github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 14:07:14 +00:00
Code Issues Projects Releases Wiki Activity

inject authorizer when admission controller requests it

Browse Source
This commit is contained in:
pweil- 2016-09-12 12:14:44 -04:00
parent 04437f6403
commit 5c66dcb526
8 changed files with 81 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/kube-apiserver/app/server.go
View File

@ -314,7 +314,7 @@ func Run(s *options.APIServer) error {
} }
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute) sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
pluginInitializer := admission.NewPluginInitializer(sharedInformers) pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer)
admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer) admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer)
if err != nil { if err != nil {

2
federation/cmd/federation-apiserver/app/server.go
View File

@ -204,7 +204,7 @@ func Run(s *options.ServerRunOptions) error {
} }
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute) sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
pluginInitializer := admission.NewPluginInitializer(sharedInformers) pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer)
admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer) admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer)
if err != nil { if err != nil {

13
pkg/admission/init.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package admission package admission
import ( import (
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/controller/informers" "k8s.io/kubernetes/pkg/controller/informers"
) )
@ -27,13 +28,15 @@ type PluginInitializer interface {
} }
type pluginInitializer struct { type pluginInitializer struct {
informers informers.SharedInformerFactory informers informers.SharedInformerFactory
authorizer authorizer.Authorizer
} }
// NewPluginInitializer constructs new instance of PluginInitializer // NewPluginInitializer constructs new instance of PluginInitializer
func NewPluginInitializer(sharedInformers informers.SharedInformerFactory) PluginInitializer { func NewPluginInitializer(sharedInformers informers.SharedInformerFactory, authz authorizer.Authorizer) PluginInitializer {
plugInit := &pluginInitializer{ plugInit := &pluginInitializer{
informers: sharedInformers, informers: sharedInformers,
authorizer: authz,
} }
return plugInit return plugInit
} }
@ -45,6 +48,10 @@ func (i *pluginInitializer) Initialize(plugins []Interface) {
if wantsInformerFactory, ok := plugin.(WantsInformerFactory); ok { if wantsInformerFactory, ok := plugin.(WantsInformerFactory); ok {
wantsInformerFactory.SetInformerFactory(i.informers) wantsInformerFactory.SetInformerFactory(i.informers)
} }
if wantsAuthorizer, ok := plugin.(WantsAuthorizer); ok {
wantsAuthorizer.SetAuthorizer(i.authorizer)
}
} }
} }

59
pkg/admission/init_test.go Normal file
View File

@ -0,0 +1,59 @@
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package admission
import (
"testing"
"k8s.io/kubernetes/pkg/auth/authorizer"
)
// TestAuthorizer is a testing struct for testing that fulfills the authorizer interface.
type TestAuthorizer struct{}
func (t *TestAuthorizer) Authorize(a authorizer.Attributes) (authorized bool, reason string, err error) {
return false, "", nil
}
var _ authorizer.Authorizer = &TestAuthorizer{}
// WantAuthorizerAdmission is a testing struct that fulfills the WantsAuthorizer
// interface.
type WantAuthorizerAdmission struct {
auth authorizer.Authorizer
}
func (self *WantAuthorizerAdmission) SetAuthorizer(a authorizer.Authorizer) {
self.auth = a
}
func (self *WantAuthorizerAdmission) Admit(a Attributes) error { return nil }
func (self *WantAuthorizerAdmission) Handles(o Operation) bool { return false }
func (self *WantAuthorizerAdmission) Validate() error { return nil }
var _ Interface = &WantAuthorizerAdmission{}
var _ WantsAuthorizer = &WantAuthorizerAdmission{}
// TestWantsAuthorizer ensures that the authorizer is injected when the WantsAuthorizer
// interface is implemented.
func TestWantsAuthorizer(t *testing.T) {
initializer := NewPluginInitializer(nil, &TestAuthorizer{})
wantAuthorizerAdmission := &WantAuthorizerAdmission{}
initializer.Initialize([]Interface{wantAuthorizerAdmission})
if wantAuthorizerAdmission.auth == nil {
t.Errorf("expected authorizer to be initialized but found nil")
}
}

7
pkg/admission/types.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package admission package admission
import ( import (
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/controller/informers" "k8s.io/kubernetes/pkg/controller/informers"
) )
@ -31,3 +32,9 @@ type WantsInformerFactory interface {
SetInformerFactory(informers.SharedInformerFactory) SetInformerFactory(informers.SharedInformerFactory)
Validator Validator
} }
// WantsAuthorizer defines a function which sets Authorizer for admission plugins that need it.
type WantsAuthorizer interface {
SetAuthorizer(authorizer.Authorizer)
Validator
}

2
plugin/pkg/admission/namespace/autoprovision/admission_test.go
View File

@ -38,7 +38,7 @@ func newHandlerForTest(c clientset.Interface) (admission.Interface, informers.Sh
f := informers.NewSharedInformerFactory(c, 5*time.Minute) f := informers.NewSharedInformerFactory(c, 5*time.Minute)
handler := NewProvision(c) handler := NewProvision(c)
plugins := []admission.Interface{handler} plugins := []admission.Interface{handler}
pluginInitializer := admission.NewPluginInitializer(f) pluginInitializer := admission.NewPluginInitializer(f, nil)
pluginInitializer.Initialize(plugins) pluginInitializer.Initialize(plugins)
err := admission.Validate(plugins) err := admission.Validate(plugins)
return handler, f, err return handler, f, err

2
plugin/pkg/admission/namespace/exists/admission_test.go
View File

@ -37,7 +37,7 @@ func newHandlerForTest(c clientset.Interface) (admission.Interface, informers.Sh
f := informers.NewSharedInformerFactory(c, 5*time.Minute) f := informers.NewSharedInformerFactory(c, 5*time.Minute)
handler := NewExists(c) handler := NewExists(c)
plugins := []admission.Interface{handler} plugins := []admission.Interface{handler}
pluginInitializer := admission.NewPluginInitializer(f) pluginInitializer := admission.NewPluginInitializer(f, nil)
pluginInitializer.Initialize(plugins) pluginInitializer.Initialize(plugins)
err := admission.Validate(plugins) err := admission.Validate(plugins)
return handler, f, err return handler, f, err

2
plugin/pkg/admission/namespace/lifecycle/admission_test.go
View File

@ -47,7 +47,7 @@ func newHandlerForTestWithClock(c clientset.Interface, cacheClock clock.Clock) (
return nil, f, err return nil, f, err
} }
plugins := []admission.Interface{handler} plugins := []admission.Interface{handler}
pluginInitializer := admission.NewPluginInitializer(f) pluginInitializer := admission.NewPluginInitializer(f, nil)
pluginInitializer.Initialize(plugins) pluginInitializer.Initialize(plugins)
err = admission.Validate(plugins) err = admission.Validate(plugins)
return handler, f, err return handler, f, err