github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-21 10:51:29 +00:00
Code Issues Projects Releases Wiki Activity

cloud-controller-manager: enable delegated authz/authn if secure port is enabled

Browse Source
This commit is contained in:
Dr. Stefan Schimanski 2018-08-07 11:11:36 +02:00
parent f35c3f1836
commit b25a551ed8
2 changed files with 46 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cmd/cloud-controller-manager/app/options/options.go
View File

@ -95,11 +95,15 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
BindPort: int(componentConfig.KubeCloudShared.Port), BindPort: int(componentConfig.KubeCloudShared.Port),
BindNetwork: "tcp", BindNetwork: "tcp",
}, },
Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions() Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions() Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
NodeStatusUpdateFrequency: componentConfig.NodeStatusUpdateFrequency, NodeStatusUpdateFrequency: componentConfig.NodeStatusUpdateFrequency,
} }
s.Authentication.RemoteKubeConfigFileOptional = true
s.Authorization.RemoteKubeConfigFileOptional = true
s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
s.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes" s.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
s.SecureServing.ServerCert.PairName = "cloud-controller-manager" s.SecureServing.ServerCert.PairName = "cloud-controller-manager"
s.SecureServing.BindPort = ports.CloudControllerManagerPort s.SecureServing.BindPort = ports.CloudControllerManagerPort
@ -175,12 +179,14 @@ func (o *CloudControllerManagerOptions) ApplyTo(c *cloudcontrollerconfig.Config,
if err = o.InsecureServing.ApplyTo(&c.InsecureServing); err != nil { if err = o.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
return err return err
} }
if o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil {
if err = o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil { if err = o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
return err return err
} }
if err = o.Authorization.ApplyTo(&c.Authorization); err != nil { if err = o.Authorization.ApplyTo(&c.Authorization); err != nil {
return err return err
} }
}
c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig) c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig)
if err != nil { if err != nil {

34
cmd/cloud-controller-manager/app/options/options_test.go
View File

@ -71,7 +71,7 @@ func TestDefaultFlags(t *testing.T) {
ConcurrentServiceSyncs: 1, ConcurrentServiceSyncs: 1,
}, },
SecureServing: &apiserveroptions.SecureServingOptions{ SecureServing: &apiserveroptions.SecureServingOptions{
BindPort: 0, BindPort: 10258,
BindAddress: net.ParseIP("0.0.0.0"), BindAddress: net.ParseIP("0.0.0.0"),
ServerCert: apiserveroptions.GeneratableKeyCert{ ServerCert: apiserveroptions.GeneratableKeyCert{
CertDirectory: "/var/run/kubernetes", CertDirectory: "/var/run/kubernetes",
@ -84,6 +84,22 @@ func TestDefaultFlags(t *testing.T) {
BindPort: int(10253), BindPort: int(10253),
BindNetwork: "tcp", BindNetwork: "tcp",
}, },
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
CacheTTL: 10 * time.Second,
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
UsernameHeaders: []string{"x-remote-user"},
GroupHeaders: []string{"x-remote-group"},
ExtraHeaderPrefixes: []string{"x-remote-extra-"},
},
RemoteKubeConfigFileOptional: true,
},
Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
},
Kubeconfig: "", Kubeconfig: "",
Master: "", Master: "",
NodeStatusUpdateFrequency: metav1.Duration{Duration: 5 * time.Minute}, NodeStatusUpdateFrequency: metav1.Duration{Duration: 5 * time.Minute},
@ -183,6 +199,22 @@ func TestAddFlags(t *testing.T) {
BindPort: int(10000), BindPort: int(10000),
BindNetwork: "tcp", BindNetwork: "tcp",
}, },
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
CacheTTL: 10 * time.Second,
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
UsernameHeaders: []string{"x-remote-user"},
GroupHeaders: []string{"x-remote-group"},
ExtraHeaderPrefixes: []string{"x-remote-extra-"},
},
RemoteKubeConfigFileOptional: true,
},
Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
},
Kubeconfig: "/kubeconfig", Kubeconfig: "/kubeconfig",
Master: "192.168.4.20", Master: "192.168.4.20",
NodeStatusUpdateFrequency: metav1.Duration{Duration: 10 * time.Minute}, NodeStatusUpdateFrequency: metav1.Duration{Duration: 10 * time.Minute},