Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
67c5df71
Commit
67c5df71
authored
Oct 08, 2018
by
Darren Shepherd
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove RequestHeader and ClientCerts auth
parent
153b97ae
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
2 additions
and
447 deletions
+2
-447
server.go
cmd/kube-apiserver/app/server.go
+0
-18
config.go
pkg/kubeapiserver/authenticator/config.go
+0
-20
authentication.go
pkg/kubeapiserver/options/authentication.go
+1
-43
client_ca_hook.go
pkg/master/client_ca_hook.go
+0
-140
master.go
pkg/master/master.go
+0
-6
config.go
staging/src/k8s.io/apiserver/pkg/server/config.go
+0
-21
authentication.go
...src/k8s.io/apiserver/pkg/server/options/authentication.go
+1
-199
No files found.
cmd/kube-apiserver/app/server.go
View file @
67c5df71
...
...
@@ -264,27 +264,9 @@ func CreateKubeAPIServerConfig(
return
}
clientCA
,
lastErr
:=
readCAorNil
(
s
.
Authentication
.
ClientCert
.
ClientCA
)
if
lastErr
!=
nil
{
return
}
requestHeaderProxyCA
,
lastErr
:=
readCAorNil
(
s
.
Authentication
.
RequestHeader
.
ClientCAFile
)
if
lastErr
!=
nil
{
return
}
config
=
&
master
.
Config
{
GenericConfig
:
genericConfig
,
ExtraConfig
:
master
.
ExtraConfig
{
ClientCARegistrationHook
:
master
.
ClientCARegistrationHook
{
ClientCA
:
clientCA
,
RequestHeaderUsernameHeaders
:
s
.
Authentication
.
RequestHeader
.
UsernameHeaders
,
RequestHeaderGroupHeaders
:
s
.
Authentication
.
RequestHeader
.
GroupHeaders
,
RequestHeaderExtraHeaderPrefixes
:
s
.
Authentication
.
RequestHeader
.
ExtraHeaderPrefixes
,
RequestHeaderCA
:
requestHeaderProxyCA
,
RequestHeaderAllowedNames
:
s
.
Authentication
.
RequestHeader
.
AllowedNames
,
},
APIResourceConfigSource
:
storageFactory
.
APIResourceConfigSource
,
StorageFactory
:
storageFactory
,
EventTTL
:
s
.
EventTTL
,
...
...
pkg/kubeapiserver/authenticator/config.go
View file @
67c5df71
...
...
@@ -20,11 +20,9 @@ import (
"time"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/headerrequest"
"k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/websocket"
"k8s.io/apiserver/pkg/authentication/request/x509"
...
...
@@ -58,8 +56,6 @@ type Config struct {
TokenSuccessCacheTTL
time
.
Duration
TokenFailureCacheTTL
time
.
Duration
RequestHeaderConfig
*
authenticatorfactory
.
RequestHeaderConfig
// TODO, this is the only non-serializable part of the entire config. Factor it out into a clientconfig
ServiceAccountTokenGetter
serviceaccount
.
ServiceAccountTokenGetter
}
...
...
@@ -70,22 +66,6 @@ func (config Config) New() (authenticator.Request, error) {
var
authenticators
[]
authenticator
.
Request
var
tokenAuthenticators
[]
authenticator
.
Token
// front-proxy, BasicAuth methods, local first, then remote
// Add the front proxy authenticator if requested
if
config
.
RequestHeaderConfig
!=
nil
{
requestHeaderAuthenticator
,
err
:=
headerrequest
.
NewSecure
(
config
.
RequestHeaderConfig
.
ClientCA
,
config
.
RequestHeaderConfig
.
AllowedClientNames
,
config
.
RequestHeaderConfig
.
UsernameHeaders
,
config
.
RequestHeaderConfig
.
GroupHeaders
,
config
.
RequestHeaderConfig
.
ExtraHeaderPrefixes
,
)
if
err
!=
nil
{
return
nil
,
err
}
authenticators
=
append
(
authenticators
,
authenticator
.
WrapAudienceAgnosticRequest
(
config
.
APIAudiences
,
requestHeaderAuthenticator
))
}
// basic auth
if
len
(
config
.
BasicAuthFile
)
>
0
{
basicAuth
,
err
:=
newAuthenticatorFromBasicAuthFile
(
config
.
