From dffe50f8bd820295f7f1fbc56a6269b6b8c6966b Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski"
Date: Wed, 6 Sep 2017 18:15:43 +0200
Subject: [PATCH] apiserver: allow disabling authz/n via options
---
 .../test/integration/testserver/start.go | 20 +++-----------------
 .../pkg/server/options/authentication.go | 5 +++++
 .../pkg/server/options/authorization.go | 5 +++++
 3 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/staging/src/k8s.io/apiextensions-apiserver/test/integration/testserver/start.go b/staging/src/k8s.io/apiextensions-apiserver/test/integration/testserver/start.go
index 2c83a9335c1..c5c593c8c43 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/testserver/start.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/testserver/start.go
@@ -30,7 +30,6 @@ import (
 "k8s.io/apiextensions-apiserver/pkg/cmd/server"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/util/wait"
- "k8s.io/apiserver/pkg/authorization/authorizerfactory"
 genericapiserver "k8s.io/apiserver/pkg/server"
 "k8s.io/client-go/dynamic"
 )
@@ -44,7 +43,8 @@ func DefaultServerConfig() (*extensionsapiserver.Config, error) {
 options := server.NewCustomResourceDefinitionsServerOptions(os.Stdout, os.Stderr)
 options.RecommendedOptions.Audit.LogOptions.Path = "-"
 options.RecommendedOptions.SecureServing.BindPort = port
- options.RecommendedOptions.Authentication.SkipInClusterLookup = true
+ options.RecommendedOptions.Authentication = nil // disable
+ options.RecommendedOptions.Authorization = nil // disable
 options.RecommendedOptions.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
 etcdURL, ok := os.LookupEnv("KUBE_INTEGRATION_ETCD_URL")
 if !ok {
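Review bot: The two `// disable` comments on the new assignments in DefaultServerConfig do not say what a nil options pointer means or why running without authentication and authorization is acceptable here. Per the guards added elsewhere in this patch, nil makes ApplyTo clear the authenticator and install an always-allow authorizer, so anyone reusing this exported helper gets a fully open API server. A comment above the two lines would make that explicit, for example `// nil options: ApplyTo clears the Authenticator and installs an always-allow authorizer; acceptable only for this loopback-bound integration test server`. DefaultServerConfig starts and ends outside this hunk.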
@@ -53,26 +53,12 @@ func DefaultServerConfig() (*extensionsapiserver.Config, error) { options.RecommendedOptions.Etcd.StorageConfig.ServerList = []string{etcdURL} options.RecommendedOptions.Etcd.StorageConfig.Prefix = uuid.New() - // TODO stop copying this - // because there isn't currently a way to disable authentication or authorization from options - // explode options.Config here genericConfig := genericapiserver.NewConfig(extensionsapiserver.Codecs) - genericConfig.Authenticator = nil - genericConfig.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer() if err := options.RecommendedOptions.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil { return nil, fmt.Errorf("error creating self-signed certificates: %v", err) } - if err := options.RecommendedOptions.Etcd.ApplyTo(genericConfig); err != nil { - return nil, err - } - if err := options.RecommendedOptions.SecureServing.ApplyTo(genericConfig); err != nil { - return nil, err - } - if err := options.RecommendedOptions.Audit.ApplyTo(genericConfig); err != nil { - return nil, err - } - if err := options.RecommendedOptions.Features.ApplyTo(genericConfig); err != nil { + if err := options.RecommendedOptions.ApplyTo(genericConfig); err != nil { return nil, err } diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go index 1a5c728c5b2..624343fc479 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go @@ -143,6 +143,11 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { } func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error { + if s == nil { + c.Authenticator = nil + return nil + } + clientCA, err := s.getClientCA() if err != nil { return err 
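Review bot: The error from the new aggregate call `options.RecommendedOptions.ApplyTo(genericConfig)` is returned bare, while the self-signed-certificate error just above it is wrapped with context. Now that one call stands in for the Etcd, SecureServing, Audit and Features steps, a bare error gives no hint of which stage failed. Consider `return nil, fmt.Errorf("error applying recommended options: %v", err)`. The call also depends on RecommendedOptions.ApplyTo, which is not part of this patch, tolerating the nil Authentication and Authorization fields set earlier in the function; that looks intended given the nil guards added in authentication.go and authorization.go, but is worth confirming. DefaultServerConfig starts and ends outside the hunk.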
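Review bot: A nil `*DelegatingAuthenticationOptions` now turns authentication off silently: the new guard in ApplyTo sets `c.Authenticator = nil` and returns nil with no log line and no error, so a caller that forgot to populate the field gets the same unauthenticated server as one that opted out on purpose. The matching guard in authorization.go's ApplyTo has the same fail-open shape, installing `authorizerfactory.NewAlwaysAllowAuthorizer()` for a nil receiver. At minimum document the contract on both methods, e.g. `// ApplyTo configures c for delegated authentication. A nil receiver disables authentication by setting c.Authenticator to nil.`, and consider logging a warning on the nil path so the state is visible at startup. AddFlags and any validation method on these types are outside the hunk; if they dereference s, nil options will panic there, so they probably need the same guard. ApplyTo's body continues past the end of the hunk.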
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
index ddc32fc9092..3d356958f5d 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
@@ -71,6 +71,11 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 }
 
 func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.Config) error {
+ if s == nil {
+ c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
+ return nil
+ }
+
 cfg, err := s.ToAuthorizationConfig()
 if err != nil {
 return err