From 01008911687c27b15aee4766a70786684bdb3f01 Mon Sep 17 00:00:00 2001
From: immutablet
Date: Thu, 31 May 2018 14:00:42 -0700
Subject: [PATCH] Add support for linux abstract socket namespace.

---
 .../pkg/storage/value/encrypt/envelope/BUILD | 10 --------
 .../value/encrypt/envelope/grpc_service.go | 10 ++++++++
 .../envelope/grpc_service_unix_test.go | 25 +++++--------------
 test/integration/master/BUILD | 10 --------
 test/integration/master/kms_plugin_mock.go | 17 +------------
 .../master/kms_transformation_test.go | 2 +-
 6 files changed, 18 insertions(+), 56 deletions(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/BUILD b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/BUILD
index 89a822b70af..81403bdc6bf 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/BUILD
@@ -36,52 +36,42 @@ go_test(
 ] + select({
 "@io_bazel_rules_go//go/platform:android": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:darwin": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:dragonfly": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:freebsd": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:linux": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:nacl": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:netbsd": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:openbsd": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:plan9": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:solaris": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "//conditions:default": [],
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service.go
index a94e26f227a..c9295ed1fad 100644
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service.go
@@ -22,6 +22,7 @@ import (
 "fmt"
 "net"
 "net/url"
+ "strings"
 "time"
 
 "github.com/golang/glog"
@@ -93,6 +94,15 @@ func parseEndpoint(endpoint string) (string, error) {
 if u.Scheme != unixProtocol {
 return "", fmt.Errorf("unsupported scheme %q for remote KMS provider", u.Scheme)
 }
+
+ // Linux abstract namespace socket - no physical file required
+ // Warning: Linux Abstract sockets have not concept of ACL (unlike traditional file based sockets).
+ // However, Linux Abstract sockets are subject to Linux networking namespace, so will only be accessible to
+ // containers within the same pod (unless host networking is used).
+ if strings.HasPrefix(u.Path, "/@") {
+ return strings.TrimPrefix(u.Path, "/"), nil
+ }
+
 return u.Path, nil
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_unix_test.go b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_unix_test.go
index f1b1cdef103..6e0aa12bad6 100644
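Review bot: The new comment block in parseEndpoint understates the risk of the `/@` branch: an abstract-namespace socket has no filesystem permission check, so every process in the same network namespace can connect to the name and can also bind it before the plugin does (the apiserver would then be talking to whoever holds the name), and the "only accessible to containers within the same pod" claim does not hold in the common deployment where kube-apiserver runs with host networking, which the comment only mentions in parentheses. It also has a typo ("have not concept of ACL"); I would replace the Warning/However/containers lines with `// Warning: abstract sockets have no file permissions/ACL: any process in the same network namespace can connect to` / `// the name or bind it first. Isolation to the pod holds only when the apiserver does not use host networking; otherwise` / `// prefer a path-based socket in a directory with restricted permissions.`. Separately, as far as I know Go's net package treats a leading '@' as an abstract name only on Linux, so on other platforms this branch yields a relative path literally named `@...`; either gate the branch on `runtime.GOOS == "linux"` (runtime is not imported in this hunk) or state the Linux-only behaviour in the comment. parseEndpoint's signature and the url.Parse call that produces `u` are outside the hunk.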
--- a/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_unix_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/grpc_service_unix_test.go
@@ -24,19 +24,16 @@ import (
 "encoding/base64"
 "fmt"
 "net"
- "os"
 "reflect"
 "testing"
 
 "google.golang.org/grpc"
 
- "golang.org/x/sys/unix"
-
 kmsapi "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1"
 )
 
 const (
- sockFile = "/tmp/kms-provider.sock"
+ endpoint = "unix:///@kms-socket.sock"
 )
 
 // Normal encryption and decryption operation.
@@ -49,7 +46,6 @@ func TestGRPCService(t *testing.T) {
 defer stopTestKMSProvider(server)
 
 // Create the gRPC client service.
- endpoint := unixProtocol + "://" + sockFile
 service, err := NewGRPCService(endpoint)
 if err != nil {
 t.Fatalf("failed to create envelope service, error: %v", err)
@@ -95,8 +91,8 @@ func TestInvalidConfiguration(t *testing.T) {
 }{
 {"emptyConfiguration", kmsapiVersion, ""},
 {"invalidScheme", kmsapiVersion, "tcp://localhost:6060"},
- {"unavailableEndpoint", kmsapiVersion, unixProtocol + "://" + sockFile + ".nonexist"},
- {"invalidAPIVersion", "invalidVersion", unixProtocol + "://" + sockFile},
+ {"unavailableEndpoint", kmsapiVersion, unixProtocol + ":///kms-socket.nonexist"},
+ {"invalidAPIVersion", "invalidVersion", endpoint},
 }
 
 for _, testCase := range invalidConfigs {
@@ -114,10 +110,10 @@ func TestInvalidConfiguration(t *testing.T) {
 
 // Start the gRPC server that listens on unix socket.
 func startTestKMSProvider() (*grpc.Server, error) {
- if err := cleanSockFile(); err != nil {
- return nil, err
+ sockFile, err := parseEndpoint(endpoint)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse endpoint:%q, error %v", endpoint, err)
 }
-
 listener, err := net.Listen(unixProtocol, sockFile)
 if err != nil {
 return nil, fmt.Errorf("failed to listen on the unix socket, error: %v", err)
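Review bot: startTestKMSProvider now listens on the abstract name that parseEndpoint derives from `endpoint`, but nothing restricts this file to Linux — a `_unix` filename suffix is not a GOOS build constraint — and abstract-namespace semantics are Linux-only, so on other platforms the listener would presumably create an ordinary file named `@kms-socket.sock` in the working directory, and the unlink that the removed cleanSockFile performed is no longer there to remove it between runs; the same applies to NewBase64Plugin in test/integration/master/kms_plugin_mock.go. Adding `// +build linux` at the top of both files (outside this hunk) would make the dependency explicit, or the old cleanup could be kept for non-abstract names. The new error message is also missing a space after the colon and should read `return nil, fmt.Errorf("failed to parse endpoint %q, error: %v", endpoint, err)`. startTestKMSProvider continues past the end of the hunk.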
@@ -131,15 +127,6 @@ func startTestKMSProvider() (*grpc.Server, error) {
 
 func stopTestKMSProvider(server *grpc.Server) {
 server.Stop()
- cleanSockFile()
-}
-
-func cleanSockFile() error {
- err := unix.Unlink(sockFile)
- if err != nil && !os.IsNotExist(err) {
- return fmt.Errorf("failed to delete the socket file, error: %v", err)
- }
- return nil
 }
 
 // Fake gRPC sever for remote KMS provider.
diff --git a/test/integration/master/BUILD b/test/integration/master/BUILD
index 2c7a2b77c55..96fe7cd49d4 100644
--- a/test/integration/master/BUILD
+++ b/test/integration/master/BUILD
@@ -131,61 +131,51 @@ go_library(
 "@io_bazel_rules_go//go/platform:android": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:darwin": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:dragonfly": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:freebsd": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:linux": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:nacl": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:netbsd": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:openbsd": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:plan9": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:solaris": [
 "//staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/v1beta1:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
- "//vendor/golang.org/x/sys/unix:go_default_library",
 "//vendor/google.golang.org/grpc:go_default_library",
 ],
 "//conditions:default": [],
diff --git a/test/integration/master/kms_plugin_mock.go b/test/integration/master/kms_plugin_mock.go
index 49e6401f522..ad7c73f049c 100644
--- a/test/integration/master/kms_plugin_mock.go
+++ b/test/integration/master/kms_plugin_mock.go
@@ -23,9 +23,7 @@ import (
 "encoding/base64"
 "fmt"
 "net"
- "os"
 
- "golang.org/x/sys/unix"
 "google.golang.org/grpc"
 
 "github.com/golang/glog"
@@ -34,7 +32,7 @@ import (
 
 const (
 kmsAPIVersion = "v1beta1"
- sockFile = "/tmp/kms-provider.sock"
+ sockFile = "@kms-provider.sock"
 unixProtocol = "unix"
 )
 
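Review bot: `sockFile` in the const block now holds a Linux abstract-namespace socket name rather than a file path, and nothing at the declaration says so; the name is misleading for the next reader and the value must match the `endpoint: unix:///@kms-provider.sock` string in test/integration/master/kms_transformation_test.go, which is not stated anywhere. I would document it above the constant: `// sockFile is a Linux abstract-namespace socket name (leading '@'): no filesystem entry is created and no unlink is needed,` / `// but any process in the same network namespace can reach it. Keep in sync with the endpoint in kms_transformation_test.go.` and consider renaming it to `sockName`. The const block's closing `)` is the last line of the hunk; the listener that uses the constant is in NewBase64Plugin further down.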
@@ -49,10 +47,6 @@ type base64Plugin struct {
 }
 
 func NewBase64Plugin() (*base64Plugin, error) {
- if err := cleanSockFile(); err != nil {
- return nil, err
- }
-
 listener, err := net.Listen(unixProtocol, sockFile)
 if err != nil {
 return nil, fmt.Errorf("failed to listen on the unix socket, error: %v", err)
@@ -75,7 +69,6 @@ func NewBase64Plugin() (*base64Plugin, error) {
 func (s *base64Plugin) cleanUp() {
 s.grpcServer.Stop()
 s.listener.Close()
- cleanSockFile()
 }
 
 var testProviderAPIVersion = kmsAPIVersion
@@ -105,11 +98,3 @@ func (s *base64Plugin) Encrypt(ctx context.Context, request *kmsapi.EncryptReque
 
 return &kmsapi.EncryptResponse{Cipher: buf}, nil
 }
-
-func cleanSockFile() error {
- err := unix.Unlink(sockFile)
- if err != nil && !os.IsNotExist(err) {
- return fmt.Errorf("failed to delete the socket file, error: %v", err)
- }
- return nil
-}
diff --git a/test/integration/master/kms_transformation_test.go b/test/integration/master/kms_transformation_test.go
index f3cfa201c2c..4a08d0408bf 100644
--- a/test/integration/master/kms_transformation_test.go
+++ b/test/integration/master/kms_transformation_test.go
@@ -48,7 +48,7 @@ resources:
 - kms:
 name: grpc-kms-provider
 cachesize: 1000
- endpoint: unix:///tmp/kms-provider.sock
+ endpoint: unix:///@kms-provider.sock
 `
 )
 