BasicAuthFile
)
...
...
pkg/kubeapiserver/options/authentication.go
View file @
67c5df71
...
...
@@ -28,7 +28,6 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/authenticator"
genericapiserver
"k8s.io/apiserver/pkg/server"
genericoptions
"k8s.io/apiserver/pkg/server/options"
kubeauthenticator
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
)
...
...
@@ -36,9 +35,7 @@ import (
type
BuiltInAuthenticationOptions
struct
{
APIAudiences
[]
string
Anonymous
*
AnonymousAuthenticationOptions
ClientCert
*
genericoptions
.
ClientCertAuthenticationOptions
PasswordFile
*
PasswordFileAuthenticationOptions
RequestHeader
*
genericoptions
.
RequestHeaderAuthenticationOptions
ServiceAccounts
*
ServiceAccountAuthenticationOptions
TokenFile
*
TokenFileAuthenticationOptions
WebHook
*
WebHookAuthenticationOptions
...
...
@@ -81,9 +78,7 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
func
(
s
*
BuiltInAuthenticationOptions
)
WithAll
()
*
BuiltInAuthenticationOptions
{
return
s
.
WithAnonymous
()
.
WithClientCert
()
.
WithPasswordFile
()
.
WithRequestHeader
()
.
WithServiceAccounts
()
.
WithTokenFile
()
.
WithWebHook
()
...
...
@@ -94,21 +89,11 @@ func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOpt
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithClientCert
()
*
BuiltInAuthenticationOptions
{
s
.
ClientCert
=
&
genericoptions
.
ClientCertAuthenticationOptions
{}
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithPasswordFile
()
*
BuiltInAuthenticationOptions
{
s
.
PasswordFile
=
&
PasswordFileAuthenticationOptions
{}
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithRequestHeader
()
*
BuiltInAuthenticationOptions
{
s
.
RequestHeader
=
&
genericoptions
.
RequestHeaderAuthenticationOptions
{}
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithServiceAccounts
()
*
BuiltInAuthenticationOptions
{
s
.
ServiceAccounts
=
&
ServiceAccountAuthenticationOptions
{
Lookup
:
true
}
return
s
...
...
@@ -153,20 +138,12 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated."
)
}
if
s
.
ClientCert
!=
nil
{
s
.
ClientCert
.
AddFlags
(
fs
)
}
if
s
.
PasswordFile
!=
nil
{
fs
.
StringVar
(
&
s
.
PasswordFile
.
BasicAuthFile
,
"basic-auth-file"
,
s
.
PasswordFile
.
BasicAuthFile
,
""
+
"If set, the file that will be used to admit requests to the secure port of the API server "
+
"via http basic authentication."
)
}
if
s
.
RequestHeader
!=
nil
{
s
.
RequestHeader
.
AddFlags
(
fs
)
}
if
s
.
ServiceAccounts
!=
nil
{
fs
.
StringArrayVar
(
&
s
.
ServiceAccounts
.
KeyFiles
,
"service-account-key-file"
,
s
.
ServiceAccounts
.
KeyFiles
,
""
+
"File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify "
+
...
...
@@ -219,19 +196,12 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticato
ret
.
Anonymous
=
s
.
Anonymous
.
Allow
}
if
s
.
ClientCert
!=
nil
{
ret
.
ClientCAFile
=
s
.
ClientCert
.
ClientCA
}
if
s
.
PasswordFile
!=
nil
{
ret
.
BasicAuthFile
=
s
.
PasswordFile
.
BasicAuthFile
}
if
s
.
RequestHeader
!=
nil
{
ret
.
RequestHeaderConfig
=
s
.
RequestHeader
.
ToAuthenticationRequestHeaderConfig
()
}
ret
.
APIAudiences
=
s
.
APIAudiences
if
s
.
ServiceAccounts
!=
nil
{
if
s
.
ServiceAccounts
.
Issuer
!=
""
&&
len
(
s
.
APIAudiences
)
==
0
{
ret
.
APIAudiences
=
authenticator
.
Audiences
{
s
.
ServiceAccounts
.
Issuer
}
...
...
@@ -267,18 +237,6 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
return
nil
}
var
err
error
if
o
.
ClientCert
!=
nil
{
if
err
=
c
.
Authentication
.
ApplyClientCert
(
o
.
ClientCert
.
ClientCA
,
c
.
SecureServing
);
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
if
o
.
RequestHeader
!=
nil
{
if
err
=
c
.
Authentication
.
ApplyClientCert
(
o
.
RequestHeader
.
ClientCAFile
,
c
.
SecureServing
);
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
}
c
.
Authentication
.
SupportsBasicAuth
=
o
.
PasswordFile
!=
nil
&&
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
c
.
Authentication
.
APIAudiences
=
o
.
APIAudiences
...
...
pkg/master/client_ca_hook.go
deleted
100644 → 0
View file @
153b97ae
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
master
import
(
"encoding/json"
"fmt"
"reflect"
"time"
corev1
"k8s.io/api/core/v1"
apierrors
"k8s.io/apimachinery/pkg/api/errors"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
utilruntime
"k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/util/wait"
genericapiserver
"k8s.io/apiserver/pkg/server"
corev1client
"k8s.io/client-go/kubernetes/typed/core/v1"
)
type
ClientCARegistrationHook
struct
{
ClientCA
[]
byte
RequestHeaderUsernameHeaders
[]
string
RequestHeaderGroupHeaders
[]
string
RequestHeaderExtraHeaderPrefixes
[]
string
RequestHeaderCA
[]
byte
RequestHeaderAllowedNames
[]
string
}
func
(
h
ClientCARegistrationHook
)
PostStartHook
(
hookContext
genericapiserver
.
PostStartHookContext
)
error
{
// initializing CAs is important so that aggregated API servers can come up with "normal" config.
// We've seen lagging etcd before, so we want to retry this a few times before we decide to crashloop
// the API server on it.
err
:=
wait
.
Poll
(
1
*
time
.
Second
,
30
*
time
.
Second
,
func
()
(
done
bool
,
err
error
)
{
// retry building the config since sometimes the server can be in an in-between state which caused
// some kind of auto detection failure as I recall from other post start hooks.
// TODO see if this is still true and fix the RBAC one too if it isn't.
client
,
err
:=
corev1client
.
NewForConfig
(
hookContext
.
LoopbackClientConfig
)
if
err
!=
nil
{
utilruntime
.
HandleError
(
err
)
return
false
,
nil
}
return
h
.
tryToWriteClientCAs
(
client
)
})
// if we're never able to make it through initialization, kill the API server
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to initialize client CA configmap: %v"
,
err
)
}
return
nil
}
// tryToWriteClientCAs is here for unit testing with a fake client. This is a wait.ConditionFunc so the bool
// indicates if the condition was met. True when its finished, false when it should retry.
func
(
h
ClientCARegistrationHook
)
tryToWriteClientCAs
(
client
corev1client
.
CoreV1Interface
)
(
bool
,
error
)
{
if
err
:=
createNamespaceIfNeeded
(
client
,
metav1
.
NamespaceSystem
);
err
!=
nil
{
utilruntime
.
HandleError
(
err
)
return
false
,
nil
}
data
:=
map
[
string
]
string
{}
if
len
(
h
.
ClientCA
)
>
0
{
data
[
"client-ca-file"
]
=
string
(
h
.
ClientCA
)
}
if
len
(
h
.
RequestHeaderCA
)
>
0
{
var
err
error
// encoding errors aren't going to get better, so just fail on them.
data
[
"requestheader-username-headers"
],
err
=
jsonSerializeStringSlice
(
h
.
RequestHeaderUsernameHeaders
)
if
err
!=
nil
{
return
false
,
err
}
data
[
"requestheader-group-headers"
],
err
=
jsonSerializeStringSlice
(
h
.
RequestHeaderGroupHeaders
)
if
err
!=
nil
{
return
false
,
err
}
data
[
"requestheader-extra-headers-prefix"
],
err
=
jsonSerializeStringSlice
(
h
.
RequestHeaderExtraHeaderPrefixes
)
if
err
!=
nil
{
return
false
,
err
}
data
[
"requestheader-client-ca-file"
]
=
string
(
h
.
RequestHeaderCA
)
data
[
"requestheader-allowed-names"
],
err
=
jsonSerializeStringSlice
(
h
.
RequestHeaderAllowedNames
)
if
err
!=
nil
{
return
false
,
err
}
}
// write errors may work next time if we retry, so queue for retry
if
err
:=
writeConfigMap
(
client
,
"extension-apiserver-authentication"
,
data
);
err
!=
nil
{
utilruntime
.
HandleError
(
err
)
return
false
,
nil
}
return
true
,
nil
}
func
jsonSerializeStringSlice
(
in
[]
string
)
(
string
,
error
)
{
out
,
err
:=
json
.
Marshal
(
in
)
if
err
!=
nil
{
return
""
,
err
}
return
string
(
out
),
err
}
func
writeConfigMap
(
client
corev1client
.
ConfigMapsGetter
,
name
string
,
data
map
[
string
]
string
)
error
{
existing
,
err
:=
client
.
ConfigMaps
(
metav1
.
NamespaceSystem
)
.
Get
(
name
,
metav1
.
GetOptions
{})
if
apierrors
.
IsNotFound
(
err
)
{
_
,
err
:=
client
.
ConfigMaps
(
metav1
.
NamespaceSystem
)
.
Create
(
&
corev1
.
ConfigMap
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Namespace
:
metav1
.
NamespaceSystem
,
Name
:
name
},
Data
:
data
,
})
return
err
}
if
err
!=
nil
{
return
err
}
if
!
reflect
.
DeepEqual
(
existing
.
Data
,
data
)
{
existing
.
Data
=
data
_
,
err
=
client
.
ConfigMaps
(
metav1
.
NamespaceSystem
)
.
Update
(
existing
)
}
return
err
}
pkg/master/master.go
View file @
67c5df71
...
...
@@ -90,8 +90,6 @@ const (
)
type
ExtraConfig
struct
{
ClientCARegistrationHook
ClientCARegistrationHook
APIResourceConfigSource
serverstorage
.
APIResourceConfigSource
StorageFactory
serverstorage
.
StorageFactory
EndpointReconcilerConfig
EndpointReconcilerConfig
...
...
@@ -176,8 +174,6 @@ type EndpointReconcilerConfig struct {
// Master contains state for a Kubernetes cluster master/api server.
type
Master
struct
{
GenericAPIServer
*
genericapiserver
.
GenericAPIServer
ClientCARegistrationHook
ClientCARegistrationHook
}
func
(
c
*
Config
)
createMasterCountReconciler
()
reconcilers
.
EndpointReconciler
{
...
...
@@ -332,8 +328,6 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
}
m
.
InstallAPIs
(
c
.
ExtraConfig
.
APIResourceConfigSource
,
c
.
GenericConfig
.
RESTOptionsGetter
,
restStorageProviders
...
)
m
.
GenericAPIServer
.
AddPostStartHookOrDie
(
"ca-registration"
,
c
.
ExtraConfig
.
ClientCARegistrationHook
.
PostStartHook
)
return
m
,
nil
}
...
...
staging/src/k8s.io/apiserver/pkg/server/config.go
View file @
67c5df71
...
...
@@ -56,8 +56,6 @@ import (
"k8s.io/apiserver/pkg/util/logs"
"k8s.io/client-go/informers"
restclient
"k8s.io/client-go/rest"
certutil
"k8s.io/client-go/util/cert"
// install apis
_
"k8s.io/apiserver/pkg/apis/apiserver/install"
)
...
...
@@ -259,25 +257,6 @@ func NewRecommendedConfig(codecs serializer.CodecFactory) *RecommendedConfig {
}
}
func
(
c
*
AuthenticationInfo
)
ApplyClientCert
(
clientCAFile
string
,
servingInfo
*
SecureServingInfo
)
error
{
if
servingInfo
!=
nil
{
if
len
(
clientCAFile
)
>
0
{
clientCAs
,
err
:=
certutil
.
CertsFromFile
(
clientCAFile
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"unable to load client CA file: %v"
,
err
)
}
if
servingInfo
.
ClientCA
==
nil
{
servingInfo
.
ClientCA
=
x509
.
NewCertPool
()
}
for
_
,
cert
:=
range
clientCAs
{
servingInfo
.
ClientCA
.
AddCert
(
cert
)
}
}
}
return
nil
}
type
completedConfig
struct
{
*
Config
...
...
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
View file @
67c5df71
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment