From 426caf5bd16704be0d2c5accd752f831194d59ad Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Sat, 8 Oct 2016 00:43:32 -0400
Subject: [PATCH] Kubelet auth flags
---
 cmd/kubelet/app/BUILD | 13 +++++++++++++
 cmd/kubelet/app/options/options.go | 23 +++++++++++++++++++++++
 hack/verify-flags/known-flags.txt | 1 +
 3 files changed, 37 insertions(+)
diff --git a/cmd/kubelet/app/BUILD b/cmd/kubelet/app/BUILD
index 0ad48fd21e8..f86fd98480b 100644
--- a/cmd/kubelet/app/BUILD
+++ b/cmd/kubelet/app/BUILD
@@ -13,6 +13,7 @@ load(
 go_library(
 name = "go_default_library",
 srcs = [
+ "auth.go",
 "bootstrap.go",
 "plugins.go",
 "server.go",
@@ -24,9 +25,15 @@ go_library(
 "//pkg/api:go_default_library",
 "//pkg/apis/componentconfig:go_default_library",
 "//pkg/apis/componentconfig/v1alpha1:go_default_library",
+ "//pkg/auth/authenticator:go_default_library",
+ "//pkg/auth/authenticator/bearertoken:go_default_library",
+ "//pkg/auth/authorizer:go_default_library",
+ "//pkg/auth/group:go_default_library",
 "//pkg/capabilities:go_default_library",
 "//pkg/client/chaosclient:go_default_library",
 "//pkg/client/clientset_generated/internalclientset:go_default_library",
+ "//pkg/client/clientset_generated/internalclientset/typed/authentication/unversioned:go_default_library",
+ "//pkg/client/clientset_generated/internalclientset/typed/authorization/unversioned:go_default_library",
 "//pkg/client/clientset_generated/internalclientset/typed/certificates/unversioned:go_default_library",
 "//pkg/client/clientset_generated/internalclientset/typed/core/unversioned:go_default_library",
 "//pkg/client/record:go_default_library",
@@ -39,6 +46,7 @@ go_library(
 "//pkg/credentialprovider:go_default_library",
 "//pkg/credentialprovider/aws:go_default_library",
 "//pkg/credentialprovider/gcp:go_default_library",
+ "//pkg/genericapiserver/authorizer:go_default_library",
 "//pkg/healthz:go_default_library",
 "//pkg/kubelet:go_default_library",
 "//pkg/kubelet/cadvisor:go_default_library",
@@ -89,6 +97,11 @@ go_library(
 "//pkg/volume/rbd:go_default_library",
 "//pkg/volume/secret:go_default_library",
 "//pkg/volume/vsphere_volume:go_default_library",
+ "//plugin/pkg/auth/authenticator/request/anonymous:go_default_library",
+ "//plugin/pkg/auth/authenticator/request/union:go_default_library",
+ "//plugin/pkg/auth/authenticator/request/x509:go_default_library",
+ "//plugin/pkg/auth/authenticator/token/webhook:go_default_library",
+ "//plugin/pkg/auth/authorizer/webhook:go_default_library",
 "//vendor:github.com/golang/glog",
 "//vendor:github.com/spf13/cobra",
 "//vendor:github.com/spf13/pflag",
diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
index 3c1c0ab367f..3a2ca3602e7 100644
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@@ -98,6 +98,29 @@ func (s *KubeletServer) AddFlags(fs *pflag.FlagSet) {
 fs.Var(componentconfig.IPVar{Val: &s.Address}, "address", "The IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces)")
 fs.Int32Var(&s.Port, "port", s.Port, "The port for the Kubelet to serve on.")
 fs.Int32Var(&s.ReadOnlyPort, "read-only-port", s.ReadOnlyPort, "The read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable)")
+
+ // Authentication
+ fs.BoolVar(&s.Authentication.Anonymous.Enabled, "anonymous-auth", s.Authentication.Anonymous.Enabled, ""+
+ "Enables anonymous requests to the Kubelet server. Requests that are not rejected by another "+
+ "authentication method are treated as anonymous requests. Anonymous requests have a username "+
+ "of system:anonymous, and a group name of system:unauthenticated.")
+ fs.BoolVar(&s.Authentication.Webhook.Enabled, "authentication-token-webhook", s.Authentication.Webhook.Enabled, ""+
+ "Use the TokenReview API to determine authentication for bearer tokens.")
+ fs.DurationVar(&s.Authentication.Webhook.CacheTTL.Duration, "authentication-token-webhook-cache-ttl", s.Authentication.Webhook.CacheTTL.Duration, ""+
+ "The duration to cache responses from the webhook token authenticator.")
+ fs.StringVar(&s.Authentication.X509.ClientCAFile, "client-ca-file", s.Authentication.X509.ClientCAFile, ""+
+ "If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file "+
+ "is authenticated with an identity corresponding to the CommonName of the client certificate.")
+
+ // Authorization
+ fs.StringVar((*string)(&s.Authorization.Mode), "authorization-mode", string(s.Authorization.Mode), ""+
+ "Authorization mode for Kubelet server. Valid options are AlwaysAllow or Webhook. 
"+
+ "Webhook mode uses the SubjectAccessReview API to determine authorization.")
+ fs.DurationVar(&s.Authorization.Webhook.CacheAuthorizedTTL.Duration, "authorization-webhook-cache-authorized-ttl", s.Authorization.Webhook.CacheAuthorizedTTL.Duration, ""+
+ "The duration to cache 'authorized' responses from the webhook authorizer.")
+ fs.DurationVar(&s.Authorization.Webhook.CacheUnauthorizedTTL.Duration, "authorization-webhook-cache-unauthorized-ttl", s.Authorization.Webhook.CacheUnauthorizedTTL.Duration, ""+
+ "The duration to cache 'unauthorized' responses from the webhook authorizer.")
+
 fs.StringVar(&s.TLSCertFile, "tls-cert-file", s.TLSCertFile, ""+
 "File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). "+
 "If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key "+
diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index ca5a43e947d..c34333df572 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -32,6 +32,7 @@ auth-provider
 auth-provider
 auth-provider-arg
 auth-provider-arg
+authentication-token-webhook
 authentication-token-webhook-cache-ttl
 authentication-token-webhook-config-file
 authorization-mode
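Review bot: `--authorization-mode` is bound through a bare `(*string)` cast, so pflag accepts any value and nothing in this hunk rejects a mode other than `AlwaysAllow` or `Webhook`; if that check lives in the new `auth.go` named in the BUILD hunk it should fail kubelet startup on an unknown mode rather than fall back to allowing everything, and that is worth confirming since it is not visible here. The `--anonymous-auth` help text also leaves out the consequence an operator most needs: under `AlwaysAllow` authorization an anonymous request has full access to the Kubelet API, so I would extend that string with `"With --authorization-mode=AlwaysAllow, anonymous requests are granted full access to the Kubelet API."`. It would likewise help to state that none of these flags apply to `--read-only-port`, which the context line above still documents as served with no authentication or authorization. For `--authorization-webhook-cache-authorized-ttl` the tradeoff the help text should name is that a cached decision outlives a revocation: `"A cached 'authorized' decision remains in effect for this long even after the subject's access is revoked."`. The defaults for all of these come from the componentconfig struct and are not visible in this hunk, and AddFlags begins before and continues after it.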