scheduler: add https+authn+authz to options, set to nil for now

2025-07-23 19:56:01 +00:00 · 2018-02-24 16:02:27 +01:00 · 2018-02-24 16:02:27 +01:00 · 2af0bdb00f
commit 2af0bdb00f
parent abc8c98e35
3 changed files with 42 additions and 4 deletions
--- a/cmd/kube-scheduler/app/config/config.go
+++ b/cmd/kube-scheduler/app/config/config.go
@ -17,6 +17,7 @@ limitations under the License.
 package config
 import (
 	apiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/client-go/informers"
 	coreinformers "k8s.io/client-go/informers/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
@ -34,6 +35,9 @@ type Config struct {
 	InsecureServing        *app.InsecureServingInfo // nil will disable serving on an insecure port
 	InsecureMetricsServing *app.InsecureServingInfo // non-nil if metrics should be served independently
 	Authentication         apiserver.AuthenticationInfo
 	Authorization          apiserver.AuthorizationInfo
 	SecureServing          *apiserver.SecureServingInfo
 	Client          clientset.Interface
 	InformerFactory informers.SharedInformerFactory
--- a/cmd/kube-scheduler/app/options/options.go
+++ b/cmd/kube-scheduler/app/options/options.go
@ -28,6 +28,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/informers"
 	clientset "k8s.io/client-go/kubernetes"
@ -52,7 +53,10 @@ type Options struct {
 	// The default values. These are overridden if ConfigFile is set or by values in InsecureServing.
 	ComponentConfig componentconfig.KubeSchedulerConfiguration
 	SecureServing           *apiserveroptions.SecureServingOptions
 	CombinedInsecureServing *CombinedInsecureServingOptions
 	Authentication          *apiserveroptions.DelegatingAuthenticationOptions
 	Authorization           *apiserveroptions.DelegatingAuthorizationOptions
 	Deprecated              *DeprecatedOptions
 	// ConfigFile is the location of the scheduler server's configuration file.
@ -78,6 +82,7 @@ func NewOptions() (*Options, error) {
 	o := &Options{
 		ComponentConfig: *cfg,
 		SecureServing:   nil, // TODO: enable with apiserveroptions.NewSecureServingOptions()
 		CombinedInsecureServing: &CombinedInsecureServingOptions{
 			Healthz: &controlleroptions.InsecureServingOptions{
 				BindNetwork: "tcp",
@ -88,6 +93,8 @@ func NewOptions() (*Options, error) {
 			BindPort:    hport,
 			BindAddress: hhost,
 		},
 		Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
 		Authorization:  nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
 		Deprecated: &DeprecatedOptions{
 			UseLegacyPolicyConfig:    false,
 			PolicyConfigMapNamespace: metav1.NamespaceSystem,
@ -125,7 +132,10 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&o.WriteConfigTo, "write-config-to", o.WriteConfigTo, "If set, write the configuration values to this file and exit.")
 	fs.StringVar(&o.Master, "master", o.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig)")
 	o.SecureServing.AddFlags(fs)
 	o.CombinedInsecureServing.AddFlags(fs)
 	o.Authentication.AddFlags(fs)
 	o.Authorization.AddFlags(fs)
 	o.Deprecated.AddFlags(fs, &o.ComponentConfig)
 	leaderelectionconfig.BindFlags(&o.ComponentConfig.LeaderElection.LeaderElectionConfiguration, fs)
@ -163,14 +173,23 @@ func (o *Options) ApplyTo(c *schedulerappconfig.Config) error {
 		}
 	}
-	return nil
+	if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil {
 		return err
 	}
 	if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
 		return err
 	}
 	return o.Authorization.ApplyTo(&c.Authorization)
 }
 // Validate validates all the required options.
 func (o *Options) Validate() []error {
 	var errs []error
 	errs = append(errs, o.SecureServing.Validate()...)
 	errs = append(errs, o.CombinedInsecureServing.Validate()...)
 	errs = append(errs, o.Authentication.Validate()...)
 	errs = append(errs, o.Authorization.Validate()...)
 	errs = append(errs, o.Deprecated.Validate()...)
 	return errs
--- a/cmd/kube-scheduler/app/server.go
+++ b/cmd/kube-scheduler/app/server.go
@ -30,6 +30,8 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
 	genericfilters "k8s.io/apiserver/pkg/server/filters"
@ -42,6 +44,7 @@ import (
 	"k8s.io/client-go/tools/leaderelection"
 	schedulerserverconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/cmd/kube-scheduler/app/options"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	"k8s.io/kubernetes/pkg/controller"
 	"k8s.io/kubernetes/pkg/features"
@ -149,7 +152,8 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error
 	// Start up the healthz server.
 	if c.InsecureServing != nil {
-		handler := buildHandlerChain(newHealthzHandler(&c.ComponentConfig, c.InsecureMetricsServing != nil))
+		separateMetrics := c.InsecureMetricsServing != nil
 		handler := buildHandlerChain(newHealthzHandler(&c.ComponentConfig, separateMetrics), nil, nil)
 		// TODO: fail early as all other Kubernetes binaries
 		go wait.Until(func() {
 			if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil {
@ -158,7 +162,7 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error
 		}, 5*time.Second, stopCh)
 	}
 	if c.InsecureServing != nil {
-		handler := buildHandlerChain(newMetricsHandler(&c.ComponentConfig))
+		handler := buildHandlerChain(newMetricsHandler(&c.ComponentConfig), nil, nil)
 		// TODO: fail early as all other Kubernetes binaries
 		go wait.Until(func() {
 			if err := c.InsecureServing.Serve(handler, 0, stopCh); err != nil {
@ -166,6 +170,13 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error
 			}
 		}, 5*time.Second, stopCh)
 	}
 	if c.SecureServing != nil {
 		handler := buildHandlerChain(newHealthzHandler(&c.ComponentConfig, false), c.Authentication.Authenticator, c.Authorization.Authorizer)
 		if err := c.SecureServing.Serve(handler, 0, stopCh); err != nil {
 			// fail early for secure handlers, removing the old error loop from above
 			return fmt.Errorf("failed to start healthz server: %v", err)
 		}
 	}
 	// Start all informers.
 	go c.PodInformer.Informer().Run(stopCh)
@ -205,9 +216,13 @@ func Run(c schedulerserverconfig.CompletedConfig, stopCh <-chan struct{}) error
 }
 // buildHandlerChain wraps the given handler with the standard filters.
-func buildHandlerChain(handler http.Handler) http.Handler {
+func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz authorizer.Authorizer) http.Handler {
 	requestInfoResolver := &apirequest.RequestInfoFactory{}
 	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
 	handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
 	handler = genericapifilters.WithAuthorization(handler, authz, legacyscheme.Codecs)
 	handler = genericapifilters.WithAuthentication(handler, authn, failedHandler)
 	handler = genericapifilters.WithRequestInfo(handler, requestInfoResolver)
 	handler = genericfilters.WithPanicRecovery(handler)