Merge pull request #95235 from andrewsykim/controlplane-egress-selector

apiserver: support 'controlplane' as an egress selector type

cmd/kube-apiserver/app/server.go

@@ -562,7 +562,7 @@ func BuildAuthorizer(s *options.ServerRunOptions, EgressSelector *egressselector
 	authorizationConfig := s.Authorization.ToAuthorizationConfig(versionedInformers)
 
 	if EgressSelector != nil {
-		egressDialer, err := EgressSelector.Lookup(egressselector.Master.AsNetworkContext())
+		egressDialer, err := EgressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
 		if err != nil {
 			return nil, nil, err
 		}

pkg/kubeapiserver/options/authentication.go

@@ -477,7 +477,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen
 	)
 
 	if egressSelector != nil {
-		egressDialer, err := egressSelector.Lookup(egressselector.Master.AsNetworkContext())
+		egressDialer, err := egressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
 		if err != nil {
 			return err
 		}

staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go

@@ -62,7 +62,8 @@ type EgressSelectorConfiguration struct {
 // EgressSelection provides the configuration for a single egress selection client.
 type EgressSelection struct {
 	// Name is the name of the egress selection.
-	// Currently supported values are "Master", "Etcd" and "Cluster"
+	// Currently supported values are "controlplane", "master", "etcd" and "cluster"
+	// The "master" egress selector is deprecated in favor of "controlplane"
 	Name string
 
 	// Connection is the exact information used to configure the egress selection

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go

@@ -62,7 +62,8 @@ type EgressSelectorConfiguration struct {
 // EgressSelection provides the configuration for a single egress selection client.
 type EgressSelection struct {
 	// name is the name of the egress selection.
-	// Currently supported values are "Master", "Etcd" and "Cluster"
+	// Currently supported values are "controlplane", "master", "etcd" and "cluster"
+	// The "master" egress selector is deprecated in favor of "controlplane"
 	Name string `json:"name"`
 
 	// connection is the exact information used to configure the egress selection

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1beta1/types.go

@@ -33,7 +33,8 @@ type EgressSelectorConfiguration struct {
 // EgressSelection provides the configuration for a single egress selection client.
 type EgressSelection struct {
 	// name is the name of the egress selection.
-	// Currently supported values are "Master", "Etcd" and "Cluster"
+	// Currently supported values are "controlplane", "master", "etcd" and "cluster"
+	// The "master" egress selector is deprecated in favor of "controlplane"
 	Name string `json:"name"`
 
 	// connection is the exact information used to configure the egress selection

staging/src/k8s.io/apiserver/pkg/server/egressselector/BUILD

@@ -12,6 +12,7 @@ go_library(
     deps = [
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/apis/apiserver:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/apis/apiserver/install:go_default_library",

staging/src/k8s.io/apiserver/pkg/server/egressselector/config.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/apiserver/pkg/apis/apiserver/install"
@@ -32,6 +33,10 @@ import (
 
 var cfgScheme = runtime.NewScheme()
 
+// validEgressSelectorNames contains the set of valid egress selctor names.
+// 'master' is deprecated in favor of 'controlplane' and will be removed in v1.22.
+var validEgressSelectorNames = sets.NewString("master", "controlplane", "cluster", "etcd")
+
 func init() {
 	install.Install(cfgScheme)
 }
@@ -97,6 +102,30 @@ func ValidateEgressSelectorConfiguration(config *apiserver.EgressSelectorConfigu
 				}))
 		}
 	}
+
+	var foundControlPlane, foundMaster bool
+	for _, service := range config.EgressSelections {
+		canonicalName := strings.ToLower(service.Name)
+
+		if !validEgressSelectorNames.Has(canonicalName) {
+			allErrs = append(allErrs, field.NotSupported(field.NewPath("egressSelection", "name"), canonicalName, validEgressSelectorNames.List()))
+			continue
+		}
+
+		if canonicalName == "master" {
+			foundMaster = true
+		}
+
+		if canonicalName == "controlplane" {
+			foundControlPlane = true
+		}
+	}
+
+	// error if both master and controlplane egress selectors are set
+	if foundMaster && foundControlPlane {
+		allErrs = append(allErrs, field.Forbidden(field.NewPath("egressSelection", "name"), "both egressSelection names 'master' and 'controlplane' are specified, only one is allowed"))
+	}
+
 	return allErrs
 }
 

