From b4eaf625a05afc72963c71c4c37bb8a4fff1f9dd Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Tue, 12 Jul 2016 13:44:36 -0700
Subject: [PATCH] pkg/genericapiserver/options: don't import pkg/apiserver

Refactor the authorization options for the API server so pkg/apiserver isn't directly imported by the options package.
---
 cmd/kube-apiserver/app/server.go | 23 ++--
 .../cmd/federation-apiserver/app/server.go | 48 +++++++-
 .../authorizer}/authz.go | 39 ++-----
 .../authorizer}/authz_test.go | 20 ++--
 .../options/server_run_options.go | 108 ++++++++++--------
 test/integration/auth/auth_test.go | 4 +-
 test/integration/framework/master_utils.go | 4 +-
 7 files changed, 150 insertions(+), 96 deletions(-)
 rename pkg/{apiserver => genericapiserver/authorizer}/authz.go (86%)
 rename pkg/{apiserver => genericapiserver/authorizer}/authz_test.go (85%)

diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index 504b37aa1ad..a87e6500cd4 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -46,6 +46,8 @@ import (
 "k8s.io/kubernetes/pkg/controller/framework/informers"
 serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
 "k8s.io/kubernetes/pkg/genericapiserver"
+ "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+ genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
 kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
 "k8s.io/kubernetes/pkg/master"
@@ -225,7 +227,14 @@ func Run(s *options.APIServer) error {
 return false
 }
 
- if modeEnabled(apiserver.ModeRBAC) {
+ authorizationConfig := authorizer.AuthorizationConfig{
+ PolicyFile: s.AuthorizationPolicyFile,
+ WebhookConfigFile: s.AuthorizationWebhookConfigFile,
+ WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL,
+ WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
+ RBACSuperUser: s.AuthorizationRBACSuperUser,
+ }
+ if modeEnabled(genericoptions.ModeRBAC) {
 mustGetRESTOptions := func(resource string) generic.RESTOptions {
 config, err := storageFactory.NewConfig(rbac.Resource(resource))
 if err != nil {
@@ -235,13 +244,13 @@ func Run(s *options.APIServer) error {
 }
 
 // For initial bootstrapping go directly to etcd to avoid privillege escalation check.
- s.AuthorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
- s.AuthorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
- s.AuthorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
- s.AuthorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
+ authorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
+ authorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
+ authorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
+ authorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
 }
 
- authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, s.AuthorizationConfig)
+ authorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
 if err != nil {
 glog.Fatalf("Invalid Authorization Config: %v", err)
 }
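Review bot: `authorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)` declares a local named after the package it calls, so from this statement on `authorizer` is the variable and any later use of the package inside Run would fail to compile; the identical line appears in the federation hunk at +123. Naming the local differently, `authz, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)` with `genericConfig.Authorizer = authz` in the following hunk, or aliasing the import the way auth_test.go in this same commit does (`apiserverauthorizer`), removes the shadowing. Run starts and ends outside this hunk.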
@@ -265,7 +274,7 @@ func Run(s *options.APIServer) error {
 genericConfig.Authenticator = authenticator
 genericConfig.SupportsBasicAuth = len(s.BasicAuthFile) > 0
 genericConfig.Authorizer = authorizer
- genericConfig.AuthorizerRBACSuperUser = s.AuthorizationConfig.RBACSuperUser
+ genericConfig.AuthorizerRBACSuperUser = s.AuthorizationRBACSuperUser
 genericConfig.AdmissionControl = admissionController
 genericConfig.APIResourceConfigSource = storageFactory.APIResourceConfigSource
 genericConfig.MasterServiceNamespace = s.MasterServiceNamespace
diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go
index e5b53206584..0b161eeba67 100644
--- a/federation/cmd/federation-apiserver/app/server.go
+++ b/federation/cmd/federation-apiserver/app/server.go
@@ -31,13 +31,23 @@ import (
 "k8s.io/kubernetes/pkg/admission"
 "k8s.io/kubernetes/pkg/api"
 "k8s.io/kubernetes/pkg/api/unversioned"
- "k8s.io/kubernetes/pkg/apiserver"
+ "k8s.io/kubernetes/pkg/apis/rbac"
 "k8s.io/kubernetes/pkg/apiserver/authenticator"
 "k8s.io/kubernetes/pkg/controller/framework/informers"
 "k8s.io/kubernetes/pkg/genericapiserver"
+ "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+ genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
 "k8s.io/kubernetes/pkg/registry/cachesize"
+ "k8s.io/kubernetes/pkg/registry/clusterrole"
+ clusterroleetcd "k8s.io/kubernetes/pkg/registry/clusterrole/etcd"
+ "k8s.io/kubernetes/pkg/registry/clusterrolebinding"
+ clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/clusterrolebinding/etcd"
 "k8s.io/kubernetes/pkg/registry/generic"
+ "k8s.io/kubernetes/pkg/registry/role"
+ roleetcd "k8s.io/kubernetes/pkg/registry/role/etcd"
+ "k8s.io/kubernetes/pkg/registry/rolebinding"
+ rolebindingetcd "k8s.io/kubernetes/pkg/registry/rolebinding/etcd"
 "k8s.io/kubernetes/pkg/util/wait"
 )
 
@@ -113,7 +123,40 @@ func Run(s *options.ServerRunOptions) error {
 }
 
 authorizationModeNames := strings.Split(s.AuthorizationMode, ",")
- authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, s.AuthorizationConfig)
+
+ modeEnabled := func(mode string) bool {
+ for _, m := range authorizationModeNames {
+ if m == mode {
+ return true
+ }
+ }
+ return false
+ }
+
+ authorizationConfig := authorizer.AuthorizationConfig{
+ PolicyFile: s.AuthorizationPolicyFile,
+ WebhookConfigFile: s.AuthorizationWebhookConfigFile,
+ WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL,
+ WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
+ RBACSuperUser: s.AuthorizationRBACSuperUser,
+ }
+ if modeEnabled(genericoptions.ModeRBAC) {
+ mustGetRESTOptions := func(resource string) generic.RESTOptions {
+ config, err := storageFactory.NewConfig(rbac.Resource(resource))
+ if err != nil {
+ glog.Fatalf("Unable to get %s storage: %v", resource, err)
+ }
+ return generic.RESTOptions{StorageConfig: config, Decorator: generic.UndecoratedStorage, ResourcePrefix: storageFactory.ResourcePrefix(rbac.Resource(resource))}
+ }
+
+ // For initial bootstrapping go directly to etcd to avoid privillege escalation check.
+ authorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
+ authorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
+ authorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
+ authorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
+ }
+
+ authorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
 if err != nil {
 glog.Fatalf("Invalid Authorization Config: %v", err)
 }
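Review bot: The RBAC bootstrap block added here (modeEnabled, mustGetRESTOptions and the four registry assignments) is a verbatim copy of the one in cmd/kube-apiserver/app/server.go; since both servers now depend on the new pkg/genericapiserver/authorizer package, a shared constructor there that takes the storage factory and returns the populated AuthorizationConfig would keep the two from drifting. This hunk also does more than the refactor the description states: the federation apiserver now populates the RBAC role and binding registries for ModeRBAC, which the old single-line call does not appear to have done, and through the hunk at +179 it starts honouring --authorization-rbac-super-user, a user who per the flag's own help text skips RBAC authorization and role-binding escalation checks. That behaviour change deserves a sentence in the commit message so operators of federation know the flag is now effective there. Run starts and ends outside this hunk.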
@@ -136,6 +179,7 @@ func Run(s *options.ServerRunOptions) error {
 genericConfig.Authenticator = authenticator
 genericConfig.SupportsBasicAuth = len(s.BasicAuthFile) > 0
 genericConfig.Authorizer = authorizer
+ genericConfig.AuthorizerRBACSuperUser = s.AuthorizationRBACSuperUser
 genericConfig.AdmissionControl = admissionController
 genericConfig.APIResourceConfigSource = storageFactory.APIResourceConfigSource
 genericConfig.MasterServiceNamespace = s.MasterServiceNamespace
diff --git a/pkg/apiserver/authz.go b/pkg/genericapiserver/authorizer/authz.go
similarity index 86%
rename from pkg/apiserver/authz.go
rename to pkg/genericapiserver/authorizer/authz.go
index d65eebbd2d8..e20480220ca 100644
--- a/pkg/apiserver/authz.go
+++ b/pkg/genericapiserver/authorizer/authz.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2014 The Kubernetes Authors.
+Copyright 2016 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package apiserver
+package authorizer
 
 import (
 "errors"
@@ -24,6 +24,7 @@ import (
 "k8s.io/kubernetes/pkg/auth/authorizer"
 "k8s.io/kubernetes/pkg/auth/authorizer/abac"
 "k8s.io/kubernetes/pkg/auth/authorizer/union"
+ "k8s.io/kubernetes/pkg/genericapiserver/options"
 "k8s.io/kubernetes/pkg/registry/clusterrole"
 "k8s.io/kubernetes/pkg/registry/clusterrolebinding"
 "k8s.io/kubernetes/pkg/registry/role"
@@ -32,11 +33,6 @@ import (
 "k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
 )
 
-// Attributes implements authorizer.Attributes interface.
-type Attributes struct {
- // TODO: add fields and methods when authorizer.Attributes is completed.
-}
-
 // alwaysAllowAuthorizer is an implementation of authorizer.Attributes
 // which always says yes to an authorization request.
 // It is useful in tests and when using kubernetes in an open manner.
@@ -76,17 +72,6 @@ func NewAlwaysFailAuthorizer() authorizer.Authorizer {
 return new(alwaysFailAuthorizer)
 }
 
-const (
- ModeAlwaysAllow string = "AlwaysAllow"
- ModeAlwaysDeny string = "AlwaysDeny"
- ModeABAC string = "ABAC"
- ModeWebhook string = "Webhook"
- ModeRBAC string = "RBAC"
-)
-
-// Keep this list in sync with constant list above.
-var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC, ModeWebhook, ModeRBAC}
-
 type AuthorizationConfig struct {
 // Options for ModeABAC
 
@@ -115,7 +100,7 @@ type AuthorizationConfig struct {
 
 // NewAuthorizerFromAuthorizationConfig returns the right sort of union of multiple authorizer.Authorizer objects
 // based on the authorizationMode or an error. authorizationMode should be a comma separated values
-// of AuthorizationModeChoices.
+// of options.AuthorizationModeChoices.
 func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config AuthorizationConfig) (authorizer.Authorizer, error) {
 
 if len(authorizationModes) == 0 {
@@ -131,11 +116,11 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
 }
 // Keep cases in sync with constant list above.
 switch authorizationMode {
- case ModeAlwaysAllow:
+ case options.ModeAlwaysAllow:
 authorizers = append(authorizers, NewAlwaysAllowAuthorizer())
- case ModeAlwaysDeny:
+ case options.ModeAlwaysDeny:
 authorizers = append(authorizers, NewAlwaysDenyAuthorizer())
- case ModeABAC:
+ case options.ModeABAC:
 if config.PolicyFile == "" {
 return nil, errors.New("ABAC's authorization policy file not passed")
 }
@@ -144,7 +129,7 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
 return nil, err
 }
 authorizers = append(authorizers, abacAuthorizer)
- case ModeWebhook:
+ case options.ModeWebhook:
 if config.WebhookConfigFile == "" {
 return nil, errors.New("Webhook's configuration file not passed")
 }
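Review bot: The context line `// Keep cases in sync with constant list above.` in the hunk at -131 is left stale by this commit: the Mode* constants it refers to are moved out of this file into pkg/genericapiserver/options (hunk at -76), so there is no list above any more. Suggest `// Keep cases in sync with options.AuthorizationModeChoices.` so the cross-reference survives the move; the doc comment on NewAuthorizerFromAuthorizationConfig in the hunk at -115 was updated the same way. NewAuthorizerFromAuthorizationConfig continues past these hunks.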
@@ -155,7 +140,7 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
 return nil, err
 }
 authorizers = append(authorizers, webhookAuthorizer)
- case ModeRBAC:
+ case options.ModeRBAC:
 rbacAuthorizer := rbac.New(
 config.RBACRoleRegistry,
 config.RBACRoleBindingRegistry,
@@ -170,13 +155,13 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
 authorizerMap[authorizationMode] = true
 }
 
- if !authorizerMap[ModeABAC] && config.PolicyFile != "" {
+ if !authorizerMap[options.ModeABAC] && config.PolicyFile != "" {
 return nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC")
 }
- if !authorizerMap[ModeWebhook] && config.WebhookConfigFile != "" {
+ if !authorizerMap[options.ModeWebhook] && config.WebhookConfigFile != "" {
 return nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook")
 }
- if !authorizerMap[ModeRBAC] && config.RBACSuperUser != "" {
+ if !authorizerMap[options.ModeRBAC] && config.RBACSuperUser != "" {
 return nil, errors.New("Cannot specify --authorization-rbac-super-user without mode RBAC")
 }
 
diff --git a/pkg/apiserver/authz_test.go b/pkg/genericapiserver/authorizer/authz_test.go
similarity index 85%
rename from pkg/apiserver/authz_test.go
rename to pkg/genericapiserver/authorizer/authz_test.go
index 09b50d1fe92..50d4b7bacdb 100644
--- a/pkg/apiserver/authz_test.go
+++ b/pkg/genericapiserver/authorizer/authz_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2014 The Kubernetes Authors.
+Copyright 2016 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,10 +14,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package apiserver
+package authorizer
 
 import (
 "testing"
+
+ "k8s.io/kubernetes/pkg/genericapiserver/options"
 )
 
 // NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer
@@ -42,7 +44,7 @@ func TestNewAlwaysDenyAuthorizer(t *testing.T) {
 // validates that errors are returned only when proper.
 func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
 
- examplePolicyFile := "../auth/authorizer/abac/example_policy_file.jsonl"
+ examplePolicyFile := "../../auth/authorizer/abac/example_policy_file.jsonl"
 
 tests := []struct {
 modes []string
@@ -59,25 +61,25 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
 {
 // ModeAlwaysAllow and ModeAlwaysDeny should return without authorizationPolicyFile
 // but error if one is given
- modes: []string{ModeAlwaysAllow, ModeAlwaysDeny},
+ modes: []string{options.ModeAlwaysAllow, options.ModeAlwaysDeny},
 msg: "returned an error for valid config",
 },
 {
 // ModeABAC requires a policy file
- modes: []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC},
+ modes: []string{options.ModeAlwaysAllow, options.ModeAlwaysDeny, options.ModeABAC},
 wantErr: true,
 msg: "specifying ABAC with no policy file should return an error",
 },
 {
 // ModeABAC should not error if a valid policy path is provided
- modes: []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC},
+ modes: []string{options.ModeAlwaysAllow, options.ModeAlwaysDeny, options.ModeABAC},
 config: AuthorizationConfig{PolicyFile: examplePolicyFile},
 msg: "errored while using a valid policy file",
 },
 {
 // Authorization Policy file cannot be used without ModeABAC
- modes: []string{ModeAlwaysAllow, ModeAlwaysDeny},
+ modes: []string{options.ModeAlwaysAllow, options.ModeAlwaysDeny},
 config: AuthorizationConfig{PolicyFile: examplePolicyFile},
 wantErr: true,
 msg: "should have errored when Authorization Policy File is used without ModeABAC",
@@ -91,13 +93,13 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
 },
 {
 // ModeWebhook requires at minimum a target.
- modes: []string{ModeWebhook},
+ modes: []string{options.ModeWebhook},
 wantErr: true,
 msg: "should have errored when config was empty with ModeWebhook",
 },
 {
 // Cannot provide webhook flags without ModeWebhook
- modes: []string{ModeAlwaysAllow},
+ modes: []string{options.ModeAlwaysAllow},
 config: AuthorizationConfig{WebhookConfigFile: "authz_webhook_config.yml"},
 wantErr: true,
 msg: "should have errored when Webhook config file is used without ModeWebhook",
diff --git a/pkg/genericapiserver/options/server_run_options.go b/pkg/genericapiserver/options/server_run_options.go
index d3ab2f29d76..0dfc227989f 100644
--- a/pkg/genericapiserver/options/server_run_options.go
+++ b/pkg/genericapiserver/options/server_run_options.go
@@ -27,7 +27,6 @@ import (
 "k8s.io/kubernetes/pkg/api/unversioned"
 apiutil "k8s.io/kubernetes/pkg/api/util"
 "k8s.io/kubernetes/pkg/apimachinery/registered"
- "k8s.io/kubernetes/pkg/apiserver"
 clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 "k8s.io/kubernetes/pkg/client/restclient"
 "k8s.io/kubernetes/pkg/storage/storagebackend"
@@ -47,6 +46,16 @@ const (
 
 var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768}
 
+const (
+ ModeAlwaysAllow string = "AlwaysAllow"
+ ModeAlwaysDeny string = "AlwaysDeny"
+ ModeABAC string = "ABAC"
+ ModeWebhook string = "Webhook"
+ ModeRBAC string = "RBAC"
+)
+
+var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC, ModeWebhook, ModeRBAC}
+
 // ServerRunOptions contains the options while running a generic api server.
 type ServerRunOptions struct {
 APIGroupPrefix string
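Review bot: The table in this hunk checks that a webhook config file without ModeWebhook is rejected, and the hunk at -59 does the same for the ABAC policy file, but no visible case covers the third validation in NewAuthorizerFromAuthorizationConfig, `config.RBACSuperUser != ""` without options.ModeRBAC. If the remainder of the table (outside this hunk) has no such case, add `{modes: []string{options.ModeAlwaysAllow}, config: AuthorizationConfig{RBACSuperUser: "admin"}, wantErr: true, msg: "should have errored when RBAC super user is used without ModeRBAC"}` (sample value constructed). Because the super-user setting exempts a user from authorization checks, this is the validation most worth pinning against regression. The test function continues past the hunk.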
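Review bot: The exported ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC, ModeWebhook, ModeRBAC constants and AuthorizationModeChoices introduced in the hunk at -47 carry no doc comments, and the `// Keep this list in sync with constant list above.` note that accompanied the var in its old location (authz.go hunk at -76) was dropped in the move. Suggest a comment on the const block such as `// Authorization modes accepted by --authorization-mode; NewAuthorizerFromAuthorizationConfig in pkg/genericapiserver/authorizer switches on them.` and above the var `// AuthorizationModeChoices lists every mode in the const block above; keep the two in sync.` so the coupling between this package and the authorizer package is visible at both ends.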
@@ -54,17 +63,24 @@ type ServerRunOptions struct {
 AdmissionControl string
 AdmissionControlConfigFile string
 AdvertiseAddress net.IP
- AuthorizationConfig apiserver.AuthorizationConfig
- AuthorizationMode string
- BasicAuthFile string
- BindAddress net.IP
- CertDirectory string
- ClientCAFile string
- CloudConfigFile string
- CloudProvider string
- CorsAllowedOriginList []string
- DefaultStorageMediaType string
- DeleteCollectionWorkers int
+
+ // Authorization mode and associated flags.
+ AuthorizationMode string
+ AuthorizationPolicyFile string
+ AuthorizationWebhookConfigFile string
+ AuthorizationWebhookCacheAuthorizedTTL time.Duration
+ AuthorizationWebhookCacheUnauthorizedTTL time.Duration
+ AuthorizationRBACSuperUser string
+
+ BasicAuthFile string
+ BindAddress net.IP
+ CertDirectory string
+ ClientCAFile string
+ CloudConfigFile string
+ CloudProvider string
+ CorsAllowedOriginList []string
+ DefaultStorageMediaType string
+ DeleteCollectionWorkers int
 // Used to specify the storage version that should be used for the legacy v1 api group.
 DeprecatedStorageVersion string
 AuditLogPath string
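Review bot: The new `AuthorizationRBACSuperUser` field is the one option in this group whose value weakens enforcement rather than configuring it, yet it gets no comment beyond the shared `// Authorization mode and associated flags.` header; the flag help text in the hunk at -238 says it names a user who skips RBAC authorization and role-binding escalation checks. Suggest `// AuthorizationRBACSuperUser, if non-empty, names a user exempt from RBAC authorization and role-binding escalation checks (--authorization-rbac-super-user).` so a reader of the struct sees the implication without consulting the flag registration. The ServerRunOptions struct continues past the hunk.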
@@ -110,33 +126,31 @@ type ServerRunOptions struct {
 
 func NewServerRunOptions() *ServerRunOptions {
 return &ServerRunOptions{
- APIGroupPrefix: "/apis",
- APIPrefix: "/api",
- AdmissionControl: "AlwaysAdmit",
- AuthorizationMode: "AlwaysAllow",
- AuthorizationConfig: apiserver.AuthorizationConfig{
- WebhookCacheAuthorizedTTL: 5 * time.Minute,
- WebhookCacheUnauthorizedTTL: 30 * time.Second,
- },
- BindAddress: net.ParseIP("0.0.0.0"),
- CertDirectory: "/var/run/kubernetes",
- DefaultStorageMediaType: "application/json",
- DefaultStorageVersions: registered.AllPreferredGroupVersions(),
- DeleteCollectionWorkers: 1,
- EnableLogsSupport: true,
- EnableProfiling: true,
- EnableWatchCache: true,
- InsecureBindAddress: net.ParseIP("127.0.0.1"),
- InsecurePort: 8080,
- LongRunningRequestRE: defaultLongRunningRequestRE,
- MasterCount: 1,
- MasterServiceNamespace: api.NamespaceDefault,
- MaxRequestsInFlight: 400,
- MinRequestTimeout: 1800,
- RuntimeConfig: make(config.ConfigurationMap),
- SecurePort: 6443,
- ServiceNodePortRange: DefaultServiceNodePortRange,
- StorageVersions: registered.AllPreferredGroupVersions(),
+ APIGroupPrefix: "/apis",
+ APIPrefix: "/api",
+ AdmissionControl: "AlwaysAdmit",
+ AuthorizationMode: "AlwaysAllow",
+ AuthorizationWebhookCacheAuthorizedTTL: 5 * time.Minute,
+ AuthorizationWebhookCacheUnauthorizedTTL: 30 * time.Second,
+ BindAddress: net.ParseIP("0.0.0.0"),
+ CertDirectory: "/var/run/kubernetes",
+ DefaultStorageMediaType: "application/json",
+ DefaultStorageVersions: registered.AllPreferredGroupVersions(),
+ DeleteCollectionWorkers: 1,
+ EnableLogsSupport: true,
+ EnableProfiling: true,
+ EnableWatchCache: true,
+ InsecureBindAddress: net.ParseIP("127.0.0.1"),
+ InsecurePort: 8080,
+ LongRunningRequestRE: defaultLongRunningRequestRE,
+ MasterCount: 1,
+ MasterServiceNamespace: api.NamespaceDefault,
+ MaxRequestsInFlight: 400,
+ MinRequestTimeout: 1800,
+ RuntimeConfig: make(config.ConfigurationMap),
+ SecurePort: 6443,
+ ServiceNodePortRange: DefaultServiceNodePortRange,
+ StorageVersions: registered.AllPreferredGroupVersions(),
 }
 }
 
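Review bot: `AuthorizationMode: "AlwaysAllow",` repeats as a string literal a value that this commit now defines in the same package as `ModeAlwaysAllow` (hunk at -47); writing `AuthorizationMode: ModeAlwaysAllow,` ties the default to the choices list that AddUniversalFlags prints and lets the compiler catch a future rename. The literal was already there before the move, but the constant only became reachable from this file with this change. NewServerRunOptions is complete within the hunk.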
@@ -238,24 +252,24 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 
 fs.StringVar(&s.AuthorizationMode, "authorization-mode", s.AuthorizationMode, ""+
 "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+
- strings.Join(apiserver.AuthorizationModeChoices, ",")+".")
+ strings.Join(AuthorizationModeChoices, ",")+".")
 
- fs.StringVar(&s.AuthorizationConfig.PolicyFile, "authorization-policy-file", s.AuthorizationConfig.PolicyFile, ""+
+ fs.StringVar(&s.AuthorizationPolicyFile, "authorization-policy-file", s.AuthorizationPolicyFile, ""+
 "File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")
 
- fs.StringVar(&s.AuthorizationConfig.WebhookConfigFile, "authorization-webhook-config-file", s.AuthorizationConfig.WebhookConfigFile, ""+
+ fs.StringVar(&s.AuthorizationWebhookConfigFile, "authorization-webhook-config-file", s.AuthorizationWebhookConfigFile, ""+
 "File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "+
 "The API server will query the remote service to determine access on the API server's secure port.")
 
- fs.DurationVar(&s.AuthorizationConfig.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl",
- s.AuthorizationConfig.WebhookCacheAuthorizedTTL,
+ fs.DurationVar(&s.AuthorizationWebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl",
+ s.AuthorizationWebhookCacheAuthorizedTTL,
 "The duration to cache 'authorized' responses from the webhook authorizer. Default is 5m.")
 
- fs.DurationVar(&s.AuthorizationConfig.WebhookCacheUnauthorizedTTL,
- "authorization-webhook-cache-unauthorized-ttl", s.AuthorizationConfig.WebhookCacheUnauthorizedTTL,
+ fs.DurationVar(&s.AuthorizationWebhookCacheUnauthorizedTTL,
+ "authorization-webhook-cache-unauthorized-ttl", s.AuthorizationWebhookCacheUnauthorizedTTL,
 "The duration to cache 'unauthorized' responses from the webhook authorizer. Default is 30s.")
 
- fs.StringVar(&s.AuthorizationConfig.RBACSuperUser, "authorization-rbac-super-user", s.AuthorizationConfig.RBACSuperUser, ""+
+ fs.StringVar(&s.AuthorizationRBACSuperUser, "authorization-rbac-super-user", s.AuthorizationRBACSuperUser, ""+
 "If specified, a username which avoids RBAC authorization checks and role binding "+
 "privilege escalation checks, to be used with --authorization-mode=RBAC.")
 
diff --git a/test/integration/auth/auth_test.go b/test/integration/auth/auth_test.go
index 424d3bf7948..8cf6a9a9de9 100644
--- a/test/integration/auth/auth_test.go
+++ b/test/integration/auth/auth_test.go
@@ -41,13 +41,13 @@ import (
 authenticationv1beta1 "k8s.io/kubernetes/pkg/apis/authentication/v1beta1"
 "k8s.io/kubernetes/pkg/apis/autoscaling"
 "k8s.io/kubernetes/pkg/apis/extensions"
- "k8s.io/kubernetes/pkg/apiserver"
 "k8s.io/kubernetes/pkg/auth/authenticator"
 "k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
 "k8s.io/kubernetes/pkg/auth/authorizer"
 "k8s.io/kubernetes/pkg/auth/authorizer/abac"
 "k8s.io/kubernetes/pkg/auth/user"
 "k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api/v1"
+ apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 "k8s.io/kubernetes/pkg/serviceaccount"
 "k8s.io/kubernetes/plugin/pkg/admission/admit"
 "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/tokentest"
@@ -500,7 +500,7 @@ func getPreviousResourceVersionKey(url, id string) string {
 func TestAuthModeAlwaysDeny(t *testing.T) {
 // Set up a master
 masterConfig := framework.NewIntegrationTestMasterConfig()
- masterConfig.Authorizer = apiserver.NewAlwaysDenyAuthorizer()
+ masterConfig.Authorizer = apiserverauthorizer.NewAlwaysDenyAuthorizer()
 _, s := framework.RunAMaster(masterConfig)
 defer s.Close()
 
diff --git a/test/integration/framework/master_utils.go b/test/integration/framework/master_utils.go
index f0d832e5263..e66fe9d8836 100644
--- a/test/integration/framework/master_utils.go
+++ b/test/integration/framework/master_utils.go
@@ -37,7 +37,6 @@ import (
 "k8s.io/kubernetes/pkg/apis/extensions"
 "k8s.io/kubernetes/pkg/apis/policy"
 "k8s.io/kubernetes/pkg/apis/rbac"
- "k8s.io/kubernetes/pkg/apiserver"
 clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 "k8s.io/kubernetes/pkg/client/record"
 "k8s.io/kubernetes/pkg/client/restclient"
@@ -46,6 +45,7 @@ import (
 replicationcontroller "k8s.io/kubernetes/pkg/controller/replication"
 "k8s.io/kubernetes/pkg/fields"
 "k8s.io/kubernetes/pkg/genericapiserver"
+ "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 "k8s.io/kubernetes/pkg/kubectl"
 kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
 "k8s.io/kubernetes/pkg/master"
@@ -203,7 +203,7 @@ func NewMasterConfig() *master.Config {
 APIResourceConfigSource: master.DefaultAPIResourceConfigSource(),
 APIPrefix: "/api",
 APIGroupPrefix: "/apis",
- Authorizer: apiserver.NewAlwaysAllowAuthorizer(),
+ Authorizer: authorizer.NewAlwaysAllowAuthorizer(),
 AdmissionControl: admit.NewAlwaysAdmit(),
 Serializer: api.Codecs,
 EnableWatchCache: true,