github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e250074b38
kubernetes/pkg/kubelet/apis/kubeletconfig/helpers_test.go
Kubernetes Submit Queue 63380d12db
Merge pull request #59666 from mtaufen/kc-secure-componentconfig-defaults 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Secure Kubelet's componentconfig defaults while maintaining CLI compatibility

This updates the Kubelet's componentconfig defaults, while applying the legacy defaults to values from options.NewKubeletConfiguration(). This keeps defaults the same for the command line and improves the security of defaults when you load config from a file.

See: https://github.com/kubernetes/kubernetes/issues/53618
See: https://github.com/kubernetes/kubernetes/pull/53833#discussion_r166669931

Also moves EnableServer to KubeletFlags, per @tallclair's comments on #53833.

We should find way of generating documentation for config file defaults, so that people can easily look up what's different from flags.

```release-note
Action required: Default values differ between the Kubelet's componentconfig (config file) API and the Kubelet's command line. Be sure to review the default values when migrating to using a config file.
```
2018-02-14 10:09:13 -08:00

214 lines
6.3 KiB
Go
Raw Blame History

/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubeletconfig
import (
"reflect"
"strings"
"testing"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
)
func TestKubeletConfigurationPathFields(t *testing.T) {
// ensure the intersection of kubeletConfigurationPathFieldPaths and KubeletConfigurationNonPathFields is empty
if i := kubeletConfigurationPathFieldPaths.Intersection(kubeletConfigurationNonPathFieldPaths); len(i) > 0 {
t.Fatalf("expect the intersection of kubeletConfigurationPathFieldPaths and "+
"KubeletConfigurationNonPathFields to be empty, got:\n%s",
strings.Join(i.List(), "\n"))
}
// ensure that kubeletConfigurationPathFields U kubeletConfigurationNonPathFields == allPrimitiveFieldPaths(KubeletConfiguration)
expect := sets.NewString().Union(kubeletConfigurationPathFieldPaths).Union(kubeletConfigurationNonPathFieldPaths)
result := allPrimitiveFieldPaths(t, reflect.TypeOf(&KubeletConfiguration{}), nil)
if !expect.Equal(result) {
// expected fields missing from result
missing := expect.Difference(result)
// unexpected fields in result but not specified in expect
unexpected := result.Difference(expect)
if len(missing) > 0 {
t.Errorf("the following fields were expected, but missing from the result. "+
"If the field has been removed, please remove it from the kubeletConfigurationPathFieldPaths set "+
"and the KubeletConfigurationPathRefs function, "+
"or remove it from the kubeletConfigurationNonPathFieldPaths set, as appropriate:\n%s",
strings.Join(missing.List(), "\n"))
}
if len(unexpected) > 0 {
t.Errorf("the following fields were in the result, but unexpected. "+
"If the field is new, please add it to the kubeletConfigurationPathFieldPaths set "+
"and the KubeletConfigurationPathRefs function, "+
"or add it to the kubeletConfigurationNonPathFieldPaths set, as appropriate:\n%s",
strings.Join(unexpected.List(), "\n"))
}
}
}
func allPrimitiveFieldPaths(t *testing.T, tp reflect.Type, path *field.Path) sets.String {
paths := sets.NewString()
switch tp.Kind() {
case reflect.Ptr:
paths.Insert(allPrimitiveFieldPaths(t, tp.Elem(), path).List()...)
case reflect.Struct:
for i := 0; i < tp.NumField(); i++ {
field := tp.Field(i)
paths.Insert(allPrimitiveFieldPaths(t, field.Type, path.Child(field.Name)).List()...)
}
case reflect.Map, reflect.Slice:
paths.Insert(allPrimitiveFieldPaths(t, tp.Elem(), path.Key("*")).List()...)
case reflect.Interface:
t.Fatalf("unexpected interface{} field %s", path.String())
default:
// if we hit a primitive type, we're at a leaf
paths.Insert(path.String())
}
return paths
}
// dummy helper types
type foo struct {
foo int
}
type bar struct {
str string
strptr *string
ints []int
stringMap map[string]string
foo foo
fooptr *foo
bars []foo
barMap map[string]foo
}
func TestAllPrimitiveFieldPaths(t *testing.T) {
expect := sets.NewString(
"str",
"strptr",
"ints[*]",
"stringMap[*]",
"foo.foo",
"fooptr.foo",
"bars[*].foo",
"barMap[*].foo",
)
result := allPrimitiveFieldPaths(t, reflect.TypeOf(&bar{}), nil)
if !expect.Equal(result) {
// expected fields missing from result
missing := expect.Difference(result)
// unexpected fields in result but not specified in expect
unexpected := result.Difference(expect)
if len(missing) > 0 {
t.Errorf("the following fields were exepcted, but missing from the result:\n%s", strings.Join(missing.List(), "\n"))
}
if len(unexpected) > 0 {
t.Errorf("the following fields were in the result, but unexpected:\n%s", strings.Join(unexpected.List(), "\n"))
}
}
}
var (
// KubeletConfiguration fields that contain file paths. If you update this, also update KubeletConfigurationPathRefs!
kubeletConfigurationPathFieldPaths = sets.NewString(
"PodManifestPath",
"Authentication.X509.ClientCAFile",
"TLSCertFile",
"TLSPrivateKeyFile",
"ResolverConfig",
)
// KubeletConfiguration fields that do not contain file paths.
kubeletConfigurationNonPathFieldPaths = sets.NewString(
"Address",
"Authentication.Anonymous.Enabled",
"Authentication.Webhook.CacheTTL.Duration",
"Authentication.Webhook.Enabled",
"Authorization.Mode",
"Authorization.Webhook.CacheAuthorizedTTL.Duration",
"Authorization.Webhook.CacheUnauthorizedTTL.Duration",
"CPUCFSQuota",
"CPUManagerPolicy",
"CPUManagerReconcilePeriod.Duration",
"CgroupDriver",
"CgroupRoot",
"CgroupsPerQOS",
"ClusterDNS[*]",
"ClusterDomain",
"ContentType",
"EnableContentionProfiling",
"EnableControllerAttachDetach",
"EnableDebuggingHandlers",
"EnforceNodeAllocatable[*]",
"EventBurst",
"EventRecordQPS",
"EvictionHard[*]",
"EvictionMaxPodGracePeriod",
"EvictionMinimumReclaim[*]",
"EvictionPressureTransitionPeriod.Duration",
"EvictionSoft[*]",
"EvictionSoftGracePeriod[*]",
"FailSwapOn",
"FeatureGates[*]",
"FileCheckFrequency.Duration",
"HTTPCheckFrequency.Duration",
"HairpinMode",
"HealthzBindAddress",
"HealthzPort",
"TLSCipherSuites[*]",
"TLSMinVersion",
"IPTablesDropBit",
"IPTablesMasqueradeBit",
"ImageGCHighThresholdPercent",
"ImageGCLowThresholdPercent",
"ImageMinimumGCAge.Duration",
"KubeAPIBurst",
"KubeAPIQPS",
"KubeReservedCgroup",
"KubeReserved[*]",
"KubeletCgroups",
"MakeIPTablesUtilChains",
"ManifestURL",
"ManifestURLHeader[*][*]",
"MaxOpenFiles",
"MaxPods",
"NodeStatusUpdateFrequency.Duration",
"OOMScoreAdj",
"PodCIDR",
"PodPidsLimit",
"PodsPerCore",
"Port",
"ProtectKernelDefaults",
"ReadOnlyPort",
"RegistryBurst",
"RegistryPullQPS",
"RuntimeRequestTimeout.Duration",
"SerializeImagePulls",
"StreamingConnectionIdleTimeout.Duration",
"SyncFrequency.Duration",
"SystemCgroups",
"SystemReservedCgroup",
"SystemReserved[*]",
"TypeMeta.APIVersion",
"TypeMeta.Kind",
"VolumeStatsAggPeriod.Duration",
)
)
Reference in New Issue View Git Blame Copy Permalink