github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

authentication webhook via network proxy

Browse Source
This commit is contained in:
Jefftree 2019-12-03 15:20:49 -08:00
parent a555825ab4
commit d318e52ffe
13 changed files with 53 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cmd/kube-apiserver/app/server.go
View File

@ -498,7 +498,7 @@ func buildGenericConfig(
} }
versionedInformers = clientgoinformers.NewSharedInformerFactory(clientgoExternalClient, 10*time.Minute) versionedInformers = clientgoinformers.NewSharedInformerFactory(clientgoExternalClient, 10*time.Minute)
genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, versionedInformers) genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, genericConfig, clientgoExternalClient, versionedInformers)
if err != nil { if err != nil {
lastErr = fmt.Errorf("invalid authentication config: %v", err) lastErr = fmt.Errorf("invalid authentication config: %v", err)
return return
@ -560,7 +560,7 @@ func buildGenericConfig(
} }
// BuildAuthenticator constructs the authenticator // BuildAuthenticator constructs the authenticator
func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, versionedInformer clientgoinformers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) { func BuildAuthenticator(s *options.ServerRunOptions, c *genericapiserver.Config, extclient clientgoclientset.Interface, versionedInformer clientgoinformers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
authenticatorConfig, err := s.Authentication.ToAuthenticationConfig() authenticatorConfig, err := s.Authentication.ToAuthenticationConfig()
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
@ -577,6 +577,10 @@ func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset
versionedInformer.Core().V1().Secrets().Lister().Secrets(v1.NamespaceSystem), versionedInformer.Core().V1().Secrets().Lister().Secrets(v1.NamespaceSystem),
) )
if c.EgressSelector != nil {
authenticatorConfig.EgressLookup = c.EgressSelector.Lookup
}
return authenticatorConfig.New() return authenticatorConfig.New()
} }

1
pkg/kubeapiserver/authenticator/BUILD
View File

@ -25,6 +25,7 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/token/union:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/token/union:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/egressselector:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library", "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library",
"//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library", "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library",

16
pkg/kubeapiserver/authenticator/config.go
View File

@ -34,6 +34,7 @@ import (
"k8s.io/apiserver/pkg/authentication/token/tokenfile" "k8s.io/apiserver/pkg/authentication/token/tokenfile"
tokenunion "k8s.io/apiserver/pkg/authentication/token/union" tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
"k8s.io/apiserver/pkg/server/dynamiccertificates" "k8s.io/apiserver/pkg/server/dynamiccertificates"
"k8s.io/apiserver/pkg/server/egressselector"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile" "k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile"
"k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth" "k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth"
@ -83,6 +84,9 @@ type Config struct {
// Generally this is the CA bundle file used to authenticate client certificates // Generally this is the CA bundle file used to authenticate client certificates
// If this value is nil, then mutual TLS is disabled. // If this value is nil, then mutual TLS is disabled.
ClientCAContentProvider dynamiccertificates.CAContentProvider ClientCAContentProvider dynamiccertificates.CAContentProvider
// Lookup will give us a dialer if the egress selector is configured for it
EgressLookup egressselector.Lookup
} }
// New returns an authenticator.Request or an error that supports the standard // New returns an authenticator.Request or an error that supports the standard
@ -179,10 +183,11 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er
tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, oidcAuth)) tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, oidcAuth))
} }
if len(config.WebhookTokenAuthnConfigFile) > 0 { if len(config.WebhookTokenAuthnConfigFile) > 0 {
webhookTokenAuth, err := newWebhookTokenAuthenticator(config.WebhookTokenAuthnConfigFile, config.WebhookTokenAuthnVersion, config.WebhookTokenAuthnCacheTTL, config.APIAudiences) webhookTokenAuth, err := newWebhookTokenAuthenticator(config)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
tokenAuthenticators = append(tokenAuthenticators, webhookTokenAuth) tokenAuthenticators = append(tokenAuthenticators, webhookTokenAuth)
} }
@ -305,8 +310,13 @@ func newServiceAccountAuthenticator(iss string, keyfiles []string, apiAudiences
return tokenAuthenticator, nil return tokenAuthenticator, nil
} }
func newWebhookTokenAuthenticator(webhookConfigFile string, version string, ttl time.Duration, implicitAuds authenticator.Audiences) (authenticator.Token, error) { func newWebhookTokenAuthenticator(config Config) (authenticator.Token, error) {
webhookTokenAuthenticator, err := webhook.New(webhookConfigFile, version, implicitAuds) webhookConfigFile := config.WebhookTokenAuthnConfigFile
version := config.WebhookTokenAuthnVersion
ttl := config.WebhookTokenAuthnCacheTTL
implicitAuds := config.APIAudiences
webhookTokenAuthenticator, err := webhook.New(webhookConfigFile, version, implicitAuds, config.EgressLookup)
if err != nil { if err != nil {
return nil, err return nil, err
} }

2
plugin/pkg/admission/imagepolicy/admission.go
View File

@ -261,7 +261,7 @@ func NewImagePolicyWebhook(configFile io.Reader) (*Plugin, error) {
return nil, err return nil, err
} }
gw, err := webhook.NewGenericWebhook(legacyscheme.Scheme, legacyscheme.Codecs, whConfig.KubeConfigFile, groupVersions, whConfig.RetryBackoff) gw, err := webhook.NewGenericWebhook(legacyscheme.Scheme, legacyscheme.Codecs, whConfig.KubeConfigFile, groupVersions, whConfig.RetryBackoff, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }

17
staging/src/k8s.io/apiserver/pkg/util/webhook/webhook.go
View File

@ -27,7 +27,9 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/apimachinery/pkg/util/net" "k8s.io/apimachinery/pkg/util/net"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/server/egressselector"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd" "k8s.io/client-go/tools/clientcmd"
) )
@ -61,11 +63,11 @@ func DefaultShouldRetry(err error) bool {
} }
// NewGenericWebhook creates a new GenericWebhook from the provided kubeconfig file. // NewGenericWebhook creates a new GenericWebhook from the provided kubeconfig file.
func NewGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFactory, kubeConfigFile string, groupVersions []schema.GroupVersion, initialBackoff time.Duration) (*GenericWebhook, error) { func NewGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFactory, kubeConfigFile string, groupVersions []schema.GroupVersion, initialBackoff time.Duration, egressLookup egressselector.Lookup) (*GenericWebhook, error) {
return newGenericWebhook(scheme, codecFactory, kubeConfigFile, groupVersions, initialBackoff, defaultRequestTimeout) return newGenericWebhook(scheme, codecFactory, kubeConfigFile, groupVersions, initialBackoff, defaultRequestTimeout, egressLookup)
} }
func newGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFactory, kubeConfigFile string, groupVersions []schema.GroupVersion, initialBackoff, requestTimeout time.Duration) (*GenericWebhook, error) { func newGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFactory, kubeConfigFile string, groupVersions []schema.GroupVersion, initialBackoff, requestTimeout time.Duration, egressLookup egressselector.Lookup) (*GenericWebhook, error) {
for _, groupVersion := range groupVersions { for _, groupVersion := range groupVersions {
if !scheme.IsVersionRegistered(groupVersion) { if !scheme.IsVersionRegistered(groupVersion) {
return nil, fmt.Errorf("webhook plugin requires enabling extension resource: %s", groupVersion) return nil, fmt.Errorf("webhook plugin requires enabling extension resource: %s", groupVersion)
@ -94,6 +96,15 @@ func newGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFact
codec := codecFactory.LegacyCodec(groupVersions...) codec := codecFactory.LegacyCodec(groupVersions...)
clientConfig.ContentConfig.NegotiatedSerializer = serializer.NegotiatedSerializerWrapper(runtime.SerializerInfo{Serializer: codec}) clientConfig.ContentConfig.NegotiatedSerializer = serializer.NegotiatedSerializerWrapper(runtime.SerializerInfo{Serializer: codec})
if egressLookup != nil {
networkContext := egressselector.Master.AsNetworkContext()
var egressDialer utilnet.DialFunc
egressDialer, err = egressLookup(networkContext)
if err != nil {
return nil, err
}
clientConfig.Dial = egressDialer
}
restClient, err := rest.UnversionedRESTClientFor(clientConfig) restClient, err := rest.UnversionedRESTClientFor(clientConfig)
if err != nil { if err != nil {

10
staging/src/k8s.io/apiserver/pkg/util/webhook/webhook_test.go
View File

@ -259,7 +259,7 @@ func TestKubeConfigFile(t *testing.T) {
if err == nil { if err == nil {
defer os.Remove(kubeConfigFile) defer os.Remove(kubeConfigFile)
_, err = NewGenericWebhook(runtime.NewScheme(), scheme.Codecs, kubeConfigFile, groupVersions, retryBackoff) _, err = NewGenericWebhook(runtime.NewScheme(), scheme.Codecs, kubeConfigFile, groupVersions, retryBackoff, nil)
} }
return err return err
@ -282,7 +282,7 @@ func TestKubeConfigFile(t *testing.T) {
// TestMissingKubeConfigFile ensures that a kube config path to a missing file is handled properly // TestMissingKubeConfigFile ensures that a kube config path to a missing file is handled properly
func TestMissingKubeConfigFile(t *testing.T) { func TestMissingKubeConfigFile(t *testing.T) {
kubeConfigPath := "/some/missing/path" kubeConfigPath := "/some/missing/path"
_, err := NewGenericWebhook(runtime.NewScheme(), scheme.Codecs, kubeConfigPath, groupVersions, retryBackoff) _, err := NewGenericWebhook(runtime.NewScheme(), scheme.Codecs, kubeConfigPath, groupVersions, retryBackoff, nil)
if err == nil { if err == nil {
t.Errorf("creating the webhook should had failed") t.Errorf("creating the webhook should had failed")
@ -394,7 +394,7 @@ func TestTLSConfig(t *testing.T) {
defer os.Remove(configFile) defer os.Remove(configFile)
wh, err := NewGenericWebhook(runtime.NewScheme(), scheme.Codecs, configFile, groupVersions, retryBackoff) wh, err := NewGenericWebhook(runtime.NewScheme(), scheme.Codecs, configFile, groupVersions, retryBackoff, nil)
if err == nil { if err == nil {
err = wh.RestClient.Get().Do(context.TODO()).Error() err = wh.RestClient.Get().Do(context.TODO()).Error()
@ -459,7 +459,7 @@ func TestRequestTimeout(t *testing.T) {
var requestTimeout = 10 * time.Millisecond var requestTimeout = 10 * time.Millisecond
wh, err := newGenericWebhook(runtime.NewScheme(), scheme.Codecs, configFile, groupVersions, retryBackoff, requestTimeout) wh, err := newGenericWebhook(runtime.NewScheme(), scheme.Codecs, configFile, groupVersions, retryBackoff, requestTimeout, nil)
if err != nil { if err != nil {
t.Fatalf("failed to create the webhook: %v", err) t.Fatalf("failed to create the webhook: %v", err)
} }
@ -545,7 +545,7 @@ func TestWithExponentialBackoff(t *testing.T) {
defer os.Remove(configFile) defer os.Remove(configFile)
wh, err := NewGenericWebhook(runtime.NewScheme(), scheme.Codecs, configFile, groupVersions, retryBackoff) wh, err := NewGenericWebhook(runtime.NewScheme(), scheme.Codecs, configFile, groupVersions, retryBackoff, nil)
if err != nil { if err != nil {
t.Fatalf("failed to create the webhook: %v", err) t.Fatalf("failed to create the webhook: %v", err)

2
staging/src/k8s.io/apiserver/plugin/pkg/audit/webhook/webhook.go
View File

@ -62,7 +62,7 @@ func retryOnError(err error) bool {
func loadWebhook(configFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration) (*webhook.GenericWebhook, error) { func loadWebhook(configFile string, groupVersion schema.GroupVersion, initialBackoff time.Duration) (*webhook.GenericWebhook, error) {
w, err := webhook.NewGenericWebhook(audit.Scheme, audit.Codecs, configFile, w, err := webhook.NewGenericWebhook(audit.Scheme, audit.Codecs, configFile,
[]schema.GroupVersion{groupVersion}, initialBackoff) []schema.GroupVersion{groupVersion}, initialBackoff, nil)
w.ShouldRetry = retryOnError w.ShouldRetry = retryOnError
return w, err return w, err
} }

1
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/BUILD
View File

@ -41,6 +41,7 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/egressselector:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/webhook:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/scheme:go_default_library", "//staging/src/k8s.io/client-go/kubernetes/scheme:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1:go_default_library", "//staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1:go_default_library",

11
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/webhook.go
View File

@ -30,6 +30,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/server/egressselector"
"k8s.io/apiserver/pkg/util/webhook" "k8s.io/apiserver/pkg/util/webhook"
"k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/kubernetes/scheme"
authenticationv1client "k8s.io/client-go/kubernetes/typed/authentication/v1" authenticationv1client "k8s.io/client-go/kubernetes/typed/authentication/v1"
@ -63,8 +64,8 @@ func NewFromInterface(tokenReview authenticationv1client.TokenReviewInterface, i
// file. It is recommend to wrap this authenticator with the token cache // file. It is recommend to wrap this authenticator with the token cache
// authenticator implemented in // authenticator implemented in
// k8s.io/apiserver/pkg/authentication/token/cache. // k8s.io/apiserver/pkg/authentication/token/cache.
func New(kubeConfigFile string, version string, implicitAuds authenticator.Audiences) (*WebhookTokenAuthenticator, error) { func New(kubeConfigFile string, version string, implicitAuds authenticator.Audiences, egressLookup egressselector.Lookup) (*WebhookTokenAuthenticator, error) {
tokenReview, err := tokenReviewInterfaceFromKubeconfig(kubeConfigFile, version) tokenReview, err := tokenReviewInterfaceFromKubeconfig(kubeConfigFile, version, egressLookup)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -153,7 +154,7 @@ func (w *WebhookTokenAuthenticator) AuthenticateToken(ctx context.Context, token
// tokenReviewInterfaceFromKubeconfig builds a client from the specified kubeconfig file, // tokenReviewInterfaceFromKubeconfig builds a client from the specified kubeconfig file,
// and returns a TokenReviewInterface that uses that client. Note that the client submits TokenReview // and returns a TokenReviewInterface that uses that client. Note that the client submits TokenReview
// requests to the exact path specified in the kubeconfig file, so arbitrary non-API servers can be targeted. // requests to the exact path specified in the kubeconfig file, so arbitrary non-API servers can be targeted.
func tokenReviewInterfaceFromKubeconfig(kubeConfigFile string, version string) (tokenReviewer, error) { func tokenReviewInterfaceFromKubeconfig(kubeConfigFile string, version string, egressLookup egressselector.Lookup) (tokenReviewer, error) {
localScheme := runtime.NewScheme() localScheme := runtime.NewScheme()
if err := scheme.AddToScheme(localScheme); err != nil { if err := scheme.AddToScheme(localScheme); err != nil {
return nil, err return nil, err
@ -165,7 +166,7 @@ func tokenReviewInterfaceFromKubeconfig(kubeConfigFile string, version string) (
if err := localScheme.SetVersionPriority(groupVersions...); err != nil { if err := localScheme.SetVersionPriority(groupVersions...); err != nil {
return nil, err return nil, err
} }
gw, err := webhook.NewGenericWebhook(localScheme, scheme.Codecs, kubeConfigFile, groupVersions, 0) gw, err := webhook.NewGenericWebhook(localScheme, scheme.Codecs, kubeConfigFile, groupVersions, 0, egressLookup)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -176,7 +177,7 @@ func tokenReviewInterfaceFromKubeconfig(kubeConfigFile string, version string) (
if err := localScheme.SetVersionPriority(groupVersions...); err != nil { if err := localScheme.SetVersionPriority(groupVersions...); err != nil {
return nil, err return nil, err
} }
gw, err := webhook.NewGenericWebhook(localScheme, scheme.Codecs, kubeConfigFile, groupVersions, 0) gw, err := webhook.NewGenericWebhook(localScheme, scheme.Codecs, kubeConfigFile, groupVersions, 0, egressLookup)
if err != nil { if err != nil {
return nil, err return nil, err
} }

2
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/webhook_v1_test.go
View File

@ -193,7 +193,7 @@ func newV1TokenAuthenticator(serverURL string, clientCert, clientKey, ca []byte,
return nil, err return nil, err
} }
c, err := tokenReviewInterfaceFromKubeconfig(p, "v1") c, err := tokenReviewInterfaceFromKubeconfig(p, "v1", nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }

2
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/webhook_v1beta1_test.go
View File

@ -195,7 +195,7 @@ func newV1beta1TokenAuthenticator(serverURL string, clientCert, clientKey, ca []
return nil, err return nil, err
} }
c, err := tokenReviewInterfaceFromKubeconfig(p, "v1beta1") c, err := tokenReviewInterfaceFromKubeconfig(p, "v1beta1", nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }

4
staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
View File

@ -257,7 +257,7 @@ func subjectAccessReviewInterfaceFromKubeconfig(kubeConfigFile string, version s
if err := localScheme.SetVersionPriority(groupVersions...); err != nil { if err := localScheme.SetVersionPriority(groupVersions...); err != nil {
return nil, err return nil, err
} }
gw, err := webhook.NewGenericWebhook(localScheme, scheme.Codecs, kubeConfigFile, groupVersions, 0) gw, err := webhook.NewGenericWebhook(localScheme, scheme.Codecs, kubeConfigFile, groupVersions, 0, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -268,7 +268,7 @@ func subjectAccessReviewInterfaceFromKubeconfig(kubeConfigFile string, version s
if err := localScheme.SetVersionPriority(groupVersions...); err != nil { if err := localScheme.SetVersionPriority(groupVersions...); err != nil {
return nil, err return nil, err
} }
gw, err := webhook.NewGenericWebhook(localScheme, scheme.Codecs, kubeConfigFile, groupVersions, 0) gw, err := webhook.NewGenericWebhook(localScheme, scheme.Codecs, kubeConfigFile, groupVersions, 0, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }

2
test/integration/auth/auth_test.go
View File

@ -85,7 +85,7 @@ func getTestWebhookTokenAuth(serverURL string) (authenticator.Request, error) {
if err := json.NewEncoder(kubecfgFile).Encode(config); err != nil { if err := json.NewEncoder(kubecfgFile).Encode(config); err != nil {
return nil, err return nil, err
} }
webhookTokenAuth, err := webhook.New(kubecfgFile.Name(), "v1beta1", nil) webhookTokenAuth, err := webhook.New(kubecfgFile.Name(), "v1beta1", nil, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }