github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

externalize pv informer in node authorizer

Browse Source
This commit is contained in:
yue9944882 2018-08-09 21:27:23 +08:00
parent b497570e50
commit e7d0983707
5 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/kubeapiserver/authorizer/config.go
View File

@ -76,7 +76,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
graph, graph,
config.InformerFactory.Core().InternalVersion().Nodes(), config.InformerFactory.Core().InternalVersion().Nodes(),
config.VersionedInformerFactory.Core().V1().Pods(), config.VersionedInformerFactory.Core().V1().Pods(),
config.InformerFactory.Core().InternalVersion().PersistentVolumes(), config.VersionedInformerFactory.Core().V1().PersistentVolumes(),
config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(), config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
) )
nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules()) nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())

2
plugin/pkg/auth/authorizer/node/BUILD
View File

@ -40,7 +40,7 @@ go_library(
], ],
importpath = "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node", importpath = "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node",
deps = [ deps = [
"//pkg/api/persistentvolume:go_default_library", "//pkg/api/v1/persistentvolume:go_default_library",
"//pkg/api/v1/pod:go_default_library", "//pkg/api/v1/pod:go_default_library",
"//pkg/apis/core:go_default_library", "//pkg/apis/core:go_default_library",
"//pkg/apis/storage:go_default_library", "//pkg/apis/storage:go_default_library",

4
plugin/pkg/auth/authorizer/node/graph.go
View File

@ -20,7 +20,7 @@ import (
"sync" "sync"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
pvutil "k8s.io/kubernetes/pkg/api/persistentvolume" pvutil "k8s.io/kubernetes/pkg/api/v1/persistentvolume"
podutil "k8s.io/kubernetes/pkg/api/v1/pod" podutil "k8s.io/kubernetes/pkg/api/v1/pod"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/third_party/forked/gonum/graph" "k8s.io/kubernetes/third_party/forked/gonum/graph"
@ -365,7 +365,7 @@ func (g *Graph) DeletePod(name, namespace string) {
// secret -> pv // secret -> pv
// //
// pv -> pvc // pv -> pvc
func (g *Graph) AddPV(pv *api.PersistentVolume) { func (g *Graph) AddPV(pv *corev1.PersistentVolume) {
g.lock.Lock() g.lock.Lock()
defer g.lock.Unlock() defer g.lock.Unlock()

6
plugin/pkg/auth/authorizer/node/graph_populator.go
View File

@ -39,7 +39,7 @@ func AddGraphEventHandlers(
graph *Graph, graph *Graph,
nodes coreinformers.NodeInformer, nodes coreinformers.NodeInformer,
pods corev1informers.PodInformer, pods corev1informers.PodInformer,
pvs coreinformers.PersistentVolumeInformer, pvs corev1informers.PersistentVolumeInformer,
attachments storageinformers.VolumeAttachmentInformer, attachments storageinformers.VolumeAttachmentInformer,
) { ) {
g := &graphPopulator{ g := &graphPopulator{
@ -175,7 +175,7 @@ func (g *graphPopulator) addPV(obj interface{}) {
} }
func (g *graphPopulator) updatePV(oldObj, obj interface{}) { func (g *graphPopulator) updatePV(oldObj, obj interface{}) {
pv := obj.(*api.PersistentVolume) pv := obj.(*corev1.PersistentVolume)
// TODO: skip add if uid, pvc, and secrets are all identical between old and new // TODO: skip add if uid, pvc, and secrets are all identical between old and new
g.graph.AddPV(pv) g.graph.AddPV(pv)
} }
@ -184,7 +184,7 @@ func (g *graphPopulator) deletePV(obj interface{}) {
if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok { if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
obj = tombstone.Obj obj = tombstone.Obj
} }
pv, ok := obj.(*api.PersistentVolume) pv, ok := obj.(*corev1.PersistentVolume)
if !ok { if !ok {
glog.Infof("unexpected type %T", obj) glog.Infof("unexpected type %T", obj)
return return

18
plugin/pkg/auth/authorizer/node/node_authorizer_test.go
View File

@ -684,7 +684,7 @@ func BenchmarkAuthorization(b *testing.B) {
} }
} }
func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*api.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) { func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
p := &graphPopulator{} p := &graphPopulator{}
p.graph = graph p.graph = graph
for _, node := range nodes { for _, node := range nodes {
@ -705,10 +705,10 @@ func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*api.Pe
// the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects. // the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects.
// for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0. // for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0.
// when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1. // when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1.
func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.PersistentVolume, []*storagev1beta1.VolumeAttachment) { func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
nodes := make([]*api.Node, 0, opts.nodes) nodes := make([]*api.Node, 0, opts.nodes)
pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode) pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode)
pvs := make([]*api.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces)) pvs := make([]*corev1.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode) attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode)
for n := 0; n < opts.nodes; n++ { for n := 0; n < opts.nodes; n++ {
@ -743,10 +743,10 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.Persisten
} }
for i := 0; i < opts.uniquePVCsPerPod; i++ { for i := 0; i < opts.uniquePVCsPerPod; i++ {
pv := &api.PersistentVolume{} pv := &corev1.PersistentVolume{}
pv.Name = fmt.Sprintf("pv%d-%s-%s", i, pod.Name, pod.Namespace) pv.Name = fmt.Sprintf("pv%d-%s-%s", i, pod.Name, pod.Namespace)
pv.Spec.FlexVolume = &api.FlexPersistentVolumeSource{SecretRef: &api.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}} pv.Spec.FlexVolume = &corev1.FlexPersistentVolumeSource{SecretRef: &corev1.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-%s", i, pod.Name), Namespace: pod.Namespace} pv.Spec.ClaimRef = &corev1.ObjectReference{Name: fmt.Sprintf("pvc%d-%s", i, pod.Name), Namespace: pod.Namespace}
pvs = append(pvs, pv) pvs = append(pvs, pv)
pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{
@ -754,10 +754,10 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*api.Persisten
}}) }})
} }
for i := 0; i < opts.sharedPVCsPerPod; i++ { for i := 0; i < opts.sharedPVCsPerPod; i++ {
pv := &api.PersistentVolume{} pv := &corev1.PersistentVolume{}
pv.Name = fmt.Sprintf("pv%d-shared-%s", i, pod.Namespace) pv.Name = fmt.Sprintf("pv%d-shared-%s", i, pod.Namespace)
pv.Spec.FlexVolume = &api.FlexPersistentVolumeSource{SecretRef: &api.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}} pv.Spec.FlexVolume = &corev1.FlexPersistentVolumeSource{SecretRef: &corev1.SecretReference{Name: fmt.Sprintf("secret-%s", pv.Name)}}
pv.Spec.ClaimRef = &api.ObjectReference{Name: fmt.Sprintf("pvc%d-shared", i), Namespace: pod.Namespace} pv.Spec.ClaimRef = &corev1.ObjectReference{Name: fmt.Sprintf("pvc%d-shared", i), Namespace: pod.Namespace}
pvs = append(pvs, pv) pvs = append(pvs, pv)
pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{ pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{VolumeSource: corev1.VolumeSource{