Disable RBAC post-start hook if not using the RBAC authorizer
		@@ -32,12 +32,14 @@ go_library(
 | 
				
			|||||||
        "//pkg/kubeapiserver:go_default_library",
 | 
					        "//pkg/kubeapiserver:go_default_library",
 | 
				
			||||||
        "//pkg/kubeapiserver/admission:go_default_library",
 | 
					        "//pkg/kubeapiserver/admission:go_default_library",
 | 
				
			||||||
        "//pkg/kubeapiserver/authenticator:go_default_library",
 | 
					        "//pkg/kubeapiserver/authenticator:go_default_library",
 | 
				
			||||||
 | 
					        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
 | 
				
			||||||
        "//pkg/kubeapiserver/options:go_default_library",
 | 
					        "//pkg/kubeapiserver/options:go_default_library",
 | 
				
			||||||
        "//pkg/kubeapiserver/server:go_default_library",
 | 
					        "//pkg/kubeapiserver/server:go_default_library",
 | 
				
			||||||
        "//pkg/master:go_default_library",
 | 
					        "//pkg/master:go_default_library",
 | 
				
			||||||
        "//pkg/master/thirdparty:go_default_library",
 | 
					        "//pkg/master/thirdparty:go_default_library",
 | 
				
			||||||
        "//pkg/master/tunneler:go_default_library",
 | 
					        "//pkg/master/tunneler:go_default_library",
 | 
				
			||||||
        "//pkg/registry/cachesize:go_default_library",
 | 
					        "//pkg/registry/cachesize:go_default_library",
 | 
				
			||||||
 | 
					        "//pkg/registry/rbac/rest:go_default_library",
 | 
				
			||||||
        "//pkg/version:go_default_library",
 | 
					        "//pkg/version:go_default_library",
 | 
				
			||||||
        "//plugin/pkg/admission/admit:go_default_library",
 | 
					        "//plugin/pkg/admission/admit:go_default_library",
 | 
				
			||||||
        "//plugin/pkg/admission/alwayspullimages:go_default_library",
 | 
					        "//plugin/pkg/admission/alwayspullimages:go_default_library",
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -66,11 +66,13 @@ import (
 | 
				
			|||||||
	"k8s.io/kubernetes/pkg/kubeapiserver"
 | 
						"k8s.io/kubernetes/pkg/kubeapiserver"
 | 
				
			||||||
	kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 | 
						kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 | 
				
			||||||
	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
 | 
						kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
 | 
				
			||||||
 | 
						"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 | 
				
			||||||
	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
 | 
						kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
 | 
				
			||||||
	kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
 | 
						kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
 | 
				
			||||||
	"k8s.io/kubernetes/pkg/master"
 | 
						"k8s.io/kubernetes/pkg/master"
 | 
				
			||||||
	"k8s.io/kubernetes/pkg/master/tunneler"
 | 
						"k8s.io/kubernetes/pkg/master/tunneler"
 | 
				
			||||||
	"k8s.io/kubernetes/pkg/registry/cachesize"
 | 
						"k8s.io/kubernetes/pkg/registry/cachesize"
 | 
				
			||||||
 | 
						rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest"
 | 
				
			||||||
	"k8s.io/kubernetes/pkg/version"
 | 
						"k8s.io/kubernetes/pkg/version"
 | 
				
			||||||
	"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
 | 
						"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
 | 
				
			||||||
)
 | 
					)
 | 
				
			||||||
@@ -353,6 +355,9 @@ func BuildGenericConfig(s *options.ServerRunOptions) (*genericapiserver.Config,
 | 
				
			|||||||
	if err != nil {
 | 
						if err != nil {
 | 
				
			||||||
		return nil, nil, nil, fmt.Errorf("invalid authorization config: %v", err)
 | 
							return nil, nil, nil, fmt.Errorf("invalid authorization config: %v", err)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
						if !sets.NewString(s.Authorization.Modes()...).Has(modes.ModeRBAC) {
 | 
				
			||||||
 | 
							genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName)
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	genericConfig.AdmissionControl, err = BuildAdmission(s, client, sharedInformers, genericConfig.Authorizer)
 | 
						genericConfig.AdmissionControl, err = BuildAdmission(s, client, sharedInformers, genericConfig.Authorizer)
 | 
				
			||||||
	if err != nil {
 | 
						if err != nil {
 | 
				
			||||||
 
 | 
				
			|||||||
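Review bot: The new condition `if !sets.NewString(s.Authorization.Modes()...).Has(modes.ModeRBAC)` is a security-relevant decision with no comment saying why the hook may be skipped, and it depends on `Modes()` returning exact, untrimmed mode names, which a reader cannot tell from this line. I would add above the `if`: `// The rbac/bootstrap-roles hook presumably reconciles the default RBAC policy objects; skip it when the RBAC authorizer is not configured so the server does not write policy nothing evaluates. Because this is re-evaluated on every start, enabling RBAC later re-enables the hook.` Note also that `sets` does not appear in the import hunk above, so it is assumed to already be imported elsewhere in the file. BuildGenericConfig starts before and ends after this hunk.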
@@ -36,10 +36,14 @@ function run_kube_apiserver() {
 | 
				
			|||||||
  # Admission Controllers to invoke prior to persisting objects in cluster
 | 
					  # Admission Controllers to invoke prior to persisting objects in cluster
 | 
				
			||||||
  ADMISSION_CONTROL="NamespaceLifecycle,LimitRanger,ResourceQuota"
 | 
					  ADMISSION_CONTROL="NamespaceLifecycle,LimitRanger,ResourceQuota"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					  # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
 | 
				
			||||||
 | 
					  AUTHORIZATION_MODE="RBAC,AlwaysAllow"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  "${KUBE_OUTPUT_HOSTBIN}/kube-apiserver" \
 | 
					  "${KUBE_OUTPUT_HOSTBIN}/kube-apiserver" \
 | 
				
			||||||
    --address="127.0.0.1" \
 | 
					    --address="127.0.0.1" \
 | 
				
			||||||
    --public-address-override="127.0.0.1" \
 | 
					    --public-address-override="127.0.0.1" \
 | 
				
			||||||
    --port="${API_PORT}" \
 | 
					    --port="${API_PORT}" \
 | 
				
			||||||
 | 
					    --authorization-mode="${AUTHORIZATION_MODE}" \
 | 
				
			||||||
    --admission-control="${ADMISSION_CONTROL}" \
 | 
					    --admission-control="${ADMISSION_CONTROL}" \
 | 
				
			||||||
    --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
 | 
					    --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
 | 
				
			||||||
    --public-address-override="127.0.0.1" \
 | 
					    --public-address-override="127.0.0.1" \
 | 
				
			||||||
 
 | 
				
			|||||||
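Review bot: The comment above `AUTHORIZATION_MODE="RBAC,AlwaysAllow"` should state the consequence of chaining AlwaysAllow: presumably every request is authorized regardless of what RBAC decides, so this setting exercises the bootstrap post-start hook but does not test that the bootstrapped roles restrict anything. I would replace it with `# Include RBAC so the rbac/bootstrap-roles post-start hook runs; AlwaysAllow is kept so every request is still authorized, i.e. RBAC decisions are not enforced in this test`. Unrelated to this change, `--public-address-override="127.0.0.1"` is passed twice in the same command (the second occurrence is visible below the new flag), which is harmless but worth dropping. run_kube_apiserver continues outside the hunk.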
@@ -75,14 +75,17 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory) authorizer.AuthorizationConfig {
 | 
					func (s *BuiltInAuthorizationOptions) Modes() []string {
 | 
				
			||||||
	modes := []string{}
 | 
						modes := []string{}
 | 
				
			||||||
	if len(s.Mode) > 0 {
 | 
						if len(s.Mode) > 0 {
 | 
				
			||||||
		modes = strings.Split(s.Mode, ",")
 | 
							modes = strings.Split(s.Mode, ",")
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
						return modes
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory) authorizer.AuthorizationConfig {
 | 
				
			||||||
	return authorizer.AuthorizationConfig{
 | 
						return authorizer.AuthorizationConfig{
 | 
				
			||||||
		AuthorizationModes:          modes,
 | 
							AuthorizationModes:          s.Modes(),
 | 
				
			||||||
		PolicyFile:                  s.PolicyFile,
 | 
							PolicyFile:                  s.PolicyFile,
 | 
				
			||||||
		WebhookConfigFile:           s.WebhookConfigFile,
 | 
							WebhookConfigFile:           s.WebhookConfigFile,
 | 
				
			||||||
		WebhookCacheAuthorizedTTL:   s.WebhookCacheAuthorizedTTL,
 | 
							WebhookCacheAuthorizedTTL:   s.WebhookCacheAuthorizedTTL,
 | 
				
			||||||
 
 | 
				
			|||||||
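Review bot: The new exported method `Modes()` has no doc comment, and its contract matters now that a caller outside this package makes an authorization decision from it: `strings.Split(s.Mode, ",")` neither trims whitespace nor drops empty entries, so `"RBAC,"` yields `["RBAC", ""]` and `"RBAC, Webhook"` yields `" Webhook"`. I would add `// Modes returns the entries of the comma-separated --authorization-mode flag exactly as given; entries are not trimmed or deduplicated, so validation must reject whitespace and empty names.` Whether such values are rejected elsewhere cannot be seen from this hunk. ToAuthorizationConfig continues past the end of the hunk.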
@@ -55,6 +55,8 @@ import (
 | 
				
			|||||||
	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
 | 
						"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
 | 
				
			||||||
)
 | 
					)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					const PostStartHookName = "rbac/bootstrap-roles"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
type RESTStorageProvider struct {
 | 
					type RESTStorageProvider struct {
 | 
				
			||||||
	Authorizer authorizer.Authorizer
 | 
						Authorizer authorizer.Authorizer
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
@@ -123,7 +125,7 @@ func (p RESTStorageProvider) storage(version schema.GroupVersion, apiResourceCon
 | 
				
			|||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
 | 
					func (p RESTStorageProvider) PostStartHook() (string, genericapiserver.PostStartHookFunc, error) {
 | 
				
			||||||
	return "rbac/bootstrap-roles", PostStartHook, nil
 | 
						return PostStartHookName, PostStartHook, nil
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 | 
					func PostStartHook(hookContext genericapiserver.PostStartHookContext) error {
 | 
				
			||||||
 
 | 
				
			|||||||
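Review bot: The exported `const PostStartHookName = "rbac/bootstrap-roles"` has no doc comment, and since the apiserver now keys `DisabledPostStartHooks` on this string, the fact that the name is part of the cross-package contract should be stated so nobody renames it casually. I would add `// PostStartHookName is the registered name of the RBAC bootstrap post-start hook; the apiserver disables the hook by this name when RBAC is not an enabled authorizer, so changing it would silently re-enable the hook.` The body of PostStartHook continues outside the hunk.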