Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
b4eaf625
Commit
b4eaf625
authored
Jul 12, 2016
by
Eric Chiang
Committed by
Eric Chiang
Aug 18, 2016
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
pkg/genericapiserver/options: don't import pkg/apiserver
Refactor the authorization options for the API server so pkg/apiserver isn't directly imported by the options package.
parent
ff9980e2
Hide whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
150 additions
and
96 deletions
+150
-96
server.go
cmd/kube-apiserver/app/server.go
+16
-7
server.go
federation/cmd/federation-apiserver/app/server.go
+46
-2
authz.go
pkg/genericapiserver/authorizer/authz.go
+12
-27
authz_test.go
pkg/genericapiserver/authorizer/authz_test.go
+11
-9
server_run_options.go
pkg/genericapiserver/options/server_run_options.go
+61
-47
auth_test.go
test/integration/auth/auth_test.go
+2
-2
master_utils.go
test/integration/framework/master_utils.go
+2
-2
No files found.
cmd/kube-apiserver/app/server.go
View file @
b4eaf625
...
...
@@ -46,6 +46,8 @@ import (
"k8s.io/kubernetes/pkg/controller/framework/informers"
serviceaccountcontroller
"k8s.io/kubernetes/pkg/controller/serviceaccount"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericoptions
"k8s.io/kubernetes/pkg/genericapiserver/options"
genericvalidation
"k8s.io/kubernetes/pkg/genericapiserver/validation"
kubeletclient
"k8s.io/kubernetes/pkg/kubelet/client"
"k8s.io/kubernetes/pkg/master"
...
...
@@ -225,7 +227,14 @@ func Run(s *options.APIServer) error {
return
false
}
if
modeEnabled
(
apiserver
.
ModeRBAC
)
{
authorizationConfig
:=
authorizer
.
AuthorizationConfig
{
PolicyFile
:
s
.
AuthorizationPolicyFile
,
WebhookConfigFile
:
s
.
AuthorizationWebhookConfigFile
,
WebhookCacheAuthorizedTTL
:
s
.
AuthorizationWebhookCacheAuthorizedTTL
,
WebhookCacheUnauthorizedTTL
:
s
.
AuthorizationWebhookCacheUnauthorizedTTL
,
RBACSuperUser
:
s
.
AuthorizationRBACSuperUser
,
}
if
modeEnabled
(
genericoptions
.
ModeRBAC
)
{
mustGetRESTOptions
:=
func
(
resource
string
)
generic
.
RESTOptions
{
config
,
err
:=
storageFactory
.
NewConfig
(
rbac
.
Resource
(
resource
))
if
err
!=
nil
{
...
...
@@ -235,13 +244,13 @@ func Run(s *options.APIServer) error {
}
// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
s
.
A
uthorizationConfig
.
RBACRoleRegistry
=
role
.
NewRegistry
(
roleetcd
.
NewREST
(
mustGetRESTOptions
(
"roles"
)))
s
.
A
uthorizationConfig
.
RBACRoleBindingRegistry
=
rolebinding
.
NewRegistry
(
rolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"rolebindings"
)))
s
.
A
uthorizationConfig
.
RBACClusterRoleRegistry
=
clusterrole
.
NewRegistry
(
clusterroleetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterroles"
)))
s
.
A
uthorizationConfig
.
RBACClusterRoleBindingRegistry
=
clusterrolebinding
.
NewRegistry
(
clusterrolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterrolebindings"
)))
a
uthorizationConfig
.
RBACRoleRegistry
=
role
.
NewRegistry
(
roleetcd
.
NewREST
(
mustGetRESTOptions
(
"roles"
)))
a
uthorizationConfig
.
RBACRoleBindingRegistry
=
rolebinding
.
NewRegistry
(
rolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"rolebindings"
)))
a
uthorizationConfig
.
RBACClusterRoleRegistry
=
clusterrole
.
NewRegistry
(
clusterroleetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterroles"
)))
a
uthorizationConfig
.
RBACClusterRoleBindingRegistry
=
clusterrolebinding
.
NewRegistry
(
clusterrolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterrolebindings"
)))
}
authorizer
,
err
:=
a
piserver
.
NewAuthorizerFromAuthorizationConfig
(
authorizationModeNames
,
s
.
A
uthorizationConfig
)
authorizer
,
err
:=
a
uthorizer
.
NewAuthorizerFromAuthorizationConfig
(
authorizationModeNames
,
a
uthorizationConfig
)
if
err
!=
nil
{
glog
.
Fatalf
(
"Invalid Authorization Config: %v"
,
err
)
}
...
...
@@ -265,7 +274,7 @@ func Run(s *options.APIServer) error {
genericConfig
.
Authenticator
=
authenticator
genericConfig
.
SupportsBasicAuth
=
len
(
s
.
BasicAuthFile
)
>
0
genericConfig
.
Authorizer
=
authorizer
genericConfig
.
AuthorizerRBACSuperUser
=
s
.
Authorization
Config
.
RBACSuperUser
genericConfig
.
AuthorizerRBACSuperUser
=
s
.
AuthorizationRBACSuperUser
genericConfig
.
AdmissionControl
=
admissionController
genericConfig
.
APIResourceConfigSource
=
storageFactory
.
APIResourceConfigSource
genericConfig
.
MasterServiceNamespace
=
s
.
MasterServiceNamespace
...
...
federation/cmd/federation-apiserver/app/server.go
View file @
b4eaf625
...
...
@@ -31,13 +31,23 @@ import (
"k8s.io/kubernetes/pkg/admission"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/apis
erver
"
"k8s.io/kubernetes/pkg/apis
/rbac
"
"k8s.io/kubernetes/pkg/apiserver/authenticator"
"k8s.io/kubernetes/pkg/controller/framework/informers"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericoptions
"k8s.io/kubernetes/pkg/genericapiserver/options"
genericvalidation
"k8s.io/kubernetes/pkg/genericapiserver/validation"
"k8s.io/kubernetes/pkg/registry/cachesize"
"k8s.io/kubernetes/pkg/registry/clusterrole"
clusterroleetcd
"k8s.io/kubernetes/pkg/registry/clusterrole/etcd"
"k8s.io/kubernetes/pkg/registry/clusterrolebinding"
clusterrolebindingetcd
"k8s.io/kubernetes/pkg/registry/clusterrolebinding/etcd"
"k8s.io/kubernetes/pkg/registry/generic"
"k8s.io/kubernetes/pkg/registry/role"
roleetcd
"k8s.io/kubernetes/pkg/registry/role/etcd"
"k8s.io/kubernetes/pkg/registry/rolebinding"
rolebindingetcd
"k8s.io/kubernetes/pkg/registry/rolebinding/etcd"
"k8s.io/kubernetes/pkg/util/wait"
)
...
...
@@ -113,7 +123,40 @@ func Run(s *options.ServerRunOptions) error {
}
authorizationModeNames
:=
strings
.
Split
(
s
.
AuthorizationMode
,
","
)
authorizer
,
err
:=
apiserver
.
NewAuthorizerFromAuthorizationConfig
(
authorizationModeNames
,
s
.
AuthorizationConfig
)
modeEnabled
:=
func
(
mode
string
)
bool
{
for
_
,
m
:=
range
authorizationModeNames
{
if
m
==
mode
{
return
true
}
}
return
false
}
authorizationConfig
:=
authorizer
.
AuthorizationConfig
{
PolicyFile
:
s
.
AuthorizationPolicyFile
,
WebhookConfigFile
:
s
.
AuthorizationWebhookConfigFile
,
WebhookCacheAuthorizedTTL
:
s
.
AuthorizationWebhookCacheAuthorizedTTL
,
WebhookCacheUnauthorizedTTL
:
s
.
AuthorizationWebhookCacheUnauthorizedTTL
,
RBACSuperUser
:
s
.
AuthorizationRBACSuperUser
,
}
if
modeEnabled
(
genericoptions
.
ModeRBAC
)
{
mustGetRESTOptions
:=
func
(
resource
string
)
generic
.
RESTOptions
{
config
,
err
:=
storageFactory
.
NewConfig
(
rbac
.
Resource
(
resource
))
if
err
!=
nil
{
glog
.
Fatalf
(
"Unable to get %s storage: %v"
,
resource
,
err
)
}
return
generic
.
RESTOptions
{
StorageConfig
:
config
,
Decorator
:
generic
.
UndecoratedStorage
,
ResourcePrefix
:
storageFactory
.
ResourcePrefix
(
rbac
.
Resource
(
resource
))}
}
// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
authorizationConfig
.
RBACRoleRegistry
=
role
.
NewRegistry
(
roleetcd
.
NewREST
(
mustGetRESTOptions
(
"roles"
)))
authorizationConfig
.
RBACRoleBindingRegistry
=
rolebinding
.
NewRegistry
(
rolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"rolebindings"
)))
authorizationConfig
.
RBACClusterRoleRegistry
=
clusterrole
.
NewRegistry
(
clusterroleetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterroles"
)))
authorizationConfig
.
RBACClusterRoleBindingRegistry
=
clusterrolebinding
.
NewRegistry
(
clusterrolebindingetcd
.
NewREST
(
mustGetRESTOptions
(
"clusterrolebindings"
)))
}
authorizer
,
err
:=
authorizer
.
NewAuthorizerFromAuthorizationConfig
(
authorizationModeNames
,
authorizationConfig
)
if
err
!=
nil
{
glog
.
Fatalf
(
"Invalid Authorization Config: %v"
,
err
)
}
...
...
@@ -136,6 +179,7 @@ func Run(s *options.ServerRunOptions) error {
genericConfig
.
Authenticator
=
authenticator
genericConfig
.
SupportsBasicAuth
=
len
(
s
.
BasicAuthFile
)
>
0
genericConfig
.
Authorizer
=
authorizer
genericConfig
.
AuthorizerRBACSuperUser
=
s
.
AuthorizationRBACSuperUser
genericConfig
.
AdmissionControl
=
admissionController
genericConfig
.
APIResourceConfigSource
=
storageFactory
.
APIResourceConfigSource
genericConfig
.
MasterServiceNamespace
=
s
.
MasterServiceNamespace
...
...
pkg/
apiserv
er/authz.go
→
pkg/
genericapiserver/authoriz
er/authz.go
View file @
b4eaf625
/*
Copyright 201
4
The Kubernetes Authors.
Copyright 201
6
The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
...
...
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package
a
piserv
er
package
a
uthoriz
er
import
(
"errors"
...
...
@@ -24,6 +24,7 @@ import (
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/authorizer/union"
"k8s.io/kubernetes/pkg/genericapiserver/options"
"k8s.io/kubernetes/pkg/registry/clusterrole"
"k8s.io/kubernetes/pkg/registry/clusterrolebinding"
"k8s.io/kubernetes/pkg/registry/role"
...
...
@@ -32,11 +33,6 @@ import (
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
)
// Attributes implements authorizer.Attributes interface.
type
Attributes
struct
{
// TODO: add fields and methods when authorizer.Attributes is completed.
}
// alwaysAllowAuthorizer is an implementation of authorizer.Attributes
// which always says yes to an authorization request.
// It is useful in tests and when using kubernetes in an open manner.
...
...
@@ -76,17 +72,6 @@ func NewAlwaysFailAuthorizer() authorizer.Authorizer {
return
new
(
alwaysFailAuthorizer
)
}
const
(
ModeAlwaysAllow
string
=
"AlwaysAllow"
ModeAlwaysDeny
string
=
"AlwaysDeny"
ModeABAC
string
=
"ABAC"
ModeWebhook
string
=
"Webhook"
ModeRBAC
string
=
"RBAC"
)
// Keep this list in sync with constant list above.
var
AuthorizationModeChoices
=
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeABAC
,
ModeWebhook
,
ModeRBAC
}
type
AuthorizationConfig
struct
{
// Options for ModeABAC
...
...
@@ -115,7 +100,7 @@ type AuthorizationConfig struct {
// NewAuthorizerFromAuthorizationConfig returns the right sort of union of multiple authorizer.Authorizer objects
// based on the authorizationMode or an error. authorizationMode should be a comma separated values
// of AuthorizationModeChoices.
// of
options.
AuthorizationModeChoices.
func
NewAuthorizerFromAuthorizationConfig
(
authorizationModes
[]
string
,
config
AuthorizationConfig
)
(
authorizer
.
Authorizer
,
error
)
{
if
len
(
authorizationModes
)
==
0
{
...
...
@@ -131,11 +116,11 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
}
// Keep cases in sync with constant list above.
switch
authorizationMode
{
case
ModeAlwaysAllow
:
case
options
.
ModeAlwaysAllow
:
authorizers
=
append
(
authorizers
,
NewAlwaysAllowAuthorizer
())
case
ModeAlwaysDeny
:
case
options
.
ModeAlwaysDeny
:
authorizers
=
append
(
authorizers
,
NewAlwaysDenyAuthorizer
())
case
ModeABAC
:
case
options
.
ModeABAC
:
if
config
.
PolicyFile
==
""
{
return
nil
,
errors
.
New
(
"ABAC's authorization policy file not passed"
)
}
...
...
@@ -144,7 +129,7 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
return
nil
,
err
}
authorizers
=
append
(
authorizers
,
abacAuthorizer
)
case
ModeWebhook
:
case
options
.
ModeWebhook
:
if
config
.
WebhookConfigFile
==
""
{
return
nil
,
errors
.
New
(
"Webhook's configuration file not passed"
)
}
...
...
@@ -155,7 +140,7 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
return
nil
,
err
}
authorizers
=
append
(
authorizers
,
webhookAuthorizer
)
case
ModeRBAC
:
case
options
.
ModeRBAC
:
rbacAuthorizer
:=
rbac
.
New
(
config
.
RBACRoleRegistry
,
config
.
RBACRoleBindingRegistry
,
...
...
@@ -170,13 +155,13 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
authorizerMap
[
authorizationMode
]
=
true
}
if
!
authorizerMap
[
ModeABAC
]
&&
config
.
PolicyFile
!=
""
{
if
!
authorizerMap
[
options
.
ModeABAC
]
&&
config
.
PolicyFile
!=
""
{
return
nil
,
errors
.
New
(
"Cannot specify --authorization-policy-file without mode ABAC"
)
}
if
!
authorizerMap
[
ModeWebhook
]
&&
config
.
WebhookConfigFile
!=
""
{
if
!
authorizerMap
[
options
.
ModeWebhook
]
&&
config
.
WebhookConfigFile
!=
""
{
return
nil
,
errors
.
New
(
"Cannot specify --authorization-webhook-config-file without mode Webhook"
)
}
if
!
authorizerMap
[
ModeRBAC
]
&&
config
.
RBACSuperUser
!=
""
{
if
!
authorizerMap
[
options
.
ModeRBAC
]
&&
config
.
RBACSuperUser
!=
""
{
return
nil
,
errors
.
New
(
"Cannot specify --authorization-rbac-super-user without mode RBAC"
)
}
...
...
pkg/
apiserv
er/authz_test.go
→
pkg/
genericapiserver/authoriz
er/authz_test.go
View file @
b4eaf625
/*
Copyright 201
4
The Kubernetes Authors.
Copyright 201
6
The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
...
...
@@ -14,10 +14,12 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package
a
piserv
er
package
a
uthoriz
er
import
(
"testing"
"k8s.io/kubernetes/pkg/genericapiserver/options"
)
// NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer
...
...
@@ -42,7 +44,7 @@ func TestNewAlwaysDenyAuthorizer(t *testing.T) {
// validates that errors are returned only when proper.
func
TestNewAuthorizerFromAuthorizationConfig
(
t
*
testing
.
T
)
{
examplePolicyFile
:=
"../auth/authorizer/abac/example_policy_file.jsonl"
examplePolicyFile
:=
"../
../
auth/authorizer/abac/example_policy_file.jsonl"
tests
:=
[]
struct
{
modes
[]
string
...
...
@@ -59,25 +61,25 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
{
// ModeAlwaysAllow and ModeAlwaysDeny should return without authorizationPolicyFile
// but error if one is given
modes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
},
modes
:
[]
string
{
options
.
ModeAlwaysAllow
,
options
.
ModeAlwaysDeny
},
msg
:
"returned an error for valid config"
,
},
{
// ModeABAC requires a policy file
modes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeABAC
},
modes
:
[]
string
{
options
.
ModeAlwaysAllow
,
options
.
ModeAlwaysDeny
,
options
.
ModeABAC
},
wantErr
:
true
,
msg
:
"specifying ABAC with no policy file should return an error"
,
},
{
// ModeABAC should not error if a valid policy path is provided
modes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeABAC
},
modes
:
[]
string
{
options
.
ModeAlwaysAllow
,
options
.
ModeAlwaysDeny
,
options
.
ModeABAC
},
config
:
AuthorizationConfig
{
PolicyFile
:
examplePolicyFile
},
msg
:
"errored while using a valid policy file"
,
},
{
// Authorization Policy file cannot be used without ModeABAC
modes
:
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
},
modes
:
[]
string
{
options
.
ModeAlwaysAllow
,
options
.
ModeAlwaysDeny
},
config
:
AuthorizationConfig
{
PolicyFile
:
examplePolicyFile
},
wantErr
:
true
,
msg
:
"should have errored when Authorization Policy File is used without ModeABAC"
,
...
...
@@ -91,13 +93,13 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
},
{
// ModeWebhook requires at minimum a target.
modes
:
[]
string
{
ModeWebhook
},
modes
:
[]
string
{
options
.
ModeWebhook
},
wantErr
:
true
,
msg
:
"should have errored when config was empty with ModeWebhook"
,
},
{
// Cannot provide webhook flags without ModeWebhook
modes
:
[]
string
{
ModeAlwaysAllow
},
modes
:
[]
string
{
options
.
ModeAlwaysAllow
},
config
:
AuthorizationConfig
{
WebhookConfigFile
:
"authz_webhook_config.yml"
},
wantErr
:
true
,
msg
:
"should have errored when Webhook config file is used without ModeWebhook"
,
...
...
pkg/genericapiserver/options/server_run_options.go
View file @
b4eaf625
...
...
@@ -27,7 +27,6 @@ import (
"k8s.io/kubernetes/pkg/api/unversioned"
apiutil
"k8s.io/kubernetes/pkg/api/util"
"k8s.io/kubernetes/pkg/apimachinery/registered"
"k8s.io/kubernetes/pkg/apiserver"
clientset
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
"k8s.io/kubernetes/pkg/client/restclient"
"k8s.io/kubernetes/pkg/storage/storagebackend"
...
...
@@ -47,6 +46,16 @@ const (
var
DefaultServiceNodePortRange
=
utilnet
.
PortRange
{
Base
:
30000
,
Size
:
2768
}
const
(
ModeAlwaysAllow
string
=
"AlwaysAllow"
ModeAlwaysDeny
string
=
"AlwaysDeny"
ModeABAC
string
=
"ABAC"
ModeWebhook
string
=
"Webhook"
ModeRBAC
string
=
"RBAC"
)
var
AuthorizationModeChoices
=
[]
string
{
ModeAlwaysAllow
,
ModeAlwaysDeny
,
ModeABAC
,
ModeWebhook
,
ModeRBAC
}
// ServerRunOptions contains the options while running a generic api server.
type
ServerRunOptions
struct
{
APIGroupPrefix
string
...
...
@@ -54,17 +63,24 @@ type ServerRunOptions struct {
AdmissionControl
string
AdmissionControlConfigFile
string
AdvertiseAddress
net
.
IP
AuthorizationConfig
apiserver
.
AuthorizationConfig
AuthorizationMode
string
BasicAuthFile
string
BindAddress
net
.
IP
CertDirectory
string
ClientCAFile
string
CloudConfigFile
string
CloudProvider
string
CorsAllowedOriginList
[]
string
DefaultStorageMediaType
string
DeleteCollectionWorkers
int
// Authorization mode and associated flags.
AuthorizationMode
string
AuthorizationPolicyFile
string
AuthorizationWebhookConfigFile
string
AuthorizationWebhookCacheAuthorizedTTL
time
.
Duration
AuthorizationWebhookCacheUnauthorizedTTL
time
.
Duration
AuthorizationRBACSuperUser
string
BasicAuthFile
string
BindAddress
net
.
IP
CertDirectory
string
ClientCAFile
string
CloudConfigFile
string
CloudProvider
string
CorsAllowedOriginList
[]
string
DefaultStorageMediaType
string
DeleteCollectionWorkers
int
// Used to specify the storage version that should be used for the legacy v1 api group.
DeprecatedStorageVersion
string
AuditLogPath
string
...
...
@@ -110,33 +126,31 @@ type ServerRunOptions struct {
func
NewServerRunOptions
()
*
ServerRunOptions
{
return
&
ServerRunOptions
{
APIGroupPrefix
:
"/apis"
,
APIPrefix
:
"/api"
,
AdmissionControl
:
"AlwaysAdmit"
,
AuthorizationMode
:
"AlwaysAllow"
,
AuthorizationConfig
:
apiserver
.
AuthorizationConfig
{
WebhookCacheAuthorizedTTL
:
5
*
time
.
Minute
,
WebhookCacheUnauthorizedTTL
:
30
*
time
.
Second
,
},
BindAddress
:
net
.
ParseIP
(
"0.0.0.0"
),
CertDirectory
:
"/var/run/kubernetes"
,
DefaultStorageMediaType
:
"application/json"
,
DefaultStorageVersions
:
registered
.
AllPreferredGroupVersions
(),
DeleteCollectionWorkers
:
1
,
EnableLogsSupport
:
true
,
EnableProfiling
:
true
,
EnableWatchCache
:
true
,
InsecureBindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
InsecurePort
:
8080
,
LongRunningRequestRE
:
defaultLongRunningRequestRE
,
MasterCount
:
1
,
MasterServiceNamespace
:
api
.
NamespaceDefault
,
MaxRequestsInFlight
:
400
,
MinRequestTimeout
:
1800
,
RuntimeConfig
:
make
(
config
.
ConfigurationMap
),
SecurePort
:
6443
,
ServiceNodePortRange
:
DefaultServiceNodePortRange
,
StorageVersions
:
registered
.
AllPreferredGroupVersions
(),
APIGroupPrefix
:
"/apis"
,
APIPrefix
:
"/api"
,
AdmissionControl
:
"AlwaysAdmit"
,
AuthorizationMode
:
"AlwaysAllow"
,
AuthorizationWebhookCacheAuthorizedTTL
:
5
*
time
.
Minute
,
AuthorizationWebhookCacheUnauthorizedTTL
:
30
*
time
.
Second
,
BindAddress
:
net
.
ParseIP
(
"0.0.0.0"
),
CertDirectory
:
"/var/run/kubernetes"
,
DefaultStorageMediaType
:
"application/json"
,
DefaultStorageVersions
:
registered
.
AllPreferredGroupVersions
(),
DeleteCollectionWorkers
:
1
,
EnableLogsSupport
:
true
,
EnableProfiling
:
true
,
EnableWatchCache
:
true
,
InsecureBindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
InsecurePort
:
8080
,
LongRunningRequestRE
:
defaultLongRunningRequestRE
,
MasterCount
:
1
,
MasterServiceNamespace
:
api
.
NamespaceDefault
,
MaxRequestsInFlight
:
400
,
MinRequestTimeout
:
1800
,
RuntimeConfig
:
make
(
config
.
ConfigurationMap
),
SecurePort
:
6443
,
ServiceNodePortRange
:
DefaultServiceNodePortRange
,
StorageVersions
:
registered
.
AllPreferredGroupVersions
(),
}
}
...
...
@@ -238,24 +252,24 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
fs
.
StringVar
(
&
s
.
AuthorizationMode
,
"authorization-mode"
,
s
.
AuthorizationMode
,
""
+
"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "
+
strings
.
Join
(
apiserver
.
AuthorizationModeChoices
,
","
)
+
"."
)
strings
.
Join
(
AuthorizationModeChoices
,
","
)
+
"."
)
fs
.
StringVar
(
&
s
.
Authorization
Config
.
PolicyFile
,
"authorization-policy-file"
,
s
.
AuthorizationConfig
.
PolicyFile
,
""
+
fs
.
StringVar
(
&
s
.
Authorization
PolicyFile
,
"authorization-policy-file"
,
s
.
Authorization
PolicyFile
,
""
+
"File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port."
)
fs
.
StringVar
(
&
s
.
Authorization
Config
.
WebhookConfigFile
,
"authorization-webhook-config-file"
,
s
.
AuthorizationConfig
.
WebhookConfigFile
,
""
+
fs
.
StringVar
(
&
s
.
Authorization
WebhookConfigFile
,
"authorization-webhook-config-file"
,
s
.
Authorization
WebhookConfigFile
,
""
+
"File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "
+
"The API server will query the remote service to determine access on the API server's secure port."
)
fs
.
DurationVar
(
&
s
.
Authorization
Config
.
WebhookCacheAuthorizedTTL
,
"authorization-webhook-cache-authorized-ttl"
,
s
.
Authorization
Config
.
WebhookCacheAuthorizedTTL
,
fs
.
DurationVar
(
&
s
.
AuthorizationWebhookCacheAuthorizedTTL
,
"authorization-webhook-cache-authorized-ttl"
,
s
.
AuthorizationWebhookCacheAuthorizedTTL
,
"The duration to cache 'authorized' responses from the webhook authorizer. Default is 5m."
)
fs
.
DurationVar
(
&
s
.
Authorization
Config
.
WebhookCacheUnauthorizedTTL
,
"authorization-webhook-cache-unauthorized-ttl"
,
s
.
Authorization
Config
.
WebhookCacheUnauthorizedTTL
,
fs
.
DurationVar
(
&
s
.
AuthorizationWebhookCacheUnauthorizedTTL
,
"authorization-webhook-cache-unauthorized-ttl"
,
s
.
AuthorizationWebhookCacheUnauthorizedTTL
,
"The duration to cache 'unauthorized' responses from the webhook authorizer. Default is 30s."
)
fs
.
StringVar
(
&
s
.
Authorization
Config
.
RBACSuperUser
,
"authorization-rbac-super-user"
,
s
.
AuthorizationConfig
.
RBACSuperUser
,
""
+
fs
.
StringVar
(
&
s
.
Authorization
RBACSuperUser
,
"authorization-rbac-super-user"
,
s
.
Authorization
RBACSuperUser
,
""
+
"If specified, a username which avoids RBAC authorization checks and role binding "
+
"privilege escalation checks, to be used with --authorization-mode=RBAC."
)
...
...
test/integration/auth/auth_test.go
View file @
b4eaf625
...
...
@@ -41,13 +41,13 @@ import (
authenticationv1beta1
"k8s.io/kubernetes/pkg/apis/authentication/v1beta1"
"k8s.io/kubernetes/pkg/apis/autoscaling"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apiserver"
"k8s.io/kubernetes/pkg/auth/authenticator"
"k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api/v1"
apiserverauthorizer
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
"k8s.io/kubernetes/pkg/serviceaccount"
"k8s.io/kubernetes/plugin/pkg/admission/admit"
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/tokentest"
...
...
@@ -500,7 +500,7 @@ func getPreviousResourceVersionKey(url, id string) string {
func
TestAuthModeAlwaysDeny
(
t
*
testing
.
T
)
{
// Set up a master
masterConfig
:=
framework
.
NewIntegrationTestMasterConfig
()
masterConfig
.
Authorizer
=
apiserver
.
NewAlwaysDenyAuthorizer
()
masterConfig
.
Authorizer
=
apiserver
authorizer
.
NewAlwaysDenyAuthorizer
()
_
,
s
:=
framework
.
RunAMaster
(
masterConfig
)
defer
s
.
Close
()
...
...
test/integration/framework/master_utils.go
View file @
b4eaf625
...
...
@@ -37,7 +37,6 @@ import (
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apis/policy"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/apiserver"
clientset
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
"k8s.io/kubernetes/pkg/client/record"
"k8s.io/kubernetes/pkg/client/restclient"
...
...
@@ -46,6 +45,7 @@ import (
replicationcontroller
"k8s.io/kubernetes/pkg/controller/replication"
"k8s.io/kubernetes/pkg/fields"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
"k8s.io/kubernetes/pkg/kubectl"
kubeletclient
"k8s.io/kubernetes/pkg/kubelet/client"
"k8s.io/kubernetes/pkg/master"
...
...
@@ -203,7 +203,7 @@ func NewMasterConfig() *master.Config {
APIResourceConfigSource
:
master
.
DefaultAPIResourceConfigSource
(),
APIPrefix
:
"/api"
,
APIGroupPrefix
:
"/apis"
,
Authorizer
:
a
piserv
er
.
NewAlwaysAllowAuthorizer
(),
Authorizer
:
a
uthoriz
er
.
NewAlwaysAllowAuthorizer
(),
AdmissionControl
:
admit
.
NewAlwaysAdmit
(),
Serializer
:
api
.
Codecs
,
EnableWatchCache
:
true
,
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment