kube-controller-manager: disable authn/z on insecure port
This is the old behaviour and we did not intend to change it when enabling authn/z in general. Like the kube-apiserver, this sets the "system:unsecured" user info.
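--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -39,8 +39,13 @@ func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.Aut
 requestInfoResolver := &apirequest.RequestInfoFactory{}
 failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
 
-handler := genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs)
-handler = genericapifilters.WithAuthentication(handler, authenticationInfo.Authenticator, failedHandler)
+handler := apiHandler
+if authorizationInfo != nil {
+handler = genericapifilters.WithAuthorization(apiHandler, authorizationInfo.Authorizer, legacyscheme.Codecs)
+}
+if authenticationInfo != nil {
+handler = genericapifilters.WithAuthentication(handler, authenticationInfo.Authenticator, failedHandler)
+}
 handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
 handler = genericfilters.WithPanicRecovery(handler)
 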
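Review bot: Inside the new `if authorizationInfo != nil` block the authorization filter wraps `apiHandler` rather than `handler`, so the chain is only correct because nothing is wrapped between `handler := apiHandler` and that line; a filter inserted there later would be silently dropped from the authorized path. Use the running value instead: `handler = genericapifilters.WithAuthorization(handler, authorizationInfo.Authorizer, legacyscheme.Codecs)`. The new nil-tolerance is also undocumented: a nil `authorizationInfo` now means "no authorization at all" for whichever listener this chain serves, so the function comment should state it, e.g. `// A nil authorizationInfo or authenticationInfo disables that filter entirely; only the insecure serving path is expected to pass nil.` The signature and doc comment of BuildHandlerChain are outside the hunk.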
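--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -111,6 +111,7 @@ go_library(
 "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
+"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server/mux:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/util/flag:go_default_library",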
@@ -25,19 +25,19 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
|
|
||||||
"net/http"
|
|
||||||
|
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
"k8s.io/apimachinery/pkg/util/uuid"
|
"k8s.io/apimachinery/pkg/util/uuid"
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
|
"k8s.io/apiserver/pkg/server"
|
||||||
"k8s.io/apiserver/pkg/server/mux"
|
"k8s.io/apiserver/pkg/server/mux"
|
||||||
apiserverflag "k8s.io/apiserver/pkg/util/flag"
|
apiserverflag "k8s.io/apiserver/pkg/util/flag"
|
||||||
cacheddiscovery "k8s.io/client-go/discovery/cached"
|
cacheddiscovery "k8s.io/client-go/discovery/cached"
|
||||||
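--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -160,7 +160,8 @@ func Run(c *config.CompletedConfig, stopCh <-chan struct{}) error {
 }
 if c.InsecureServing != nil {
 unsecuredMux = genericcontrollermanager.NewBaseHandler(&c.ComponentConfig.Debugging)
-handler := genericcontrollermanager.BuildHandlerChain(unsecuredMux, &c.Authorization, &c.Authentication)
+insecureSuperuserAuthn := server.AuthenticationInfo{Authenticator: &server.InsecureSuperuser{}}
+handler := genericcontrollermanager.BuildHandlerChain(unsecuredMux, nil, &insecureSuperuserAuthn)
 if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil {
 return err
 }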
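Review bot: The insecure-port branch now passes `nil` authorization and a superuser authenticator without saying why, which reads like an accidental bypass to anyone who has not seen the commit message; a comment above the `insecureSuperuserAuthn` line would make the intent explicit, e.g. `// The insecure port deliberately has no authn/z: every request is attributed to the "system:unsecured" superuser, matching the kube-apiserver insecure port.` The authenticator is also taken by address here (`&server.InsecureSuperuser{}`) but used by value in BuildInsecureHandlerChain (`server.InsecureSuperuser{}`); since AuthenticateRequest has a value receiver both compile, but picking one form keeps the two call sites consistent. The enclosing Run function starts and ends outside the hunk.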
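--- a/pkg/kubeapiserver/server/BUILD
+++ b/pkg/kubeapiserver/server/BUILD
@@ -10,7 +10,6 @@ go_library(
 srcs = ["insecure_handler.go"],
 importpath = "k8s.io/kubernetes/pkg/kubeapiserver/server",
 deps = [
-"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/endpoints/filters:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library",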
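--- a/pkg/kubeapiserver/server/insecure_handler.go
+++ b/pkg/kubeapiserver/server/insecure_handler.go
@@ -19,7 +19,6 @@ package server
 import (
 "net/http"
 
-"k8s.io/apiserver/pkg/authentication/user"
 genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 "k8s.io/apiserver/pkg/server"
 genericfilters "k8s.io/apiserver/pkg/server/filters"
@@ -32,7 +31,7 @@ import (
 func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
 handler := apiHandler
 handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
-handler = genericapifilters.WithAuthentication(handler, insecureSuperuser{}, nil)
+handler = genericapifilters.WithAuthentication(handler, server.InsecureSuperuser{}, nil)
 handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
 handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)
 handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)
@@ -42,15 +41,3 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
 
 return handler
 }
-
-// insecureSuperuser implements authenticator.Request to always return a superuser.
-// This is functionally equivalent to skipping authentication and authorization,
-// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
-type insecureSuperuser struct{}
-
-func (insecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
-return &user.DefaultInfo{
-Name: "system:unsecured",
-Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
-}, true, nil
-}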
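--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -23,6 +23,7 @@ import (
 
 "github.com/golang/glog"
 
+"k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/client-go/rest"
 )
 
@@ -70,3 +71,15 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
 Burst: 100,
 }, nil
 }
+
+// InsecureSuperuser implements authenticator.Request to always return a superuser.
+// This is functionally equivalent to skipping authentication and authorization,
+// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
+type InsecureSuperuser struct{}
+
+func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
+return &user.DefaultInfo{
+Name: "system:unsecured",
+Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
+}, true, nil
+}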
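Review bot: Exporting `InsecureSuperuser` from the generic apiserver package lets any importer wire a `system:masters` authenticator into any listener, but the doc comment only says what the type returns, not where it is safe to use. Extend it with the constraint, e.g. `// It must only be used on the deprecated insecure serving path, where the listener itself is the trust boundary; on any other listener it grants superuser rights to every caller.` The unused `req` parameter could also be written as `_ *http.Request` to make clear that the request is never inspected.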
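--- a/PATH_NOT_SHOWN_ON_PAGE_5
+++ b/PATH_NOT_SHOWN_ON_PAGE_5
@@ -176,6 +176,11 @@ users:
 "--kubeconfig", apiserverConfig.Name(),
 "--leader-elect=false",
 }, "/healthz", true, false, intPtr(http.StatusOK), nil},
+{"/metrics without auhn/z", []string{
+"--kubeconfig", apiserverConfig.Name(),
+"--kubeconfig", apiserverConfig.Name(),
+"--leader-elect=false",
+}, "/metrics", true, false, intPtr(http.StatusForbidden), intPtr(http.StatusOK)},
 {"authorization skipped for /healthz with authn/authz", []string{
 "--port=0",
 "--authentication-kubeconfig", apiserverConfig.Name(),
@@ -199,12 +204,11 @@ users:
 "--leader-elect=false",
 }, "/metrics", false, false, intPtr(http.StatusForbidden), nil},
 {"not authorized /metrics with BROKEN authn/authz", []string{
-"--port=0",
 "--authentication-kubeconfig", apiserverConfig.Name(),
 "--authorization-kubeconfig", brokenApiserverConfig.Name(),
 "--kubeconfig", apiserverConfig.Name(),
 "--leader-elect=false",
-}, "/metrics", false, false, intPtr(http.StatusInternalServerError), nil},
+}, "/metrics", false, false, intPtr(http.StatusInternalServerError), intPtr(http.StatusOK)},
 {"always-allowed /metrics with BROKEN authn/authz", []string{
 "--port=0",
 "--authentication-skip-lookup", // to survive unaccessible extensions-apiserver-authentication configmap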
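Review bot: The new "/metrics without auhn/z" case in the first hunk lists `"--kubeconfig", apiserverConfig.Name(),` twice; the duplicate is harmless to the flag parser but looks like a copy-paste slip, so one of the two lines should go. The case name also carries a typo: `{"/metrics without authn/z", []string{`. In the second hunk, dropping `--port=0` from the BROKEN case and expecting `http.StatusOK` in the last field appears to assert that the insecure port still answers when authorization is broken; if that is the intent, naming the case accordingly would keep the table self-describing.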