staging/src/k8s.io/apiserver/pkg/server/egressselector/config_test.go

@@ -60,6 +60,86 @@ func TestReadEgressSelectorConfiguration(t *testing.T) {
 apiVersion: apiserver.k8s.io/v1beta1
 kind: EgressSelectorConfiguration
 egressSelections:
+- name: "cluster"
+  connection:
+    proxyProtocol: "HTTPConnect"
+    transport:
+      tcp:
+        url: "https://127.0.0.1:8131"
+        tlsConfig:
+          caBundle: "/etc/srv/kubernetes/pki/konnectivity-server/ca.crt"
+          clientKey: "/etc/srv/kubernetes/pki/konnectivity-server/client.key"
+          clientCert: "/etc/srv/kubernetes/pki/konnectivity-server/client.crt"
+- name: "controlplane"
+  connection:
+    proxyProtocol: "HTTPConnect"
+    transport:
+      tcp:
+        url: "https://127.0.0.1:8132"
+        tlsConfig:
+          caBundle: "/etc/srv/kubernetes/pki/konnectivity-server-master/ca.crt"
+          clientKey: "/etc/srv/kubernetes/pki/konnectivity-server-master/client.key"
+          clientCert: "/etc/srv/kubernetes/pki/konnectivity-server-master/client.crt"
+- name: "etcd"
+  connection:
+    proxyProtocol: "Direct"
+`,
+			expectedResult: &apiserver.EgressSelectorConfiguration{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "",
+					APIVersion: "",
+				},
+				EgressSelections: []apiserver.EgressSelection{
+					{
+						Name: "cluster",
+						Connection: apiserver.Connection{
+							ProxyProtocol: "HTTPConnect",
+							Transport: &apiserver.Transport{
+								TCP: &apiserver.TCPTransport{
+									URL: "https://127.0.0.1:8131",
+
+									TLSConfig: &apiserver.TLSConfig{
+										CABundle:   "/etc/srv/kubernetes/pki/konnectivity-server/ca.crt",
+										ClientKey:  "/etc/srv/kubernetes/pki/konnectivity-server/client.key",
+										ClientCert: "/etc/srv/kubernetes/pki/konnectivity-server/client.crt",
+									},
+								},
+							},
+						},
+					},
+					{
+						Name: "controlplane",
+						Connection: apiserver.Connection{
+							ProxyProtocol: "HTTPConnect",
+							Transport: &apiserver.Transport{
+								TCP: &apiserver.TCPTransport{
+									URL: "https://127.0.0.1:8132",
+									TLSConfig: &apiserver.TLSConfig{
+										CABundle:   "/etc/srv/kubernetes/pki/konnectivity-server-master/ca.crt",
+										ClientKey:  "/etc/srv/kubernetes/pki/konnectivity-server-master/client.key",
+										ClientCert: "/etc/srv/kubernetes/pki/konnectivity-server-master/client.crt",
+									},
+								},
+							},
+						},
+					},
+					{
+						Name: "etcd",
+						Connection: apiserver.Connection{
+							ProxyProtocol: "Direct",
+						},
+					},
+				},
+			},
+			expectedError: nil,
+		},
+		{
+			name:       "v1beta1 using deprecated 'master' type",
+			createFile: true,
+			contents: `
+apiVersion: apiserver.k8s.io/v1beta1
+kind: EgressSelectorConfiguration
+egressSelections:
 - name: "cluster"
   connection:
     proxyProtocol: "HTTPConnect"
@@ -240,7 +320,7 @@ func TestValidateEgressSelectorConfiguration(t *testing.T) {
 				},
 				EgressSelections: []apiserver.EgressSelection{
 					{
-						Name: "master",
+						Name: "controlplane",
 						Connection: apiserver.Connection{
 							ProxyProtocol: apiserver.ProtocolDirect,
 						},
@@ -413,6 +493,48 @@ func TestValidateEgressSelectorConfiguration(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "invalid egress selection name",
+			expectError: true,
+			contents: &apiserver.EgressSelectorConfiguration{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "",
+					APIVersion: "",
+				},
+				EgressSelections: []apiserver.EgressSelection{
+					{
+						Name: "invalid",
+						Connection: apiserver.Connection{
+							ProxyProtocol: apiserver.ProtocolDirect,
+						},
+					},
+				},
+			},
+		},
+		{
+			name:        "both master and controlplane egress selection configured",
+			expectError: true,
+			contents: &apiserver.EgressSelectorConfiguration{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "",
+					APIVersion: "",
+				},
+				EgressSelections: []apiserver.EgressSelection{
+					{
+						Name: "controlplane",
+						Connection: apiserver.Connection{
+							ProxyProtocol: apiserver.ProtocolDirect,
+						},
+					},
+					{
+						Name: "master",
+						Connection: apiserver.Connection{
+							ProxyProtocol: apiserver.ProtocolDirect,
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for _, tc := range testcases {

staging/src/k8s.io/apiserver/pkg/server/egressselector/egress_selector.go

@@ -51,8 +51,8 @@ type EgressSelector struct {
 type EgressType int
 
 const (
-	// Master is the EgressType for traffic intended to go to the control plane.
+	// ControlPlane is the EgressType for traffic intended to go to the control plane.
-	Master EgressType = iota
+	ControlPlane EgressType = iota
 	// Etcd is the EgressType for traffic intended to go to Kubernetes persistence store.
 	Etcd
 	// Cluster is the EgressType for traffic intended to go to the system being managed by Kubernetes.
@@ -73,8 +73,8 @@ type Lookup func(networkContext NetworkContext) (utilnet.DialFunc, error)
 // String returns the canonical string representation of the egress type
 func (s EgressType) String() string {
 	switch s {
-	case Master:
+	case ControlPlane:
-		return "master"
+		return "controlplane"
 	case Etcd:
 		return "etcd"
 	case Cluster:
@@ -91,8 +91,12 @@ func (s EgressType) AsNetworkContext() NetworkContext {
 
 func lookupServiceName(name string) (EgressType, error) {
 	switch strings.ToLower(name) {
+	// 'master' is deprecated, interpret "master" as controlplane internally until removed in v1.22.
 	case "master":
-		return Master, nil
+		klog.Warning("EgressSelection name 'master' is deprecated, use 'controlplane' instead")
+		return ControlPlane, nil
+	case "controlplane":
+		return ControlPlane, nil
 	case "etcd":
 		return Etcd, nil
 	case "cluster":
@@ -364,5 +368,6 @@ func (cs *EgressSelector) Lookup(networkContext NetworkContext) (utilnet.DialFun
 		// The round trip wrapper will over-ride the dialContext method appropriately
 		return nil, nil
 	}
+
 	return cs.egressToDialer[networkContext.EgressSelectionName], nil
 }

staging/src/k8s.io/apiserver/pkg/server/egressselector/egress_selector_test.go

@@ -90,7 +90,7 @@ func TestEgressSelector(t *testing.T) {
 					nil,
 				},
 				{
-					Master,
+					ControlPlane,
 					validateDirectDialer,
 					nil,
 					nil,

staging/src/k8s.io/apiserver/pkg/server/options/audit.go

@@ -306,7 +306,7 @@ func (o *AuditOptions) ApplyTo(
 			klog.V(2).Info("No audit policy file provided, no events will be recorded for webhook backend")
 		} else {
 			if c.EgressSelector != nil {
-				egressDialer, err := c.EgressSelector.Lookup(egressselector.Master.AsNetworkContext())
+				egressDialer, err := c.EgressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
 				if err != nil {
 					return err
 				}

staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go

@@ -55,7 +55,7 @@ func NewDefaultAuthenticationInfoResolverWrapper(
 				}
 
 				if egressSelector != nil {
-					networkContext := egressselector.Master.AsNetworkContext()
+					networkContext := egressselector.ControlPlane.AsNetworkContext()
 					var egressDialer utilnet.DialFunc
 					egressDialer, err = egressSelector.Lookup(networkContext)