +-
 plugin/pkg/auth/authorizer/node/graph.go | 4 ++--
 .../auth/authorizer/node/graph_populator.go | 6 +++---
 .../authorizer/node/node_authorizer_test.go | 18 +++++++++---------
 5 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index 71c4dcdc00..1e0b650cb8 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -76,7 +76,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
 graph,
 config.InformerFactory.Core().InternalVersion().Nodes(),
 config.VersionedInformerFactory.Core().V1().Pods(),
- config.InformerFactory.Core().InternalVersion().PersistentVolumes(),
+ config.VersionedInformerFactory.Core().V1().PersistentVolumes(),
 config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
 )
 nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
diff --git a/plugin/pkg/auth/authorizer/node/BUILD b/plugin/pkg/auth/authorizer/node/BUILD
index 2719325fa4..98d4ecb307 100644
--- a/plugin/pkg/auth/authorizer/node/BUILD
+++ b/plugin/pkg/auth/authorizer/node/BUILD
@@ -40,7 +40,7 @@ go_library(
 ],
 importpath = "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node",
 deps = [
- "//pkg/api/persistentvolume:go_default_library",
+ "//pkg/api/v1/persistentvolume:go_default_library",
 "//pkg/api/v1/pod:go_default_library",
 "//pkg/apis/core:go_default_library",
 "//pkg/apis/storage:go_default_library",
diff --git a/plugin/pkg/auth/authorizer/node/graph.go b/plugin/pkg/auth/authorizer/node/graph.go
index 240ac6e9ae..2b96db103e 100644
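Review bot: The argument list in the config.go hunk now draws from two informer factories (`config.InformerFactory` for Nodes, `config.VersionedInformerFactory` for Pods, PersistentVolumes and VolumeAttachments), and nothing on these lines says why Nodes stays on the internal one. The node authorizer's decisions are derived from what these informers feed into the graph, so a short comment above the Nodes argument would help the next reader, e.g. `// nodes still uses the internal informer; pods, pvs and attachments use VersionedInformerFactory`. Where each factory is started and synced is not visible here, so it is worth confirming that the PV informer's new factory is handled before the authorizer serves requests. `New()` begins and ends outside the hunk.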
--- a/plugin/pkg/auth/authorizer/node/graph.go
+++ b/plugin/pkg/auth/authorizer/node/graph.go
@@ -20,7 +20,7 @@ import (
 "sync"
 corev1 "k8s.io/api/core/v1"
- pvutil "k8s.io/kubernetes/pkg/api/persistentvolume"
+ pvutil "k8s.io/kubernetes/pkg/api/v1/persistentvolume"
 podutil "k8s.io/kubernetes/pkg/api/v1/pod"
 api "k8s.io/kubernetes/pkg/apis/core"
 "k8s.io/kubernetes/third_party/forked/gonum/graph"
@@ -365,7 +365,7 @@ func (g *Graph) DeletePod(name, namespace string) {
 // secret -> pv
 //
 // pv -> pvc
-func (g *Graph) AddPV(pv *api.PersistentVolume) {
+func (g *Graph) AddPV(pv *corev1.PersistentVolume) {
 g.lock.Lock()
 defer g.lock.Unlock()
diff --git a/plugin/pkg/auth/authorizer/node/graph_populator.go b/plugin/pkg/auth/authorizer/node/graph_populator.go
index dcb7b732cf..9910ce0d3c 100644
--- a/plugin/pkg/auth/authorizer/node/graph_populator.go
+++ b/plugin/pkg/auth/authorizer/node/graph_populator.go
@@ -39,7 +39,7 @@ func AddGraphEventHandlers(
 graph *Graph,
 nodes coreinformers.NodeInformer,
 pods corev1informers.PodInformer,
- pvs coreinformers.PersistentVolumeInformer,
+ pvs corev1informers.PersistentVolumeInformer,
 attachments storageinformers.VolumeAttachmentInformer,
 ) {
 g := &graphPopulator{
@@ -175,7 +175,7 @@ func (g *graphPopulator) addPV(obj interface{}) {
 }
 func (g *graphPopulator) updatePV(oldObj, obj interface{}) {
- pv := obj.(*api.PersistentVolume)
+ pv := obj.(*corev1.PersistentVolume)
 // TODO: skip add if uid, pvc, and secrets are all identical between old and new
 g.graph.AddPV(pv)
 }
@@ -184,7 +184,7 @@ func (g *graphPopulator) deletePV(obj interface{}) {
 if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
 obj = tombstone.Obj
 }
- pv, ok := obj.(*api.PersistentVolume)
+ pv, ok := obj.(*corev1.PersistentVolume)
 if !ok {
 glog.Infof("unexpected type %T", obj)
 return
diff --git a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
index 85a472c1bb..04b3d6167c 100644
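Review bot: In `updatePV` the new `pv := obj.(*corev1.PersistentVolume)` is an unchecked type assertion, so any object of another type reaching this handler panics, whereas `deletePV` in the same file uses the comma-ok form and logs. With the informer type changing in this commit, a handler still wired to the internal informer would fail that way instead of being reported. Consider `pv, ok := obj.(*corev1.PersistentVolume)` followed by `if !ok { glog.Infof("unexpected type %T", obj); return }`, matching `deletePV`.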
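Review bot: When the assertion in `deletePV` fails, the function logs at Info level and returns, which as far as this hunk shows leaves the deleted PV's vertex and edges in the graph. Those edges are what lets the node authorizer allow a node to read the PV's secret, so a silently skipped delete errs on the permissive side. Raising the log to `glog.Errorf("unexpected type %T", obj)` would make a type mismatch visible after this informer switch; objects unwrapped from `tombstone.Obj` reach the same check. The rest of `deletePV` is outside the hunk.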
--- a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
@@ -684,7 +684,7 @@ func BenchmarkAuthorization(b *testing.B) {
 }
 }
-func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*api.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
+func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
 p := &graphPopulator{}
 p.graph = graph
 for _, node := range nodes {
@@ -705,10 +705,10 @@ func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*api.Pe
 // the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects.
 // for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0.
 // when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1.
-func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
+func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
 nodes := make([]*api.Node, 0, opts.nodes)
 pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode)
- pvs := make([]*api.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
+ pvs := make([]*corev1.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
 attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode)
 for n := 0; n < opts.nodes; n++ {
@@ -743,10 +743,10 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.Persisten
 }
 for i := 0; i < opts.uniquePVCsPerPod; i++ {
- pv := &api.PersistentVolume{}
+ pv := &corev1.PersistentVolume{}
 pv.Name = fmt.Sprintf("pv%d-%s-%s", i, pod.Name, pod.Namespace)
- pv.Spec.FlexVolume = &api.FlexPersistentVolumeSource{SecretRef: &api.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
- pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-%s", i, pod.Name), Namespace: pod.Namespace}
+ pv.Spec.FlexVolume = &corev1.FlexPersistentVolumeSource{SecretRef: &corev1.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
+ pv.Spec.ClaimRef = &corev1.ObjectReference{Name: fmt.Sprintf("pvc%d-%s", i, pod.Name), Namespace: pod.Namespace}
 pvs = append(pvs, pv)
 pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
@@ -754,10 +754,10 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.Persisten
 }})
 }
 for i := 0; i < opts.sharedPVCsPerPod; i++ {
- pv := &api.PersistentVolume{}
+ pv := &corev1.PersistentVolume{}
 pv.Name = fmt.Sprintf("pv%d-shared-%s", i, pod.Namespace)
- pv.Spec.FlexVolume = &api.FlexPersistentVolumeSource{SecretRef: &api.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
- pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-shared", i), Namespace: pod.Namespace}
+ pv.Spec.FlexVolume = &corev1.FlexPersistentVolumeSource{SecretRef: &corev1.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
+ pv.Spec.ClaimRef = &corev1.ObjectReference{Name: fmt.Sprintf("pvc%d-shared", i), Namespace: pod.Namespace}
 pvs = append(pvs, pv)
 pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
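Review bot: Both PV loops in `generate` (the `uniquePVCsPerPod` hunk and the `sharedPVCsPerPod` hunk after it) only build PVs whose secret reference sits in `Spec.FlexVolume.SecretRef`, so the tests exercise a single volume source against the `pvutil` package that graph.go now imports from `pkg/api/v1/persistentvolume`. If `AddPV` relies on that helper to enumerate secret references (its body is not shown in this patch), a source type the v1 helper treats differently would change which secrets a node is authorized for without any test noticing. Adding at least one PV with a different secret-bearing source to the generated data would cover the switch. `generate` begins and ends outside these hunks.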