github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 05:57:25 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #39636 from liggitt/proxy-subresource

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 41382, 41407, 41409, 41296, 39636)

Update to use proxy subresource consistently

Proxy subresources have been in place since 1.2.0 and improve the ability to put policy in place around proxy access.

This PR updates the last few clients to use proxy subresources rather than the root proxy
This commit is contained in:
Kubernetes Submit Queue 2017-02-14 13:04:33 -08:00 committed by GitHub
commit 7332baf9a3
13 changed files with 81 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/client/clientset_generated/clientset/typed/core/v1/service_expansion.go
View File

@ -29,9 +29,9 @@ type ServiceExpansion interface {
// ProxyGet returns a response of the service by calling it through the proxy. // ProxyGet returns a response of the service by calling it through the proxy.
func (c *services) ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper { func (c *services) ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper {
request := c.client.Get(). request := c.client.Get().
Prefix("proxy").
Namespace(c.ns). Namespace(c.ns).
Resource("services"). Resource("services").
SubResource("proxy").
Name(net.JoinSchemeNamePort(scheme, name, port)). Name(net.JoinSchemeNamePort(scheme, name, port)).
Suffix(path) Suffix(path)
for k, v := range params { for k, v := range params {

2
pkg/client/clientset_generated/internalclientset/typed/core/internalversion/service_expansion.go
View File

@ -29,9 +29,9 @@ type ServiceExpansion interface {
// ProxyGet returns a response of the service by calling it through the proxy. // ProxyGet returns a response of the service by calling it through the proxy.
func (c *services) ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper { func (c *services) ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper {
request := c.client.Get(). request := c.client.Get().
Prefix("proxy").
Namespace(c.ns). Namespace(c.ns).
Resource("services"). Resource("services").
SubResource("proxy").
Name(net.JoinSchemeNamePort(scheme, name, port)). Name(net.JoinSchemeNamePort(scheme, name, port)).
Suffix(path) Suffix(path)
for k, v := range params { for k, v := range params {

2
pkg/kubectl/cmd/top_test.go
View File

@ -35,7 +35,7 @@ import (
) )
const ( const (
baseHeapsterServiceAddress = "/api/v1/proxy/namespaces/kube-system/services/http:heapster:" baseHeapsterServiceAddress = "/api/v1/namespaces/kube-system/services/http:heapster:/proxy"
baseMetricsAddress = baseHeapsterServiceAddress + "/apis/metrics" baseMetricsAddress = baseHeapsterServiceAddress + "/apis/metrics"
metricsApiVersion = "v1alpha1" metricsApiVersion = "v1alpha1"
) )

2
pkg/metrics/generic_metrics.go
View File

@ -100,9 +100,9 @@ func parseMetrics(data string, output *Metrics) error {
func (g *MetricsGrabber) getMetricsFromPod(podName string, namespace string, port int) (string, error) { func (g *MetricsGrabber) getMetricsFromPod(podName string, namespace string, port int) (string, error) {
rawOutput, err := g.client.Core().RESTClient().Get(). rawOutput, err := g.client.Core().RESTClient().Get().
Prefix("proxy").
Namespace(namespace). Namespace(namespace).
Resource("pods"). Resource("pods").
SubResource("proxy").
Name(fmt.Sprintf("%v:%v", podName, port)). Name(fmt.Sprintf("%v:%v", podName, port)).
Suffix("metrics"). Suffix("metrics").
Do().Raw() Do().Raw()

2
pkg/metrics/kubelet_metrics.go
View File

@ -66,8 +66,8 @@ func (g *MetricsGrabber) getMetricsFromNode(nodeName string, kubeletPort int) (s
var rawOutput []byte var rawOutput []byte
go func() { go func() {
rawOutput, err = g.client.Core().RESTClient().Get(). rawOutput, err = g.client.Core().RESTClient().Get().
Prefix("proxy").
Resource("nodes"). Resource("nodes").
SubResource("proxy").
Name(fmt.Sprintf("%v:%v", nodeName, kubeletPort)). Name(fmt.Sprintf("%v:%v", nodeName, kubeletPort)).
Suffix("metrics"). Suffix("metrics").
Do().Raw() Do().Raw()

2
pkg/routes/ui.go
View File

@ -22,7 +22,7 @@ import (
"k8s.io/apiserver/pkg/server/mux" "k8s.io/apiserver/pkg/server/mux"
) )
const dashboardPath = "/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard" const dashboardPath = "/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy"
// UIRediect redirects /ui to the kube-ui proxy path. // UIRediect redirects /ui to the kube-ui proxy path.
type UIRedirect struct{} type UIRedirect struct{}

2
plugin/pkg/admission/initialresources/data_source.go
View File

@ -25,7 +25,7 @@ import (
) )
var ( var (
influxdbHost = flag.String("ir-influxdb-host", "localhost:8080/api/v1/proxy/namespaces/kube-system/services/monitoring-influxdb:api", "Address of InfluxDB which contains metrics required by InitialResources") influxdbHost = flag.String("ir-influxdb-host", "localhost:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:api/proxy", "Address of InfluxDB which contains metrics required by InitialResources")
user = flag.String("ir-user", "root", "User used for connecting to InfluxDB") user = flag.String("ir-user", "root", "User used for connecting to InfluxDB")
// TODO: figure out how to better pass password here // TODO: figure out how to better pass password here
password = flag.String("ir-password", "root", "Password used for connecting to InfluxDB") password = flag.String("ir-password", "root", "Password used for connecting to InfluxDB")

5
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
View File

@ -140,9 +140,10 @@ func init() {
rbac.NewRule("get", "update").Groups(extensionsGroup).Resources("replicationcontrollers/scale").RuleOrDie(), rbac.NewRule("get", "update").Groups(extensionsGroup).Resources("replicationcontrollers/scale").RuleOrDie(),
rbac.NewRule("get", "update").Groups(extensionsGroup).Resources("deployments/scale", "replicasets/scale").RuleOrDie(), rbac.NewRule("get", "update").Groups(extensionsGroup).Resources("deployments/scale", "replicasets/scale").RuleOrDie(),
rbac.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(), rbac.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
// TODO: fix MetricsClient to no longer require root proxy access // TODO: Remove the root /proxy permission in 1.7; MetricsClient no longer requires root proxy access as of 1.6 (fixed in https://github.com/kubernetes/kubernetes/pull/39636)
// TODO: restrict this to the appropriate namespace
rbac.NewRule("proxy").Groups(legacyGroup).Resources("services").Names("https:heapster:", "http:heapster:").RuleOrDie(), rbac.NewRule("proxy").Groups(legacyGroup).Resources("services").Names("https:heapster:", "http:heapster:").RuleOrDie(),
// TODO: restrict this to the appropriate namespace
rbac.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
eventsRule(), eventsRule(),
}, },
}) })

9
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml vendored
View File

@ -419,6 +419,15 @@ items:
- services - services
verbs: verbs:
- proxy - proxy
- apiGroups:
- ""
resourceNames:
- 'http:heapster:'
- 'https:heapster:'
resources:
- services/proxy
verbs:
- get
- apiGroups: - apiGroups:
- "" - ""
resources: resources:

4
test/e2e/framework/kubelet_stats.go
View File

@ -284,7 +284,7 @@ func getContainerInfo(c clientset.Interface, nodeName string, req *kubeletstats.
if err != nil { if err != nil {
return nil, err return nil, err
} }
subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery()) subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -407,7 +407,7 @@ func getOneTimeResourceUsageOnNode(
} }
func getNodeStatsSummary(c clientset.Interface, nodeName string) (*stats.Summary, error) { func getNodeStatsSummary(c clientset.Interface, nodeName string) (*stats.Summary, error) {
subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery()) subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
if err != nil { if err != nil {
return nil, err return nil, err
} }

33
test/e2e/framework/metrics_util.go
View File

@ -327,6 +327,11 @@ func getSchedulingLatency(c clientset.Interface) (SchedulingLatency, error) {
nodes, err := c.Core().Nodes().List(metav1.ListOptions{}) nodes, err := c.Core().Nodes().List(metav1.ListOptions{})
ExpectNoError(err) ExpectNoError(err)
subResourceProxyAvailable, err := ServerVersionGTE(SubResourcePodProxyVersion, c.Discovery())
if err != nil {
return result, err
}
var data string var data string
var masterRegistered = false var masterRegistered = false
for _, node := range nodes.Items { for _, node := range nodes.Items {
@ -338,14 +343,26 @@ func getSchedulingLatency(c clientset.Interface) (SchedulingLatency, error) {
ctx, cancel := context.WithTimeout(context.Background(), SingleCallTimeout) ctx, cancel := context.WithTimeout(context.Background(), SingleCallTimeout)
defer cancel() defer cancel()
rawData, err := c.Core().RESTClient().Get(). var rawData []byte
Context(ctx). if subResourceProxyAvailable {
Prefix("proxy"). rawData, err = c.Core().RESTClient().Get().
Namespace(metav1.NamespaceSystem). Context(ctx).
Resource("pods"). Namespace(metav1.NamespaceSystem).
Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)). Resource("pods").
Suffix("metrics"). Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)).
Do().Raw() SubResource("proxy").
Suffix("metrics").
Do().Raw()
} else {
rawData, err = c.Core().RESTClient().Get().
Context(ctx).
Prefix("proxy").
Namespace(metav1.NamespaceSystem).
SubResource("pods").
Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)).
Suffix("metrics").
Do().Raw()
}
ExpectNoError(err) ExpectNoError(err)
data = string(rawData) data = string(rawData)

6
test/e2e/framework/util.go
View File

@ -234,10 +234,10 @@ func GetPauseImageNameForHostArch() string {
// TODO(ihmccreery): remove once we don't care about v1.0 anymore, (tentatively // TODO(ihmccreery): remove once we don't care about v1.0 anymore, (tentatively
// in v1.3). // in v1.3).
var SubResourcePodProxyVersion = utilversion.MustParseSemantic("v1.1.0") var SubResourcePodProxyVersion = utilversion.MustParseSemantic("v1.1.0")
var subResourceServiceAndNodeProxyVersion = utilversion.MustParseSemantic("v1.2.0") var SubResourceServiceAndNodeProxyVersion = utilversion.MustParseSemantic("v1.2.0")
func GetServicesProxyRequest(c clientset.Interface, request *restclient.Request) (*restclient.Request, error) { func GetServicesProxyRequest(c clientset.Interface, request *restclient.Request) (*restclient.Request, error) {
subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery()) subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -4809,7 +4809,7 @@ const proxyTimeout = 2 * time.Minute
func NodeProxyRequest(c clientset.Interface, node, endpoint string) (restclient.Result, error) { func NodeProxyRequest(c clientset.Interface, node, endpoint string) (restclient.Result, error) {
// proxy tends to hang in some cases when Node is not ready. Add an artificial timeout for this call. // proxy tends to hang in some cases when Node is not ready. Add an artificial timeout for this call.
// This will leak a goroutine if proxy hangs. #22165 // This will leak a goroutine if proxy hangs. #22165
subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery()) subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
if err != nil { if err != nil {
return restclient.Result{}, err return restclient.Result{}, err
} }

43
test/e2e/monitoring.go
View File

@ -63,21 +63,42 @@ var (
// Query sends a command to the server and returns the Response // Query sends a command to the server and returns the Response
func Query(c clientset.Interface, query string) (*influxdb.Response, error) { func Query(c clientset.Interface, query string) (*influxdb.Response, error) {
subResourceProxyAvailable, err := framework.ServerVersionGTE(framework.SubResourceServiceAndNodeProxyVersion, c.Discovery())
if err != nil {
return nil, err
}
ctx, cancel := context.WithTimeout(context.Background(), framework.SingleCallTimeout) ctx, cancel := context.WithTimeout(context.Background(), framework.SingleCallTimeout)
defer cancel() defer cancel()
result, err := c.Core().RESTClient().Get(). var result []byte
Prefix("proxy"). if subResourceProxyAvailable {
Namespace("kube-system"). result, err = c.Core().RESTClient().Get().
Resource("services"). Context(ctx).
Name(influxdbService+":api"). Namespace("kube-system").
Suffix("query"). Resource("services").
Param("q", query). Name(influxdbService+":api").
Param("db", influxdbDatabaseName). SubResource("proxy").
Param("epoch", "s"). Suffix("query").
Do(). Param("q", query).
Raw() Param("db", influxdbDatabaseName).
Param("epoch", "s").
Do().
Raw()
} else {
result, err = c.Core().RESTClient().Get().
Context(ctx).
Prefix("proxy").
Namespace("kube-system").
Resource("services").
Name(influxdbService+":api").
Suffix("query").
Param("q", query).
Param("db", influxdbDatabaseName).
Param("epoch", "s").
Do().
Raw()
}
if err != nil { if err != nil {
if ctx.Err() != nil { if ctx.Err() != nil {