apiserver: make SecureServingOptions and authz/n options re-usable
This commit is contained in:
		| @@ -42,7 +42,7 @@ import ( | |||||||
| type ServerRunOptions struct { | type ServerRunOptions struct { | ||||||
| 	GenericServerRunOptions *genericoptions.ServerRunOptions | 	GenericServerRunOptions *genericoptions.ServerRunOptions | ||||||
| 	Etcd                    *genericoptions.EtcdOptions | 	Etcd                    *genericoptions.EtcdOptions | ||||||
| 	SecureServing           *genericoptions.SecureServingOptions | 	SecureServing           *genericoptions.SecureServingOptionsWithLoopback | ||||||
| 	InsecureServing         *kubeoptions.InsecureServingOptions | 	InsecureServing         *kubeoptions.InsecureServingOptions | ||||||
| 	Audit                   *genericoptions.AuditOptions | 	Audit                   *genericoptions.AuditOptions | ||||||
| 	Features                *genericoptions.FeatureOptions | 	Features                *genericoptions.FeatureOptions | ||||||
|   | |||||||
| @@ -26,6 +26,7 @@ import ( | |||||||
|  |  | ||||||
| 	"k8s.io/apimachinery/pkg/util/diff" | 	"k8s.io/apimachinery/pkg/util/diff" | ||||||
| 	apiserveroptions "k8s.io/apiserver/pkg/server/options" | 	apiserveroptions "k8s.io/apiserver/pkg/server/options" | ||||||
|  | 	genericoptions "k8s.io/apiserver/pkg/server/options" | ||||||
| 	"k8s.io/apiserver/pkg/storage/storagebackend" | 	"k8s.io/apiserver/pkg/storage/storagebackend" | ||||||
| 	utilflag "k8s.io/apiserver/pkg/util/flag" | 	utilflag "k8s.io/apiserver/pkg/util/flag" | ||||||
| 	auditwebhook "k8s.io/apiserver/plugin/pkg/audit/webhook" | 	auditwebhook "k8s.io/apiserver/plugin/pkg/audit/webhook" | ||||||
| @@ -137,14 +138,14 @@ func TestAddFlags(t *testing.T) { | |||||||
| 			EnableWatchCache:        true, | 			EnableWatchCache:        true, | ||||||
| 			DefaultWatchCacheSize:   100, | 			DefaultWatchCacheSize:   100, | ||||||
| 		}, | 		}, | ||||||
| 		SecureServing: &apiserveroptions.SecureServingOptions{ | 		SecureServing: genericoptions.WithLoopback(&apiserveroptions.SecureServingOptions{ | ||||||
| 			BindAddress: net.ParseIP("192.168.10.20"), | 			BindAddress: net.ParseIP("192.168.10.20"), | ||||||
| 			BindPort:    6443, | 			BindPort:    6443, | ||||||
| 			ServerCert: apiserveroptions.GeneratableKeyCert{ | 			ServerCert: apiserveroptions.GeneratableKeyCert{ | ||||||
| 				CertDirectory: "/var/run/kubernetes", | 				CertDirectory: "/var/run/kubernetes", | ||||||
| 				PairName:      "apiserver", | 				PairName:      "apiserver", | ||||||
| 			}, | 			}, | ||||||
| 		}, | 		}), | ||||||
| 		InsecureServing: &kubeoptions.InsecureServingOptions{ | 		InsecureServing: &kubeoptions.InsecureServingOptions{ | ||||||
| 			BindAddress: net.ParseIP("127.0.0.1"), | 			BindAddress: net.ParseIP("127.0.0.1"), | ||||||
| 			BindPort:    8080, | 			BindPort:    8080, | ||||||
|   | |||||||
| @@ -450,12 +450,12 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp | |||||||
| 		) | 		) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	genericConfig.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, storageFactory, client, sharedInformers) | 	genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, storageFactory, client, sharedInformers) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, nil, nil, nil, nil, fmt.Errorf("invalid authentication config: %v", err) | 		return nil, nil, nil, nil, nil, fmt.Errorf("invalid authentication config: %v", err) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	genericConfig.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, sharedInformers, versionedInformers) | 	genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, sharedInformers, versionedInformers) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return nil, nil, nil, nil, nil, fmt.Errorf("invalid authorization config: %v", err) | 		return nil, nil, nil, nil, nil, fmt.Errorf("invalid authorization config: %v", err) | ||||||
| 	} | 	} | ||||||
| @@ -634,7 +634,7 @@ func BuildStorageFactory(s *options.ServerRunOptions, apiResourceConfig *servers | |||||||
|  |  | ||||||
| func defaultOptions(s *options.ServerRunOptions) error { | func defaultOptions(s *options.ServerRunOptions) error { | ||||||
| 	// set defaults | 	// set defaults | ||||||
| 	if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing); err != nil { | 	if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil { | 	if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil { | ||||||
|   | |||||||
| @@ -341,19 +341,17 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error | |||||||
|  |  | ||||||
| 	var err error | 	var err error | ||||||
| 	if o.ClientCert != nil { | 	if o.ClientCert != nil { | ||||||
| 		c, err = c.ApplyClientCert(o.ClientCert.ClientCA) | 		if err = c.Authentication.ApplyClientCert(o.ClientCert.ClientCA, c.SecureServing); err != nil { | ||||||
| 		if err != nil { |  | ||||||
| 			return fmt.Errorf("unable to load client CA file: %v", err) | 			return fmt.Errorf("unable to load client CA file: %v", err) | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| 	if o.RequestHeader != nil { | 	if o.RequestHeader != nil { | ||||||
| 		c, err = c.ApplyClientCert(o.RequestHeader.ClientCAFile) | 		if err = c.Authentication.ApplyClientCert(o.RequestHeader.ClientCAFile, c.SecureServing); err != nil { | ||||||
| 		if err != nil { |  | ||||||
| 			return fmt.Errorf("unable to load client CA file: %v", err) | 			return fmt.Errorf("unable to load client CA file: %v", err) | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	c.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0 | 	c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0 | ||||||
|  |  | ||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
|   | |||||||
| @@ -33,15 +33,15 @@ import ( | |||||||
|  |  | ||||||
| // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by | // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by | ||||||
| // "normal" API servers running on the platform | // "normal" API servers running on the platform | ||||||
| func NewSecureServingOptions() *genericoptions.SecureServingOptions { | func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback { | ||||||
| 	return &genericoptions.SecureServingOptions{ | 	return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{ | ||||||
| 		BindAddress: net.ParseIP("0.0.0.0"), | 		BindAddress: net.ParseIP("0.0.0.0"), | ||||||
| 		BindPort:    6443, | 		BindPort:    6443, | ||||||
| 		ServerCert: genericoptions.GeneratableKeyCert{ | 		ServerCert: genericoptions.GeneratableKeyCert{ | ||||||
| 			PairName:      "apiserver", | 			PairName:      "apiserver", | ||||||
| 			CertDirectory: "/var/run/kubernetes", | 			CertDirectory: "/var/run/kubernetes", | ||||||
| 		}, | 		}, | ||||||
| 	} | 	}) | ||||||
| } | } | ||||||
|  |  | ||||||
| // DefaultAdvertiseAddress sets the field AdvertiseAddress if | // DefaultAdvertiseAddress sets the field AdvertiseAddress if | ||||||
|   | |||||||
| @@ -337,15 +337,15 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) | |||||||
| 	// TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery | 	// TODO: describe the priority all the way down in the RESTStorageProviders and plumb it back through the various discovery | ||||||
| 	// handlers that we have. | 	// handlers that we have. | ||||||
| 	restStorageProviders := []RESTStorageProvider{ | 	restStorageProviders := []RESTStorageProvider{ | ||||||
| 		authenticationrest.RESTStorageProvider{Authenticator: c.GenericConfig.Authenticator}, | 		authenticationrest.RESTStorageProvider{Authenticator: c.GenericConfig.Authentication.Authenticator}, | ||||||
| 		authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorizer, RuleResolver: c.GenericConfig.RuleResolver}, | 		authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer, RuleResolver: c.GenericConfig.RuleResolver}, | ||||||
| 		autoscalingrest.RESTStorageProvider{}, | 		autoscalingrest.RESTStorageProvider{}, | ||||||
| 		batchrest.RESTStorageProvider{}, | 		batchrest.RESTStorageProvider{}, | ||||||
| 		certificatesrest.RESTStorageProvider{}, | 		certificatesrest.RESTStorageProvider{}, | ||||||
| 		extensionsrest.RESTStorageProvider{}, | 		extensionsrest.RESTStorageProvider{}, | ||||||
| 		networkingrest.RESTStorageProvider{}, | 		networkingrest.RESTStorageProvider{}, | ||||||
| 		policyrest.RESTStorageProvider{}, | 		policyrest.RESTStorageProvider{}, | ||||||
| 		rbacrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorizer}, | 		rbacrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer}, | ||||||
| 		schedulingrest.RESTStorageProvider{}, | 		schedulingrest.RESTStorageProvider{}, | ||||||
| 		settingsrest.RESTStorageProvider{}, | 		settingsrest.RESTStorageProvider{}, | ||||||
| 		storagerest.RESTStorageProvider{}, | 		storagerest.RESTStorageProvider{}, | ||||||
|   | |||||||
| @@ -79,14 +79,19 @@ const ( | |||||||
| // Config is a structure used to configure a GenericAPIServer. | // Config is a structure used to configure a GenericAPIServer. | ||||||
| // Its members are sorted roughly in order of importance for composers. | // Its members are sorted roughly in order of importance for composers. | ||||||
| type Config struct { | type Config struct { | ||||||
| 	// SecureServingInfo is required to serve https | 	// SecureServing is required to serve https | ||||||
| 	SecureServingInfo *SecureServingInfo | 	SecureServing *SecureServingInfo | ||||||
|  |  | ||||||
|  | 	// Authentication is the configuration for authentication | ||||||
|  | 	Authentication AuthenticationInfo | ||||||
|  |  | ||||||
|  | 	// Authentication is the configuration for authentication | ||||||
|  | 	Authorization AuthorizationInfo | ||||||
|  |  | ||||||
| 	// LoopbackClientConfig is a config for a privileged loopback connection to the API server | 	// LoopbackClientConfig is a config for a privileged loopback connection to the API server | ||||||
| 	// This is required for proper functioning of the PostStartHooks on a GenericAPIServer | 	// This is required for proper functioning of the PostStartHooks on a GenericAPIServer | ||||||
|  | 	// TODO: move into SecureServing(WithLoopback) as soon as insecure serving is gone | ||||||
| 	LoopbackClientConfig *restclient.Config | 	LoopbackClientConfig *restclient.Config | ||||||
| 	// Authenticator determines which subject is making the request |  | ||||||
| 	Authenticator authenticator.Request |  | ||||||
| 	// Authorizer determines whether the subject is allowed to make the request based only | 	// Authorizer determines whether the subject is allowed to make the request based only | ||||||
| 	// on the RequestURI | 	// on the RequestURI | ||||||
| 	Authorizer authorizer.Authorizer | 	Authorizer authorizer.Authorizer | ||||||
| @@ -116,10 +121,6 @@ type Config struct { | |||||||
| 	AuditBackend audit.Backend | 	AuditBackend audit.Backend | ||||||
| 	// AuditPolicyChecker makes the decision of whether and how to audit log a request. | 	// AuditPolicyChecker makes the decision of whether and how to audit log a request. | ||||||
| 	AuditPolicyChecker auditpolicy.Checker | 	AuditPolicyChecker auditpolicy.Checker | ||||||
| 	// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth |  | ||||||
| 	// If this is true, a basic auth challenge is returned on authentication failure |  | ||||||
| 	// TODO(roberthbailey): Remove once the server no longer supports http basic auth. |  | ||||||
| 	SupportsBasicAuth bool |  | ||||||
| 	// ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger) | 	// ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger) | ||||||
| 	// Will default to a value based on secure serving info and available ipv4 IPs. | 	// Will default to a value based on secure serving info and available ipv4 IPs. | ||||||
| 	ExternalAddress string | 	ExternalAddress string | ||||||
| @@ -231,6 +232,21 @@ type SecureServingInfo struct { | |||||||
| 	CipherSuites []uint16 | 	CipherSuites []uint16 | ||||||
| } | } | ||||||
|  |  | ||||||
|  | type AuthenticationInfo struct { | ||||||
|  | 	// Authenticator determines which subject is making the request | ||||||
|  | 	Authenticator authenticator.Request | ||||||
|  | 	// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth | ||||||
|  | 	// If this is true, a basic auth challenge is returned on authentication failure | ||||||
|  | 	// TODO(roberthbailey): Remove once the server no longer supports http basic auth. | ||||||
|  | 	SupportsBasicAuth bool | ||||||
|  | } | ||||||
|  |  | ||||||
|  | type AuthorizationInfo struct { | ||||||
|  | 	// Authorizer determines whether the subject is allowed to make the request based only | ||||||
|  | 	// on the RequestURI | ||||||
|  | 	Authorizer authorizer.Authorizer | ||||||
|  | } | ||||||
|  |  | ||||||
| // NewConfig returns a Config struct with the default values | // NewConfig returns a Config struct with the default values | ||||||
| func NewConfig(codecs serializer.CodecFactory) *Config { | func NewConfig(codecs serializer.CodecFactory) *Config { | ||||||
| 	return &Config{ | 	return &Config{ | ||||||
| @@ -302,23 +318,23 @@ func DefaultSwaggerConfig() *swagger.Config { | |||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
| func (c *Config) ApplyClientCert(clientCAFile string) (*Config, error) { | func (c *AuthenticationInfo) ApplyClientCert(clientCAFile string, servingInfo *SecureServingInfo) error { | ||||||
| 	if c.SecureServingInfo != nil { | 	if servingInfo != nil { | ||||||
| 		if len(clientCAFile) > 0 { | 		if len(clientCAFile) > 0 { | ||||||
| 			clientCAs, err := certutil.CertsFromFile(clientCAFile) | 			clientCAs, err := certutil.CertsFromFile(clientCAFile) | ||||||
| 			if err != nil { | 			if err != nil { | ||||||
| 				return nil, fmt.Errorf("unable to load client CA file: %v", err) | 				return fmt.Errorf("unable to load client CA file: %v", err) | ||||||
| 			} | 			} | ||||||
| 			if c.SecureServingInfo.ClientCA == nil { | 			if servingInfo.ClientCA == nil { | ||||||
| 				c.SecureServingInfo.ClientCA = x509.NewCertPool() | 				servingInfo.ClientCA = x509.NewCertPool() | ||||||
| 			} | 			} | ||||||
| 			for _, cert := range clientCAs { | 			for _, cert := range clientCAs { | ||||||
| 				c.SecureServingInfo.ClientCA.AddCert(cert) | 				servingInfo.ClientCA.AddCert(cert) | ||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	return c, nil | 	return nil | ||||||
| } | } | ||||||
|  |  | ||||||
| type completedConfig struct { | type completedConfig struct { | ||||||
| @@ -385,7 +401,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo | |||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| 	if c.SwaggerConfig != nil && len(c.SwaggerConfig.WebServicesUrl) == 0 { | 	if c.SwaggerConfig != nil && len(c.SwaggerConfig.WebServicesUrl) == 0 { | ||||||
| 		if c.SecureServingInfo != nil { | 		if c.SecureServing != nil { | ||||||
| 			c.SwaggerConfig.WebServicesUrl = "https://" + c.ExternalAddress | 			c.SwaggerConfig.WebServicesUrl = "https://" + c.ExternalAddress | ||||||
| 		} else { | 		} else { | ||||||
| 			c.SwaggerConfig.WebServicesUrl = "http://" + c.ExternalAddress | 			c.SwaggerConfig.WebServicesUrl = "http://" + c.ExternalAddress | ||||||
| @@ -397,7 +413,7 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo | |||||||
|  |  | ||||||
| 	// If the loopbackclientconfig is specified AND it has a token for use against the API server | 	// If the loopbackclientconfig is specified AND it has a token for use against the API server | ||||||
| 	// wrap the authenticator and authorizer in loopback authentication logic | 	// wrap the authenticator and authorizer in loopback authentication logic | ||||||
| 	if c.Authenticator != nil && c.Authorizer != nil && c.LoopbackClientConfig != nil && len(c.LoopbackClientConfig.BearerToken) > 0 { | 	if c.Authentication.Authenticator != nil && c.Authorization.Authorizer != nil && c.LoopbackClientConfig != nil && len(c.LoopbackClientConfig.BearerToken) > 0 { | ||||||
| 		privilegedLoopbackToken := c.LoopbackClientConfig.BearerToken | 		privilegedLoopbackToken := c.LoopbackClientConfig.BearerToken | ||||||
| 		var uid = uuid.NewRandom().String() | 		var uid = uuid.NewRandom().String() | ||||||
| 		tokens := make(map[string]*user.DefaultInfo) | 		tokens := make(map[string]*user.DefaultInfo) | ||||||
| @@ -408,10 +424,10 @@ func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedCo | |||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens) | 		tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens) | ||||||
| 		c.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authenticator) | 		c.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authentication.Authenticator) | ||||||
|  |  | ||||||
| 		tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup) | 		tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup) | ||||||
| 		c.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorizer) | 		c.Authorization.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorization.Authorizer) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if c.RequestInfoResolver == nil { | 	if c.RequestInfoResolver == nil { | ||||||
| @@ -458,7 +474,7 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G | |||||||
| 		minRequestTimeout: time.Duration(c.MinRequestTimeout) * time.Second, | 		minRequestTimeout: time.Duration(c.MinRequestTimeout) * time.Second, | ||||||
| 		ShutdownTimeout:   c.RequestTimeout, | 		ShutdownTimeout:   c.RequestTimeout, | ||||||
|  |  | ||||||
| 		SecureServingInfo: c.SecureServingInfo, | 		SecureServingInfo: c.SecureServing, | ||||||
| 		ExternalAddress:   c.ExternalAddress, | 		ExternalAddress:   c.ExternalAddress, | ||||||
|  |  | ||||||
| 		Handler: apiServerHandler, | 		Handler: apiServerHandler, | ||||||
| @@ -530,19 +546,19 @@ func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*G | |||||||
| } | } | ||||||
|  |  | ||||||
| func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler { | func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler { | ||||||
| 	handler := genericapifilters.WithAuthorization(apiHandler, c.RequestContextMapper, c.Authorizer, c.Serializer) | 	handler := genericapifilters.WithAuthorization(apiHandler, c.RequestContextMapper, c.Authorization.Authorizer, c.Serializer) | ||||||
| 	handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.RequestContextMapper, c.LongRunningFunc) | 	handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.RequestContextMapper, c.LongRunningFunc) | ||||||
| 	handler = genericapifilters.WithImpersonation(handler, c.RequestContextMapper, c.Authorizer, c.Serializer) | 	handler = genericapifilters.WithImpersonation(handler, c.RequestContextMapper, c.Authorization.Authorizer, c.Serializer) | ||||||
| 	if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) { | 	if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) { | ||||||
| 		handler = genericapifilters.WithAudit(handler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc) | 		handler = genericapifilters.WithAudit(handler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc) | ||||||
| 	} else { | 	} else { | ||||||
| 		handler = genericapifilters.WithLegacyAudit(handler, c.RequestContextMapper, c.LegacyAuditWriter) | 		handler = genericapifilters.WithLegacyAudit(handler, c.RequestContextMapper, c.LegacyAuditWriter) | ||||||
| 	} | 	} | ||||||
| 	failedHandler := genericapifilters.Unauthorized(c.RequestContextMapper, c.Serializer, c.SupportsBasicAuth) | 	failedHandler := genericapifilters.Unauthorized(c.RequestContextMapper, c.Serializer, c.Authentication.SupportsBasicAuth) | ||||||
| 	if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) { | 	if utilfeature.DefaultFeatureGate.Enabled(features.AdvancedAuditing) { | ||||||
| 		failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker) | 		failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.RequestContextMapper, c.AuditBackend, c.AuditPolicyChecker) | ||||||
| 	} | 	} | ||||||
| 	handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authenticator, failedHandler) | 	handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authentication.Authenticator, failedHandler) | ||||||
| 	handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true") | 	handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true") | ||||||
| 	handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.RequestContextMapper, c.LongRunningFunc, c.RequestTimeout) | 	handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.RequestContextMapper, c.LongRunningFunc, c.RequestTimeout) | ||||||
| 	handler = genericfilters.WithWaitGroup(handler, c.RequestContextMapper, c.LongRunningFunc, c.HandlerChainWaitGroup) | 	handler = genericfilters.WithWaitGroup(handler, c.RequestContextMapper, c.LongRunningFunc, c.HandlerChainWaitGroup) | ||||||
|   | |||||||
| @@ -310,7 +310,7 @@ func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error { | |||||||
| 	internalStopCh := make(chan struct{}) | 	internalStopCh := make(chan struct{}) | ||||||
|  |  | ||||||
| 	if s.SecureServingInfo != nil && s.Handler != nil { | 	if s.SecureServingInfo != nil && s.Handler != nil { | ||||||
| 		if err := s.serveSecurely(internalStopCh); err != nil { | 		if err := s.SecureServingInfo.Serve(s.Handler, s.ShutdownTimeout, internalStopCh); err != nil { | ||||||
| 			close(internalStopCh) | 			close(internalStopCh) | ||||||
| 			return err | 			return err | ||||||
| 		} | 		} | ||||||
|   | |||||||
| @@ -387,7 +387,7 @@ func TestNotRestRoutesHaveAuth(t *testing.T) { | |||||||
| 	authz := mockAuthorizer{} | 	authz := mockAuthorizer{} | ||||||
|  |  | ||||||
| 	config.LegacyAPIGroupPrefixes = sets.NewString("/apiPrefix") | 	config.LegacyAPIGroupPrefixes = sets.NewString("/apiPrefix") | ||||||
| 	config.Authorizer = &authz | 	config.Authorization.Authorizer = &authz | ||||||
|  |  | ||||||
| 	config.EnableSwaggerUI = true | 	config.EnableSwaggerUI = true | ||||||
| 	config.EnableIndex = true | 	config.EnableIndex = true | ||||||
|   | |||||||
| @@ -15,6 +15,7 @@ go_library( | |||||||
|         "recommended.go", |         "recommended.go", | ||||||
|         "server_run_options.go", |         "server_run_options.go", | ||||||
|         "serving.go", |         "serving.go", | ||||||
|  |         "serving_with_loopback.go", | ||||||
|     ], |     ], | ||||||
|     importpath = "k8s.io/apiserver/pkg/server/options", |     importpath = "k8s.io/apiserver/pkg/server/options", | ||||||
|     visibility = ["//visibility:public"], |     visibility = ["//visibility:public"], | ||||||
|   | |||||||
| @@ -136,7 +136,7 @@ func (a *AdmissionOptions) ApplyTo( | |||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	genericInitializer := initializer.New(clientset, informers, c.Authorizer, scheme) | 	genericInitializer := initializer.New(clientset, informers, c.Authorization.Authorizer, scheme) | ||||||
| 	initializersChain := admission.PluginInitializers{} | 	initializersChain := admission.PluginInitializers{} | ||||||
| 	pluginInitializers = append(pluginInitializers, genericInitializer) | 	pluginInitializers = append(pluginInitializers, genericInitializer) | ||||||
| 	initializersChain = append(initializersChain, pluginInitializers...) | 	initializersChain = append(initializersChain, pluginInitializers...) | ||||||
|   | |||||||
| @@ -32,6 +32,7 @@ import ( | |||||||
| 	coreclient "k8s.io/client-go/kubernetes/typed/core/v1" | 	coreclient "k8s.io/client-go/kubernetes/typed/core/v1" | ||||||
| 	"k8s.io/client-go/rest" | 	"k8s.io/client-go/rest" | ||||||
| 	"k8s.io/client-go/tools/clientcmd" | 	"k8s.io/client-go/tools/clientcmd" | ||||||
|  | 	openapicommon "k8s.io/kube-openapi/pkg/common" | ||||||
| ) | ) | ||||||
|  |  | ||||||
| type RequestHeaderAuthenticationOptions struct { | type RequestHeaderAuthenticationOptions struct { | ||||||
| @@ -146,7 +147,7 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { | |||||||
|  |  | ||||||
| } | } | ||||||
|  |  | ||||||
| func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { | func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo, servingInfo *server.SecureServingInfo, openAPIConfig *openapicommon.Config) error { | ||||||
| 	if s == nil { | 	if s == nil { | ||||||
| 		c.Authenticator = nil | 		c.Authenticator = nil | ||||||
| 		return nil | 		return nil | ||||||
| @@ -156,8 +157,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { | |||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	c, err = c.ApplyClientCert(clientCA.ClientCA) | 	if err = c.ApplyClientCert(clientCA.ClientCA, servingInfo); err != nil { | ||||||
| 	if err != nil { |  | ||||||
| 		return fmt.Errorf("unable to load client CA file: %v", err) | 		return fmt.Errorf("unable to load client CA file: %v", err) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| @@ -165,8 +165,7 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { | |||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	c, err = c.ApplyClientCert(requestHeader.ClientCAFile) | 	if err = c.ApplyClientCert(requestHeader.ClientCAFile, servingInfo); err != nil { | ||||||
| 	if err != nil { |  | ||||||
| 		return fmt.Errorf("unable to load client CA file: %v", err) | 		return fmt.Errorf("unable to load client CA file: %v", err) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| @@ -180,8 +179,8 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	c.Authenticator = authenticator | 	c.Authenticator = authenticator | ||||||
| 	if c.OpenAPIConfig != nil { | 	if openAPIConfig != nil { | ||||||
| 		c.OpenAPIConfig.SecurityDefinitions = securityDefinitions | 		openAPIConfig.SecurityDefinitions = securityDefinitions | ||||||
| 	} | 	} | ||||||
| 	c.SupportsBasicAuth = false | 	c.SupportsBasicAuth = false | ||||||
|  |  | ||||||
|   | |||||||
| @@ -74,7 +74,7 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { | |||||||
| 		"The duration to cache 'unauthorized' responses from the webhook authorizer.") | 		"The duration to cache 'unauthorized' responses from the webhook authorizer.") | ||||||
| } | } | ||||||
|  |  | ||||||
| func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.Config) error { | func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.AuthorizationInfo) error { | ||||||
| 	if s == nil { | 	if s == nil { | ||||||
| 		c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer() | 		c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer() | ||||||
| 		return nil | 		return nil | ||||||
|   | |||||||
| @@ -30,7 +30,7 @@ import ( | |||||||
| // Each of them can be nil to leave the feature unconfigured on ApplyTo. | // Each of them can be nil to leave the feature unconfigured on ApplyTo. | ||||||
| type RecommendedOptions struct { | type RecommendedOptions struct { | ||||||
| 	Etcd           *EtcdOptions | 	Etcd           *EtcdOptions | ||||||
| 	SecureServing  *SecureServingOptions | 	SecureServing  *SecureServingOptionsWithLoopback | ||||||
| 	Authentication *DelegatingAuthenticationOptions | 	Authentication *DelegatingAuthenticationOptions | ||||||
| 	Authorization  *DelegatingAuthorizationOptions | 	Authorization  *DelegatingAuthorizationOptions | ||||||
| 	Audit          *AuditOptions | 	Audit          *AuditOptions | ||||||
| @@ -46,7 +46,7 @@ type RecommendedOptions struct { | |||||||
| func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptions { | func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptions { | ||||||
| 	return &RecommendedOptions{ | 	return &RecommendedOptions{ | ||||||
| 		Etcd:                       NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)), | 		Etcd:                       NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)), | ||||||
| 		SecureServing:              NewSecureServingOptions(), | 		SecureServing:              WithLoopback(NewSecureServingOptions()), | ||||||
| 		Authentication:             NewDelegatingAuthenticationOptions(), | 		Authentication:             NewDelegatingAuthenticationOptions(), | ||||||
| 		Authorization:              NewDelegatingAuthorizationOptions(), | 		Authorization:              NewDelegatingAuthorizationOptions(), | ||||||
| 		Audit:                      NewAuditOptions(), | 		Audit:                      NewAuditOptions(), | ||||||
| @@ -78,10 +78,10 @@ func (o *RecommendedOptions) ApplyTo(config *server.RecommendedConfig, scheme *r | |||||||
| 	if err := o.SecureServing.ApplyTo(&config.Config); err != nil { | 	if err := o.SecureServing.ApplyTo(&config.Config); err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	if err := o.Authentication.ApplyTo(&config.Config); err != nil { | 	if err := o.Authentication.ApplyTo(&config.Config.Authentication, config.SecureServing, config.OpenAPIConfig); err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	if err := o.Authorization.ApplyTo(&config.Config); err != nil { | 	if err := o.Authorization.ApplyTo(&config.Config.Authorization); err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| 	if err := o.Audit.ApplyTo(&config.Config); err != nil { | 	if err := o.Audit.ApplyTo(&config.Config); err != nil { | ||||||
|   | |||||||
| @@ -24,7 +24,6 @@ import ( | |||||||
| 	"strconv" | 	"strconv" | ||||||
|  |  | ||||||
| 	"github.com/golang/glog" | 	"github.com/golang/glog" | ||||||
| 	"github.com/pborman/uuid" |  | ||||||
| 	"github.com/spf13/pflag" | 	"github.com/spf13/pflag" | ||||||
|  |  | ||||||
| 	utilnet "k8s.io/apimachinery/pkg/util/net" | 	utilnet "k8s.io/apimachinery/pkg/util/net" | ||||||
| @@ -110,9 +109,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+ | 	fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+ | ||||||
| 		"The IP address on which to listen for the --secure-port port. The "+ | 		"The IP address on which to listen for the --secure-port port. If blank, all interfaces will be used (0.0.0.0).") | ||||||
| 		"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+ |  | ||||||
| 		"clients. If blank, all interfaces will be used (0.0.0.0).") |  | ||||||
|  |  | ||||||
| 	fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+ | 	fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+ | ||||||
| 		"The port on which to serve HTTPS with authentication and authorization. If 0, "+ | 		"The port on which to serve HTTPS with authentication and authorization. If 0, "+ | ||||||
| @@ -156,7 +153,7 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { | |||||||
| } | } | ||||||
|  |  | ||||||
| // ApplyTo fills up serving information in the server configuration. | // ApplyTo fills up serving information in the server configuration. | ||||||
| func (s *SecureServingOptions) ApplyTo(c *server.Config) error { | func (s *SecureServingOptions) ApplyTo(config **server.SecureServingInfo) error { | ||||||
| 	if s == nil { | 	if s == nil { | ||||||
| 		return nil | 		return nil | ||||||
| 	} | 	} | ||||||
| @@ -173,42 +170,10 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error { | |||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if err := s.applyServingInfoTo(c); err != nil { | 	*config = &server.SecureServingInfo{ | ||||||
| 		return err | 		Listener: s.Listener, | ||||||
| 	} | 	} | ||||||
|  | 	c := *config | ||||||
| 	c.SecureServingInfo.Listener = s.Listener |  | ||||||
|  |  | ||||||
| 	// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and |  | ||||||
| 	// let the server return it when the loopback client connects. |  | ||||||
| 	certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err) |  | ||||||
| 	} |  | ||||||
| 	tlsCert, err := tls.X509KeyPair(certPem, keyPem) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err) |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	secureLoopbackClientConfig, err := c.SecureServingInfo.NewLoopbackClientConfig(uuid.NewRandom().String(), certPem) |  | ||||||
| 	switch { |  | ||||||
| 	// if we failed and there's no fallback loopback client config, we need to fail |  | ||||||
| 	case err != nil && c.LoopbackClientConfig == nil: |  | ||||||
| 		return err |  | ||||||
|  |  | ||||||
| 	// if we failed, but we already have a fallback loopback client config (usually insecure), allow it |  | ||||||
| 	case err != nil && c.LoopbackClientConfig != nil: |  | ||||||
|  |  | ||||||
| 	default: |  | ||||||
| 		c.LoopbackClientConfig = secureLoopbackClientConfig |  | ||||||
| 		c.SecureServingInfo.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	return nil |  | ||||||
| } |  | ||||||
|  |  | ||||||
| func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { |  | ||||||
| 	secureServingInfo := &server.SecureServingInfo{} |  | ||||||
|  |  | ||||||
| 	serverCertFile, serverKeyFile := s.ServerCert.CertKey.CertFile, s.ServerCert.CertKey.KeyFile | 	serverCertFile, serverKeyFile := s.ServerCert.CertKey.CertFile, s.ServerCert.CertKey.KeyFile | ||||||
| 	// load main cert | 	// load main cert | ||||||
| @@ -217,7 +182,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { | |||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			return fmt.Errorf("unable to load server certificate: %v", err) | 			return fmt.Errorf("unable to load server certificate: %v", err) | ||||||
| 		} | 		} | ||||||
| 		secureServingInfo.Cert = &tlsCert | 		c.Cert = &tlsCert | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if len(s.CipherSuites) != 0 { | 	if len(s.CipherSuites) != 0 { | ||||||
| @@ -225,11 +190,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { | |||||||
| 		if err != nil { | 		if err != nil { | ||||||
| 			return err | 			return err | ||||||
| 		} | 		} | ||||||
| 		secureServingInfo.CipherSuites = cipherSuites | 		c.CipherSuites = cipherSuites | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	var err error | 	var err error | ||||||
| 	secureServingInfo.MinTLSVersion, err = utilflag.TLSVersion(s.MinTLSVersion) | 	c.MinTLSVersion, err = utilflag.TLSVersion(s.MinTLSVersion) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
| @@ -246,14 +211,11 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { | |||||||
| 			return fmt.Errorf("failed to load SNI cert and key: %v", err) | 			return fmt.Errorf("failed to load SNI cert and key: %v", err) | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| 	secureServingInfo.SNICerts, err = server.GetNamedCertificateMap(namedTLSCerts) | 	c.SNICerts, err = server.GetNamedCertificateMap(namedTLSCerts) | ||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	c.SecureServingInfo = secureServingInfo |  | ||||||
| 	c.ReadWritePort = s.BindPort |  | ||||||
|  |  | ||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
| @@ -32,6 +32,7 @@ import ( | |||||||
| 	"os" | 	"os" | ||||||
| 	"path/filepath" | 	"path/filepath" | ||||||
| 	"reflect" | 	"reflect" | ||||||
|  | 	"strconv" | ||||||
| 	"strings" | 	"strings" | ||||||
| 	"testing" | 	"testing" | ||||||
| 	"time" | 	"time" | ||||||
| @@ -47,7 +48,6 @@ import ( | |||||||
| 	utilflag "k8s.io/apiserver/pkg/util/flag" | 	utilflag "k8s.io/apiserver/pkg/util/flag" | ||||||
| 	"k8s.io/client-go/discovery" | 	"k8s.io/client-go/discovery" | ||||||
| 	restclient "k8s.io/client-go/rest" | 	restclient "k8s.io/client-go/rest" | ||||||
| 	"strconv" |  | ||||||
| ) | ) | ||||||
|  |  | ||||||
| func setUp(t *testing.T) Config { | func setUp(t *testing.T) Config { | ||||||
| @@ -471,7 +471,7 @@ NextTest: | |||||||
| 			config.Version = &v | 			config.Version = &v | ||||||
|  |  | ||||||
| 			config.EnableIndex = true | 			config.EnableIndex = true | ||||||
| 			secureOptions := &SecureServingOptions{ | 			secureOptions := WithLoopback(&SecureServingOptions{ | ||||||
| 				BindAddress: net.ParseIP("127.0.0.1"), | 				BindAddress: net.ParseIP("127.0.0.1"), | ||||||
| 				BindPort:    6443, | 				BindPort:    6443, | ||||||
| 				ServerCert: GeneratableKeyCert{ | 				ServerCert: GeneratableKeyCert{ | ||||||
| @@ -481,7 +481,7 @@ NextTest: | |||||||
| 					}, | 					}, | ||||||
| 				}, | 				}, | ||||||
| 				SNICertKeys: namedCertKeys, | 				SNICertKeys: namedCertKeys, | ||||||
| 			} | 			}) | ||||||
| 			// use a random free port | 			// use a random free port | ||||||
| 			ln, err := net.Listen("tcp", "127.0.0.1:0") | 			ln, err := net.Listen("tcp", "127.0.0.1:0") | ||||||
| 			if err != nil { | 			if err != nil { | ||||||
|   | |||||||
| @@ -0,0 +1,79 @@ | |||||||
|  | /* | ||||||
|  | Copyright 2018 The Kubernetes Authors. | ||||||
|  |  | ||||||
|  | Licensed under the Apache License, Version 2.0 (the "License"); | ||||||
|  | you may not use this file except in compliance with the License. | ||||||
|  | You may obtain a copy of the License at | ||||||
|  |  | ||||||
|  |     http://www.apache.org/licenses/LICENSE-2.0 | ||||||
|  |  | ||||||
|  | Unless required by applicable law or agreed to in writing, software | ||||||
|  | distributed under the License is distributed on an "AS IS" BASIS, | ||||||
|  | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||||
|  | See the License for the specific language governing permissions and | ||||||
|  | limitations under the License. | ||||||
|  | */ | ||||||
|  |  | ||||||
|  | package options | ||||||
|  |  | ||||||
|  | import ( | ||||||
|  | 	"crypto/tls" | ||||||
|  | 	"fmt" | ||||||
|  |  | ||||||
|  | 	"github.com/pborman/uuid" | ||||||
|  |  | ||||||
|  | 	"k8s.io/apiserver/pkg/server" | ||||||
|  | 	certutil "k8s.io/client-go/util/cert" | ||||||
|  | ) | ||||||
|  |  | ||||||
|  | type SecureServingOptionsWithLoopback struct { | ||||||
|  | 	*SecureServingOptions | ||||||
|  | } | ||||||
|  |  | ||||||
|  | func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback { | ||||||
|  | 	return &SecureServingOptionsWithLoopback{o} | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // ApplyTo fills up serving information in the server configuration. | ||||||
|  | func (s *SecureServingOptionsWithLoopback) ApplyTo(c *server.Config) error { | ||||||
|  | 	if s == nil || s.SecureServingOptions == nil { | ||||||
|  | 		return nil | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	if err := s.SecureServingOptions.ApplyTo(&c.SecureServing); err != nil { | ||||||
|  | 		return err | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	if c.SecureServing == nil { | ||||||
|  | 		return nil | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	c.ReadWritePort = s.BindPort | ||||||
|  |  | ||||||
|  | 	// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and | ||||||
|  | 	// let the server return it when the loopback client connects. | ||||||
|  | 	certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err) | ||||||
|  | 	} | ||||||
|  | 	tlsCert, err := tls.X509KeyPair(certPem, keyPem) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err) | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	secureLoopbackClientConfig, err := c.SecureServing.NewLoopbackClientConfig(uuid.NewRandom().String(), certPem) | ||||||
|  | 	switch { | ||||||
|  | 	// if we failed and there's no fallback loopback client config, we need to fail | ||||||
|  | 	case err != nil && c.LoopbackClientConfig == nil: | ||||||
|  | 		return err | ||||||
|  |  | ||||||
|  | 	// if we failed, but we already have a fallback loopback client config (usually insecure), allow it | ||||||
|  | 	case err != nil && c.LoopbackClientConfig != nil: | ||||||
|  |  | ||||||
|  | 	default: | ||||||
|  | 		c.LoopbackClientConfig = secureLoopbackClientConfig | ||||||
|  | 		c.SecureServing.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert | ||||||
|  | 	} | ||||||
|  |  | ||||||
|  | 	return nil | ||||||
|  | } | ||||||
| @@ -39,17 +39,17 @@ const ( | |||||||
| // serveSecurely runs the secure http server. It fails only if certificates cannot | // serveSecurely runs the secure http server. It fails only if certificates cannot | ||||||
| // be loaded or the initial listen call fails. The actual server loop (stoppable by closing | // be loaded or the initial listen call fails. The actual server loop (stoppable by closing | ||||||
| // stopCh) runs in a go routine, i.e. serveSecurely does not block. | // stopCh) runs in a go routine, i.e. serveSecurely does not block. | ||||||
| func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error { | func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error { | ||||||
| 	if s.SecureServingInfo.Listener == nil { | 	if s.Listener == nil { | ||||||
| 		return fmt.Errorf("listener must not be nil") | 		return fmt.Errorf("listener must not be nil") | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	secureServer := &http.Server{ | 	secureServer := &http.Server{ | ||||||
| 		Addr:           s.SecureServingInfo.Listener.Addr().String(), | 		Addr:           s.Listener.Addr().String(), | ||||||
| 		Handler:        s.Handler, | 		Handler:        handler, | ||||||
| 		MaxHeaderBytes: 1 << 20, | 		MaxHeaderBytes: 1 << 20, | ||||||
| 		TLSConfig: &tls.Config{ | 		TLSConfig: &tls.Config{ | ||||||
| 			NameToCertificate: s.SecureServingInfo.SNICerts, | 			NameToCertificate: s.SNICerts, | ||||||
| 			// Can't use SSLv3 because of POODLE and BEAST | 			// Can't use SSLv3 because of POODLE and BEAST | ||||||
| 			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher | 			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher | ||||||
| 			// Can't use TLSv1.1 because of RC4 cipher usage | 			// Can't use TLSv1.1 because of RC4 cipher usage | ||||||
| @@ -59,41 +59,41 @@ func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error { | |||||||
| 		}, | 		}, | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if s.SecureServingInfo.MinTLSVersion > 0 { | 	if s.MinTLSVersion > 0 { | ||||||
| 		secureServer.TLSConfig.MinVersion = s.SecureServingInfo.MinTLSVersion | 		secureServer.TLSConfig.MinVersion = s.MinTLSVersion | ||||||
| 	} | 	} | ||||||
| 	if len(s.SecureServingInfo.CipherSuites) > 0 { | 	if len(s.CipherSuites) > 0 { | ||||||
| 		secureServer.TLSConfig.CipherSuites = s.SecureServingInfo.CipherSuites | 		secureServer.TLSConfig.CipherSuites = s.CipherSuites | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if s.SecureServingInfo.Cert != nil { | 	if s.Cert != nil { | ||||||
| 		secureServer.TLSConfig.Certificates = []tls.Certificate{*s.SecureServingInfo.Cert} | 		secureServer.TLSConfig.Certificates = []tls.Certificate{*s.Cert} | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	// append all named certs. Otherwise, the go tls stack will think no SNI processing | 	// append all named certs. Otherwise, the go tls stack will think no SNI processing | ||||||
| 	// is necessary because there is only one cert anyway. | 	// is necessary because there is only one cert anyway. | ||||||
| 	// Moreover, if ServerCert.CertFile/ServerCert.KeyFile are not set, the first SNI | 	// Moreover, if ServerCert.CertFile/ServerCert.KeyFile are not set, the first SNI | ||||||
| 	// cert will become the default cert. That's what we expect anyway. | 	// cert will become the default cert. That's what we expect anyway. | ||||||
| 	for _, c := range s.SecureServingInfo.SNICerts { | 	for _, c := range s.SNICerts { | ||||||
| 		secureServer.TLSConfig.Certificates = append(secureServer.TLSConfig.Certificates, *c) | 		secureServer.TLSConfig.Certificates = append(secureServer.TLSConfig.Certificates, *c) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if s.SecureServingInfo.ClientCA != nil { | 	if s.ClientCA != nil { | ||||||
| 		// Populate PeerCertificates in requests, but don't reject connections without certificates | 		// Populate PeerCertificates in requests, but don't reject connections without certificates | ||||||
| 		// This allows certificates to be validated by authenticators, while still allowing other auth types | 		// This allows certificates to be validated by authenticators, while still allowing other auth types | ||||||
| 		secureServer.TLSConfig.ClientAuth = tls.RequestClientCert | 		secureServer.TLSConfig.ClientAuth = tls.RequestClientCert | ||||||
| 		// Specify allowed CAs for client certificates | 		// Specify allowed CAs for client certificates | ||||||
| 		secureServer.TLSConfig.ClientCAs = s.SecureServingInfo.ClientCA | 		secureServer.TLSConfig.ClientCAs = s.ClientCA | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	glog.Infof("Serving securely on %s", secureServer.Addr) | 	glog.Infof("Serving securely on %s", secureServer.Addr) | ||||||
| 	err := RunServer(secureServer, s.SecureServingInfo.Listener, s.ShutdownTimeout, stopCh) | 	return RunServer(secureServer, s.Listener, shutdownTimeout, stopCh) | ||||||
| 	return err |  | ||||||
| } | } | ||||||
|  |  | ||||||
| // RunServer listens on the given port if listener is not given, | // RunServer listens on the given port if listener is not given, | ||||||
| // then spawns a go-routine continuously serving | // then spawns a go-routine continuously serving | ||||||
| // until the stopCh is closed. This function does not block. | // until the stopCh is closed. This function does not block. | ||||||
|  | // TODO: make private when insecure serving is gone from the kube-apiserver | ||||||
| func RunServer( | func RunServer( | ||||||
| 	server *http.Server, | 	server *http.Server, | ||||||
| 	ln net.Listener, | 	ln net.Listener, | ||||||
|   | |||||||
| @@ -55,8 +55,8 @@ func alwaysAlice(req *http.Request) (user.Info, bool, error) { | |||||||
|  |  | ||||||
| func TestSubjectAccessReview(t *testing.T) { | func TestSubjectAccessReview(t *testing.T) { | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = authenticator.RequestFunc(alwaysAlice) | 	masterConfig.GenericConfig.Authentication.Authenticator = authenticator.RequestFunc(alwaysAlice) | ||||||
| 	masterConfig.GenericConfig.Authorizer = sarAuthorizer{} | 	masterConfig.GenericConfig.Authorization.Authorizer = sarAuthorizer{} | ||||||
| 	masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | 	masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
| @@ -147,10 +147,10 @@ func TestSubjectAccessReview(t *testing.T) { | |||||||
| func TestSelfSubjectAccessReview(t *testing.T) { | func TestSelfSubjectAccessReview(t *testing.T) { | ||||||
| 	username := "alice" | 	username := "alice" | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) { | 	masterConfig.GenericConfig.Authentication.Authenticator = authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) { | ||||||
| 		return &user.DefaultInfo{Name: username}, true, nil | 		return &user.DefaultInfo{Name: username}, true, nil | ||||||
| 	}) | 	}) | ||||||
| 	masterConfig.GenericConfig.Authorizer = sarAuthorizer{} | 	masterConfig.GenericConfig.Authorization.Authorizer = sarAuthorizer{} | ||||||
| 	masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | 	masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
| @@ -229,8 +229,8 @@ func TestSelfSubjectAccessReview(t *testing.T) { | |||||||
|  |  | ||||||
| func TestLocalSubjectAccessReview(t *testing.T) { | func TestLocalSubjectAccessReview(t *testing.T) { | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = authenticator.RequestFunc(alwaysAlice) | 	masterConfig.GenericConfig.Authentication.Authenticator = authenticator.RequestFunc(alwaysAlice) | ||||||
| 	masterConfig.GenericConfig.Authorizer = sarAuthorizer{} | 	masterConfig.GenericConfig.Authorization.Authorizer = sarAuthorizer{} | ||||||
| 	masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | 	masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|   | |||||||
| @@ -500,7 +500,7 @@ func getPreviousResourceVersionKey(url, id string) string { | |||||||
| func TestAuthModeAlwaysDeny(t *testing.T) { | func TestAuthModeAlwaysDeny(t *testing.T) { | ||||||
| 	// Set up a master | 	// Set up a master | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer() | 	masterConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer() | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|  |  | ||||||
| @@ -549,8 +549,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) { | |||||||
|  |  | ||||||
| 	// Set up a master | 	// Set up a master | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = getTestTokenAuth() | 	masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth() | ||||||
| 	masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} | 	masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{} | ||||||
| 	masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | 	masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
| @@ -619,8 +619,8 @@ func TestAliceNotForbiddenOrUnauthorized(t *testing.T) { | |||||||
| func TestBobIsForbidden(t *testing.T) { | func TestBobIsForbidden(t *testing.T) { | ||||||
| 	// This file has alice and bob in it. | 	// This file has alice and bob in it. | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = getTestTokenAuth() | 	masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth() | ||||||
| 	masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} | 	masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{} | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|  |  | ||||||
| @@ -663,8 +663,8 @@ func TestUnknownUserIsUnauthorized(t *testing.T) { | |||||||
|  |  | ||||||
| 	// Set up a master | 	// Set up a master | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = getTestTokenAuth() | 	masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth() | ||||||
| 	masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} | 	masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{} | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|  |  | ||||||
| @@ -725,8 +725,8 @@ func (impersonateAuthorizer) Authorize(a authorizer.Attributes) (authorizer.Deci | |||||||
| func TestImpersonateIsForbidden(t *testing.T) { | func TestImpersonateIsForbidden(t *testing.T) { | ||||||
| 	// Set up a master | 	// Set up a master | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = getTestTokenAuth() | 	masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth() | ||||||
| 	masterConfig.GenericConfig.Authorizer = impersonateAuthorizer{} | 	masterConfig.GenericConfig.Authorization.Authorizer = impersonateAuthorizer{} | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|  |  | ||||||
| @@ -872,8 +872,8 @@ func TestAuthorizationAttributeDetermination(t *testing.T) { | |||||||
|  |  | ||||||
| 	// Set up a master | 	// Set up a master | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = getTestTokenAuth() | 	masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth() | ||||||
| 	masterConfig.GenericConfig.Authorizer = trackingAuthorizer | 	masterConfig.GenericConfig.Authorization.Authorizer = trackingAuthorizer | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|  |  | ||||||
| @@ -938,8 +938,8 @@ func TestNamespaceAuthorization(t *testing.T) { | |||||||
|  |  | ||||||
| 	// Set up a master | 	// Set up a master | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = getTestTokenAuth() | 	masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth() | ||||||
| 	masterConfig.GenericConfig.Authorizer = a | 	masterConfig.GenericConfig.Authorization.Authorizer = a | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|  |  | ||||||
| @@ -1036,8 +1036,8 @@ func TestKindAuthorization(t *testing.T) { | |||||||
|  |  | ||||||
| 	// Set up a master | 	// Set up a master | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = getTestTokenAuth() | 	masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth() | ||||||
| 	masterConfig.GenericConfig.Authorizer = a | 	masterConfig.GenericConfig.Authorization.Authorizer = a | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|  |  | ||||||
| @@ -1120,8 +1120,8 @@ func TestReadOnlyAuthorization(t *testing.T) { | |||||||
|  |  | ||||||
| 	// Set up a master | 	// Set up a master | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = getTestTokenAuth() | 	masterConfig.GenericConfig.Authentication.Authenticator = getTestTokenAuth() | ||||||
| 	masterConfig.GenericConfig.Authorizer = a | 	masterConfig.GenericConfig.Authorization.Authorizer = a | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|  |  | ||||||
| @@ -1179,8 +1179,8 @@ func TestWebhookTokenAuthenticator(t *testing.T) { | |||||||
|  |  | ||||||
| 	// Set up a master | 	// Set up a master | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = authenticator | 	masterConfig.GenericConfig.Authentication.Authenticator = authenticator | ||||||
| 	masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} | 	masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{} | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 	defer closeFn() | 	defer closeFn() | ||||||
|  |  | ||||||
|   | |||||||
| @@ -125,7 +125,7 @@ func TestBootstrapTokenAuth(t *testing.T) { | |||||||
| 		authenticator := bearertoken.New(bootstrap.NewTokenAuthenticator(bootstrapSecrets{test.secret})) | 		authenticator := bearertoken.New(bootstrap.NewTokenAuthenticator(bootstrapSecrets{test.secret})) | ||||||
| 		// Set up a master | 		// Set up a master | ||||||
| 		masterConfig := framework.NewIntegrationTestMasterConfig() | 		masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 		masterConfig.GenericConfig.Authenticator = authenticator | 		masterConfig.GenericConfig.Authentication.Authenticator = authenticator | ||||||
| 		masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | 		masterConfig.GenericConfig.AdmissionControl = admit.NewAlwaysAdmit() | ||||||
| 		_, s, closeFn := framework.RunAMaster(masterConfig) | 		_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
| 		defer closeFn() | 		defer closeFn() | ||||||
|   | |||||||
| @@ -101,8 +101,8 @@ func TestNodeAuthorizer(t *testing.T) { | |||||||
|  |  | ||||||
| 	// Start the server | 	// Start the server | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authenticator = authenticator | 	masterConfig.GenericConfig.Authentication.Authenticator = authenticator | ||||||
| 	masterConfig.GenericConfig.Authorizer = nodeRBACAuthorizer | 	masterConfig.GenericConfig.Authorization.Authorizer = nodeRBACAuthorizer | ||||||
| 	masterConfig.GenericConfig.AdmissionControl = nodeRestrictionAdmission | 	masterConfig.GenericConfig.AdmissionControl = nodeRestrictionAdmission | ||||||
|  |  | ||||||
| 	_, _, closeFn := framework.RunAMasterUsingServer(masterConfig, apiServer, h) | 	_, _, closeFn := framework.RunAMasterUsingServer(masterConfig, apiServer, h) | ||||||
|   | |||||||
| @@ -414,8 +414,8 @@ func TestRBAC(t *testing.T) { | |||||||
| 	for i, tc := range tests { | 	for i, tc := range tests { | ||||||
| 		// Create an API Server. | 		// Create an API Server. | ||||||
| 		masterConfig := framework.NewIntegrationTestMasterConfig() | 		masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 		masterConfig.GenericConfig.Authorizer = newRBACAuthorizer(masterConfig) | 		masterConfig.GenericConfig.Authorization.Authorizer = newRBACAuthorizer(masterConfig) | ||||||
| 		masterConfig.GenericConfig.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{ | 		masterConfig.GenericConfig.Authentication.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{ | ||||||
| 			superUser:                          {Name: "admin", Groups: []string{"system:masters"}}, | 			superUser:                          {Name: "admin", Groups: []string{"system:masters"}}, | ||||||
| 			"any-rolebinding-writer":           {Name: "any-rolebinding-writer"}, | 			"any-rolebinding-writer":           {Name: "any-rolebinding-writer"}, | ||||||
| 			"any-rolebinding-writer-namespace": {Name: "any-rolebinding-writer-namespace"}, | 			"any-rolebinding-writer-namespace": {Name: "any-rolebinding-writer-namespace"}, | ||||||
| @@ -517,8 +517,8 @@ func TestBootstrapping(t *testing.T) { | |||||||
| 	superUser := "admin/system:masters" | 	superUser := "admin/system:masters" | ||||||
|  |  | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authorizer = newRBACAuthorizer(masterConfig) | 	masterConfig.GenericConfig.Authorization.Authorizer = newRBACAuthorizer(masterConfig) | ||||||
| 	masterConfig.GenericConfig.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{ | 	masterConfig.GenericConfig.Authentication.Authenticator = bearertoken.New(tokenfile.New(map[string]*user.DefaultInfo{ | ||||||
| 		superUser: {Name: "admin", Groups: []string{"system:masters"}}, | 		superUser: {Name: "admin", Groups: []string{"system:masters"}}, | ||||||
| 	})) | 	})) | ||||||
| 	_, s, closeFn := framework.RunAMaster(masterConfig) | 	_, s, closeFn := framework.RunAMaster(masterConfig) | ||||||
|   | |||||||
| @@ -160,17 +160,17 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens) | 	tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens) | ||||||
| 	if masterConfig.GenericConfig.Authenticator == nil { | 	if masterConfig.GenericConfig.Authentication.Authenticator == nil { | ||||||
| 		masterConfig.GenericConfig.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty)) | 		masterConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty)) | ||||||
| 	} else { | 	} else { | ||||||
| 		masterConfig.GenericConfig.Authenticator = authenticatorunion.New(tokenAuthenticator, masterConfig.GenericConfig.Authenticator) | 		masterConfig.GenericConfig.Authentication.Authenticator = authenticatorunion.New(tokenAuthenticator, masterConfig.GenericConfig.Authentication.Authenticator) | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if masterConfig.GenericConfig.Authorizer != nil { | 	if masterConfig.GenericConfig.Authorization.Authorizer != nil { | ||||||
| 		tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup) | 		tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup) | ||||||
| 		masterConfig.GenericConfig.Authorizer = authorizerunion.New(tokenAuthorizer, masterConfig.GenericConfig.Authorizer) | 		masterConfig.GenericConfig.Authorization.Authorizer = authorizerunion.New(tokenAuthorizer, masterConfig.GenericConfig.Authorization.Authorizer) | ||||||
| 	} else { | 	} else { | ||||||
| 		masterConfig.GenericConfig.Authorizer = alwaysAllow{} | 		masterConfig.GenericConfig.Authorization.Authorizer = alwaysAllow{} | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	masterConfig.GenericConfig.LoopbackClientConfig.BearerToken = privilegedLoopbackToken | 	masterConfig.GenericConfig.LoopbackClientConfig.BearerToken = privilegedLoopbackToken | ||||||
| @@ -281,7 +281,7 @@ func NewMasterConfig() *master.Config { | |||||||
| 	genericConfig := genericapiserver.NewConfig(legacyscheme.Codecs) | 	genericConfig := genericapiserver.NewConfig(legacyscheme.Codecs) | ||||||
| 	kubeVersion := version.Get() | 	kubeVersion := version.Get() | ||||||
| 	genericConfig.Version = &kubeVersion | 	genericConfig.Version = &kubeVersion | ||||||
| 	genericConfig.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer() | 	genericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer() | ||||||
| 	genericConfig.AdmissionControl = admit.NewAlwaysAdmit() | 	genericConfig.AdmissionControl = admit.NewAlwaysAdmit() | ||||||
| 	genericConfig.EnableMetrics = true | 	genericConfig.EnableMetrics = true | ||||||
|  |  | ||||||
|   | |||||||
| @@ -134,7 +134,7 @@ func TestEmptyList(t *testing.T) { | |||||||
|  |  | ||||||
| func initStatusForbiddenMasterCongfig() *master.Config { | func initStatusForbiddenMasterCongfig() *master.Config { | ||||||
| 	masterConfig := framework.NewIntegrationTestMasterConfig() | 	masterConfig := framework.NewIntegrationTestMasterConfig() | ||||||
| 	masterConfig.GenericConfig.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer() | 	masterConfig.GenericConfig.Authorization.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer() | ||||||
| 	return masterConfig | 	return masterConfig | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -143,8 +143,8 @@ func initUnauthorizedMasterCongfig() *master.Config { | |||||||
| 	tokenAuthenticator := tokentest.New() | 	tokenAuthenticator := tokentest.New() | ||||||
| 	tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"} | 	tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"} | ||||||
| 	tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"} | 	tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"} | ||||||
| 	masterConfig.GenericConfig.Authenticator = group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated}) | 	masterConfig.GenericConfig.Authentication.Authenticator = group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated}) | ||||||
| 	masterConfig.GenericConfig.Authorizer = allowAliceAuthorizer{} | 	masterConfig.GenericConfig.Authorization.Authorizer = allowAliceAuthorizer{} | ||||||
| 	return masterConfig | 	return masterConfig | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
| @@ -425,8 +425,8 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie | |||||||
|  |  | ||||||
| 	masterConfig := framework.NewMasterConfig() | 	masterConfig := framework.NewMasterConfig() | ||||||
| 	masterConfig.GenericConfig.EnableIndex = true | 	masterConfig.GenericConfig.EnableIndex = true | ||||||
| 	masterConfig.GenericConfig.Authenticator = authenticator | 	masterConfig.GenericConfig.Authentication.Authenticator = authenticator | ||||||
| 	masterConfig.GenericConfig.Authorizer = authorizer | 	masterConfig.GenericConfig.Authorization.Authorizer = authorizer | ||||||
| 	masterConfig.GenericConfig.AdmissionControl = serviceAccountAdmission | 	masterConfig.GenericConfig.AdmissionControl = serviceAccountAdmission | ||||||
| 	framework.RunAMasterUsingServer(masterConfig, apiServer, h) | 	framework.RunAMasterUsingServer(masterConfig, apiServer, h) | ||||||
|  |  | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Dr. Stefan Schimanski
					Dr. Stefan Schimanski