Commit d23c7368 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #45238 from deads2k/auth-04-expose-kubelet

Automatic merge from submit-queue (batch tested with PRs 45362, 45159, 45321, 45238) expose kubelet authentication and authorization builders The kubelet authentication and authorization builder methods are useful for consumers. @liggitt
parents d22a9c25 0022223d
......@@ -34,7 +34,8 @@ import (
"k8s.io/kubernetes/pkg/kubelet/server"
)
func buildAuth(nodeName types.NodeName, client clientset.Interface, config componentconfig.KubeletConfiguration) (server.AuthInterface, error) {
// BuildAuth creates an authenticator, an authorizer, and a matching authorizer attributes getter compatible with the kubelet's needs
func BuildAuth(nodeName types.NodeName, client clientset.Interface, config componentconfig.KubeletConfiguration) (server.AuthInterface, error) {
// Get clients, if provided
var (
tokenClient authenticationclient.TokenReviewInterface
......@@ -45,14 +46,14 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
sarClient = client.AuthorizationV1beta1().SubjectAccessReviews()
}
authenticator, err := buildAuthn(tokenClient, config.Authentication)
authenticator, err := BuildAuthn(tokenClient, config.Authentication)
if err != nil {
return nil, err
}
attributes := server.NewNodeAuthorizerAttributesGetter(nodeName)
authorizer, err := buildAuthz(sarClient, config.Authorization)
authorizer, err := BuildAuthz(sarClient, config.Authorization)
if err != nil {
return nil, err
}
......@@ -60,7 +61,8 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
return server.NewKubeletAuth(authenticator, attributes, authorizer), nil
}
func buildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
// BuildAuthn creates an authenticator compatible with the kubelet's needs
func BuildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
Anonymous: authn.Anonymous.Enabled,
CacheTTL: authn.Webhook.CacheTTL.Duration,
......@@ -78,7 +80,8 @@ func buildAuthn(client authenticationclient.TokenReviewInterface, authn componen
return authenticator, err
}
func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
// BuildAuthz creates an authorizer compatible with the kubelet's needs
func BuildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
switch authz.Mode {
case componentconfig.KubeletAuthorizationModeAlwaysAllow:
return authorizerfactory.NewAlwaysAllowAuthorizer(), nil
......
......@@ -490,7 +490,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
}
if kubeDeps.Auth == nil {
auth, err := buildAuth(nodeName, kubeDeps.ExternalKubeClient, s.KubeletConfiguration)
auth, err := BuildAuth(nodeName, kubeDeps.ExternalKubeClient, s.KubeletConfiguration)
if err != nil {
return err
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment