From dffe50f8bd820295f7f1fbc56a6269b6b8c6966b Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski" <stefan.schimanski@gmail.com>
Date: Wed, 6 Sep 2017 18:15:43 +0200
Subject: [PATCH] apiserver: allow disabling authz/n via options

---
 .../test/integration/testserver/start.go      | 20 +++----------------
 .../pkg/server/options/authentication.go      |  5 +++++
 .../pkg/server/options/authorization.go       |  5 +++++
 3 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/staging/src/k8s.io/apiextensions-apiserver/test/integration/testserver/start.go b/staging/src/k8s.io/apiextensions-apiserver/test/integration/testserver/start.go
index 2c83a9335c1..c5c593c8c43 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/test/integration/testserver/start.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/test/integration/testserver/start.go
@@ -30,7 +30,6 @@ import (
 	"k8s.io/apiextensions-apiserver/pkg/cmd/server"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/client-go/dynamic"
 )
@@ -44,7 +43,8 @@ func DefaultServerConfig() (*extensionsapiserver.Config, error) {
 	options := server.NewCustomResourceDefinitionsServerOptions(os.Stdout, os.Stderr)
 	options.RecommendedOptions.Audit.LogOptions.Path = "-"
 	options.RecommendedOptions.SecureServing.BindPort = port
-	options.RecommendedOptions.Authentication.SkipInClusterLookup = true
+	options.RecommendedOptions.Authentication = nil // disable
+	options.RecommendedOptions.Authorization = nil  // disable
 	options.RecommendedOptions.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
 	etcdURL, ok := os.LookupEnv("KUBE_INTEGRATION_ETCD_URL")
 	if !ok {
@@ -53,26 +53,12 @@ func DefaultServerConfig() (*extensionsapiserver.Config, error) {
 	options.RecommendedOptions.Etcd.StorageConfig.ServerList = []string{etcdURL}
 	options.RecommendedOptions.Etcd.StorageConfig.Prefix = uuid.New()
 
-	// TODO stop copying this
-	// because there isn't currently a way to disable authentication or authorization from options
-	// explode options.Config here
 	genericConfig := genericapiserver.NewConfig(extensionsapiserver.Codecs)
-	genericConfig.Authenticator = nil
-	genericConfig.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
 
 	if err := options.RecommendedOptions.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
 		return nil, fmt.Errorf("error creating self-signed certificates: %v", err)
 	}
-	if err := options.RecommendedOptions.Etcd.ApplyTo(genericConfig); err != nil {
-		return nil, err
-	}
-	if err := options.RecommendedOptions.SecureServing.ApplyTo(genericConfig); err != nil {
-		return nil, err
-	}
-	if err := options.RecommendedOptions.Audit.ApplyTo(genericConfig); err != nil {
-		return nil, err
-	}
-	if err := options.RecommendedOptions.Features.ApplyTo(genericConfig); err != nil {
+	if err := options.RecommendedOptions.ApplyTo(genericConfig); err != nil {
 		return nil, err
 	}
 
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
index 1a5c728c5b2..624343fc479 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
@@ -143,6 +143,11 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 }
 
 func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.Config) error {
+	if s == nil {
+		c.Authenticator = nil
+		return nil
+	}
+
 	clientCA, err := s.getClientCA()
 	if err != nil {
 		return err
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
index ddc32fc9092..3d356958f5d 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
@@ -71,6 +71,11 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 }
 
 func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.Config) error {
+	if s == nil {
+		c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
+		return nil
+	}
+
 	cfg, err := s.ToAuthorizationConfig()
 	if err != nil {
 		return err