diff --git a/pkg/client/clientset_generated/clientset/typed/core/v1/service_expansion.go b/pkg/client/clientset_generated/clientset/typed/core/v1/service_expansion.go
index d2bb531d765..4937fd1a394 100644
--- a/pkg/client/clientset_generated/clientset/typed/core/v1/service_expansion.go
+++ b/pkg/client/clientset_generated/clientset/typed/core/v1/service_expansion.go
@@ -29,9 +29,9 @@ type ServiceExpansion interface {
 // ProxyGet returns a response of the service by calling it through the proxy.
 func (c *services) ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper {
 request := c.client.Get().
- Prefix("proxy").
 Namespace(c.ns).
 Resource("services").
+ SubResource("proxy").
 Name(net.JoinSchemeNamePort(scheme, name, port)).
 Suffix(path)
 for k, v := range params {
diff --git a/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/service_expansion.go b/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/service_expansion.go
index 85d2c7207db..247d0682bdf 100644
--- a/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/service_expansion.go
+++ b/pkg/client/clientset_generated/internalclientset/typed/core/internalversion/service_expansion.go
@@ -29,9 +29,9 @@ type ServiceExpansion interface {
 // ProxyGet returns a response of the service by calling it through the proxy.
 func (c *services) ProxyGet(scheme, name, port, path string, params map[string]string) restclient.ResponseWrapper {
 request := c.client.Get().
- Prefix("proxy").
 Namespace(c.ns).
 Resource("services").
+ SubResource("proxy").
 Name(net.JoinSchemeNamePort(scheme, name, port)).
 Suffix(path)
 for k, v := range params {
diff --git a/pkg/kubectl/cmd/top_test.go b/pkg/kubectl/cmd/top_test.go
index 9541a8805dc..8d27d7e2f9c 100644
--- a/pkg/kubectl/cmd/top_test.go
+++ b/pkg/kubectl/cmd/top_test.go
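Review bot: The doc comment on `ProxyGet` (this hunk and the identical one in the internalclientset copy of service_expansion.go) no longer describes the request it builds, and the difference matters for authorization: the call now addresses the `services/proxy` subresource, which the bootstrap policy change in this same commit authorizes as `get` on `services/proxy` rather than the `proxy` verb on `services`. I would make it `// ProxyGet returns a response of the service by calling it through the services/proxy subresource; the caller needs "get" on services/proxy.` The same switch is made without a server-version fallback in getMetricsFromPod (pkg/metrics/generic_metrics.go) and getMetricsFromNode (pkg/metrics/kubelet_metrics.go), whereas the e2e helpers gate on ServerVersionGTE, so it is worth a comment there saying the legacy prefix path is intentionally dropped. All three function bodies continue outside their hunks.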
@@ -35,7 +35,7 @@ import (
 )
 const (
- baseHeapsterServiceAddress = "/api/v1/proxy/namespaces/kube-system/services/http:heapster:"
+ baseHeapsterServiceAddress = "/api/v1/namespaces/kube-system/services/http:heapster:/proxy"
 baseMetricsAddress = baseHeapsterServiceAddress + "/apis/metrics"
 metricsApiVersion = "v1alpha1"
 )
diff --git a/pkg/metrics/generic_metrics.go b/pkg/metrics/generic_metrics.go
index f17629a0613..3a8251886a6 100644
--- a/pkg/metrics/generic_metrics.go
+++ b/pkg/metrics/generic_metrics.go
@@ -100,9 +100,9 @@ func parseMetrics(data string, output *Metrics) error {
 func (g *MetricsGrabber) getMetricsFromPod(podName string, namespace string, port int) (string, error) {
 rawOutput, err := g.client.Core().RESTClient().Get().
- Prefix("proxy").
 Namespace(namespace).
 Resource("pods").
+ SubResource("proxy").
 Name(fmt.Sprintf("%v:%v", podName, port)).
 Suffix("metrics").
 Do().Raw()
diff --git a/pkg/metrics/kubelet_metrics.go b/pkg/metrics/kubelet_metrics.go
index 2f1b9525cb9..0e6267b513a 100644
--- a/pkg/metrics/kubelet_metrics.go
+++ b/pkg/metrics/kubelet_metrics.go
@@ -66,8 +66,8 @@ func (g *MetricsGrabber) getMetricsFromNode(nodeName string, kubeletPort int) (s
 var rawOutput []byte
 go func() {
 rawOutput, err = g.client.Core().RESTClient().Get().
- Prefix("proxy").
 Resource("nodes").
+ SubResource("proxy").
 Name(fmt.Sprintf("%v:%v", nodeName, kubeletPort)).
 Suffix("metrics").
 Do().Raw()
diff --git a/pkg/routes/ui.go b/pkg/routes/ui.go
index 0f8e3164c2b..0d4b85e06c6 100644
--- a/pkg/routes/ui.go
+++ b/pkg/routes/ui.go
@@ -22,7 +22,7 @@ import (
 "k8s.io/apiserver/pkg/server/mux"
 )
-const dashboardPath = "/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard"
+const dashboardPath = "/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy"
 // UIRediect redirects /ui to the kube-ui proxy path.
 type UIRedirect struct{}
diff --git a/plugin/pkg/admission/initialresources/data_source.go b/plugin/pkg/admission/initialresources/data_source.go
index 5fd6c118fb1..0d366c18c4c 100644
--- a/plugin/pkg/admission/initialresources/data_source.go
+++ b/plugin/pkg/admission/initialresources/data_source.go
@@ -25,7 +25,7 @@ import (
 )
 var (
- influxdbHost = flag.String("ir-influxdb-host", "localhost:8080/api/v1/proxy/namespaces/kube-system/services/monitoring-influxdb:api", "Address of InfluxDB which contains metrics required by InitialResources")
+ influxdbHost = flag.String("ir-influxdb-host", "localhost:8080/api/v1/namespaces/kube-system/services/monitoring-influxdb:api/proxy", "Address of InfluxDB which contains metrics required by InitialResources")
 user = flag.String("ir-user", "root", "User used for connecting to InfluxDB")
 // TODO: figure out how to better pass password here
 password = flag.String("ir-password", "root", "Password used for connecting to InfluxDB")
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index f488cb4f0a5..f214bf48e5c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -140,9 +140,10 @@ func init() {
 rbac.NewRule("get", "update").Groups(extensionsGroup).Resources("replicationcontrollers/scale").RuleOrDie(),
 rbac.NewRule("get", "update").Groups(extensionsGroup).Resources("deployments/scale", "replicasets/scale").RuleOrDie(),
 rbac.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
- // TODO: fix MetricsClient to no longer require root proxy access
- // TODO: restrict this to the appropriate namespace
+ // TODO: Remove the root /proxy permission in 1.7; MetricsClient no longer requires root proxy access as of 1.6 (fixed in https://github.com/kubernetes/kubernetes/pull/39636)
 rbac.NewRule("proxy").Groups(legacyGroup).Resources("services").Names("https:heapster:", "http:heapster:").RuleOrDie(),
+ // TODO: restrict this to the appropriate namespace
+ rbac.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
 eventsRule(),
 },
 })
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 901ea67108a..ed720ca59b2 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -419,6 +419,15 @@ items:
 - services
 verbs:
 - proxy
+ - apiGroups:
+ - ""
+ resourceNames:
+ - 'http:heapster:'
+ - 'https:heapster:'
+ resources:
+ - services/proxy
+ verbs:
+ - get
 - apiGroups:
 - ""
 resources:
diff --git a/test/e2e/framework/kubelet_stats.go b/test/e2e/framework/kubelet_stats.go
index 04571ef8072..ba5810b9231 100644
--- a/test/e2e/framework/kubelet_stats.go
+++ b/test/e2e/framework/kubelet_stats.go
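Review bot: The new `services/proxy` rule in controller_policy.go is scoped only by resourceNames, so until the TODO above it is done the grant presumably covers a service called heapster in any namespace, and the retained `proxy` rule above it has the same reach. The TODO would be more actionable if it named the target, e.g. `// TODO: restrict this to kube-system via a namespaced role; resourceNames alone match a heapster service in every namespace` (kube-system is inferred from the heapster address used in top_test.go in this commit). It would also help to note that, as far as I know, resourceNames are compared literally against the `scheme:name:port` segment of the request, which is why both `http:heapster:` and `https:heapster:` are listed and why a request naming a port would not match. The enclosing `func init()` starts and ends outside the hunk.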
@@ -284,7 +284,7 @@ func getContainerInfo(c clientset.Interface, nodeName string, req *kubeletstats.
 if err != nil {
 return nil, err
 }
- subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery())
+ subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
 if err != nil {
 return nil, err
 }
@@ -407,7 +407,7 @@ func getOneTimeResourceUsageOnNode(
 }
 func getNodeStatsSummary(c clientset.Interface, nodeName string) (*stats.Summary, error) {
- subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery())
+ subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
 if err != nil {
 return nil, err
 }
diff --git a/test/e2e/framework/metrics_util.go b/test/e2e/framework/metrics_util.go
index 9b94bdcb663..35ac6164315 100644
--- a/test/e2e/framework/metrics_util.go
+++ b/test/e2e/framework/metrics_util.go
@@ -327,6 +327,11 @@ func getSchedulingLatency(c clientset.Interface) (SchedulingLatency, error) {
 nodes, err := c.Core().Nodes().List(metav1.ListOptions{})
 ExpectNoError(err)
+ subResourceProxyAvailable, err := ServerVersionGTE(SubResourcePodProxyVersion, c.Discovery())
+ if err != nil {
+ return result, err
+ }
+
 var data string
 var masterRegistered = false
 for _, node := range nodes.Items {
@@ -338,14 +343,26 @@ func getSchedulingLatency(c clientset.Interface) (SchedulingLatency, error) {
 ctx, cancel := context.WithTimeout(context.Background(), SingleCallTimeout)
 defer cancel()
- rawData, err := c.Core().RESTClient().Get().
- Context(ctx).
- Prefix("proxy").
- Namespace(metav1.NamespaceSystem).
- Resource("pods").
- Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)).
- Suffix("metrics").
- Do().Raw()
+ var rawData []byte
+ if subResourceProxyAvailable {
+ rawData, err = c.Core().RESTClient().Get().
+ Context(ctx).
+ Namespace(metav1.NamespaceSystem).
+ Resource("pods").
+ Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)).
+ SubResource("proxy").
+ Suffix("metrics").
+ Do().Raw()
+ } else {
+ rawData, err = c.Core().RESTClient().Get().
+ Context(ctx).
+ Prefix("proxy").
+ Namespace(metav1.NamespaceSystem).
+ SubResource("pods").
+ Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)).
+ Suffix("metrics").
+ Do().Raw()
+ }
 ExpectNoError(err)
 data = string(rawData)
diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go
index fd9f5237b81..a390be8d167 100644
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
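Review bot: The fallback branch of getSchedulingLatency (test/e2e/framework/metrics_util.go) calls `SubResource("pods").` where the lines it replaces had `Resource("pods").`, so the legacy `Prefix("proxy")` request is built with no resource set and `pods` in the subresource position, and it presumably no longer addresses the scheduler pod on servers older than SubResourcePodProxyVersion. The line in the `else` branch should stay `Resource("pods").` as in the removed code. The two branches otherwise differ only in `Prefix("proxy")` versus `SubResource("proxy")`, so building the shared part of the chain once and adding only that one call per branch would make this kind of slip harder. The function body begins and continues outside this hunk.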
@@ -234,10 +234,10 @@ func GetPauseImageNameForHostArch() string {
 // TODO(ihmccreery): remove once we don't care about v1.0 anymore, (tentatively
 // in v1.3).
 var SubResourcePodProxyVersion = utilversion.MustParseSemantic("v1.1.0")
-var subResourceServiceAndNodeProxyVersion = utilversion.MustParseSemantic("v1.2.0")
+var SubResourceServiceAndNodeProxyVersion = utilversion.MustParseSemantic("v1.2.0")
 func GetServicesProxyRequest(c clientset.Interface, request *restclient.Request) (*restclient.Request, error) {
- subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery())
+ subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
 if err != nil {
 return nil, err
 }
@@ -4809,7 +4809,7 @@ const proxyTimeout = 2 * time.Minute
 func NodeProxyRequest(c clientset.Interface, node, endpoint string) (restclient.Result, error) {
 // proxy tends to hang in some cases when Node is not ready. Add an artificial timeout for this call.
 // This will leak a goroutine if proxy hangs. #22165
- subResourceProxyAvailable, err := ServerVersionGTE(subResourceServiceAndNodeProxyVersion, c.Discovery())
+ subResourceProxyAvailable, err := ServerVersionGTE(SubResourceServiceAndNodeProxyVersion, c.Discovery())
 if err != nil {
 return restclient.Result{}, err
 }
diff --git a/test/e2e/monitoring.go b/test/e2e/monitoring.go
index 0d0f2c9710d..d3d7426df0b 100644
--- a/test/e2e/monitoring.go
+++ b/test/e2e/monitoring.go
@@ -63,21 +63,42 @@ var (
 // Query sends a command to the server and returns the Response
 func Query(c clientset.Interface, query string) (*influxdb.Response, error) {
+ subResourceProxyAvailable, err := framework.ServerVersionGTE(framework.SubResourceServiceAndNodeProxyVersion, c.Discovery())
+ if err != nil {
+ return nil, err
+ }
 ctx, cancel := context.WithTimeout(context.Background(), framework.SingleCallTimeout)
 defer cancel()
- result, err := c.Core().RESTClient().Get().
- Prefix("proxy").
- Namespace("kube-system").
- Resource("services").
- Name(influxdbService+":api").
- Suffix("query").
- Param("q", query).
- Param("db", influxdbDatabaseName).
- Param("epoch", "s").
- Do().
- Raw()
+ var result []byte
+ if subResourceProxyAvailable {
+ result, err = c.Core().RESTClient().Get().
+ Context(ctx).
+ Namespace("kube-system").
+ Resource("services").
+ Name(influxdbService+":api").
+ SubResource("proxy").
+ Suffix("query").
+ Param("q", query).
+ Param("db", influxdbDatabaseName).
+ Param("epoch", "s").
+ Do().
+ Raw()
+ } else {
+ result, err = c.Core().RESTClient().Get().
+ Context(ctx).
+ Prefix("proxy").
+ Namespace("kube-system").
+ Resource("services").
+ Name(influxdbService+":api").
+ Suffix("query").
+ Param("q", query).
+ Param("db", influxdbDatabaseName).
+ Param("epoch", "s").
+ Do().
+ Raw()
+ }
 if err != nil {
 if ctx.Err() != nil {