Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
ab344da5
Unverified
Commit
ab344da5
authored
Feb 23, 2017
by
Lucas Käldström
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Move the authorization mode constants into a separate package
parent
1320021a
Hide whitespace changes
Inline
Side-by-side
Showing
9 changed files
with
145 additions
and
29 deletions
+145
-29
BUILD
pkg/kubeapiserver/authorizer/BUILD
+6
-1
config.go
pkg/kubeapiserver/authorizer/config.go
+9
-16
config_test.go
pkg/kubeapiserver/authorizer/config_test.go
+7
-6
BUILD
pkg/kubeapiserver/authorizer/modes/BUILD
+35
-0
modes.go
pkg/kubeapiserver/authorizer/modes/modes.go
+37
-0
modes_test.go
pkg/kubeapiserver/authorizer/modes/modes_test.go
+45
-0
BUILD
pkg/kubeapiserver/options/BUILD
+1
-0
authentication.go
pkg/kubeapiserver/options/authentication.go
+2
-2
authorization.go
pkg/kubeapiserver/options/authorization.go
+3
-4
No files found.
pkg/kubeapiserver/authorizer/BUILD
View file @
ab344da5
...
...
@@ -16,6 +16,7 @@ go_test(
],
library = ":go_default_library",
tags = ["automanaged"],
deps = ["//pkg/kubeapiserver/authorizer/modes:go_default_library"],
)
go_library(
...
...
@@ -25,6 +26,7 @@ go_library(
deps = [
"//pkg/auth/authorizer/abac:go_default_library",
"//pkg/controller/informers:go_default_library",
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
...
...
@@ -42,6 +44,9 @@ filegroup(
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
srcs = [
":package-srcs",
"//pkg/kubeapiserver/authorizer/modes:all-srcs",
],
tags = ["automanaged"],
)
pkg/kubeapiserver/authorizer/config.go
View file @
ab344da5
...
...
@@ -27,17 +27,10 @@ import (
"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/controller/informers"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
)
const
(
ModeAlwaysAllow
string
=
"AlwaysAllow"
ModeAlwaysDeny
string
=
"AlwaysDeny"
ModeABAC
string
=
"ABAC"
ModeWebhook
string
=
"Webhook"
ModeRBAC
string
=
"RBAC"
)
type
AuthorizationConfig
struct
{
AuthorizationModes
[]
string
...
...
@@ -79,11 +72,11 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
}
// Keep cases in sync with constant list above.
switch
authorizationMode
{
case
ModeAlwaysAllow
:
case
modes
.
ModeAlwaysAllow
:
authorizers
=
append
(
authorizers
,
authorizerfactory
.
NewAlwaysAllowAuthorizer
())
case
ModeAlwaysDeny
:
case
modes
.
ModeAlwaysDeny
:
authorizers
=
append
(
authorizers
,
authorizerfactory
.
NewAlwaysDenyAuthorizer
())
case
ModeABAC
:
case
modes
.
ModeABAC
:
if
config
.
PolicyFile
==
""
{
return
nil
,
errors
.
New
(
"ABAC's authorization policy file not passed"
)
}
...
...
@@ -92,7 +85,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
return
nil
,
err
}
authorizers
=
append
(
authorizers
,
abacAuthorizer
)
case
ModeWebhook
:
case
modes
.
ModeWebhook
:
if
config
.
WebhookConfigFile
==
""
{
return
nil
,
errors
.
New
(
"Webhook's configuration file not passed"
)
}
...
...
@@ -103,7 +96,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
return
nil
,
err
}
authorizers
=
append
(
authorizers
,
webhookAuthorizer
)
case
ModeRBAC
:
case
modes
.
ModeRBAC
:
rbacAuthorizer
:=
rbac
.
New
(
config
.
InformerFactory
.
Roles
()
.
Lister
(),
config
.
InformerFactory
.
RoleBindings
()
.
Lister
(),
...
...
@@ -117,13 +110,13 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
authorizerMap
[
authorizationMode
]
=
true
}
if
!
authorizerMap
[
ModeABAC
]
&&
config
.
PolicyFile
!=
""
{
if
!
authorizerMap
[
modes
.
ModeABAC
]
&&
config
.
PolicyFile
!=
""
{
return
nil
,
errors
.
New
(
"Cannot specify --authorization-policy-file without mode ABAC"
)
}
if
!
authorizerMap
[
ModeWebhook
]
&&
config
.
WebhookConfigFile
!=
""
{
if
!
authorizerMap
[
modes
.
ModeWebhook
]
&&
config
.
WebhookConfigFile
!=
""
{
return
nil
,
errors
.
New
(
"Cannot specify --authorization-webhook-config-file without mode Webhook"
)
}
if
!
authorizerMap
[
ModeRBAC
]
&&
config
.
RBACSuperUser
!=
""
{
if
!
authorizerMap
[
modes
.
ModeRBAC
]
&&
config
.
RBACSuperUser
!=
""
{
return
nil
,
errors
.
New
(
"Cannot specify --authorization-rbac-super-user without mode RBAC"
)
}
...
...
pkg/kubeapiserver/authorizer/config_test.go
View file @
ab344da5
...
...
@@ -17,6 +17,7 @@ limitations under the License.
package
authorizer
import
(
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
"testing"
)
...
...
@@ -39,19 +40,19 @@ func TestNew(t *testing.T) {
{
// ModeAlwaysAllow and ModeAlwaysDeny should return without authorizationPolicyFile
// but error if one is given
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
}},
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
modes
.
ModeAlwaysAllow
,
modes
.
ModeAlwaysDeny
}},
msg
:
"returned an error for valid config"
,
},
{
// ModeABAC requires a policy file
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeABAC
}},
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
modes
.
ModeAlwaysAllow
,
modes
.
ModeAlwaysDeny
,
modes
.
ModeABAC
}},
wantErr
:
true
,
msg
:
"specifying ABAC with no policy file should return an error"
,
},
{
// ModeABAC should not error if a valid policy path is provided
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeABAC
},
AuthorizationModes
:
[]
string
{
modes
.
ModeAlwaysAllow
,
modes
.
ModeAlwaysDeny
,
modes
.
ModeABAC
},
PolicyFile
:
examplePolicyFile
,
},
msg
:
"errored while using a valid policy file"
,
...
...
@@ -60,7 +61,7 @@ func TestNew(t *testing.T) {
// Authorization Policy file cannot be used without ModeABAC
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
},
AuthorizationModes
:
[]
string
{
modes
.
ModeAlwaysAllow
,
modes
.
ModeAlwaysDeny
},
PolicyFile
:
examplePolicyFile
,
},
wantErr
:
true
,
...
...
@@ -74,14 +75,14 @@ func TestNew(t *testing.T) {
},
{
// ModeWebhook requires at minimum a target.
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeWebhook
}},
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
modes
.
ModeWebhook
}},
wantErr
:
true
,
msg
:
"should have errored when config was empty with ModeWebhook"
,
},
{
// Cannot provide webhook flags without ModeWebhook
config
:
AuthorizationConfig
{
AuthorizationModes
:
[]
string
{
ModeAlwaysAllow
},
AuthorizationModes
:
[]
string
{
modes
.
ModeAlwaysAllow
},
WebhookConfigFile
:
"authz_webhook_config.yml"
,
},
wantErr
:
true
,
...
...
pkg/kubeapiserver/authorizer/modes/BUILD
0 → 100644
View file @
ab344da5
package(default_visibility = ["//visibility:public"])
licenses(["notice"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_test(
name = "go_default_test",
srcs = ["modes_test.go"],
library = ":go_default_library",
tags = ["automanaged"],
)
go_library(
name = "go_default_library",
srcs = ["modes.go"],
tags = ["automanaged"],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)
pkg/kubeapiserver/authorizer/modes/modes.go
0 → 100644
View file @
ab344da5
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
modes
const
(
ModeAlwaysAllow
string
=
"AlwaysAllow"
ModeAlwaysDeny
string
=
"AlwaysDeny"
ModeABAC
string
=
"ABAC"
ModeWebhook
string
=
"Webhook"
ModeRBAC
string
=
"RBAC"
)
var
AuthorizationModeChoices
=
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeABAC
,
ModeWebhook
,
ModeRBAC
}
// IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver
func
IsValidAuthorizationMode
(
authzMode
string
)
bool
{
for
_
,
validMode
:=
range
AuthorizationModeChoices
{
if
authzMode
==
validMode
{
return
true
}
}
return
false
}
pkg/kubeapiserver/authorizer/modes/modes_test.go
0 → 100644
View file @
ab344da5
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
modes
import
"testing"
func
TestIsValidAuthorizationMode
(
t
*
testing
.
T
)
{
var
tests
=
[]
struct
{
authzMode
string
expected
bool
}{
{
""
,
false
},
{
"rBAC"
,
false
},
// not supported
{
"falsy value"
,
false
},
// not supported
{
"RBAC"
,
true
},
// supported
{
"ABAC"
,
true
},
// supported
{
"Webhook"
,
true
},
// supported
{
"AlwaysAllow"
,
true
},
// supported
{
"AlwaysDeny"
,
true
},
// supported
}
for
_
,
rt
:=
range
tests
{
actual
:=
IsValidAuthorizationMode
(
rt
.
authzMode
)
if
actual
!=
rt
.
expected
{
t
.
Errorf
(
"failed ValidAuthorizationMode:
\n\t
expected: %t
\n\t
actual: %t"
,
rt
.
expected
,
actual
,
)
}
}
}
pkg/kubeapiserver/options/BUILD
View file @
ab344da5
...
...
@@ -25,6 +25,7 @@ go_library(
"//pkg/controller/informers:go_default_library",
"//pkg/kubeapiserver/authenticator:go_default_library",
"//pkg/kubeapiserver/authorizer:go_default_library",
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
"//vendor:github.com/golang/glog",
"//vendor:github.com/spf13/pflag",
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
...
...
pkg/kubeapiserver/options/authentication.go
View file @
ab344da5
...
...
@@ -27,7 +27,7 @@ import (
genericapiserver
"k8s.io/apiserver/pkg/server"
genericoptions
"k8s.io/apiserver/pkg/server/options"
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer
"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes
"
)
type
BuiltInAuthenticationOptions
struct
{
...
...
@@ -353,7 +353,7 @@ func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltIn
if
o
.
Anonymous
.
Allow
{
found
:=
false
for
_
,
mode
:=
range
strings
.
Split
(
authorization
.
Mode
,
","
)
{
if
mode
==
auth
orizer
.
ModeAlwaysAllow
{
if
mode
==
auth
zmodes
.
ModeAlwaysAllow
{
found
=
true
break
}
...
...
pkg/kubeapiserver/options/authorization.go
View file @
ab344da5
...
...
@@ -24,10 +24,9 @@ import (
"k8s.io/kubernetes/pkg/controller/informers"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
)
var
AuthorizationModeChoices
=
[]
string
{
authorizer
.
ModeAlwaysAllow
,
authorizer
.
ModeAlwaysDeny
,
authorizer
.
ModeABAC
,
authorizer
.
ModeWebhook
,
authorizer
.
ModeRBAC
}
type
BuiltInAuthorizationOptions
struct
{
Mode
string
PolicyFile
string
...
...
@@ -38,7 +37,7 @@ type BuiltInAuthorizationOptions struct {
func
NewBuiltInAuthorizationOptions
()
*
BuiltInAuthorizationOptions
{
return
&
BuiltInAuthorizationOptions
{
Mode
:
auth
orizer
.
ModeAlwaysAllow
,
Mode
:
auth
zmodes
.
ModeAlwaysAllow
,
WebhookCacheAuthorizedTTL
:
5
*
time
.
Minute
,
WebhookCacheUnauthorizedTTL
:
30
*
time
.
Second
,
}
...
...
@@ -52,7 +51,7 @@ func (s *BuiltInAuthorizationOptions) Validate() []error {
func
(
s
*
BuiltInAuthorizationOptions
)
AddFlags
(
fs
*
pflag
.
FlagSet
)
{
fs
.
StringVar
(
&
s
.
Mode
,
"authorization-mode"
,
s
.
Mode
,
""
+
"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "
+
strings
.
Join
(
AuthorizationModeChoices
,
","
)
+
"."
)
strings
.
Join
(
authzmodes
.
AuthorizationModeChoices
,
","
)
+
"."
)
fs
.
StringVar
(
&
s
.
PolicyFile
,
"authorization-policy-file"
,
s
.
PolicyFile
,
""
+
"File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port."
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment