pass Dialer instead of egressselector to webhooks

Jefftree
2019-12-05 17:28:59 -08:00
parent d318e52ffe
commit 1b38199ea8
15 changed files with 85 additions and 50 deletions


@@ -12,6 +12,7 @@ go_library(
deps = [
"//pkg/features:go_default_library",
"//pkg/serviceaccount:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/group:go_default_library",
@@ -25,7 +26,6 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/token/union:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/egressselector:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library",
"//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library",


@@ -21,6 +21,7 @@ import (
"github.com/go-openapi/spec"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authentication/group"
@@ -34,7 +35,6 @@ import (
"k8s.io/apiserver/pkg/authentication/token/tokenfile"
tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
"k8s.io/apiserver/pkg/server/dynamiccertificates"
"k8s.io/apiserver/pkg/server/egressselector"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile"
"k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth"
@@ -85,8 +85,8 @@ type Config struct {
// If this value is nil, then mutual TLS is disabled.
ClientCAContentProvider dynamiccertificates.CAContentProvider
// Lookup will give us a dialer if the egress selector is configured for it
EgressLookup egressselector.Lookup
// Optional field, custom dial function used to connect to webhook
CustomDial utilnet.DialFunc
}
// New returns an authenticator.Request or an error that supports the standard
@@ -311,15 +311,10 @@ func newServiceAccountAuthenticator(iss string, keyfiles []string, apiAudiences
}
func newWebhookTokenAuthenticator(config Config) (authenticator.Token, error) {
webhookConfigFile := config.WebhookTokenAuthnConfigFile
version := config.WebhookTokenAuthnVersion
ttl := config.WebhookTokenAuthnCacheTTL
implicitAuds := config.APIAudiences
webhookTokenAuthenticator, err := webhook.New(webhookConfigFile, version, implicitAuds, config.EgressLookup)
webhookTokenAuthenticator, err := webhook.New(config.WebhookTokenAuthnConfigFile, config.WebhookTokenAuthnVersion, config.APIAudiences, config.CustomDial)
if err != nil {
return nil, err
}
return tokencache.New(webhookTokenAuthenticator, false, ttl, ttl), nil
return tokencache.New(webhookTokenAuthenticator, false, config.WebhookTokenAuthnCacheTTL, config.WebhookTokenAuthnCacheTTL), nil
}
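Review bot: The new `CustomDial` field in the `Config` struct hunk is documented only as "Optional field", and nothing in the hunk states what happens when it is nil; since the `EgressLookup` it replaces is removed, a caller that still has an egress selector configured but never populates `CustomDial` would presumably have its webhook traffic dialed directly instead of through the selected egress path, with no error to signal the misconfiguration. The field comment should spell that contract out and use the Go doc form, e.g. `// CustomDial, if non-nil, is used to open the connection to the webhook server; when nil the webhook client's default dialer is used, so callers that want egress-selector routing must resolve it into this field themselves.` The same wording and the same unstated nil contract apply to the `CustomDial` field added to the authorizer `Config` in the later hunk of this commit. The inlining of the locals in `newWebhookTokenAuthenticator` is behavior-neutral; that function is complete within the hunk.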


@@ -16,6 +16,7 @@ go_library(
"//plugin/pkg/auth/authorizer/node:go_default_library",
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
"//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/union:go_default_library",


@@ -20,6 +20,7 @@ import (
"fmt"
"time"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/union"
@@ -54,6 +55,9 @@ type Config struct {
WebhookCacheUnauthorizedTTL time.Duration
VersionedInformerFactory versionedinformers.SharedInformerFactory
// Optional field, custom dial function used to connect to webhook
CustomDial utilnet.DialFunc
}
// New returns the right sort of union of multiple authorizer.Authorizer objects
@@ -102,7 +106,8 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
webhookAuthorizer, err := webhook.New(config.WebhookConfigFile,
config.WebhookVersion,
config.WebhookCacheAuthorizedTTL,
config.WebhookCacheUnauthorizedTTL)
config.WebhookCacheUnauthorizedTTL,
config.CustomDial)
if err != nil {
return nil, nil, err
}