github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-10-22 06:59:03 +00:00
Code Issues Projects Releases Wiki Activity

Refactor RBAC authorizer entry points

Browse Source 
This change refactors various RBAC authorizer functions to be more
flexible in their inputs.  This makes it easier to reuse the various
components that make up the authorizer.

Signed-off-by: Monis Khan <mkhan@redhat.com>
This commit is contained in:
Monis Khan
2017-08-15 16:32:51 -04:00
parent d2cf96d6ef
commit 8e7893e541
5 changed files with 46 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/kubeapiserver/authorizer/BUILD
View File

@@ -20,16 +20,13 @@ go_library(
name = "go_default_library",
srcs = ["config.go"],
deps = [
"//pkg/apis/rbac:go_default_library",
"//pkg/auth/authorizer/abac:go_default_library",
"//pkg/auth/nodeidentifier:go_default_library",
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
"//pkg/client/listers/rbac/internalversion:go_default_library",
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
"//plugin/pkg/auth/authorizer/node:go_default_library",
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
"//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/union:go_default_library",

43
pkg/kubeapiserver/authorizer/config.go
View File

@@ -21,16 +21,13 @@ import (
"fmt"
"time"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/union"
"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
rbacapi "k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
@@ -57,38 +54,6 @@ type AuthorizationConfig struct {
InformerFactory informers.SharedInformerFactory
}
type roleGetter struct {
lister rbaclisters.RoleLister
}
func (g *roleGetter) GetRole(namespace, name string) (*rbacapi.Role, error) {
return g.lister.Roles(namespace).Get(name)
}
type roleBindingLister struct {
lister rbaclisters.RoleBindingLister
}
func (l *roleBindingLister) ListRoleBindings(namespace string) ([]*rbacapi.RoleBinding, error) {
return l.lister.RoleBindings(namespace).List(labels.Everything())
}
type clusterRoleGetter struct {
lister rbaclisters.ClusterRoleLister
}
func (g *clusterRoleGetter) GetClusterRole(name string) (*rbacapi.ClusterRole, error) {
return g.lister.Get(name)
}
type clusterRoleBindingLister struct {
lister rbaclisters.ClusterRoleBindingLister
}
func (l *clusterRoleBindingLister) ListClusterRoleBindings() ([]*rbacapi.ClusterRoleBinding, error) {
return l.lister.List(labels.Everything())
}
// New returns the right sort of union of multiple authorizer.Authorizer objects
// based on the authorizationMode or an error.
func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
@@ -141,10 +106,10 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
authorizers = append(authorizers, webhookAuthorizer)
case modes.ModeRBAC:
rbacAuthorizer := rbac.New(
&roleGetter{config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
&roleBindingLister{config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
&clusterRoleGetter{config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
&clusterRoleBindingLister{config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
&rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
&rbac.RoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
&rbac.ClusterRoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
&rbac.ClusterRoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
)
authorizers = append(authorizers, rbacAuthorizer)
default: