diff --git a/pkg/kubeapiserver/BUILD b/pkg/kubeapiserver/BUILD index ef4c4b1e22d..2e2b390e1f6 100644 --- a/pkg/kubeapiserver/BUILD +++ b/pkg/kubeapiserver/BUILD @@ -50,6 +50,7 @@ filegroup( "//pkg/kubeapiserver/authorizer:all-srcs", "//pkg/kubeapiserver/options:all-srcs", "//pkg/kubeapiserver/server:all-srcs", + "//pkg/kubeapiserver/util:all-srcs", ], tags = ["automanaged"], ) diff --git a/pkg/kubeapiserver/admission/BUILD b/pkg/kubeapiserver/admission/BUILD index acae1bc2c1d..fb9a80a8e92 100644 --- a/pkg/kubeapiserver/admission/BUILD +++ b/pkg/kubeapiserver/admission/BUILD @@ -12,7 +12,6 @@ go_library( "//pkg/client/clientset_generated/internalclientset:go_default_library", "//pkg/quota/v1:go_default_library", "//pkg/quota/v1/install:go_default_library", - "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/meta:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library", diff --git a/pkg/kubeapiserver/admission/config.go b/pkg/kubeapiserver/admission/config.go index a6cd41724dc..bf88b932dba 100644 --- a/pkg/kubeapiserver/admission/config.go +++ b/pkg/kubeapiserver/admission/config.go @@ -23,7 +23,6 @@ import ( "github.com/golang/glog" - "k8s.io/api/core/v1" utilwait "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/admission" webhookinit "k8s.io/apiserver/pkg/admission/plugin/webhook/initializer" @@ -38,41 +37,15 @@ import ( quotainstall "k8s.io/kubernetes/pkg/quota/v1/install" ) +// AdmissionConfig holds the configuration for initializing the admission plugins type AdmissionConfig struct { CloudConfigFile string LoopbackClientConfig *rest.Config ExternalInformers externalinformers.SharedInformerFactory } -func (c *AdmissionConfig) buildAuthnInfoResolver(proxyTransport *http.Transport) webhook.AuthenticationInfoResolverWrapper { - webhookAuthResolverWrapper := func(delegate webhook.AuthenticationInfoResolver) webhook.AuthenticationInfoResolver { - return &webhook.AuthenticationInfoResolverDelegator{ - ClientConfigForFunc: func(server string) (*rest.Config, error) { - if server == "kubernetes.default.svc" { - return c.LoopbackClientConfig, nil - } - return delegate.ClientConfigFor(server) - }, - ClientConfigForServiceFunc: func(serviceName, serviceNamespace string) (*rest.Config, error) { - if serviceName == "kubernetes" && serviceNamespace == v1.NamespaceDefault { - return c.LoopbackClientConfig, nil - } - ret, err := delegate.ClientConfigForService(serviceName, serviceNamespace) - if err != nil { - return nil, err - } - if proxyTransport != nil && proxyTransport.DialContext != nil { - ret.Dial = proxyTransport.DialContext - } - return ret, err - }, - } - } - return webhookAuthResolverWrapper -} - func (c *AdmissionConfig) New(proxyTransport *http.Transport, serviceResolver webhook.ServiceResolver) ([]admission.PluginInitializer, server.PostStartHookFunc, error) { - webhookAuthResolverWrapper := c.buildAuthnInfoResolver(proxyTransport) + webhookAuthResolverWrapper := webhook.NewDefaultAuthenticationInfoResolverWrapper(proxyTransport, c.LoopbackClientConfig) webhookPluginInitializer := webhookinit.NewPluginInitializer(webhookAuthResolverWrapper, serviceResolver) var cloudConfig []byte diff --git a/pkg/kubeapiserver/util/BUILD b/pkg/kubeapiserver/util/BUILD new file mode 100644 index 00000000000..6df04e38cd7 --- /dev/null +++ b/pkg/kubeapiserver/util/BUILD @@ -0,0 +1,13 @@ +filegroup( + name = "package-srcs", + srcs = glob(["**"]), + tags = ["automanaged"], + visibility = ["//visibility:private"], +) + +filegroup( + name = "all-srcs", + srcs = [":package-srcs"], + tags = ["automanaged"], + visibility = ["//visibility:public"], +) diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/BUILD b/staging/src/k8s.io/apiserver/pkg/util/webhook/BUILD index 7928de2deec..d8b20370007 100644 --- a/staging/src/k8s.io/apiserver/pkg/util/webhook/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/util/webhook/BUILD @@ -19,6 +19,7 @@ go_library( importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/util/webhook", importpath = "k8s.io/apiserver/pkg/util/webhook", deps = [ + "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go index f6d79dea362..1d1c0ad3bc9 100644 --- a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go +++ b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go @@ -19,9 +19,11 @@ package webhook import ( "fmt" "io/ioutil" + "net/http" "strings" "time" + corev1 "k8s.io/api/core/v1" "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" clientcmdapi "k8s.io/client-go/tools/clientcmd/api" @@ -31,6 +33,37 @@ import ( // rest.Config generated by the resolver. type AuthenticationInfoResolverWrapper func(AuthenticationInfoResolver) AuthenticationInfoResolver +// NewDefaultAuthenticationInfoResolverWrapper builds a default authn resolver wrapper +func NewDefaultAuthenticationInfoResolverWrapper( + proxyTransport *http.Transport, + kubeapiserverClientConfig *rest.Config) AuthenticationInfoResolverWrapper { + + webhookAuthResolverWrapper := func(delegate AuthenticationInfoResolver) AuthenticationInfoResolver { + return &AuthenticationInfoResolverDelegator{ + ClientConfigForFunc: func(server string) (*rest.Config, error) { + if server == "kubernetes.default.svc" { + return kubeapiserverClientConfig, nil + } + return delegate.ClientConfigFor(server) + }, + ClientConfigForServiceFunc: func(serviceName, serviceNamespace string) (*rest.Config, error) { + if serviceName == "kubernetes" && serviceNamespace == corev1.NamespaceDefault { + return kubeapiserverClientConfig, nil + } + ret, err := delegate.ClientConfigForService(serviceName, serviceNamespace) + if err != nil { + return nil, err + } + if proxyTransport != nil && proxyTransport.DialContext != nil { + ret.Dial = proxyTransport.DialContext + } + return ret, err + }, + } + } + return webhookAuthResolverWrapper +} + // AuthenticationInfoResolver builds rest.Config base on the server or service // name and service namespace. type AuthenticationInfoResolver interface {