Unverified Commit bd6b71d0 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #59582 from sttts/sttts-ctrl-mgr-auth

Automatic merge from submit-queue (batch tested with PRs 59653, 58812, 59582, 59665, 59511). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. controller-manager: switch to options+config pattern and add https+auth This PR switch the {kube,cloud}-controller-managers to use the Options+Config struct pattern for bootstrapping, as we use it throughout all apiservers. This allows us to easily plug in https and authn/z support. Fixes parts of https://github.com/kubernetes/kubernetes/issues/59483 This is equivalent to https://github.com/kubernetes/kubernetes/pull/59408 after squashing. ```release-note Deprecate insecure HTTP port of kube-controller-manager and cloud-controller-manager. Use `--secure-port` and `--bind-address` instead. ```
parents f7e57573 5483ab76
...@@ -13,7 +13,7 @@ filegroup( ...@@ -13,7 +13,7 @@ filegroup(
":package-srcs", ":package-srcs",
"//cmd/clicheck:all-srcs", "//cmd/clicheck:all-srcs",
"//cmd/cloud-controller-manager:all-srcs", "//cmd/cloud-controller-manager:all-srcs",
"//cmd/controller-manager/app/options:all-srcs", "//cmd/controller-manager/app:all-srcs",
"//cmd/gendocs:all-srcs", "//cmd/gendocs:all-srcs",
"//cmd/genkubedocs:all-srcs", "//cmd/genkubedocs:all-srcs",
"//cmd/genman:all-srcs", "//cmd/genman:all-srcs",
......
...@@ -10,8 +10,9 @@ go_library( ...@@ -10,8 +10,9 @@ go_library(
srcs = ["controllermanager.go"], srcs = ["controllermanager.go"],
importpath = "k8s.io/kubernetes/cmd/cloud-controller-manager/app", importpath = "k8s.io/kubernetes/cmd/cloud-controller-manager/app",
deps = [ deps = [
"//cmd/cloud-controller-manager/app/config:go_default_library",
"//cmd/cloud-controller-manager/app/options:go_default_library", "//cmd/cloud-controller-manager/app/options:go_default_library",
"//pkg/api/legacyscheme:go_default_library", "//cmd/controller-manager/app:go_default_library",
"//pkg/cloudprovider:go_default_library", "//pkg/cloudprovider:go_default_library",
"//pkg/controller:go_default_library", "//pkg/controller:go_default_library",
"//pkg/controller/cloud:go_default_library", "//pkg/controller/cloud:go_default_library",
...@@ -20,17 +21,12 @@ go_library( ...@@ -20,17 +21,12 @@ go_library(
"//pkg/util/configz:go_default_library", "//pkg/util/configz:go_default_library",
"//pkg/version/verflag:go_default_library", "//pkg/version/verflag:go_default_library",
"//vendor/github.com/golang/glog:go_default_library", "//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
"//vendor/github.com/spf13/cobra:go_default_library", "//vendor/github.com/spf13/cobra:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server/healthz:go_default_library",
"//vendor/k8s.io/client-go/informers:go_default_library", "//vendor/k8s.io/client-go/informers:go_default_library",
"//vendor/k8s.io/client-go/kubernetes:go_default_library", "//vendor/k8s.io/client-go/kubernetes:go_default_library",
"//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
"//vendor/k8s.io/client-go/rest:go_default_library", "//vendor/k8s.io/client-go/rest:go_default_library",
"//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
"//vendor/k8s.io/client-go/tools/leaderelection:go_default_library", "//vendor/k8s.io/client-go/tools/leaderelection:go_default_library",
"//vendor/k8s.io/client-go/tools/leaderelection/resourcelock:go_default_library", "//vendor/k8s.io/client-go/tools/leaderelection/resourcelock:go_default_library",
"//vendor/k8s.io/client-go/tools/record:go_default_library", "//vendor/k8s.io/client-go/tools/record:go_default_library",
...@@ -48,6 +44,7 @@ filegroup( ...@@ -48,6 +44,7 @@ filegroup(
name = "all-srcs", name = "all-srcs",
srcs = [ srcs = [
":package-srcs", ":package-srcs",
"//cmd/cloud-controller-manager/app/config:all-srcs",
"//cmd/cloud-controller-manager/app/options:all-srcs", "//cmd/cloud-controller-manager/app/options:all-srcs",
], ],
tags = ["automanaged"], tags = ["automanaged"],
......
load("@io_bazel_rules_go//go:def.bzl", "go_library")
go_library(
name = "go_default_library",
srcs = ["config.go"],
importpath = "k8s.io/kubernetes/cmd/cloud-controller-manager/app/config",
visibility = ["//visibility:public"],
deps = ["//cmd/controller-manager/app:go_default_library"],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
visibility = ["//visibility:public"],
)
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package app
import (
"time"
genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
)
// ExtraConfig are part of Config, also can place your custom config here.
type ExtraConfig struct {
NodeStatusUpdateFrequency time.Duration
}
// Config is the main context object for the cloud controller manager.
type Config struct {
Generic genericcontrollermanager.Config
Extra ExtraConfig
}
type completedConfig struct {
Generic genericcontrollermanager.CompletedConfig
Extra *ExtraConfig
}
// CompletedConfig same as Config, just to swap private object.
type CompletedConfig struct {
// Embed a private pointer that cannot be instantiated outside of this package.
*completedConfig
}
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
func (c *Config) Complete() *CompletedConfig {
cc := completedConfig{
c.Generic.Complete(),
&c.Extra,
}
return &CompletedConfig{&cc}
}
...@@ -11,12 +11,14 @@ go_library( ...@@ -11,12 +11,14 @@ go_library(
srcs = ["options.go"], srcs = ["options.go"],
importpath = "k8s.io/kubernetes/cmd/cloud-controller-manager/app/options", importpath = "k8s.io/kubernetes/cmd/cloud-controller-manager/app/options",
deps = [ deps = [
"//cmd/cloud-controller-manager/app/config:go_default_library",
"//cmd/controller-manager/app/options:go_default_library", "//cmd/controller-manager/app/options:go_default_library",
"//pkg/client/leaderelectionconfig:go_default_library", "//pkg/client/leaderelectionconfig:go_default_library",
"//pkg/features:go_default_library", "//pkg/features:go_default_library",
"//pkg/master/ports:go_default_library", "//pkg/master/ports:go_default_library",
"//vendor/github.com/spf13/pflag:go_default_library", "//vendor/github.com/spf13/pflag:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library", "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
], ],
) )
...@@ -45,5 +47,6 @@ go_test( ...@@ -45,5 +47,6 @@ go_test(
"//vendor/github.com/spf13/pflag:go_default_library", "//vendor/github.com/spf13/pflag:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
], ],
) )
...@@ -17,10 +17,13 @@ limitations under the License. ...@@ -17,10 +17,13 @@ limitations under the License.
package options package options
import ( import (
"fmt"
"time" "time"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
cloudcontrollerconfig "k8s.io/kubernetes/cmd/cloud-controller-manager/app/config"
cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options" cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
"k8s.io/kubernetes/pkg/client/leaderelectionconfig" "k8s.io/kubernetes/pkg/client/leaderelectionconfig"
"k8s.io/kubernetes/pkg/master/ports" "k8s.io/kubernetes/pkg/master/ports"
...@@ -31,39 +34,81 @@ import ( ...@@ -31,39 +34,81 @@ import (
"github.com/spf13/pflag" "github.com/spf13/pflag"
) )
// CloudControllerManagerServer is the main context object for the controller manager. // CloudControllerManagerOptions is the main context object for the controller manager.
type CloudControllerManagerServer struct { type CloudControllerManagerOptions struct {
cmoptions.ControllerManagerServer Generic cmoptions.GenericControllerManagerOptions
// NodeStatusUpdateFrequency is the frequency at which the controller updates nodes' status // NodeStatusUpdateFrequency is the frequency at which the controller updates nodes' status
NodeStatusUpdateFrequency metav1.Duration NodeStatusUpdateFrequency metav1.Duration
} }
// NewCloudControllerManagerServer creates a new ExternalCMServer with a default config. // NewCloudControllerManagerOptions creates a new ExternalCMServer with a default config.
func NewCloudControllerManagerServer() *CloudControllerManagerServer { func NewCloudControllerManagerOptions() *CloudControllerManagerOptions {
s := CloudControllerManagerServer{ componentConfig := cmoptions.NewDefaultControllerManagerComponentConfig(ports.InsecureCloudControllerManagerPort)
s := CloudControllerManagerOptions{
// The common/default are kept in 'cmd/kube-controller-manager/app/options/util.go'. // The common/default are kept in 'cmd/kube-controller-manager/app/options/util.go'.
// Please make common changes there and put anything cloud specific here. // Please make common changes there and put anything cloud specific here.
ControllerManagerServer: cmoptions.ControllerManagerServer{ Generic: cmoptions.NewGenericControllerManagerOptions(componentConfig),
KubeControllerManagerConfiguration: cmoptions.GetDefaultControllerOptions(ports.CloudControllerManagerPort),
},
NodeStatusUpdateFrequency: metav1.Duration{Duration: 5 * time.Minute}, NodeStatusUpdateFrequency: metav1.Duration{Duration: 5 * time.Minute},
} }
s.LeaderElection.LeaderElect = true s.Generic.ComponentConfig.LeaderElection.LeaderElect = true
s.Generic.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
s.Generic.SecureServing.ServerCert.PairName = "cloud-controller-manager"
return &s return &s
} }
// AddFlags adds flags for a specific ExternalCMServer to the specified FlagSet // AddFlags adds flags for a specific ExternalCMServer to the specified FlagSet
func (s *CloudControllerManagerServer) AddFlags(fs *pflag.FlagSet) { func (o *CloudControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
cmoptions.AddDefaultControllerFlags(&s.ControllerManagerServer, fs) o.Generic.AddFlags(fs)
fs.StringVar(&s.CloudProvider, "cloud-provider", s.CloudProvider, "The provider of cloud services. Cannot be empty.")
fs.DurationVar(&s.NodeStatusUpdateFrequency.Duration, "node-status-update-frequency", s.NodeStatusUpdateFrequency.Duration, "Specifies how often the controller updates nodes' status.") fs.StringVar(&o.Generic.ComponentConfig.CloudProvider, "cloud-provider", o.Generic.ComponentConfig.CloudProvider, "The provider of cloud services. Cannot be empty.")
fs.DurationVar(&o.NodeStatusUpdateFrequency.Duration, "node-status-update-frequency", o.NodeStatusUpdateFrequency.Duration, "Specifies how often the controller updates nodes' status.")
// TODO: remove --service-account-private-key-file 6 months after 1.8 is released (~1.10) // TODO: remove --service-account-private-key-file 6 months after 1.8 is released (~1.10)
fs.StringVar(&s.ServiceAccountKeyFile, "service-account-private-key-file", s.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.") fs.StringVar(&o.Generic.ComponentConfig.ServiceAccountKeyFile, "service-account-private-key-file", o.Generic.ComponentConfig.ServiceAccountKeyFile, "Filename containing a PEM-encoded private RSA or ECDSA key used to sign service account tokens.")
fs.MarkDeprecated("service-account-private-key-file", "This flag is currently no-op and will be deleted.") fs.MarkDeprecated("service-account-private-key-file", "This flag is currently no-op and will be deleted.")
fs.Int32Var(&s.ConcurrentServiceSyncs, "concurrent-service-syncs", s.ConcurrentServiceSyncs, "The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load") fs.Int32Var(&o.Generic.ComponentConfig.ConcurrentServiceSyncs, "concurrent-service-syncs", o.Generic.ComponentConfig.ConcurrentServiceSyncs, "The number of services that are allowed to sync concurrently. Larger number = more responsive service management, but more CPU (and network) load")
leaderelectionconfig.BindFlags(&s.LeaderElection, fs) leaderelectionconfig.BindFlags(&o.Generic.ComponentConfig.LeaderElection, fs)
utilfeature.DefaultFeatureGate.AddFlag(fs) utilfeature.DefaultFeatureGate.AddFlag(fs)
} }
// ApplyTo fills up cloud controller manager config with options.
func (o *CloudControllerManagerOptions) ApplyTo(c *cloudcontrollerconfig.Config) error {
if err := o.Generic.ApplyTo(&c.Generic, "cloud-controller-manager"); err != nil {
return err
}
c.Extra.NodeStatusUpdateFrequency = o.NodeStatusUpdateFrequency.Duration
return nil
}
// Validate is used to validate config before launching the cloud controller manager
func (o *CloudControllerManagerOptions) Validate() error {
errors := []error{}
errors = append(errors, o.Generic.Validate()...)
if len(o.Generic.ComponentConfig.CloudProvider) == 0 {
errors = append(errors, fmt.Errorf("--cloud-provider cannot be empty"))
}
return utilerrors.NewAggregate(errors)
}
// Config return a cloud controller manager config objective
func (o CloudControllerManagerOptions) Config() (*cloudcontrollerconfig.Config, error) {
if err := o.Validate(); err != nil {
return nil, err
}
c := &cloudcontrollerconfig.Config{}
if err := o.ApplyTo(c); err != nil {
return nil, err
}
return c, nil
}
...@@ -17,6 +17,7 @@ limitations under the License. ...@@ -17,6 +17,7 @@ limitations under the License.
package options package options
import ( import (
"net"
"reflect" "reflect"
"testing" "testing"
"time" "time"
...@@ -25,13 +26,14 @@ import ( ...@@ -25,13 +26,14 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/diff"
apiserveroptions "k8s.io/apiserver/pkg/server/options"
cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options" cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
"k8s.io/kubernetes/pkg/apis/componentconfig" "k8s.io/kubernetes/pkg/apis/componentconfig"
) )
func TestAddFlags(t *testing.T) { func TestAddFlags(t *testing.T) {
f := pflag.NewFlagSet("addflagstest", pflag.ContinueOnError) f := pflag.NewFlagSet("addflagstest", pflag.ContinueOnError)
s := NewCloudControllerManagerServer() s := NewCloudControllerManagerOptions()
s.AddFlags(f) s.AddFlags(f)
args := []string{ args := []string{
...@@ -62,16 +64,19 @@ func TestAddFlags(t *testing.T) { ...@@ -62,16 +64,19 @@ func TestAddFlags(t *testing.T) {
"--route-reconciliation-period=30s", "--route-reconciliation-period=30s",
"--min-resync-period=100m", "--min-resync-period=100m",
"--use-service-account-credentials=false", "--use-service-account-credentials=false",
"--cert-dir=/a/b/c",
"--bind-address=192.168.4.21",
"--secure-port=10001",
} }
f.Parse(args) f.Parse(args)
expected := &CloudControllerManagerServer{ expected := &CloudControllerManagerOptions{
ControllerManagerServer: cmoptions.ControllerManagerServer{ Generic: cmoptions.GenericControllerManagerOptions{
KubeControllerManagerConfiguration: componentconfig.KubeControllerManagerConfiguration{ ComponentConfig: componentconfig.KubeControllerManagerConfiguration{
CloudProvider: "gce", CloudProvider: "gce",
CloudConfigFile: "/cloud-config", CloudConfigFile: "/cloud-config",
Port: 10000, Port: 10253, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
Address: "192.168.4.10", Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
ConcurrentEndpointSyncs: 5, ConcurrentEndpointSyncs: 5,
ConcurrentRSSyncs: 5, ConcurrentRSSyncs: 5,
ConcurrentResourceQuotaSyncs: 5, ConcurrentResourceQuotaSyncs: 5,
...@@ -138,6 +143,19 @@ func TestAddFlags(t *testing.T) { ...@@ -138,6 +143,19 @@ func TestAddFlags(t *testing.T) {
CIDRAllocatorType: "RangeAllocator", CIDRAllocatorType: "RangeAllocator",
Controllers: []string{"*"}, Controllers: []string{"*"},
}, },
SecureServing: &apiserveroptions.SecureServingOptions{
BindPort: 10001,
BindAddress: net.ParseIP("192.168.4.21"),
ServerCert: apiserveroptions.GeneratableKeyCert{
CertDirectory: "/a/b/c",
PairName: "cloud-controller-manager",
},
},
InsecureServing: &cmoptions.InsecureServingOptions{
BindAddress: net.ParseIP("192.168.4.10"),
BindPort: int(10000),
BindNetwork: "tcp",
},
Kubeconfig: "/kubeconfig", Kubeconfig: "/kubeconfig",
Master: "192.168.4.20", Master: "192.168.4.20",
}, },
......
load("@io_bazel_rules_go//go:def.bzl", "go_library")
go_library(
name = "go_default_library",
srcs = [
"config.go",
"insecure_serving.go",
"serve.go",
],
importpath = "k8s.io/kubernetes/cmd/controller-manager/app",
visibility = ["//visibility:public"],
deps = [
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/componentconfig:go_default_library",
"//pkg/util/configz:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server/filters:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server/healthz:go_default_library",
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
"//vendor/k8s.io/client-go/rest:go_default_library",
"//vendor/k8s.io/client-go/tools/record:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [
":package-srcs",
"//cmd/controller-manager/app/options:all-srcs",
],
tags = ["automanaged"],
visibility = ["//visibility:public"],
)
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package app
import (
apiserver "k8s.io/apiserver/pkg/server"
clientset "k8s.io/client-go/kubernetes"
restclient "k8s.io/client-go/rest"
"k8s.io/client-go/tools/record"
"k8s.io/kubernetes/pkg/apis/componentconfig"
)
// Config is the main context object for the controller manager.
type Config struct {
// TODO: split up the component config. This is not generic.
ComponentConfig componentconfig.KubeControllerManagerConfiguration
SecureServing *apiserver.SecureServingInfo
// TODO: remove deprecated insecure serving
InsecureServing *InsecureServingInfo
Authentication apiserver.AuthenticationInfo
Authorization apiserver.AuthorizationInfo
// the general kube client
Client *clientset.Clientset
// the client only used for leader election
LeaderElectionClient *clientset.Clientset
// the rest config for the master
Kubeconfig *restclient.Config
// the event sink
EventRecorder record.EventRecorder
}
type completedConfig struct {
*Config
}
// CompletedConfig same as Config, just to swap private object.
type CompletedConfig struct {
// Embed a private pointer that cannot be instantiated outside of this package.
*completedConfig
}
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
func (c *Config) Complete() CompletedConfig {
cc := completedConfig{c}
return CompletedConfig{&cc}
}
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package app
import (
"net"
"net/http"
"time"
"github.com/golang/glog"
"k8s.io/apiserver/pkg/server"
)
// InsecureServingInfo is the main context object for the insecure http server.
type InsecureServingInfo struct {
// Listener is the secure server network listener.
Listener net.Listener
}
// Serve starts an insecure http server with the given handler. It fails only if
// the initial listen call fails. It does not block.
func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
insecureServer := &http.Server{
Addr: s.Listener.Addr().String(),
Handler: handler,
MaxHeaderBytes: 1 << 20,
}
glog.Infof("Serving insecurely on %s", s.Listener.Addr())
return server.RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
}
...@@ -2,15 +2,28 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library") ...@@ -2,15 +2,28 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library")
go_library( go_library(
name = "go_default_library", name = "go_default_library",
srcs = ["utils.go"], srcs = [
"insecure_serving.go",
"options.go",
],
importpath = "k8s.io/kubernetes/cmd/controller-manager/app/options", importpath = "k8s.io/kubernetes/cmd/controller-manager/app/options",
visibility = ["//visibility:public"], visibility = ["//visibility:public"],
deps = [ deps = [
"//cmd/controller-manager/app:go_default_library",
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/componentconfig:go_default_library", "//pkg/apis/componentconfig:go_default_library",
"//pkg/client/leaderelectionconfig:go_default_library", "//pkg/client/leaderelectionconfig:go_default_library",
"//vendor/github.com/cloudflare/cfssl/helpers:go_default_library", "//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/spf13/pflag:go_default_library", "//vendor/github.com/spf13/pflag:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
"//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
"//vendor/k8s.io/client-go/rest:go_default_library",
"//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
"//vendor/k8s.io/client-go/tools/record:go_default_library",
], ],
) )
......
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package options
import (
"fmt"
"net"
"github.com/spf13/pflag"
"k8s.io/apiserver/pkg/server/options"
genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
"k8s.io/kubernetes/pkg/apis/componentconfig"
)
// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
// No one should be using these anymore.
type InsecureServingOptions struct {
BindAddress net.IP
BindPort int
// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
// "tcp4", and "tcp6".
BindNetwork string
// Listener is the secure server network listener.
// either Listener or BindAddress/BindPort/BindNetwork is set,
// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
Listener net.Listener
}
// Validate ensures that the insecure port values within the range of the port.
func (s *InsecureServingOptions) Validate() []error {
errors := []error{}
if s == nil {
return nil
}
if s.BindPort < 0 || s.BindPort > 32767 {
errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 32767, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
}
return errors
}
// AddFlags adds flags related to insecure serving for controller manager to the specified FlagSet.
func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
if s == nil {
return
}
}
// AddDeprecatedFlags adds deprecated flags related to insecure serving for controller manager to the specified FlagSet.
// TODO: remove it until kops stop using `--address`
func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
if s == nil {
return
}
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
"DEPRECATED: the IP address on which to listen for the --port port. See --bind-address instead.")
// MarkDeprecated hides the flag from the help. We don't want that:
// fs.MarkDeprecated("address", "see --bind-address instead.")
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve HTTPS at all. See --secure-port instead.")
// MarkDeprecated hides the flag from the help. We don't want that:
// fs.MarkDeprecated("port", "see --secure-port instead.")
}
// ApplyTo adds InsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
// Note: the double pointer allows to set the *InsecureServingInfo to nil without referencing the struct hosting this pointer.
func (s *InsecureServingOptions) ApplyTo(c **genericcontrollermanager.InsecureServingInfo, cfg *componentconfig.KubeControllerManagerConfiguration) error {
if s == nil {
return nil
}
if s.BindPort <= 0 {
return nil
}
if s.Listener == nil {
var err error
addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
s.Listener, s.BindPort, err = options.CreateListener(s.BindNetwork, addr)
if err != nil {
return fmt.Errorf("failed to create listener: %v", err)
}
}
*c = &genericcontrollermanager.InsecureServingInfo{
Listener: s.Listener,
}
// sync back to component config
// TODO: find more elegant way than synching back the values.
cfg.Port = int32(s.BindPort)
cfg.Address = s.BindAddress.String()
return nil
}
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package options
import (
"github.com/cloudflare/cfssl/helpers"
"time"
"github.com/spf13/pflag"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/kubernetes/pkg/apis/componentconfig"
"k8s.io/kubernetes/pkg/client/leaderelectionconfig"
)
// ControllerManagerServer is the common structure for a controller manager. It works with GetDefaultControllerOptions
// and AddDefaultControllerFlags to create the common components of kube-controller-manager and cloud-controller-manager.
type ControllerManagerServer struct {
componentconfig.KubeControllerManagerConfiguration
Master string
Kubeconfig string
}
const (
// These defaults are deprecated and exported so that we can warn if
// they are being used.
// DefaultClusterSigningCertFile is deprecated. Do not use.
DefaultClusterSigningCertFile = "/etc/kubernetes/ca/ca.pem"
// DefaultClusterSigningKeyFile is deprecated. Do not use.
DefaultClusterSigningKeyFile = "/etc/kubernetes/ca/ca.key"
)
// GetDefaultControllerOptions returns common/default configuration values for both
// the kube-controller-manager and the cloud-contoller-manager. Any common changes should
// be made here. Any individual changes should be made in that controller.
func GetDefaultControllerOptions(port int32) componentconfig.KubeControllerManagerConfiguration {
return componentconfig.KubeControllerManagerConfiguration{
Controllers: []string{"*"},
Port: port,
Address: "0.0.0.0",
ConcurrentEndpointSyncs: 5,
ConcurrentServiceSyncs: 1,
ConcurrentRCSyncs: 5,
ConcurrentRSSyncs: 5,
ConcurrentDaemonSetSyncs: 2,
ConcurrentJobSyncs: 5,
ConcurrentResourceQuotaSyncs: 5,
ConcurrentDeploymentSyncs: 5,
ConcurrentNamespaceSyncs: 10,
ConcurrentSATokenSyncs: 5,
RouteReconciliationPeriod: metav1.Duration{Duration: 10 * time.Second},
ResourceQuotaSyncPeriod: metav1.Duration{Duration: 5 * time.Minute},
NamespaceSyncPeriod: metav1.Duration{Duration: 5 * time.Minute},
PVClaimBinderSyncPeriod: metav1.Duration{Duration: 15 * time.Second},
HorizontalPodAutoscalerSyncPeriod: metav1.Duration{Duration: 30 * time.Second},
HorizontalPodAutoscalerUpscaleForbiddenWindow: metav1.Duration{Duration: 3 * time.Minute},
HorizontalPodAutoscalerDownscaleForbiddenWindow: metav1.Duration{Duration: 5 * time.Minute},
HorizontalPodAutoscalerTolerance: 0.1,
DeploymentControllerSyncPeriod: metav1.Duration{Duration: 30 * time.Second},
MinResyncPeriod: metav1.Duration{Duration: 12 * time.Hour},
RegisterRetryCount: 10,
PodEvictionTimeout: metav1.Duration{Duration: 5 * time.Minute},
NodeMonitorGracePeriod: metav1.Duration{Duration: 40 * time.Second},
NodeStartupGracePeriod: metav1.Duration{Duration: 60 * time.Second},
NodeMonitorPeriod: metav1.Duration{Duration: 5 * time.Second},
ClusterName: "kubernetes",
NodeCIDRMaskSize: 24,
ConfigureCloudRoutes: true,
TerminatedPodGCThreshold: 12500,
VolumeConfiguration: componentconfig.VolumeConfiguration{
EnableHostPathProvisioning: false,
EnableDynamicProvisioning: true,
PersistentVolumeRecyclerConfiguration: componentconfig.PersistentVolumeRecyclerConfiguration{
MaximumRetry: 3,
MinimumTimeoutNFS: 300,
IncrementTimeoutNFS: 30,
MinimumTimeoutHostPath: 60,
IncrementTimeoutHostPath: 30,
},
FlexVolumePluginDir: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
},
ContentType: "application/vnd.kubernetes.protobuf",
KubeAPIQPS: 20.0,
KubeAPIBurst: 30,
LeaderElection: leaderelectionconfig.DefaultLeaderElectionConfiguration(),
ControllerStartInterval: metav1.Duration{Duration: 0 * time.Second},
EnableGarbageCollector: true,
ConcurrentGCSyncs: 20,
ClusterSigningCertFile: DefaultClusterSigningCertFile,
ClusterSigningKeyFile: DefaultClusterSigningKeyFile,
ClusterSigningDuration: metav1.Duration{Duration: helpers.OneYear},
ReconcilerSyncLoopPeriod: metav1.Duration{Duration: 60 * time.Second},
EnableTaintManager: true,
HorizontalPodAutoscalerUseRESTClients: true,
}
}
// AddDefaultControllerFlags adds common/default flags for both the kube and cloud Controller Manager Server to the
// specified FlagSet. Any common changes should be made here. Any individual changes should be made in that controller.
func AddDefaultControllerFlags(s *ControllerManagerServer, fs *pflag.FlagSet) {
fs.Int32Var(&s.Port, "port", s.Port, "The port that the controller-manager's http service runs on.")
fs.Var(componentconfig.IPVar{Val: &s.Address}, "address", "The IP address to serve on (set to 0.0.0.0 for all interfaces).")
fs.BoolVar(&s.UseServiceAccountCredentials, "use-service-account-credentials", s.UseServiceAccountCredentials, "If true, use individual service account credentials for each controller.")
fs.StringVar(&s.CloudConfigFile, "cloud-config", s.CloudConfigFile, "The path to the cloud provider configuration file. Empty string for no configuration file.")
fs.BoolVar(&s.AllowUntaggedCloud, "allow-untagged-cloud", false, "Allow the cluster to run without the cluster-id on cloud instances. This is a legacy mode of operation and a cluster-id will be required in the future.")
fs.MarkDeprecated("allow-untagged-cloud", "This flag is deprecated and will be removed in a future release. A cluster-id will be required on cloud instances.")
fs.DurationVar(&s.RouteReconciliationPeriod.Duration, "route-reconciliation-period", s.RouteReconciliationPeriod.Duration, "The period for reconciling routes created for Nodes by cloud provider.")
fs.DurationVar(&s.MinResyncPeriod.Duration, "min-resync-period", s.MinResyncPeriod.Duration, "The resync period in reflectors will be random between MinResyncPeriod and 2*MinResyncPeriod.")
fs.DurationVar(&s.NodeMonitorPeriod.Duration, "node-monitor-period", s.NodeMonitorPeriod.Duration,
"The period for syncing NodeStatus in NodeController.")
fs.BoolVar(&s.EnableProfiling, "profiling", true, "Enable profiling via web interface host:port/debug/pprof/")
fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", false, "Enable lock contention profiling, if profiling is enabled.")
fs.StringVar(&s.ClusterName, "cluster-name", s.ClusterName, "The instance prefix for the cluster.")
fs.StringVar(&s.ClusterCIDR, "cluster-cidr", s.ClusterCIDR, "CIDR Range for Pods in cluster. Requires --allocate-node-cidrs to be true")
fs.BoolVar(&s.AllocateNodeCIDRs, "allocate-node-cidrs", false, "Should CIDRs for Pods be allocated and set on the cloud provider.")
fs.StringVar(&s.CIDRAllocatorType, "cidr-allocator-type", "RangeAllocator", "Type of CIDR allocator to use")
fs.BoolVar(&s.ConfigureCloudRoutes, "configure-cloud-routes", true, "Should CIDRs allocated by allocate-node-cidrs be configured on the cloud provider.")
fs.StringVar(&s.Master, "master", s.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig).")
fs.StringVar(&s.Kubeconfig, "kubeconfig", s.Kubeconfig, "Path to kubeconfig file with authorization and master location information.")
fs.StringVar(&s.ContentType, "kube-api-content-type", s.ContentType, "Content type of requests sent to apiserver.")
fs.Float32Var(&s.KubeAPIQPS, "kube-api-qps", s.KubeAPIQPS, "QPS to use while talking with kubernetes apiserver.")
fs.Int32Var(&s.KubeAPIBurst, "kube-api-burst", s.KubeAPIBurst, "Burst to use while talking with kubernetes apiserver.")
fs.DurationVar(&s.ControllerStartInterval.Duration, "controller-start-interval", s.ControllerStartInterval.Duration, "Interval between starting controller managers.")
}
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package app
import (
"net/http"
"net/http/pprof"
goruntime "runtime"
"time"
"github.com/prometheus/client_golang/prometheus"
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
apirequest "k8s.io/apiserver/pkg/endpoints/request"
genericfilters "k8s.io/apiserver/pkg/server/filters"
"k8s.io/apiserver/pkg/server/healthz"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/util/configz"
)
type serveFunc func(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error
// Serve creates a base handler chain for a controller manager. It runs the
// the chain with the given serveFunc.
func Serve(c *CompletedConfig, serveFunc serveFunc, stopCh <-chan struct{}) error {
mux := http.NewServeMux()
healthz.InstallHandler(mux)
if c.ComponentConfig.EnableProfiling {
mux.HandleFunc("/debug/pprof/", pprof.Index)
mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
if c.ComponentConfig.EnableContentionProfiling {
goruntime.SetBlockProfileRate(1)
}
}
configz.InstallHandler(mux)
mux.Handle("/metrics", prometheus.Handler())
requestContextMapper := apirequest.NewRequestContextMapper()
requestInfoResolver := &apirequest.RequestInfoFactory{}
failedHandler := genericapifilters.Unauthorized(requestContextMapper, legacyscheme.Codecs, false)
handler := genericapifilters.WithAuthorization(mux, requestContextMapper, c.Authorization.Authorizer, legacyscheme.Codecs)
handler = genericapifilters.WithAuthentication(handler, requestContextMapper, c.Authentication.Authenticator, failedHandler)
handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver, requestContextMapper)
handler = apirequest.WithRequestContext(handler, requestContextMapper)
handler = genericfilters.WithPanicRecovery(handler)
return serveFunc(handler, 0, stopCh)
}
...@@ -42,7 +42,7 @@ import ( ...@@ -42,7 +42,7 @@ import (
type ServerRunOptions struct { type ServerRunOptions struct {
GenericServerRunOptions *genericoptions.ServerRunOptions GenericServerRunOptions *genericoptions.ServerRunOptions
Etcd *genericoptions.EtcdOptions Etcd *genericoptions.EtcdOptions
SecureServing *genericoptions.SecureServingOptions SecureServing *genericoptions.SecureServingOptionsWithLoopback
InsecureServing *kubeoptions.InsecureServingOptions InsecureServing *kubeoptions.InsecureServingOptions
Audit *genericoptions.AuditOptions Audit *genericoptions.AuditOptions
Features *genericoptions.FeatureOptions Features *genericoptions.FeatureOptions
......
...@@ -26,6 +26,7 @@ import ( ...@@ -26,6 +26,7 @@ import (
"k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/diff"
apiserveroptions "k8s.io/apiserver/pkg/server/options" apiserveroptions "k8s.io/apiserver/pkg/server/options"
genericoptions "k8s.io/apiserver/pkg/server/options"
"k8s.io/apiserver/pkg/storage/storagebackend" "k8s.io/apiserver/pkg/storage/storagebackend"
utilflag "k8s.io/apiserver/pkg/util/flag" utilflag "k8s.io/apiserver/pkg/util/flag"
auditwebhook "k8s.io/apiserver/plugin/pkg/audit/webhook" auditwebhook "k8s.io/apiserver/plugin/pkg/audit/webhook"
...@@ -137,14 +138,14 @@ func TestAddFlags(t *testing.T) { ...@@ -137,14 +138,14 @@ func TestAddFlags(t *testing.T) {
EnableWatchCache: true, EnableWatchCache: true,
DefaultWatchCacheSize: 100, DefaultWatchCacheSize: 100,
}, },
SecureServing: &apiserveroptions.SecureServingOptions{ SecureServing: genericoptions.WithLoopback(&apiserveroptions.SecureServingOptions{
BindAddress: net.ParseIP("192.168.10.20"), BindAddress: net.ParseIP("192.168.10.20"),
BindPort: 6443, BindPort: 6443,
ServerCert: apiserveroptions.GeneratableKeyCert{ ServerCert: apiserveroptions.GeneratableKeyCert{
CertDirectory: "/var/run/kubernetes", CertDirectory: "/var/run/kubernetes",
PairName: "apiserver", PairName: "apiserver",
}, },
}, }),
InsecureServing: &kubeoptions.InsecureServingOptions{ InsecureServing: &kubeoptions.InsecureServingOptions{
BindAddress: net.ParseIP("127.0.0.1"), BindAddress: net.ParseIP("127.0.0.1"),
BindPort: 8080, BindPort: 8080,
......
...@@ -449,12 +449,12 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp ...@@ -449,12 +449,12 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp
) )
} }
genericConfig.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, storageFactory, client, sharedInformers) genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, storageFactory, client, sharedInformers)
if err != nil { if err != nil {
return nil, nil, nil, nil, nil, fmt.Errorf("invalid authentication config: %v", err) return nil, nil, nil, nil, nil, fmt.Errorf("invalid authentication config: %v", err)
} }
genericConfig.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, sharedInformers, versionedInformers) genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, sharedInformers, versionedInformers)
if err != nil { if err != nil {
return nil, nil, nil, nil, nil, fmt.Errorf("invalid authorization config: %v", err) return nil, nil, nil, nil, nil, fmt.Errorf("invalid authorization config: %v", err)
} }
...@@ -633,7 +633,7 @@ func BuildStorageFactory(s *options.ServerRunOptions, apiResourceConfig *servers ...@@ -633,7 +633,7 @@ func BuildStorageFactory(s *options.ServerRunOptions, apiResourceConfig *servers
func defaultOptions(s *options.ServerRunOptions) error { func defaultOptions(s *options.ServerRunOptions) error {
// set defaults // set defaults
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing); err != nil { if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil {
return err return err
} }
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil { if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
......
...@@ -25,7 +25,9 @@ go_library( ...@@ -25,7 +25,9 @@ go_library(
], ],
importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app", importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app",
deps = [ deps = [
"//cmd/controller-manager/app:go_default_library",
"//cmd/controller-manager/app/options:go_default_library", "//cmd/controller-manager/app/options:go_default_library",
"//cmd/kube-controller-manager/app/config:go_default_library",
"//cmd/kube-controller-manager/app/options:go_default_library", "//cmd/kube-controller-manager/app/options:go_default_library",
"//pkg/api/legacyscheme:go_default_library", "//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/apps/install:go_default_library", "//pkg/apis/apps/install:go_default_library",
...@@ -110,7 +112,6 @@ go_library( ...@@ -110,7 +112,6 @@ go_library(
"//pkg/volume/util:go_default_library", "//pkg/volume/util:go_default_library",
"//pkg/volume/vsphere_volume:go_default_library", "//pkg/volume/vsphere_volume:go_default_library",
"//vendor/github.com/golang/glog:go_default_library", "//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
"//vendor/github.com/spf13/cobra:go_default_library", "//vendor/github.com/spf13/cobra:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library", "//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library",
...@@ -119,20 +120,16 @@ go_library( ...@@ -119,20 +120,16 @@ go_library(
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server/healthz:go_default_library",
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library", "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//vendor/k8s.io/client-go/discovery:go_default_library", "//vendor/k8s.io/client-go/discovery:go_default_library",
"//vendor/k8s.io/client-go/discovery/cached:go_default_library", "//vendor/k8s.io/client-go/discovery/cached:go_default_library",
"//vendor/k8s.io/client-go/dynamic:go_default_library", "//vendor/k8s.io/client-go/dynamic:go_default_library",
"//vendor/k8s.io/client-go/informers:go_default_library", "//vendor/k8s.io/client-go/informers:go_default_library",
"//vendor/k8s.io/client-go/kubernetes:go_default_library", "//vendor/k8s.io/client-go/kubernetes:go_default_library",
"//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
"//vendor/k8s.io/client-go/rest:go_default_library", "//vendor/k8s.io/client-go/rest:go_default_library",
"//vendor/k8s.io/client-go/scale:go_default_library", "//vendor/k8s.io/client-go/scale:go_default_library",
"//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
"//vendor/k8s.io/client-go/tools/leaderelection:go_default_library", "//vendor/k8s.io/client-go/tools/leaderelection:go_default_library",
"//vendor/k8s.io/client-go/tools/leaderelection/resourcelock:go_default_library", "//vendor/k8s.io/client-go/tools/leaderelection/resourcelock:go_default_library",
"//vendor/k8s.io/client-go/tools/record:go_default_library",
"//vendor/k8s.io/client-go/util/cert:go_default_library", "//vendor/k8s.io/client-go/util/cert:go_default_library",
"//vendor/k8s.io/metrics/pkg/client/clientset_generated/clientset/typed/metrics/v1beta1:go_default_library", "//vendor/k8s.io/metrics/pkg/client/clientset_generated/clientset/typed/metrics/v1beta1:go_default_library",
"//vendor/k8s.io/metrics/pkg/client/custom_metrics:go_default_library", "//vendor/k8s.io/metrics/pkg/client/custom_metrics:go_default_library",
...@@ -150,6 +147,7 @@ filegroup( ...@@ -150,6 +147,7 @@ filegroup(
name = "all-srcs", name = "all-srcs",
srcs = [ srcs = [
":package-srcs", ":package-srcs",
"//cmd/kube-controller-manager/app/config:all-srcs",
"//cmd/kube-controller-manager/app/options:all-srcs", "//cmd/kube-controller-manager/app/options:all-srcs",
], ],
tags = ["automanaged"], tags = ["automanaged"],
......
...@@ -38,7 +38,7 @@ func startHPAController(ctx ControllerContext) (bool, error) { ...@@ -38,7 +38,7 @@ func startHPAController(ctx ControllerContext) (bool, error) {
return false, nil return false, nil
} }
if ctx.Options.HorizontalPodAutoscalerUseRESTClients { if ctx.ComponentConfig.HorizontalPodAutoscalerUseRESTClients {
// use the new-style clients if support for custom metrics is enabled // use the new-style clients if support for custom metrics is enabled
return startHPAControllerWithRESTClient(ctx) return startHPAControllerWithRESTClient(ctx)
} }
...@@ -88,7 +88,7 @@ func startHPAControllerWithMetricsClient(ctx ControllerContext, metricsClient me ...@@ -88,7 +88,7 @@ func startHPAControllerWithMetricsClient(ctx ControllerContext, metricsClient me
replicaCalc := podautoscaler.NewReplicaCalculator( replicaCalc := podautoscaler.NewReplicaCalculator(
metricsClient, metricsClient,
hpaClient.CoreV1(), hpaClient.CoreV1(),
ctx.Options.HorizontalPodAutoscalerTolerance, ctx.ComponentConfig.HorizontalPodAutoscalerTolerance,
) )
go podautoscaler.NewHorizontalController( go podautoscaler.NewHorizontalController(
hpaClientGoClient.CoreV1(), hpaClientGoClient.CoreV1(),
...@@ -97,9 +97,9 @@ func startHPAControllerWithMetricsClient(ctx ControllerContext, metricsClient me ...@@ -97,9 +97,9 @@ func startHPAControllerWithMetricsClient(ctx ControllerContext, metricsClient me
restMapper, restMapper,
replicaCalc, replicaCalc,
ctx.InformerFactory.Autoscaling().V1().HorizontalPodAutoscalers(), ctx.InformerFactory.Autoscaling().V1().HorizontalPodAutoscalers(),
ctx.Options.HorizontalPodAutoscalerSyncPeriod.Duration, ctx.ComponentConfig.HorizontalPodAutoscalerSyncPeriod.Duration,
ctx.Options.HorizontalPodAutoscalerUpscaleForbiddenWindow.Duration, ctx.ComponentConfig.HorizontalPodAutoscalerUpscaleForbiddenWindow.Duration,
ctx.Options.HorizontalPodAutoscalerDownscaleForbiddenWindow.Duration, ctx.ComponentConfig.HorizontalPodAutoscalerDownscaleForbiddenWindow.Duration,
).Run(ctx.Stop) ).Run(ctx.Stop)
return true, nil return true, nil
} }
...@@ -36,7 +36,7 @@ func startJobController(ctx ControllerContext) (bool, error) { ...@@ -36,7 +36,7 @@ func startJobController(ctx ControllerContext) (bool, error) {
ctx.InformerFactory.Core().V1().Pods(), ctx.InformerFactory.Core().V1().Pods(),
ctx.InformerFactory.Batch().V1().Jobs(), ctx.InformerFactory.Batch().V1().Jobs(),
ctx.ClientBuilder.ClientOrDie("job-controller"), ctx.ClientBuilder.ClientOrDie("job-controller"),
).Run(int(ctx.Options.ConcurrentJobSyncs), ctx.Stop) ).Run(int(ctx.ComponentConfig.ConcurrentJobSyncs), ctx.Stop)
return true, nil return true, nil
} }
......
...@@ -37,7 +37,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) { ...@@ -37,7 +37,7 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
if !ctx.AvailableResources[schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1beta1", Resource: "certificatesigningrequests"}] { if !ctx.AvailableResources[schema.GroupVersionResource{Group: "certificates.k8s.io", Version: "v1beta1", Resource: "certificatesigningrequests"}] {
return false, nil return false, nil
} }
if ctx.Options.ClusterSigningCertFile == "" || ctx.Options.ClusterSigningKeyFile == "" { if ctx.ComponentConfig.ClusterSigningCertFile == "" || ctx.ComponentConfig.ClusterSigningKeyFile == "" {
return false, nil return false, nil
} }
...@@ -52,15 +52,15 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) { ...@@ -52,15 +52,15 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
// bail out of startController without logging. // bail out of startController without logging.
var keyFileExists, keyUsesDefault, certFileExists, certUsesDefault bool var keyFileExists, keyUsesDefault, certFileExists, certUsesDefault bool
_, err := os.Stat(ctx.Options.ClusterSigningCertFile) _, err := os.Stat(ctx.ComponentConfig.ClusterSigningCertFile)
certFileExists = !os.IsNotExist(err) certFileExists = !os.IsNotExist(err)
certUsesDefault = (ctx.Options.ClusterSigningCertFile == cmoptions.DefaultClusterSigningCertFile) certUsesDefault = (ctx.ComponentConfig.ClusterSigningCertFile == cmoptions.DefaultClusterSigningCertFile)
_, err = os.Stat(ctx.Options.ClusterSigningKeyFile) _, err = os.Stat(ctx.ComponentConfig.ClusterSigningKeyFile)
keyFileExists = !os.IsNotExist(err) keyFileExists = !os.IsNotExist(err)
keyUsesDefault = (ctx.Options.ClusterSigningKeyFile == cmoptions.DefaultClusterSigningKeyFile) keyUsesDefault = (ctx.ComponentConfig.ClusterSigningKeyFile == cmoptions.DefaultClusterSigningKeyFile)
switch { switch {
case (keyFileExists && keyUsesDefault) || (certFileExists && certUsesDefault): case (keyFileExists && keyUsesDefault) || (certFileExists && certUsesDefault):
...@@ -84,9 +84,9 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) { ...@@ -84,9 +84,9 @@ func startCSRSigningController(ctx ControllerContext) (bool, error) {
signer, err := signer.NewCSRSigningController( signer, err := signer.NewCSRSigningController(
c, c,
ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(), ctx.InformerFactory.Certificates().V1beta1().CertificateSigningRequests(),
ctx.Options.ClusterSigningCertFile, ctx.ComponentConfig.ClusterSigningCertFile,
ctx.Options.ClusterSigningKeyFile, ctx.ComponentConfig.ClusterSigningKeyFile,
ctx.Options.ClusterSigningDuration.Duration, ctx.ComponentConfig.ClusterSigningDuration.Duration,
) )
if err != nil { if err != nil {
return false, fmt.Errorf("failed to start certificate controller: %v", err) return false, fmt.Errorf("failed to start certificate controller: %v", err)
......
load("@io_bazel_rules_go//go:def.bzl", "go_library")
go_library(
name = "go_default_library",
srcs = ["config.go"],
importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app/config",
visibility = ["//visibility:public"],
deps = ["//cmd/controller-manager/app:go_default_library"],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
visibility = ["//visibility:public"],
)
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package config
import (
"time"
genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
)
// ExtraConfig are part of Config, also can place your custom config here.
type ExtraConfig struct {
NodeStatusUpdateFrequency time.Duration
}
// Config is the main context object for the controller manager.
type Config struct {
Generic genericcontrollermanager.Config
Extra ExtraConfig
}
type completedConfig struct {
Generic genericcontrollermanager.CompletedConfig
Extra *ExtraConfig
}
// CompletedConfig same as Config, just to swap private object.
type CompletedConfig struct {
// Embed a private pointer that cannot be instantiated outside of this package.
*completedConfig
}
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
func (c *Config) Complete() *CompletedConfig {
cc := completedConfig{
c.Generic.Complete(),
&c.Extra,
}
return &CompletedConfig{&cc}
}
...@@ -43,7 +43,7 @@ func startDaemonSetController(ctx ControllerContext) (bool, error) { ...@@ -43,7 +43,7 @@ func startDaemonSetController(ctx ControllerContext) (bool, error) {
if err != nil { if err != nil {
return true, fmt.Errorf("error creating DaemonSets controller: %v", err) return true, fmt.Errorf("error creating DaemonSets controller: %v", err)
} }
go dsc.Run(int(ctx.Options.ConcurrentDaemonSetSyncs), ctx.Stop) go dsc.Run(int(ctx.ComponentConfig.ConcurrentDaemonSetSyncs), ctx.Stop)
return true, nil return true, nil
} }
...@@ -60,7 +60,7 @@ func startDeploymentController(ctx ControllerContext) (bool, error) { ...@@ -60,7 +60,7 @@ func startDeploymentController(ctx ControllerContext) (bool, error) {
if err != nil { if err != nil {
return true, fmt.Errorf("error creating Deployment controller: %v", err) return true, fmt.Errorf("error creating Deployment controller: %v", err)
} }
go dc.Run(int(ctx.Options.ConcurrentDeploymentSyncs), ctx.Stop) go dc.Run(int(ctx.ComponentConfig.ConcurrentDeploymentSyncs), ctx.Stop)
return true, nil return true, nil
} }
...@@ -73,6 +73,6 @@ func startReplicaSetController(ctx ControllerContext) (bool, error) { ...@@ -73,6 +73,6 @@ func startReplicaSetController(ctx ControllerContext) (bool, error) {
ctx.InformerFactory.Core().V1().Pods(), ctx.InformerFactory.Core().V1().Pods(),
ctx.ClientBuilder.ClientOrDie("replicaset-controller"), ctx.ClientBuilder.ClientOrDie("replicaset-controller"),
replicaset.BurstReplicas, replicaset.BurstReplicas,
).Run(int(ctx.Options.ConcurrentRSSyncs), ctx.Stop) ).Run(int(ctx.ComponentConfig.ConcurrentRSSyncs), ctx.Stop)
return true, nil return true, nil
} }
...@@ -12,6 +12,7 @@ go_library( ...@@ -12,6 +12,7 @@ go_library(
importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app/options", importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app/options",
deps = [ deps = [
"//cmd/controller-manager/app/options:go_default_library", "//cmd/controller-manager/app/options:go_default_library",
"//cmd/kube-controller-manager/app/config:go_default_library",
"//pkg/apis/componentconfig:go_default_library", "//pkg/apis/componentconfig:go_default_library",
"//pkg/client/leaderelectionconfig:go_default_library", "//pkg/client/leaderelectionconfig:go_default_library",
"//pkg/controller/garbagecollector:go_default_library", "//pkg/controller/garbagecollector:go_default_library",
...@@ -49,5 +50,6 @@ go_test( ...@@ -49,5 +50,6 @@ go_test(
"//vendor/github.com/spf13/pflag:go_default_library", "//vendor/github.com/spf13/pflag:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/k8s.io/apiserver/pkg/server/options:go_default_library",
], ],
) )
...@@ -17,6 +17,7 @@ limitations under the License. ...@@ -17,6 +17,7 @@ limitations under the License.
package options package options
import ( import (
"net"
"reflect" "reflect"
"sort" "sort"
"testing" "testing"
...@@ -26,13 +27,14 @@ import ( ...@@ -26,13 +27,14 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/diff"
apiserveroptions "k8s.io/apiserver/pkg/server/options"
cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options" cmoptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
"k8s.io/kubernetes/pkg/apis/componentconfig" "k8s.io/kubernetes/pkg/apis/componentconfig"
) )
func TestAddFlags(t *testing.T) { func TestAddFlags(t *testing.T) {
f := pflag.NewFlagSet("addflagstest", pflag.ContinueOnError) f := pflag.NewFlagSet("addflagstest", pflag.ContinueOnError)
s := NewCMServer() s := NewKubeControllerManagerOptions()
s.AddFlags(f, []string{""}, []string{""}) s.AddFlags(f, []string{""}, []string{""})
args := []string{ args := []string{
...@@ -103,17 +105,20 @@ func TestAddFlags(t *testing.T) { ...@@ -103,17 +105,20 @@ func TestAddFlags(t *testing.T) {
"--terminated-pod-gc-threshold=12000", "--terminated-pod-gc-threshold=12000",
"--unhealthy-zone-threshold=0.6", "--unhealthy-zone-threshold=0.6",
"--use-service-account-credentials=true", "--use-service-account-credentials=true",
"--cert-dir=/a/b/c",
"--bind-address=192.168.4.21",
"--secure-port=10001",
} }
f.Parse(args) f.Parse(args)
// Sort GCIgnoredResources because it's built from a map, which means the // Sort GCIgnoredResources because it's built from a map, which means the
// insertion order is random. // insertion order is random.
sort.Sort(sortedGCIgnoredResources(s.GCIgnoredResources)) sort.Sort(sortedGCIgnoredResources(s.Generic.ComponentConfig.GCIgnoredResources))
expected := &CMServer{ expected := &KubeControllerManagerOptions{
ControllerManagerServer: cmoptions.ControllerManagerServer{ Generic: cmoptions.GenericControllerManagerOptions{
KubeControllerManagerConfiguration: componentconfig.KubeControllerManagerConfiguration{ ComponentConfig: componentconfig.KubeControllerManagerConfiguration{
Port: 10000, Port: 10252, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
Address: "192.168.4.10", Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
AllocateNodeCIDRs: true, AllocateNodeCIDRs: true,
CloudConfigFile: "/cloud-config", CloudConfigFile: "/cloud-config",
CloudProvider: "gce", CloudProvider: "gce",
...@@ -204,6 +209,19 @@ func TestAddFlags(t *testing.T) { ...@@ -204,6 +209,19 @@ func TestAddFlags(t *testing.T) {
HorizontalPodAutoscalerUseRESTClients: true, HorizontalPodAutoscalerUseRESTClients: true,
UseServiceAccountCredentials: true, UseServiceAccountCredentials: true,
}, },
SecureServing: &apiserveroptions.SecureServingOptions{
BindPort: 10001,
BindAddress: net.ParseIP("192.168.4.21"),
ServerCert: apiserveroptions.GeneratableKeyCert{
CertDirectory: "/a/b/c",
PairName: "kube-controller-manager",
},
},
InsecureServing: &cmoptions.InsecureServingOptions{
BindAddress: net.ParseIP("192.168.4.10"),
BindPort: int(10000),
BindNetwork: "tcp",
},
Kubeconfig: "/kubeconfig", Kubeconfig: "/kubeconfig",
Master: "192.168.4.20", Master: "192.168.4.20",
}, },
...@@ -211,7 +229,7 @@ func TestAddFlags(t *testing.T) { ...@@ -211,7 +229,7 @@ func TestAddFlags(t *testing.T) {
// Sort GCIgnoredResources because it's built from a map, which means the // Sort GCIgnoredResources because it's built from a map, which means the
// insertion order is random. // insertion order is random.
sort.Sort(sortedGCIgnoredResources(expected.GCIgnoredResources)) sort.Sort(sortedGCIgnoredResources(expected.Generic.ComponentConfig.GCIgnoredResources))
if !reflect.DeepEqual(expected, s) { if !reflect.DeepEqual(expected, s) {
t.Errorf("Got different run options than expected.\nDifference detected on:\n%s", diff.ObjectReflectDiff(expected, s)) t.Errorf("Got different run options than expected.\nDifference detected on:\n%s", diff.ObjectReflectDiff(expected, s))
......
...@@ -22,14 +22,13 @@ package main ...@@ -22,14 +22,13 @@ package main
import ( import (
goflag "flag" goflag "flag"
"fmt"
"math/rand" "math/rand"
"os" "os"
"time" "time"
"github.com/spf13/pflag" "github.com/spf13/pflag"
"fmt"
utilflag "k8s.io/apiserver/pkg/util/flag" utilflag "k8s.io/apiserver/pkg/util/flag"
"k8s.io/apiserver/pkg/util/logs" "k8s.io/apiserver/pkg/util/logs"
"k8s.io/kubernetes/cmd/kube-controller-manager/app" "k8s.io/kubernetes/cmd/kube-controller-manager/app"
......
...@@ -530,7 +530,7 @@ func (eac ExtraArgsCheck) Check() (warnings, errors []error) { ...@@ -530,7 +530,7 @@ func (eac ExtraArgsCheck) Check() (warnings, errors []error) {
} }
if len(eac.ControllerManagerExtraArgs) > 0 { if len(eac.ControllerManagerExtraArgs) > 0 {
flags := pflag.NewFlagSet("", pflag.ContinueOnError) flags := pflag.NewFlagSet("", pflag.ContinueOnError)
s := cmoptions.NewCMServer() s := cmoptions.NewKubeControllerManagerOptions()
s.AddFlags(flags, []string{}, []string{}) s.AddFlags(flags, []string{}, []string{})
warnings = append(warnings, argsCheck("kube-controller-manager", eac.ControllerManagerExtraArgs, flags)...) warnings = append(warnings, argsCheck("kube-controller-manager", eac.ControllerManagerExtraArgs, flags)...)
} }
......
...@@ -341,19 +341,17 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error ...@@ -341,19 +341,17 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
var err error var err error
if o.ClientCert != nil { if o.ClientCert != nil {
c, err = c.ApplyClientCert(o.ClientCert.ClientCA) if err = c.Authentication.ApplyClientCert(o.ClientCert.ClientCA, c.SecureServing); err != nil {
if err != nil {
return fmt.Errorf("unable to load client CA file: %v", err) return fmt.Errorf("unable to load client CA file: %v", err)
} }
} }
if o.RequestHeader != nil { if o.RequestHeader != nil {
c, err = c.ApplyClientCert(o.RequestHeader.ClientCAFile) if err = c.Authentication.ApplyClientCert(o.RequestHeader.ClientCAFile, c.SecureServing); err != nil {
if err != nil {
return fmt.Errorf("unable to load client CA file: %v", err) return fmt.Errorf("unable to load client CA file: %v", err)
} }
} }
c.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0 c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
return nil return nil
} }
......
...@@ -33,15 +33,15 @@ import ( ...@@ -33,15 +33,15 @@ import (
// NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
// "normal" API servers running on the platform // "normal" API servers running on the platform
func NewSecureServingOptions() *genericoptions.SecureServingOptions { func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback {
return &genericoptions.SecureServingOptions{ return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{
BindAddress: net.ParseIP("0.0.0.0"), BindAddress: net.ParseIP("0.0.0.0"),
BindPort: 6443, BindPort: 6443,
ServerCert: genericoptions.GeneratableKeyCert{ ServerCert: genericoptions.GeneratableKeyCert{
PairName: "apiserver", PairName: "apiserver",
CertDirectory: "/var/run/kubernetes", CertDirectory: "/var/run/kubernetes",
}, },
} })
} }
// DefaultAdvertiseAddress sets the field AdvertiseAddress if // DefaultAdvertiseAddress sets the field AdvertiseAddress if
......
...@@ -330,15 +330,15 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) ...@@ -330,15 +330,15 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
// TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery // TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery
// handlers that we have. // handlers that we have.
restStorageProviders := []RESTStorageProvider{ restStorageProviders := []RESTStorageProvider{
authenticationrest.RESTStorageProvider{Authenticator: c.GenericConfig.Authenticator}, authenticationrest.RESTStorageProvider{Authenticator: c.GenericConfig.Authentication.Authenticator},
authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorizer, RuleResolver: c.GenericConfig.RuleResolver}, authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer, RuleResolver: c.GenericConfig.RuleResolver},
autoscalingrest.RESTStorageProvider{}, autoscalingrest.RESTStorageProvider{},
batchrest.RESTStorageProvider{}, batchrest.RESTStorageProvider{},
certificatesrest.RESTStorageProvider{}, certificatesrest.RESTStorageProvider{},
extensionsrest.RESTStorageProvider{}, extensionsrest.RESTStorageProvider{},
networkingrest.RESTStorageProvider{}, networkingrest.RESTStorageProvider{},
policyrest.RESTStorageProvider{}, policyrest.RESTStorageProvider{},
rbacrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorizer}, rbacrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer},
schedulingrest.RESTStorageProvider{}, schedulingrest.RESTStorageProvider{},
settingsrest.RESTStorageProvider{}, settingsrest.RESTStorageProvider{},
storagerest.RESTStorageProvider{}, storagerest.RESTStorageProvider{},
......
...@@ -26,12 +26,12 @@ const ( ...@@ -26,12 +26,12 @@ const (
// SchedulerPort is the default port for the scheduler status server. // SchedulerPort is the default port for the scheduler status server.
// May be overridden by a flag at startup. // May be overridden by a flag at startup.
SchedulerPort = 10251 SchedulerPort = 10251
// ControllerManagerPort is the default port for the controller manager status server. // InsecureKubeControllerManagerPort is the default port for the controller manager status server.
// May be overridden by a flag at startup. // May be overridden by a flag at startup.
ControllerManagerPort = 10252 InsecureKubeControllerManagerPort = 10252
// CloudControllerManagerPort is the default port for the cloud controller manager server. // InsecureCloudControllerManagerPort is the default port for the cloud controller manager server.
// This value may be overridden by a flag at startup. // This value may be overridden by a flag at startup.
CloudControllerManagerPort = 10253 InsecureCloudControllerManagerPort = 10253
// KubeletReadOnlyPort exposes basic read-only services from the kubelet. // KubeletReadOnlyPort exposes basic read-only services from the kubelet.
// May be overridden by a flag at startup. // May be overridden by a flag at startup.
// This is necessary for heapster to collect monitoring stats from the kubelet // This is necessary for heapster to collect monitoring stats from the kubelet
......
...@@ -239,7 +239,7 @@ type componentStatusStorage struct { ...@@ -239,7 +239,7 @@ type componentStatusStorage struct {
func (s componentStatusStorage) serversToValidate() map[string]*componentstatus.Server { func (s componentStatusStorage) serversToValidate() map[string]*componentstatus.Server {
serversToValidate := map[string]*componentstatus.Server{ serversToValidate := map[string]*componentstatus.Server{
"controller-manager": {Addr: "127.0.0.1", Port: ports.ControllerManagerPort, Path: "/healthz"}, "controller-manager": {Addr: "127.0.0.1", Port: ports.InsecureKubeControllerManagerPort, Path: "/healthz"},
"scheduler": {Addr: "127.0.0.1", Port: ports.SchedulerPort, Path: "/healthz"}, "scheduler": {Addr: "127.0.0.1", Port: ports.SchedulerPort, Path: "/healthz"},
} }
......
...@@ -79,14 +79,19 @@ const ( ...@@ -79,14 +79,19 @@ const (
// Config is a structure used to configure a GenericAPIServer. // Config is a structure used to configure a GenericAPIServer.
// Its members are sorted roughly in order of importance for composers. // Its members are sorted roughly in order of importance for composers.
type Config struct { type Config struct {
// SecureServingInfo is required to serve https // SecureServing is required to serve https
SecureServingInfo *SecureServingInfo SecureServing *SecureServingInfo
// Authentication is the configuration for authentication
Authentication AuthenticationInfo
// Authentication is the configuration for authentication
Authorization AuthorizationInfo
// LoopbackClientConfig is a config for a privileged loopback connection to the API server // LoopbackClientConfig is a config for a privileged loopback connection to the API server
// This is required for proper functioning of the PostStartHooks on a GenericAPIServer // This is required for proper functioning of the PostStartHooks on a GenericAPIServer
// TODO: move into SecureServing(WithLoopback) as soon as insecure serving is gone
LoopbackClientConfig *restclient.Config LoopbackClientConfig *restclient.Config
// Authenticator determines which subject is making the request
Authenticator authenticator.Request
// Authorizer determines whether the subject is allowed to make the request based only // Authorizer determines whether the subject is allowed to make the request based only
// on the RequestURI // on the RequestURI
Authorizer authorizer.Authorizer Authorizer authorizer.Authorizer
...@@ -116,10 +121,6 @@ type Config struct { ...@@ -116,10 +121,6 @@ type Config struct {
AuditBackend audit.Backend AuditBackend audit.Backend
// AuditPolicyChecker makes the decision of whether and how to audit log a request. // AuditPolicyChecker makes the decision of whether and how to audit log a request.
AuditPolicyChecker auditpolicy.Checker AuditPolicyChecker auditpolicy.Checker
// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
// If this is true, a basic auth challenge is returned on authentication failure
// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
SupportsBasicAuth bool
// ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger) // ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger)
// Will default to a value based on secure serving info and available ipv4 IPs. // Will default to a value based on secure serving info and available ipv4 IPs.
ExternalAddress string ExternalAddress string
...@@ -231,6 +232,21 @@ type SecureServingInfo struct { ...@@ -231,6 +232,21 @@ type SecureServingInfo struct {
CipherSuites []uint16 CipherSuites []uint16
} }
type AuthenticationInfo struct {
// Authenticator determines which subject is making the request
Authenticator authenticator.Request
// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
// If this is true, a basic auth challenge is returned on authentication failure
// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
SupportsBasicAuth bool
}
type AuthorizationInfo struct {
// Authorizer determines whether the subject is allowed to make the request based only
// on the RequestURI
Authorizer authorizer.Authorizer
}
// NewConfig returns a Config struct with the default values // NewConfig returns a Config struct with the default values
func NewConfig(codecs serializer.CodecFactory) *Config { func NewConfig(codecs serializer.CodecFactory) *Config {
return &Config{ return &Config{
...@@ -302,23 +318,23 @@ func DefaultSwaggerConfig() *swagger.Config { ...@@ -302,23 +318,23 @@ func DefaultSwaggerConfig() *swagger.Config {
} }
} }
func (c *Config) ApplyClientCert(clientCAFile string) (*Config, error) { func (c *AuthenticationInfo) ApplyClientCert(clientCAFile string, servingInfo *SecureServingInfo) error {
if c.SecureServingInfo != nil { if servingInfo != nil {
if len(clientCAFile) > 0 { if len(clientCAFile) > 0 {
clientCAs, err := certutil.CertsFromFile(clientCAFile) clientCAs, err := certutil.CertsFromFile(clientCAFile)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to load client CA file: %v", err) return fmt.Errorf("unable to load client CA file: %v", err)
} }
if c.SecureServingInfo.ClientCA == nil { if servingInfo.ClientCA == nil {
c.SecureServingInfo.ClientCA = x509.NewCertPool() servingInfo.ClientCA = x509.NewCertPool()
} }
for _, cert := range clientCAs { for _, cert := range clientCAs {
c.SecureServingInfo.ClientCA.AddCert(cert) servingInfo.ClientCA.AddCert(cert)
} }
} }
} }
return c, nil return nil
} }
type completedConfig struct { type completedConfig struct {
...@@ -385,7 +401,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo ...@@ -385,7 +401,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
} }
} }
if c.SwaggerConfig != nil && len(c.SwaggerConfig.WebServicesUrl) == 0 { if c.SwaggerConfig != nil && len(c.SwaggerConfig.WebServicesUrl) == 0 {
if c.SecureServingInfo != nil { if c.SecureServing != nil {
c.SwaggerConfig.WebServicesUrl = "https://" + c.ExternalAddress c.SwaggerConfig.WebServicesUrl = "https://" + c.ExternalAddress
} else { } else {
c.SwaggerConfig.WebServicesUrl = "http://" + c.ExternalAddress c.SwaggerConfig.WebServicesUrl = "http://" + c.ExternalAddress
...@@ -397,7 +413,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo ...@@ -397,7 +413,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
// If the loopbackclientconfig is specified AND it has a token for use against the API server // If the loopbackclientconfig is specified AND it has a token for use against the API server
// wrap the authenticator and authorizer in loopback authentication logic // wrap the authenticator and authorizer in loopback authentication logic
if c.Authenticator != nil && c.Authorizer != nil && c.LoopbackClientConfig != nil && len(c.LoopbackClientConfig.BearerToken) > 0 { if c.Authentication.Authenticator != nil && c.Authorization.Authorizer != nil && c.LoopbackClientConfig != nil && len(c.LoopbackClientConfig.BearerToken) > 0 {
privilegedLoopbackToken := c.LoopbackClientConfig.BearerToken privilegedLoopbackToken := c.LoopbackClientConfig.BearerToken
var uid = uuid.NewRandom().String() var uid = uuid.NewRandom().String()
tokens := make(map[string]*user.DefaultInfo) tokens := make(map[string]*user.DefaultInfo)
...@@ -408,10 +424,10 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo ...@@ -408,10 +424,10 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo
} }
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens) tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
c.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authenticator) c.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authentication.Authenticator)
tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup) tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
c.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorizer) c.Authorization.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorization.Authorizer)
} }
if c.RequestInfoResolver == nil { if c.RequestInfoResolver == nil {
...@@ -458,7 +474,7 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G ...@@ -458,7 +474,7 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
minRequestTimeout: time.Duration(c.MinRequestTimeout) * time.Second, minRequestTimeout: time.Duration(c.MinRequestTimeout) * time.Second,
ShutdownTimeout: c.RequestTimeout, ShutdownTimeout: c.RequestTimeout,
SecureServingInfo: c.SecureServingInfo, SecureServingInfo: c.SecureServing,
ExternalAddress: c.ExternalAddress, ExternalAddress: c.ExternalAddress,
Handler: apiServerHandler, Handler: apiServerHandler,
...@@ -530,19 +546,19 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G ...@@ -530,19 +546,19 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G
} }
func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler { func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
handler := genericapifilters.WithAuthorization(apiHandler, c.RequestContextMapper, c.Authorizer, c.Serializer) handler := genericapifilters.WithAuthorization(apiHandler, c.RequestContextMapper, c.Authorization.Authorizer, c.Serializer)
handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.RequestContextMapper, c.LongRunningFunc) handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.RequestContextMapper, c.LongRunningFunc)
handler = genericapifilters.WithImpersonation(handler, c.RequestContextMapper, c.Authorizer, c.Serializer) handler = genericapifilters.WithImpersonation(handler, c.RequestContextMapper, c.Authorization.Authorizer, c.Serializer)
if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) { if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) {
handler = genericapifilters.WithAudit(handler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc) handler = genericapifilters.WithAudit(handler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
} else { } else {
handler = genericapifilters.WithLegacyAudit(handler, c.RequestContextMapper, c.LegacyAuditWriter) handler = genericapifilters.WithLegacyAudit(handler, c.RequestContextMapper, c.LegacyAuditWriter)
} }
failedHandler := genericapifilters.Unauthorized(c.RequestContextMapper, c.Serializer, c.SupportsBasicAuth) failedHandler := genericapifilters.Unauthorized(c.RequestContextMapper, c.Serializer, c.Authentication.SupportsBasicAuth)
if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) { if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) {
failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker) failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker)
} }
handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authenticator, failedHandler) handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authentication.Authenticator, failedHandler)
handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true") handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.RequestContextMapper, c.LongRunningFunc, c.RequestTimeout) handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.RequestContextMapper, c.LongRunningFunc, c.RequestTimeout)
handler = genericfilters.WithWaitGroup(handler, c.RequestContextMapper, c.LongRunningFunc, c.HandlerChainWaitGroup) handler = genericfilters.WithWaitGroup(handler, c.RequestContextMapper, c.LongRunningFunc, c.HandlerChainWaitGroup)
......
...@@ -310,7 +310,7 @@ func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error { ...@@ -310,7 +310,7 @@ func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error {
internalStopCh := make(chan struct{}) internalStopCh := make(chan struct{})
if s.SecureServingInfo != nil && s.Handler != nil { if s.SecureServingInfo != nil && s.Handler != nil {
if err := s.serveSecurely(internalStopCh); err != nil { if err := s.SecureServingInfo.Serve(s.Handler, s.ShutdownTimeout, internalStopCh); err != nil {
close(internalStopCh) close(internalStopCh)
return err return err
} }
......
...@@ -387,7 +387,7 @@ func TestNotRestRoutesHaveAuth(t *testing.T) { ...@@ -387,7 +387,7 @@ func TestNotRestRoutesHaveAuth(t *testing.T) {
authz := mockAuthorizer{} authz := mockAuthorizer{}
config.LegacyAPIGroupPrefixes = sets.NewString("/apiPrefix") config.LegacyAPIGroupPrefixes = sets.NewString("/apiPrefix")
config.Authorizer = &authz config.Authorization.Authorizer = &authz
config.EnableSwaggerUI = true config.EnableSwaggerUI = true
config.EnableIndex = true config.EnableIndex = true
......
...@@ -15,6 +15,7 @@ go_library( ...@@ -15,6 +15,7 @@ go_library(
"recommended.go", "recommended.go",
"server_run_options.go", "server_run_options.go",
"serving.go", "serving.go",
"serving_with_loopback.go",
], ],
importpath = "k8s.io/apiserver/pkg/server/options", importpath = "k8s.io/apiserver/pkg/server/options",
visibility = ["//visibility:public"], visibility = ["//visibility:public"],
...@@ -64,6 +65,7 @@ go_library( ...@@ -64,6 +65,7 @@ go_library(
"//vendor/k8s.io/client-go/rest:go_default_library", "//vendor/k8s.io/client-go/rest:go_default_library",
"//vendor/k8s.io/client-go/tools/clientcmd:go_default_library", "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
"//vendor/k8s.io/client-go/util/cert:go_default_library", "//vendor/k8s.io/client-go/util/cert:go_default_library",
"//vendor/k8s.io/kube-openapi/pkg/common:go_default_library",
], ],
) )
......
...@@ -136,7 +136,7 @@ func (a *AdmissionOptions) ApplyTo( ...@@ -136,7 +136,7 @@ func (a *AdmissionOptions) ApplyTo(
if err != nil { if err != nil {
return err return err
} }
genericInitializer := initializer.New(clientset, informers, c.Authorizer, scheme) genericInitializer := initializer.New(clientset, informers, c.Authorization.Authorizer, scheme)
initializersChain := admission.PluginInitializers{} initializersChain := admission.PluginInitializers{}
pluginInitializers = append(pluginInitializers, genericInitializer) pluginInitializers = append(pluginInitializers, genericInitializer)
initializersChain = append(initializersChain, pluginInitializers...) initializersChain = append(initializersChain, pluginInitializers...)
......
...@@ -32,6 +32,7 @@ import ( ...@@ -32,6 +32,7 @@ import (
coreclient "k8s.io/client-go/kubernetes/typed/core/v1" coreclient "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd" "k8s.io/client-go/tools/clientcmd"
openapicommon "k8s.io/kube-openapi/pkg/common"
) )
type RequestHeaderAuthenticationOptions struct { type RequestHeaderAuthenticationOptions struct {
...@@ -130,6 +131,10 @@ func (s *DelegatingAuthenticationOptions) Validate() []error { ...@@ -130,6 +131,10 @@ func (s *DelegatingAuthenticationOptions) Validate() []error {
} }
func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
if s == nil {
return
}
fs.StringVar(&s.RemoteKubeConfigFile, "authentication-kubeconfig", s.RemoteKubeConfigFile, ""+ fs.StringVar(&s.RemoteKubeConfigFile, "authentication-kubeconfig", s.RemoteKubeConfigFile, ""+
"kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "+ "kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "+
"tokenaccessreviews.authentication.k8s.io.") "tokenaccessreviews.authentication.k8s.io.")
...@@ -146,7 +151,7 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -146,7 +151,7 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
} }
func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo, servingInfo *server.SecureServingInfo, openAPIConfig *openapicommon.Config) error {
if s == nil { if s == nil {
c.Authenticator = nil c.Authenticator = nil
return nil return nil
...@@ -156,8 +161,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { ...@@ -156,8 +161,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
if err != nil { if err != nil {
return err return err
} }
c, err = c.ApplyClientCert(clientCA.ClientCA) if err = c.ApplyClientCert(clientCA.ClientCA, servingInfo); err != nil {
if err != nil {
return fmt.Errorf("unable to load client CA file: %v", err) return fmt.Errorf("unable to load client CA file: %v", err)
} }
...@@ -165,8 +169,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { ...@@ -165,8 +169,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
if err != nil { if err != nil {
return err return err
} }
c, err = c.ApplyClientCert(requestHeader.ClientCAFile) if err = c.ApplyClientCert(requestHeader.ClientCAFile, servingInfo); err != nil {
if err != nil {
return fmt.Errorf("unable to load client CA file: %v", err) return fmt.Errorf("unable to load client CA file: %v", err)
} }
...@@ -180,8 +183,8 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { ...@@ -180,8 +183,8 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
} }
c.Authenticator = authenticator c.Authenticator = authenticator
if c.OpenAPIConfig != nil { if openAPIConfig != nil {
c.OpenAPIConfig.SecurityDefinitions = securityDefinitions openAPIConfig.SecurityDefinitions = securityDefinitions
} }
c.SupportsBasicAuth = false c.SupportsBasicAuth = false
......
...@@ -74,7 +74,7 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -74,7 +74,7 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
"The duration to cache 'unauthorized' responses from the webhook authorizer.") "The duration to cache 'unauthorized' responses from the webhook authorizer.")
} }
func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.Config) error { func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.AuthorizationInfo) error {
if s == nil { if s == nil {
c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer() c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
return nil return nil
......
...@@ -30,7 +30,7 @@ import ( ...@@ -30,7 +30,7 @@ import (
// Each of them can be nil to leave the feature unconfigured on ApplyTo. // Each of them can be nil to leave the feature unconfigured on ApplyTo.
type RecommendedOptions struct { type RecommendedOptions struct {
Etcd *EtcdOptions Etcd *EtcdOptions
SecureServing *SecureServingOptions SecureServing *SecureServingOptionsWithLoopback
Authentication *DelegatingAuthenticationOptions Authentication *DelegatingAuthenticationOptions
Authorization *DelegatingAuthorizationOptions Authorization *DelegatingAuthorizationOptions
Audit *AuditOptions Audit *AuditOptions
...@@ -46,7 +46,7 @@ type RecommendedOptions struct { ...@@ -46,7 +46,7 @@ type RecommendedOptions struct {
func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptions { func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptions {
return &RecommendedOptions{ return &RecommendedOptions{
Etcd: NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)), Etcd: NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
SecureServing: NewSecureServingOptions(), SecureServing: WithLoopback(NewSecureServingOptions()),
Authentication: NewDelegatingAuthenticationOptions(), Authentication: NewDelegatingAuthenticationOptions(),
Authorization: NewDelegatingAuthorizationOptions(), Authorization: NewDelegatingAuthorizationOptions(),
Audit: NewAuditOptions(), Audit: NewAuditOptions(),
...@@ -78,10 +78,10 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r ...@@ -78,10 +78,10 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r
if err := o.SecureServing.ApplyTo(&config.Config); err != nil { if err := o.SecureServing.ApplyTo(&config.Config); err != nil {
return err return err
} }
if err := o.Authentication.ApplyTo(&config.Config); err != nil { if err := o.Authentication.ApplyTo(&config.Config.Authentication, config.SecureServing, config.OpenAPIConfig); err != nil {
return err return err
} }
if err := o.Authorization.ApplyTo(&config.Config); err != nil { if err := o.Authorization.ApplyTo(&config.Config.Authorization); err != nil {
return err return err
} }
if err := o.Audit.ApplyTo(&config.Config); err != nil { if err := o.Audit.ApplyTo(&config.Config); err != nil {
......
...@@ -24,7 +24,6 @@ import ( ...@@ -24,7 +24,6 @@ import (
"strconv" "strconv"
"github.com/golang/glog" "github.com/golang/glog"
"github.com/pborman/uuid"
"github.com/spf13/pflag" "github.com/spf13/pflag"
utilnet "k8s.io/apimachinery/pkg/util/net" utilnet "k8s.io/apimachinery/pkg/util/net"
...@@ -111,9 +110,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -111,9 +110,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
} }
fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+ fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+
"The IP address on which to listen for the --secure-port port. The "+ "The IP address on which to listen for the --secure-port port. If blank, all interfaces will be used (0.0.0.0).")
"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
"clients. If blank, all interfaces will be used (0.0.0.0).")
fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+ fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+
"The port on which to serve HTTPS with authentication and authorization. If 0, "+ "The port on which to serve HTTPS with authentication and authorization. If 0, "+
...@@ -157,7 +154,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { ...@@ -157,7 +154,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
} }
// ApplyTo fills up serving information in the server configuration. // ApplyTo fills up serving information in the server configuration.
func (s *SecureServingOptions) ApplyTo(c *server.Config) error { func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error {
if s == nil { if s == nil {
return nil return nil
} }
...@@ -180,42 +177,10 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error { ...@@ -180,42 +177,10 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
s.BindAddress = s.Listener.Addr().(*net.TCPAddr).IP s.BindAddress = s.Listener.Addr().(*net.TCPAddr).IP
} }
if err := s.applyServingInfoTo(c); err != nil { *config = &server.SecureServingInfo{
return err Listener: s.Listener,
}
c.SecureServingInfo.Listener = s.Listener
// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
// let the server return it when the loopback client connects.
certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
if err != nil {
return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
} }
tlsCert, err := tls.X509KeyPair(certPem, keyPem) c := *config
if err != nil {
return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
}
secureLoopbackClientConfig, err := c.SecureServingInfo.NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
switch {
// if we failed and there's no fallback loopback client config, we need to fail
case err != nil && c.LoopbackClientConfig == nil:
return err
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
case err != nil && c.LoopbackClientConfig != nil:
default:
c.LoopbackClientConfig = secureLoopbackClientConfig
c.SecureServingInfo.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
}
return nil
}
func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
secureServingInfo := &server.SecureServingInfo{}
serverCertFile, serverKeyFile := s.ServerCert.CertKey.CertFile, s.ServerCert.CertKey.KeyFile serverCertFile, serverKeyFile := s.ServerCert.CertKey.CertFile, s.ServerCert.CertKey.KeyFile
// load main cert // load main cert
...@@ -224,7 +189,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { ...@@ -224,7 +189,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
if err != nil { if err != nil {
return fmt.Errorf("unable to load server certificate: %v", err) return fmt.Errorf("unable to load server certificate: %v", err)
} }
secureServingInfo.Cert = &tlsCert c.Cert = &tlsCert
} }
if len(s.CipherSuites) != 0 { if len(s.CipherSuites) != 0 {
...@@ -232,11 +197,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { ...@@ -232,11 +197,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
if err != nil { if err != nil {
return err return err
} }
secureServingInfo.CipherSuites = cipherSuites c.CipherSuites = cipherSuites
} }
var err error var err error
secureServingInfo.MinTLSVersion, err = utilflag.TLSVersion(s.MinTLSVersion) c.MinTLSVersion, err = utilflag.TLSVersion(s.MinTLSVersion)
if err != nil { if err != nil {
return err return err
} }
...@@ -253,14 +218,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { ...@@ -253,14 +218,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
return fmt.Errorf("failed to load SNI cert and key: %v", err) return fmt.Errorf("failed to load SNI cert and key: %v", err)
} }
} }
secureServingInfo.SNICerts, err = server.GetNamedCertificateMap(namedTLSCerts) c.SNICerts, err = server.GetNamedCertificateMap(namedTLSCerts)
if err != nil { if err != nil {
return err return err
} }
c.SecureServingInfo = secureServingInfo
c.ReadWritePort = s.BindPort
return nil return nil
} }
......
...@@ -32,6 +32,7 @@ import ( ...@@ -32,6 +32,7 @@ import (
"os" "os"
"path/filepath" "path/filepath"
"reflect" "reflect"
"strconv"
"strings" "strings"
"testing" "testing"
"time" "time"
...@@ -47,7 +48,6 @@ import ( ...@@ -47,7 +48,6 @@ import (
utilflag "k8s.io/apiserver/pkg/util/flag" utilflag "k8s.io/apiserver/pkg/util/flag"
"k8s.io/client-go/discovery" "k8s.io/client-go/discovery"
restclient "k8s.io/client-go/rest" restclient "k8s.io/client-go/rest"
"strconv"
) )
func setUp(t *testing.T) Config { func setUp(t *testing.T) Config {
...@@ -471,7 +471,7 @@ NextTest: ...@@ -471,7 +471,7 @@ NextTest:
config.Version = &v config.Version = &v
config.EnableIndex = true config.EnableIndex = true
secureOptions := &SecureServingOptions{ secureOptions := WithLoopback(&SecureServingOptions{
BindAddress: net.ParseIP("127.0.0.1"), BindAddress: net.ParseIP("127.0.0.1"),
BindPort: 6443, BindPort: 6443,
ServerCert: GeneratableKeyCert{ ServerCert: GeneratableKeyCert{
...@@ -481,7 +481,7 @@ NextTest: ...@@ -481,7 +481,7 @@ NextTest:
}, },
}, },
SNICertKeys: namedCertKeys, SNICertKeys: namedCertKeys,
} })
// use a random free port // use a random free port
ln, err := net.Listen("tcp", "127.0.0.1:0") ln, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil { if err != nil {
......
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package options
import (
"crypto/tls"
"fmt"
"github.com/pborman/uuid"
"k8s.io/apiserver/pkg/server"
certutil "k8s.io/client-go/util/cert"
)
type SecureServingOptionsWithLoopback struct {
*SecureServingOptions
}
func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback {
return &SecureServingOptionsWithLoopback{o}
}
// ApplyTo fills up serving information in the server configuration.
func (s *SecureServingOptionsWithLoopback) ApplyTo(c *server.Config) error {
if s == nil || s.SecureServingOptions == nil {
return nil
}
if err := s.SecureServingOptions.ApplyTo(&c.SecureServing); err != nil {
return err
}
if c.SecureServing == nil {
return nil
}
c.ReadWritePort = s.BindPort
// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
// let the server return it when the loopback client connects.
certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
if err != nil {
return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
}
tlsCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil {
return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
}
secureLoopbackClientConfig, err := c.SecureServing.NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
switch {
// if we failed and there's no fallback loopback client config, we need to fail
case err != nil && c.LoopbackClientConfig == nil:
return err
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
case err != nil && c.LoopbackClientConfig != nil:
default:
c.LoopbackClientConfig = secureLoopbackClientConfig
c.SecureServing.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert
}
return nil
}
...@@ -39,17 +39,17 @@ const ( ...@@ -39,17 +39,17 @@ const (
// serveSecurely runs the secure http server. It fails only if certificates cannot // serveSecurely runs the secure http server. It fails only if certificates cannot
// be loaded or the initial listen call fails. The actual server loop (stoppable by closing // be loaded or the initial listen call fails. The actual server loop (stoppable by closing
// stopCh) runs in a go routine, i.e. serveSecurely does not block. // stopCh) runs in a go routine, i.e. serveSecurely does not block.
func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error { func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
if s.SecureServingInfo.Listener == nil { if s.Listener == nil {
return fmt.Errorf("listener must not be nil") return fmt.Errorf("listener must not be nil")
} }
secureServer := &http.Server{ secureServer := &http.Server{
Addr: s.SecureServingInfo.Listener.Addr().String(), Addr: s.Listener.Addr().String(),
Handler: s.Handler, Handler: handler,
MaxHeaderBytes: 1 << 20, MaxHeaderBytes: 1 << 20,
TLSConfig: &tls.Config{ TLSConfig: &tls.Config{
NameToCertificate: s.SecureServingInfo.SNICerts, NameToCertificate: s.SNICerts,
// Can't use SSLv3 because of POODLE and BEAST // Can't use SSLv3 because of POODLE and BEAST
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
// Can't use TLSv1.1 because of RC4 cipher usage // Can't use TLSv1.1 because of RC4 cipher usage
...@@ -59,41 +59,41 @@ func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error { ...@@ -59,41 +59,41 @@ func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error {
}, },
} }
if s.SecureServingInfo.MinTLSVersion > 0 { if s.MinTLSVersion > 0 {
secureServer.TLSConfig.MinVersion = s.SecureServingInfo.MinTLSVersion secureServer.TLSConfig.MinVersion = s.MinTLSVersion
} }
if len(s.SecureServingInfo.CipherSuites) > 0 { if len(s.CipherSuites) > 0 {
secureServer.TLSConfig.CipherSuites = s.SecureServingInfo.CipherSuites secureServer.TLSConfig.CipherSuites = s.CipherSuites
} }
if s.SecureServingInfo.Cert != nil { if s.Cert != nil {
secureServer.TLSConfig.Certificates = []tls.Certificate{*s.SecureServingInfo.Cert} secureServer.TLSConfig.Certificates = []tls.Certificate{*s.Cert}
} }
// append all named certs. Otherwise, the go tls stack will think no SNI processing // append all named certs. Otherwise, the go tls stack will think no SNI processing
// is necessary because there is only one cert anyway. // is necessary because there is only one cert anyway.
// Moreover, if ServerCert.CertFile/ServerCert.KeyFile are not set, the first SNI // Moreover, if ServerCert.CertFile/ServerCert.KeyFile are not set, the first SNI
// cert will become the default cert. That's what we expect anyway. // cert will become the default cert. That's what we expect anyway.
for _, c := range s.SecureServingInfo.SNICerts { for _, c := range s.SNICerts {
secureServer.TLSConfig.Certificates = append(secureServer.TLSConfig.Certificates, *c) secureServer.TLSConfig.Certificates = append(secureServer.TLSConfig.Certificates, *c)
} }
if s.SecureServingInfo.ClientCA != nil { if s.ClientCA != nil {
// Populate PeerCertificates in requests, but don't reject connections without certificates // Populate PeerCertificates in requests, but don't reject connections without certificates
// This allows certificates to be validated by authenticators, while still allowing other auth types // This allows certificates to be validated by authenticators, while still allowing other auth types
secureServer.TLSConfig.ClientAuth = tls.RequestClientCert secureServer.TLSConfig.ClientAuth = tls.RequestClientCert
// Specify allowed CAs for client certificates // Specify allowed CAs for client certificates
secureServer.TLSConfig.ClientCAs = s.SecureServingInfo.ClientCA secureServer.TLSConfig.ClientCAs = s.ClientCA
} }
glog.Infof("Serving securely on %s", secureServer.Addr) glog.Infof("Serving securely on %s", secureServer.Addr)
err := RunServer(secureServer, s.SecureServingInfo.Listener, s.ShutdownTimeout, stopCh) return RunServer(secureServer, s.Listener, shutdownTimeout, stopCh)
return err
} }
// RunServer listens on the given port if listener is not given, // RunServer listens on the given port if listener is not given,
// then spawns a go-routine continuously serving // then spawns a go-routine continuously serving
// until the stopCh is closed. This function does not block. // until the stopCh is closed. This function does not block.
// TODO: make private when insecure serving is gone from the kube-apiserver
func RunServer( func RunServer(
server *http.Server, server *http.Server,
ln net.Listener, ln net.Listener,
......
...@@ -249,7 +249,7 @@ var _ = SIGDescribe("DaemonRestart [Disruptive]", func() { ...@@ -249,7 +249,7 @@ var _ = SIGDescribe("DaemonRestart [Disruptive]", func() {
// Requires master ssh access. // Requires master ssh access.
framework.SkipUnlessProviderIs("gce", "aws") framework.SkipUnlessProviderIs("gce", "aws")
restarter := NewRestartConfig( restarter := NewRestartConfig(
framework.GetMasterHost(), "kube-controller", ports.ControllerManagerPort, restartPollInterval, restartTimeout) framework.GetMasterHost(), "kube-controller", ports.InsecureKubeControllerManagerPort, restartPollInterval, restartTimeout)
restarter.restart() restarter.restart()
// The intent is to ensure the replication controller manager has observed and reported status of // The intent is to ensure the replication controller manager has observed and reported status of
......
...@@ -158,7 +158,7 @@ func (g *MetricsGrabber) GrabFromControllerManager() (ControllerManagerMetrics, ...@@ -158,7 +158,7 @@ func (g *MetricsGrabber) GrabFromControllerManager() (ControllerManagerMetrics,
if !g.registeredMaster { if !g.registeredMaster {
return ControllerManagerMetrics{}, fmt.Errorf("Master's Kubelet is not registered. Skipping ControllerManager's metrics gathering.") return ControllerManagerMetrics{}, fmt.Errorf("Master's Kubelet is not registered. Skipping ControllerManager's metrics gathering.")
} }
output, err := g.getMetricsFromPod(g.client, fmt.Sprintf("%v-%v", "kube-controller-manager", g.masterName), metav1.NamespaceSystem, ports.ControllerManagerPort) output, err := g.getMetricsFromPod(g.client, fmt.Sprintf("%v-%v", "kube-controller-manager", g.masterName), metav1.NamespaceSystem, ports.InsecureKubeControllerManagerPort)
if err != nil { if err != nil {
return ControllerManagerMetrics{}, err return ControllerManagerMetrics{}, err
} }
......
...@@ -3967,7 +3967,7 @@ func RestartControllerManager() error { ...@@ -3967,7 +3967,7 @@ func RestartControllerManager() error {
} }
func WaitForControllerManagerUp() error { func WaitForControllerManagerUp() error {
cmd := "curl http://localhost:" + strconv.Itoa(ports.ControllerManagerPort) + "/healthz" cmd := "curl http://localhost:" + strconv.Itoa(ports.InsecureKubeControllerManagerPort) + "/healthz"
for start := time.Now(); time.Since(start) < time.Minute; time.Sleep(5 * time.Second) { for start := time.Now(); time.Since(start) < time.Minute; time.Sleep(5 * time.Second) {
result, err := SSH(cmd, net.JoinHostPort(GetMasterHost(), sshPort), TestContext.Provider) result, err := SSH(cmd, net.JoinHostPort(GetMasterHost(), sshPort), TestContext.Provider)
if err != nil || result.Code != 0 { if err != nil || result.Code != 0 {
......
...@@ -170,7 +170,7 @@ var _ = SIGDescribe("Firewall rule", func() { ...@@ -170,7 +170,7 @@ var _ = SIGDescribe("Firewall rule", func() {
nodeAddrs := framework.NodeAddresses(nodes, v1.NodeExternalIP) nodeAddrs := framework.NodeAddresses(nodes, v1.NodeExternalIP)
Expect(len(nodeAddrs)).NotTo(BeZero()) Expect(len(nodeAddrs)).NotTo(BeZero())
masterAddr := framework.GetMasterAddress(cs) masterAddr := framework.GetMasterAddress(cs)
flag, _ := framework.TestNotReachableHTTPTimeout(masterAddr, ports.ControllerManagerPort, framework.FirewallTestTcpTimeout) flag, _ := framework.TestNotReachableHTTPTimeout(masterAddr, ports.InsecureKubeControllerManagerPort, framework.FirewallTestTcpTimeout)
Expect(flag).To(BeTrue()) Expect(flag).To(BeTrue())
flag, _ = framework.TestNotReachableHTTPTimeout(masterAddr, ports.SchedulerPort, framework.FirewallTestTcpTimeout) flag, _ = framework.TestNotReachableHTTPTimeout(masterAddr, ports.SchedulerPort, framework.FirewallTestTcpTimeout)
Expect(flag).To(BeTrue()) Expect(flag).To(BeTrue())
......
...@@ -55,8 +55,8 @@ func alwaysAlice(req *http.Request) (user.Info, bool, error) { ...@@ -55,8 +55,8 @@ func alwaysAlice(req *http.Request) (user.Info, bool, error) {
func TestSubjectAccessReview(t *testing.T) { func TestSubjectAccessReview(t *testing.T) {
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = authenticator.RequestFunc(alwaysAlice) masterConfig.GenericConfig.Authentication.Authenticator = authenticator.RequestFunc(alwaysAlice)
masterConfig.GenericConfig.Authorizer = sarAuthorizer{} masterConfig.GenericConfig.Authorization.Authorizer = sarAuthorizer{}
masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit()
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -147,10 +147,10 @@ func TestSubjectAccessReview(t *testing.T) { ...@@ -147,10 +147,10 @@ func TestSubjectAccessReview(t *testing.T) {
func TestSelfSubjectAccessReview(t *testing.T) { func TestSelfSubjectAccessReview(t *testing.T) {
username := "alice" username := "alice"
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) { masterConfig.GenericConfig.Authentication.Authenticator = authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) {
return &user.DefaultInfo{Name: username}, true, nil return &user.DefaultInfo{Name: username}, true, nil
}) })
masterConfig.GenericConfig.Authorizer = sarAuthorizer{} masterConfig.GenericConfig.Authorization.Authorizer = sarAuthorizer{}
masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit()
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -229,8 +229,8 @@ func TestSelfSubjectAccessReview(t *testing.T) { ...@@ -229,8 +229,8 @@ func TestSelfSubjectAccessReview(t *testing.T) {
func TestLocalSubjectAccessReview(t *testing.T) { func TestLocalSubjectAccessReview(t *testing.T) {
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = authenticator.RequestFunc(alwaysAlice) masterConfig.GenericConfig.Authentication.Authenticator = authenticator.RequestFunc(alwaysAlice)
masterConfig.GenericConfig.Authorizer = sarAuthorizer{} masterConfig.GenericConfig.Authorization.Authorizer = sarAuthorizer{}
masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit()
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
......
...@@ -500,7 +500,7 @@ func getPreviousResourceVersionKey(url, id string) string { ...@@ -500,7 +500,7 @@ func getPreviousResourceVersionKey(url, id string) string {
func TestAuthModeAlwaysDeny(t *testing.T) { func TestAuthModeAlwaysDeny(t *testing.T) {
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer() masterConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -549,8 +549,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) { ...@@ -549,8 +549,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = getTestTokenAuth() masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth()
masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{}
masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit()
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -619,8 +619,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) { ...@@ -619,8 +619,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) {
func TestBobIsForbidden(t *testing.T) { func TestBobIsForbidden(t *testing.T) {
// This file has alice and bob in it. // This file has alice and bob in it.
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = getTestTokenAuth() masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth()
masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{}
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -663,8 +663,8 @@ func TestUnknownUserIsUnauthorized(t *testing.T) { ...@@ -663,8 +663,8 @@ func TestUnknownUserIsUnauthorized(t *testing.T) {
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = getTestTokenAuth() masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth()
masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{}
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -725,8 +725,8 @@ func (impersonateAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Deci ...@@ -725,8 +725,8 @@ func (impersonateAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Deci
func TestImpersonateIsForbidden(t *testing.T) { func TestImpersonateIsForbidden(t *testing.T) {
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = getTestTokenAuth() masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth()
masterConfig.GenericConfig.Authorizer = impersonateAuthorizer{} masterConfig.GenericConfig.Authorization.Authorizer = impersonateAuthorizer{}
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -872,8 +872,8 @@ func TestAuthorizationAttributeDetermination(t *testing.T) { ...@@ -872,8 +872,8 @@ func TestAuthorizationAttributeDetermination(t *testing.T) {
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = getTestTokenAuth() masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth()
masterConfig.GenericConfig.Authorizer = trackingAuthorizer masterConfig.GenericConfig.Authorization.Authorizer = trackingAuthorizer
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -938,8 +938,8 @@ func TestNamespaceAuthorization(t *testing.T) { ...@@ -938,8 +938,8 @@ func TestNamespaceAuthorization(t *testing.T) {
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = getTestTokenAuth() masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth()
masterConfig.GenericConfig.Authorizer = a masterConfig.GenericConfig.Authorization.Authorizer = a
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -1036,8 +1036,8 @@ func TestKindAuthorization(t *testing.T) { ...@@ -1036,8 +1036,8 @@ func TestKindAuthorization(t *testing.T) {
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = getTestTokenAuth() masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth()
masterConfig.GenericConfig.Authorizer = a masterConfig.GenericConfig.Authorization.Authorizer = a
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -1120,8 +1120,8 @@ func TestReadOnlyAuthorization(t *testing.T) { ...@@ -1120,8 +1120,8 @@ func TestReadOnlyAuthorization(t *testing.T) {
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = getTestTokenAuth() masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth()
masterConfig.GenericConfig.Authorizer = a masterConfig.GenericConfig.Authorization.Authorizer = a
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
...@@ -1179,8 +1179,8 @@ func TestWebhookTokenAuthenticator(t *testing.T) { ...@@ -1179,8 +1179,8 @@ func TestWebhookTokenAuthenticator(t *testing.T) {
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = authenticator masterConfig.GenericConfig.Authentication.Authenticator = authenticator
masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{}
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
......
...@@ -125,7 +125,7 @@ func TestBootstrapTokenAuth(t *testing.T) { ...@@ -125,7 +125,7 @@ func TestBootstrapTokenAuth(t *testing.T) {
authenticator := bearertoken.New(bootstrap.NewTokenAuthenticator(bootstrapSecrets{test.secret})) authenticator := bearertoken.New(bootstrap.NewTokenAuthenticator(bootstrapSecrets{test.secret}))
// Set up a master // Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = authenticator masterConfig.GenericConfig.Authentication.Authenticator = authenticator
masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit()
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn() defer closeFn()
......
...@@ -101,8 +101,8 @@ func TestNodeAuthorizer(t *testing.T) { ...@@ -101,8 +101,8 @@ func TestNodeAuthorizer(t *testing.T) {
// Start the server // Start the server
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authenticator = authenticator masterConfig.GenericConfig.Authentication.Authenticator = authenticator
masterConfig.GenericConfig.Authorizer = nodeRBACAuthorizer masterConfig.GenericConfig.Authorization.Authorizer = nodeRBACAuthorizer
masterConfig.GenericConfig.AdmissionControl = nodeRestrictionAdmission masterConfig.GenericConfig.AdmissionControl = nodeRestrictionAdmission
_, _, closeFn := framework.RunAMasterUsingServer(masterConfig, apiServer, h) _, _, closeFn := framework.RunAMasterUsingServer(masterConfig, apiServer, h)
......
...@@ -414,8 +414,8 @@ func TestRBAC(t *testing.T) { ...@@ -414,8 +414,8 @@ func TestRBAC(t *testing.T) {
for i, tc := range tests { for i, tc := range tests {
// Create an API Server. // Create an API Server.
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authorizer = newRBACAuthorizer(masterConfig) masterConfig.GenericConfig.Authorization.Authorizer = newRBACAuthorizer(masterConfig)
masterConfig.GenericConfig.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{ masterConfig.GenericConfig.Authentication.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{
superUser: {Name: "admin", Groups: []string{"system:masters"}}, superUser: {Name: "admin", Groups: []string{"system:masters"}},
"any-rolebinding-writer": {Name: "any-rolebinding-writer"}, "any-rolebinding-writer": {Name: "any-rolebinding-writer"},
"any-rolebinding-writer-namespace": {Name: "any-rolebinding-writer-namespace"}, "any-rolebinding-writer-namespace": {Name: "any-rolebinding-writer-namespace"},
...@@ -517,8 +517,8 @@ func TestBootstrapping(t *testing.T) { ...@@ -517,8 +517,8 @@ func TestBootstrapping(t *testing.T) {
superUser := "admin/system:masters" superUser := "admin/system:masters"
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authorizer = newRBACAuthorizer(masterConfig) masterConfig.GenericConfig.Authorization.Authorizer = newRBACAuthorizer(masterConfig)
masterConfig.GenericConfig.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{ masterConfig.GenericConfig.Authentication.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{
superUser: {Name: "admin", Groups: []string{"system:masters"}}, superUser: {Name: "admin", Groups: []string{"system:masters"}},
})) }))
_, s, closeFn := framework.RunAMaster(masterConfig) _, s, closeFn := framework.RunAMaster(masterConfig)
......
...@@ -159,17 +159,17 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv ...@@ -159,17 +159,17 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
} }
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens) tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
if masterConfig.GenericConfig.Authenticator == nil { if masterConfig.GenericConfig.Authentication.Authenticator == nil {
masterConfig.GenericConfig.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty)) masterConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty))
} else { } else {
masterConfig.GenericConfig.Authenticator = authenticatorunion.New(tokenAuthenticator, masterConfig.GenericConfig.Authenticator) masterConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, masterConfig.GenericConfig.Authentication.Authenticator)
} }
if masterConfig.GenericConfig.Authorizer != nil { if masterConfig.GenericConfig.Authorization.Authorizer != nil {
tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup) tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
masterConfig.GenericConfig.Authorizer = authorizerunion.New(tokenAuthorizer, masterConfig.GenericConfig.Authorizer) masterConfig.GenericConfig.Authorization.Authorizer = authorizerunion.New(tokenAuthorizer, masterConfig.GenericConfig.Authorization.Authorizer)
} else { } else {
masterConfig.GenericConfig.Authorizer = alwaysAllow{} masterConfig.GenericConfig.Authorization.Authorizer = alwaysAllow{}
} }
masterConfig.GenericConfig.LoopbackClientConfig.BearerToken = privilegedLoopbackToken masterConfig.GenericConfig.LoopbackClientConfig.BearerToken = privilegedLoopbackToken
...@@ -280,7 +280,7 @@ func NewMasterConfig() *master.Config { ...@@ -280,7 +280,7 @@ func NewMasterConfig() *master.Config {
genericConfig := genericapiserver.NewConfig(legacyscheme.Codecs) genericConfig := genericapiserver.NewConfig(legacyscheme.Codecs)
kubeVersion := version.Get() kubeVersion := version.Get()
genericConfig.Version = &kubeVersion genericConfig.Version = &kubeVersion
genericConfig.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer() genericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
genericConfig.AdmissionControl = admit.NewAlwaysAdmit() genericConfig.AdmissionControl = admit.NewAlwaysAdmit()
genericConfig.EnableMetrics = true genericConfig.EnableMetrics = true
......
...@@ -134,7 +134,7 @@ func TestEmptyList(t *testing.T) { ...@@ -134,7 +134,7 @@ func TestEmptyList(t *testing.T) {
func initStatusForbiddenMasterCongfig() *master.Config { func initStatusForbiddenMasterCongfig() *master.Config {
masterConfig := framework.NewIntegrationTestMasterConfig() masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer() masterConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
return masterConfig return masterConfig
} }
...@@ -143,8 +143,8 @@ func initUnauthorizedMasterCongfig() *master.Config { ...@@ -143,8 +143,8 @@ func initUnauthorizedMasterCongfig() *master.Config {
tokenAuthenticator := tokentest.New() tokenAuthenticator := tokentest.New()
tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"} tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"}
tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"} tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"}
masterConfig.GenericConfig.Authenticator = group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated}) masterConfig.GenericConfig.Authentication.Authenticator = group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated})
masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{}
return masterConfig return masterConfig
} }
......
...@@ -425,8 +425,8 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie ...@@ -425,8 +425,8 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
masterConfig := framework.NewMasterConfig() masterConfig := framework.NewMasterConfig()
masterConfig.GenericConfig.EnableIndex = true masterConfig.GenericConfig.EnableIndex = true
masterConfig.GenericConfig.Authenticator = authenticator masterConfig.GenericConfig.Authentication.Authenticator = authenticator
masterConfig.GenericConfig.Authorizer = authorizer masterConfig.GenericConfig.Authorization.Authorizer = authorizer
masterConfig.GenericConfig.AdmissionControl = serviceAccountAdmission masterConfig.GenericConfig.AdmissionControl = serviceAccountAdmission
framework.RunAMasterUsingServer(masterConfig, apiServer, h) framework.RunAMasterUsingServer(masterConfig, apiServer, h)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment