From e2838df7c7d6b7c3649ebdbb9eab23a346a1d7cf Mon Sep 17 00:00:00 2001 From: yiduyangyi Date: Wed, 15 Jul 2020 15:22:22 +0800 Subject: [PATCH 1/4] fix golint failures in pkg/kubeapiserver/options --- hack/.golint_failures | 1 - pkg/kubeapiserver/options/authentication.go | 42 +++++++++++++++------ pkg/kubeapiserver/options/authorization.go | 5 +++ pkg/kubeapiserver/options/cloudprovider.go | 4 ++ pkg/kubeapiserver/options/options.go | 3 +- 5 files changed, 42 insertions(+), 13 deletions(-) diff --git a/hack/.golint_failures b/hack/.golint_failures index c30c4d59e6b..a6073a2d0a8 100644 --- a/hack/.golint_failures +++ b/hack/.golint_failures @@ -93,7 +93,6 @@ pkg/controller/volume/persistentvolume pkg/controller/volume/persistentvolume/config/v1alpha1 pkg/features pkg/kubeapiserver -pkg/kubeapiserver/options pkg/kubectl/cmd/convert pkg/kubelet/apis/config/v1beta1 pkg/kubelet/cm diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go index ca774cdb0d6..ecbfa994397 100644 --- a/pkg/kubeapiserver/options/authentication.go +++ b/pkg/kubeapiserver/options/authentication.go @@ -37,6 +37,7 @@ import ( cliflag "k8s.io/component-base/cli/flag" "k8s.io/klog/v2" openapicommon "k8s.io/kube-openapi/pkg/common" + serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount" "k8s.io/kubernetes/pkg/features" kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator" @@ -44,6 +45,7 @@ import ( "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap" ) +// BuiltInAuthenticationOptions contains all build-in authentication options for APIServer type BuiltInAuthenticationOptions struct { APIAudiences []string Anonymous *AnonymousAuthenticationOptions @@ -59,14 +61,17 @@ type BuiltInAuthenticationOptions struct { TokenFailureCacheTTL time.Duration } +// AnonymousAuthenticationOptions contains anonymous authentication options for APIServer type AnonymousAuthenticationOptions struct { Allow bool } +// BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for APIServer type BootstrapTokenAuthenticationOptions struct { Enable bool } +// OIDCAuthenticationOptions contains OIDC authentication options for APIServer type OIDCAuthenticationOptions struct { CAFile string ClientID string @@ -79,6 +84,7 @@ type OIDCAuthenticationOptions struct { RequiredClaims map[string]string } +// ServiceAccountAuthenticationOptions contains service account authentication options for APIServer type ServiceAccountAuthenticationOptions struct { KeyFiles []string Lookup bool @@ -88,16 +94,19 @@ type ServiceAccountAuthenticationOptions struct { ExtendExpiration bool } +// TokenFileAuthenticationOptions contains token file authentication options for APIServer type TokenFileAuthenticationOptions struct { TokenFile string } +// WebHookAuthenticationOptions contains web hook authentication options for APIServer type WebHookAuthenticationOptions struct { ConfigFile string Version string CacheTTL time.Duration } +// NewBuiltInAuthenticationOptions create a new BuiltInAuthenticationOptions, just set default token cache TTL func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions { return &BuiltInAuthenticationOptions{ TokenSuccessCacheTTL: 10 * time.Second, @@ -105,6 +114,7 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions { } } +// WithAll set default value for every build-in authentication option func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { return s. WithAnonymous(). @@ -117,41 +127,49 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { WithWebHook() } +// WithAnonymous set default value for anonymous authentication func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions { s.Anonymous = &AnonymousAuthenticationOptions{Allow: true} return s } +// WithBootstrapToken set default value for bootstrap token authentication func (s *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions { s.BootstrapToken = &BootstrapTokenAuthenticationOptions{} return s } +// WithClientCert set default value for client cert func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions { s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{} return s } +// WithOIDC set default value for OIDC authentication func (s *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions { s.OIDC = &OIDCAuthenticationOptions{} return s } +// WithRequestHeader set default value for request header authentication func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions { s.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{} return s } +// WithServiceAccounts set default value for service account authentication func (s *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions { s.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true} return s } +// WithTokenFile set default value for token file authentication func (s *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions { s.TokenFile = &TokenFileAuthenticationOptions{} return s } +// WithWebHook set default value for web hook authentication func (s *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions { s.WebHook = &WebHookAuthenticationOptions{ Version: "v1beta1", @@ -205,6 +223,7 @@ func (s *BuiltInAuthenticationOptions) Validate() []error { return allErrors } +// AddFlags returns flags of authentication for a APIServer func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+ "Identifiers of the API. The service account token authenticator will validate that "+ @@ -339,6 +358,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { } } +// ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error) { ret := kubeauthenticator.Config{ TokenSuccessCacheTTL: s.TokenSuccessCacheTTL, @@ -414,8 +434,8 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat } // ApplyTo requires already applied OpenAPIConfig and EgressSelector if present. -func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error { - if o == nil { +func (s *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error { + if s == nil { return nil } @@ -423,7 +443,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen return errors.New("uninitialized OpenAPIConfig") } - authenticatorConfig, err := o.ToAuthenticationConfig() + authenticatorConfig, err := s.ToAuthenticationConfig() if err != nil { return err } @@ -439,12 +459,12 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen } } - authInfo.APIAudiences = o.APIAudiences - if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 { - authInfo.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer} + authInfo.APIAudiences = s.APIAudiences + if s.ServiceAccounts != nil && s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 { + authInfo.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer} } - if o.ServiceAccounts.Lookup || utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) { + if s.ServiceAccounts.Lookup || utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) { authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient( extclient, versionedInformer.Core().V1().Secrets().Lister(), @@ -473,15 +493,15 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen } // ApplyAuthorization will conditionally modify the authentication options based on the authorization options -func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) { - if o == nil || authorization == nil || o.Anonymous == nil { +func (s *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) { + if s == nil || authorization == nil || s.Anonymous == nil { return } // authorization ModeAlwaysAllow cannot be combined with AnonymousAuth. // in such a case the AnonymousAuth is stomped to false and you get a message - if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) { + if s.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) { klog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer") - o.Anonymous.Allow = false + s.Anonymous.Allow = false } } diff --git a/pkg/kubeapiserver/options/authorization.go b/pkg/kubeapiserver/options/authorization.go index 9477ea2005c..e2fd7a238d0 100644 --- a/pkg/kubeapiserver/options/authorization.go +++ b/pkg/kubeapiserver/options/authorization.go @@ -29,6 +29,7 @@ import ( authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" ) +// BuiltInAuthorizationOptions contains all build-in authorization options for APIServer type BuiltInAuthorizationOptions struct { Modes []string PolicyFile string @@ -38,6 +39,7 @@ type BuiltInAuthorizationOptions struct { WebhookCacheUnauthorizedTTL time.Duration } +// NewBuiltInAuthorizationOptions create a BuiltInAuthorizationOptions with default value func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions { return &BuiltInAuthorizationOptions{ Modes: []string{authzmodes.ModeAlwaysAllow}, @@ -47,6 +49,7 @@ func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions { } } +// Validate checks invalid config combination func (s *BuiltInAuthorizationOptions) Validate() []error { if s == nil { return nil @@ -89,6 +92,7 @@ func (s *BuiltInAuthorizationOptions) Validate() []error { return allErrors } +// AddFlags returns flags of authorization for a APIServer func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { fs.StringSliceVar(&s.Modes, "authorization-mode", s.Modes, ""+ "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+ @@ -113,6 +117,7 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { "The duration to cache 'unauthorized' responses from the webhook authorizer.") } +// ToAuthorizationConfig convert BuiltInAuthorizationOptions to authorizer.Config func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config { return authorizer.Config{ AuthorizationModes: s.Modes, diff --git a/pkg/kubeapiserver/options/cloudprovider.go b/pkg/kubeapiserver/options/cloudprovider.go index 9b8119fb072..7691904c0be 100644 --- a/pkg/kubeapiserver/options/cloudprovider.go +++ b/pkg/kubeapiserver/options/cloudprovider.go @@ -20,20 +20,24 @@ import ( "github.com/spf13/pflag" ) +// CloudProviderOptions contains cloud provider config type CloudProviderOptions struct { CloudConfigFile string CloudProvider string } +// NewCloudProviderOptions create a default CloudProviderOptions func NewCloudProviderOptions() *CloudProviderOptions { return &CloudProviderOptions{} } +// Validate checks invalid config func (s *CloudProviderOptions) Validate() []error { allErrors := []error{} return allErrors } +// AddFlags returns flags of cloud provider for a APIServer func (s *CloudProviderOptions) AddFlags(fs *pflag.FlagSet) { fs.StringVar(&s.CloudProvider, "cloud-provider", s.CloudProvider, "The provider for cloud services. Empty string for no provider.") diff --git a/pkg/kubeapiserver/options/options.go b/pkg/kubeapiserver/options/options.go index e38bd99996d..f8f89c97ae4 100644 --- a/pkg/kubeapiserver/options/options.go +++ b/pkg/kubeapiserver/options/options.go @@ -26,6 +26,7 @@ import ( var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768} // DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate service cluster IPs -var DefaultServiceIPCIDR net.IPNet = net.IPNet{IP: net.ParseIP("10.0.0.0"), Mask: net.CIDRMask(24, 32)} +var DefaultServiceIPCIDR = net.IPNet{IP: net.ParseIP("10.0.0.0"), Mask: net.CIDRMask(24, 32)} +// DefaultEtcdPathPrefix is the default key prefix of etcd for APIServer const DefaultEtcdPathPrefix = "/registry" From e441c07fe296a08db6c93a6d199749559c9dc158 Mon Sep 17 00:00:00 2001 From: yiduyangyi Date: Thu, 23 Jul 2020 18:41:37 +0800 Subject: [PATCH 2/4] fix golint failures in pkg/kubeapiserver/options, use API Server in commemts instead of APIServer --- pkg/kubeapiserver/options/authentication.go | 264 ++++++++++---------- pkg/kubeapiserver/options/authorization.go | 4 +- pkg/kubeapiserver/options/cloudprovider.go | 2 +- 3 files changed, 135 insertions(+), 135 deletions(-) diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go index ecbfa994397..b03f46f8076 100644 --- a/pkg/kubeapiserver/options/authentication.go +++ b/pkg/kubeapiserver/options/authentication.go @@ -45,7 +45,7 @@ import ( "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap" ) -// BuiltInAuthenticationOptions contains all build-in authentication options for APIServer +// BuiltInAuthenticationOptions contains all build-in authentication options for API Server type BuiltInAuthenticationOptions struct { APIAudiences []string Anonymous *AnonymousAuthenticationOptions @@ -61,17 +61,17 @@ type BuiltInAuthenticationOptions struct { TokenFailureCacheTTL time.Duration } -// AnonymousAuthenticationOptions contains anonymous authentication options for APIServer +// AnonymousAuthenticationOptions contains anonymous authentication options for API Server type AnonymousAuthenticationOptions struct { Allow bool } -// BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for APIServer +// BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server type BootstrapTokenAuthenticationOptions struct { Enable bool } -// OIDCAuthenticationOptions contains OIDC authentication options for APIServer +// OIDCAuthenticationOptions contains OIDC authentication options for API Server type OIDCAuthenticationOptions struct { CAFile string ClientID string @@ -84,7 +84,7 @@ type OIDCAuthenticationOptions struct { RequiredClaims map[string]string } -// ServiceAccountAuthenticationOptions contains service account authentication options for APIServer +// ServiceAccountAuthenticationOptions contains service account authentication options for API Server type ServiceAccountAuthenticationOptions struct { KeyFiles []string Lookup bool @@ -94,12 +94,12 @@ type ServiceAccountAuthenticationOptions struct { ExtendExpiration bool } -// TokenFileAuthenticationOptions contains token file authentication options for APIServer +// TokenFileAuthenticationOptions contains token file authentication options for API Server type TokenFileAuthenticationOptions struct { TokenFile string } -// WebHookAuthenticationOptions contains web hook authentication options for APIServer +// WebHookAuthenticationOptions contains web hook authentication options for API Server type WebHookAuthenticationOptions struct { ConfigFile string Version string @@ -115,8 +115,8 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions { } // WithAll set default value for every build-in authentication option -func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { - return s. +func (o *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { + return o. WithAnonymous(). WithBootstrapToken(). WithClientCert(). @@ -128,94 +128,94 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { } // WithAnonymous set default value for anonymous authentication -func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions { - s.Anonymous = &AnonymousAuthenticationOptions{Allow: true} - return s +func (o *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions { + o.Anonymous = &AnonymousAuthenticationOptions{Allow: true} + return o } // WithBootstrapToken set default value for bootstrap token authentication -func (s *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions { - s.BootstrapToken = &BootstrapTokenAuthenticationOptions{} - return s +func (o *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions { + o.BootstrapToken = &BootstrapTokenAuthenticationOptions{} + return o } // WithClientCert set default value for client cert -func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions { - s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{} - return s +func (o *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions { + o.ClientCert = &genericoptions.ClientCertAuthenticationOptions{} + return o } // WithOIDC set default value for OIDC authentication -func (s *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions { - s.OIDC = &OIDCAuthenticationOptions{} - return s +func (o *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions { + o.OIDC = &OIDCAuthenticationOptions{} + return o } // WithRequestHeader set default value for request header authentication -func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions { - s.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{} - return s +func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions { + o.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{} + return o } // WithServiceAccounts set default value for service account authentication -func (s *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions { - s.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true} - return s +func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions { + o.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true} + return o } // WithTokenFile set default value for token file authentication -func (s *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions { - s.TokenFile = &TokenFileAuthenticationOptions{} - return s +func (o *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOptions { + o.TokenFile = &TokenFileAuthenticationOptions{} + return o } // WithWebHook set default value for web hook authentication -func (s *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions { - s.WebHook = &WebHookAuthenticationOptions{ +func (o *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions { + o.WebHook = &WebHookAuthenticationOptions{ Version: "v1beta1", CacheTTL: 2 * time.Minute, } - return s + return o } // Validate checks invalid config combination -func (s *BuiltInAuthenticationOptions) Validate() []error { +func (o *BuiltInAuthenticationOptions) Validate() []error { allErrors := []error{} - if s.OIDC != nil && (len(s.OIDC.IssuerURL) > 0) != (len(s.OIDC.ClientID) > 0) { + if o.OIDC != nil && (len(o.OIDC.IssuerURL) > 0) != (len(o.OIDC.ClientID) > 0) { allErrors = append(allErrors, fmt.Errorf("oidc-issuer-url and oidc-client-id should be specified together")) } - if s.ServiceAccounts != nil && len(s.ServiceAccounts.Issuer) > 0 && strings.Contains(s.ServiceAccounts.Issuer, ":") { - if _, err := url.Parse(s.ServiceAccounts.Issuer); err != nil { + if o.ServiceAccounts != nil && len(o.ServiceAccounts.Issuer) > 0 && strings.Contains(o.ServiceAccounts.Issuer, ":") { + if _, err := url.Parse(o.ServiceAccounts.Issuer); err != nil { allErrors = append(allErrors, fmt.Errorf("service-account-issuer contained a ':' but was not a valid URL: %v", err)) } } - if s.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) { + if o.ServiceAccounts != nil && utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) { if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) || !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequestProjection) { allErrors = append(allErrors, errors.New("if the BoundServiceAccountTokenVolume feature is enabled,"+ " the TokenRequest and TokenRequestProjection features must also be enabled")) } - if len(s.ServiceAccounts.Issuer) == 0 { + if len(o.ServiceAccounts.Issuer) == 0 { allErrors = append(allErrors, errors.New("service-account-issuer is a required flag when BoundServiceAccountTokenVolume is enabled")) } - if len(s.ServiceAccounts.KeyFiles) == 0 { + if len(o.ServiceAccounts.KeyFiles) == 0 { allErrors = append(allErrors, errors.New("service-account-key-file is a required flag when BoundServiceAccountTokenVolume is enabled")) } } - if s.ServiceAccounts != nil { + if o.ServiceAccounts != nil { if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) { // Validate the JWKS URI when it is explicitly set. // When unset, it is later derived from ExternalHost. - if s.ServiceAccounts.JWKSURI != "" { - if u, err := url.Parse(s.ServiceAccounts.JWKSURI); err != nil { + if o.ServiceAccounts.JWKSURI != "" { + if u, err := url.Parse(o.ServiceAccounts.JWKSURI); err != nil { allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri must be a valid URL: %v", err)) } else if u.Scheme != "https" { allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri requires https scheme, parsed as: %v", u.String())) } } - } else if len(s.ServiceAccounts.JWKSURI) > 0 { + } else if len(o.ServiceAccounts.JWKSURI) > 0 { allErrors = append(allErrors, fmt.Errorf("service-account-jwks-uri may only be set when the ServiceAccountIssuerDiscovery feature gate is enabled")) } } @@ -223,89 +223,89 @@ func (s *BuiltInAuthenticationOptions) Validate() []error { return allErrors } -// AddFlags returns flags of authentication for a APIServer -func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { - fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+ +// AddFlags returns flags of authentication for a API Server +func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { + fs.StringSliceVar(&o.APIAudiences, "api-audiences", o.APIAudiences, ""+ "Identifiers of the API. The service account token authenticator will validate that "+ "tokens used against the API are bound to at least one of these audiences. If the "+ "--service-account-issuer flag is configured and this flag is not, this field "+ "defaults to a single element list containing the issuer URL.") - if s.Anonymous != nil { - fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+ + if o.Anonymous != nil { + fs.BoolVar(&o.Anonymous.Allow, "anonymous-auth", o.Anonymous.Allow, ""+ "Enables anonymous requests to the secure port of the API server. "+ "Requests that are not rejected by another authentication method are treated as anonymous requests. "+ "Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.") } - if s.BootstrapToken != nil { - fs.BoolVar(&s.BootstrapToken.Enable, "enable-bootstrap-token-auth", s.BootstrapToken.Enable, ""+ + if o.BootstrapToken != nil { + fs.BoolVar(&o.BootstrapToken.Enable, "enable-bootstrap-token-auth", o.BootstrapToken.Enable, ""+ "Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' "+ "namespace to be used for TLS bootstrapping authentication.") } - if s.ClientCert != nil { - s.ClientCert.AddFlags(fs) + if o.ClientCert != nil { + o.ClientCert.AddFlags(fs) } - if s.OIDC != nil { - fs.StringVar(&s.OIDC.IssuerURL, "oidc-issuer-url", s.OIDC.IssuerURL, ""+ + if o.OIDC != nil { + fs.StringVar(&o.OIDC.IssuerURL, "oidc-issuer-url", o.OIDC.IssuerURL, ""+ "The URL of the OpenID issuer, only HTTPS scheme will be accepted. "+ "If set, it will be used to verify the OIDC JSON Web Token (JWT).") - fs.StringVar(&s.OIDC.ClientID, "oidc-client-id", s.OIDC.ClientID, + fs.StringVar(&o.OIDC.ClientID, "oidc-client-id", o.OIDC.ClientID, "The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.") - fs.StringVar(&s.OIDC.CAFile, "oidc-ca-file", s.OIDC.CAFile, ""+ - "If set, the OpenID server's certificate will be verified by one of the authorities "+ - "in the oidc-ca-file, otherwise the host's root CA set will be used.") + fs.StringVar(&o.OIDC.CAFile, "oidc-ca-file", o.OIDC.CAFile, ""+ + "If set, the OpenID server'o certificate will be verified by one of the authorities "+ + "in the oidc-ca-file, otherwise the host'o root CA set will be used.") - fs.StringVar(&s.OIDC.UsernameClaim, "oidc-username-claim", "sub", ""+ + fs.StringVar(&o.OIDC.UsernameClaim, "oidc-username-claim", "sub", ""+ "The OpenID claim to use as the user name. Note that claims other than the default ('sub') "+ "is not guaranteed to be unique and immutable. This flag is experimental, please see "+ "the authentication documentation for further details.") - fs.StringVar(&s.OIDC.UsernamePrefix, "oidc-username-prefix", "", ""+ + fs.StringVar(&o.OIDC.UsernamePrefix, "oidc-username-prefix", "", ""+ "If provided, all usernames will be prefixed with this value. If not provided, "+ "username claims other than 'email' are prefixed by the issuer URL to avoid "+ "clashes. To skip any prefixing, provide the value '-'.") - fs.StringVar(&s.OIDC.GroupsClaim, "oidc-groups-claim", "", ""+ + fs.StringVar(&o.OIDC.GroupsClaim, "oidc-groups-claim", "", ""+ "If provided, the name of a custom OpenID Connect claim for specifying user groups. "+ "The claim value is expected to be a string or array of strings. This flag is experimental, "+ "please see the authentication documentation for further details.") - fs.StringVar(&s.OIDC.GroupsPrefix, "oidc-groups-prefix", "", ""+ + fs.StringVar(&o.OIDC.GroupsPrefix, "oidc-groups-prefix", "", ""+ "If provided, all groups will be prefixed with this value to prevent conflicts with "+ "other authentication strategies.") - fs.StringSliceVar(&s.OIDC.SigningAlgs, "oidc-signing-algs", []string{"RS256"}, ""+ + fs.StringSliceVar(&o.OIDC.SigningAlgs, "oidc-signing-algs", []string{"RS256"}, ""+ "Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a "+ "'alg' header value not in this list will be rejected. "+ "Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1.") - fs.Var(cliflag.NewMapStringStringNoSplit(&s.OIDC.RequiredClaims), "oidc-required-claim", ""+ + fs.Var(cliflag.NewMapStringStringNoSplit(&o.OIDC.RequiredClaims), "oidc-required-claim", ""+ "A key=value pair that describes a required claim in the ID Token. "+ "If set, the claim is verified to be present in the ID Token with a matching value. "+ "Repeat this flag to specify multiple claims.") } - if s.RequestHeader != nil { - s.RequestHeader.AddFlags(fs) + if o.RequestHeader != nil { + o.RequestHeader.AddFlags(fs) } - if s.ServiceAccounts != nil { - fs.StringArrayVar(&s.ServiceAccounts.KeyFiles, "service-account-key-file", s.ServiceAccounts.KeyFiles, ""+ + if o.ServiceAccounts != nil { + fs.StringArrayVar(&o.ServiceAccounts.KeyFiles, "service-account-key-file", o.ServiceAccounts.KeyFiles, ""+ "File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify "+ "ServiceAccount tokens. The specified file can contain multiple keys, and the flag can "+ "be specified multiple times with different files. If unspecified, "+ "--tls-private-key-file is used. Must be specified when "+ "--service-account-signing-key is provided") - fs.BoolVar(&s.ServiceAccounts.Lookup, "service-account-lookup", s.ServiceAccounts.Lookup, + fs.BoolVar(&o.ServiceAccounts.Lookup, "service-account-lookup", o.ServiceAccounts.Lookup, "If true, validate ServiceAccount tokens exist in etcd as part of authentication.") - fs.StringVar(&s.ServiceAccounts.Issuer, "service-account-issuer", s.ServiceAccounts.Issuer, ""+ + fs.StringVar(&o.ServiceAccounts.Issuer, "service-account-issuer", o.ServiceAccounts.Issuer, ""+ "Identifier of the service account token issuer. The issuer will assert this identifier "+ "in \"iss\" claim of issued tokens. This value is a string or URI. If this option is not "+ "a valid URI per the OpenID Discovery 1.0 spec, the ServiceAccountIssuerDiscovery feature "+ @@ -315,117 +315,117 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { "recommended that this URL be capable of serving OpenID discovery documents at "+ "`{service-account-issuer}/.well-known/openid-configuration`.") - fs.StringVar(&s.ServiceAccounts.JWKSURI, "service-account-jwks-uri", s.ServiceAccounts.JWKSURI, ""+ + fs.StringVar(&o.ServiceAccounts.JWKSURI, "service-account-jwks-uri", o.ServiceAccounts.JWKSURI, ""+ "Overrides the URI for the JSON Web Key Set in the discovery doc served at "+ "/.well-known/openid-configuration. This flag is useful if the discovery doc"+ "and key set are served to relying parties from a URL other than the "+ - "API server's external (as auto-detected or overridden with external-hostname). "+ + "API server'o external (as auto-detected or overridden with external-hostname). "+ "Only valid if the ServiceAccountIssuerDiscovery feature gate is enabled.") // Deprecated in 1.13 - fs.StringSliceVar(&s.APIAudiences, "service-account-api-audiences", s.APIAudiences, ""+ + fs.StringSliceVar(&o.APIAudiences, "service-account-api-audiences", o.APIAudiences, ""+ "Identifiers of the API. The service account token authenticator will validate that "+ "tokens used against the API are bound to at least one of these audiences.") fs.MarkDeprecated("service-account-api-audiences", "Use --api-audiences") - fs.DurationVar(&s.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", s.ServiceAccounts.MaxExpiration, ""+ + fs.DurationVar(&o.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", o.ServiceAccounts.MaxExpiration, ""+ "The maximum validity duration of a token created by the service account token issuer. If an otherwise valid "+ "TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value.") - fs.BoolVar(&s.ServiceAccounts.ExtendExpiration, "service-account-extend-token-expiration", s.ServiceAccounts.ExtendExpiration, ""+ + fs.BoolVar(&o.ServiceAccounts.ExtendExpiration, "service-account-extend-token-expiration", o.ServiceAccounts.ExtendExpiration, ""+ "Turns on projected service account expiration extension during token generation, "+ "which helps safe transition from legacy token to bound service account token feature. "+ "If this flag is enabled, admission injected tokens would be extended up to 1 year to "+ "prevent unexpected failure during transition, ignoring value of service-account-max-token-expiration.") } - if s.TokenFile != nil { - fs.StringVar(&s.TokenFile.TokenFile, "token-auth-file", s.TokenFile.TokenFile, ""+ + if o.TokenFile != nil { + fs.StringVar(&o.TokenFile.TokenFile, "token-auth-file", o.TokenFile.TokenFile, ""+ "If set, the file that will be used to secure the secure port of the API server "+ "via token authentication.") } - if s.WebHook != nil { - fs.StringVar(&s.WebHook.ConfigFile, "authentication-token-webhook-config-file", s.WebHook.ConfigFile, ""+ + if o.WebHook != nil { + fs.StringVar(&o.WebHook.ConfigFile, "authentication-token-webhook-config-file", o.WebHook.ConfigFile, ""+ "File with webhook configuration for token authentication in kubeconfig format. "+ "The API server will query the remote service to determine authentication for bearer tokens.") - fs.StringVar(&s.WebHook.Version, "authentication-token-webhook-version", s.WebHook.Version, ""+ + fs.StringVar(&o.WebHook.Version, "authentication-token-webhook-version", o.WebHook.Version, ""+ "The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook.") - fs.DurationVar(&s.WebHook.CacheTTL, "authentication-token-webhook-cache-ttl", s.WebHook.CacheTTL, + fs.DurationVar(&o.WebHook.CacheTTL, "authentication-token-webhook-cache-ttl", o.WebHook.CacheTTL, "The duration to cache responses from the webhook token authenticator.") } } // ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config -func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error) { +func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticator.Config, error) { ret := kubeauthenticator.Config{ - TokenSuccessCacheTTL: s.TokenSuccessCacheTTL, - TokenFailureCacheTTL: s.TokenFailureCacheTTL, + TokenSuccessCacheTTL: o.TokenSuccessCacheTTL, + TokenFailureCacheTTL: o.TokenFailureCacheTTL, } - if s.Anonymous != nil { - ret.Anonymous = s.Anonymous.Allow + if o.Anonymous != nil { + ret.Anonymous = o.Anonymous.Allow } - if s.BootstrapToken != nil { - ret.BootstrapToken = s.BootstrapToken.Enable + if o.BootstrapToken != nil { + ret.BootstrapToken = o.BootstrapToken.Enable } - if s.ClientCert != nil { + if o.ClientCert != nil { var err error - ret.ClientCAContentProvider, err = s.ClientCert.GetClientCAContentProvider() + ret.ClientCAContentProvider, err = o.ClientCert.GetClientCAContentProvider() if err != nil { return kubeauthenticator.Config{}, err } } - if s.OIDC != nil { - ret.OIDCCAFile = s.OIDC.CAFile - ret.OIDCClientID = s.OIDC.ClientID - ret.OIDCGroupsClaim = s.OIDC.GroupsClaim - ret.OIDCGroupsPrefix = s.OIDC.GroupsPrefix - ret.OIDCIssuerURL = s.OIDC.IssuerURL - ret.OIDCUsernameClaim = s.OIDC.UsernameClaim - ret.OIDCUsernamePrefix = s.OIDC.UsernamePrefix - ret.OIDCSigningAlgs = s.OIDC.SigningAlgs - ret.OIDCRequiredClaims = s.OIDC.RequiredClaims + if o.OIDC != nil { + ret.OIDCCAFile = o.OIDC.CAFile + ret.OIDCClientID = o.OIDC.ClientID + ret.OIDCGroupsClaim = o.OIDC.GroupsClaim + ret.OIDCGroupsPrefix = o.OIDC.GroupsPrefix + ret.OIDCIssuerURL = o.OIDC.IssuerURL + ret.OIDCUsernameClaim = o.OIDC.UsernameClaim + ret.OIDCUsernamePrefix = o.OIDC.UsernamePrefix + ret.OIDCSigningAlgs = o.OIDC.SigningAlgs + ret.OIDCRequiredClaims = o.OIDC.RequiredClaims } - if s.RequestHeader != nil { + if o.RequestHeader != nil { var err error - ret.RequestHeaderConfig, err = s.RequestHeader.ToAuthenticationRequestHeaderConfig() + ret.RequestHeaderConfig, err = o.RequestHeader.ToAuthenticationRequestHeaderConfig() if err != nil { return kubeauthenticator.Config{}, err } } - ret.APIAudiences = s.APIAudiences - if s.ServiceAccounts != nil { - if s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 { - ret.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer} + ret.APIAudiences = o.APIAudiences + if o.ServiceAccounts != nil { + if o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 { + ret.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer} } - ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles - ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer - ret.ServiceAccountLookup = s.ServiceAccounts.Lookup + ret.ServiceAccountKeyFiles = o.ServiceAccounts.KeyFiles + ret.ServiceAccountIssuer = o.ServiceAccounts.Issuer + ret.ServiceAccountLookup = o.ServiceAccounts.Lookup } - if s.TokenFile != nil { - ret.TokenAuthFile = s.TokenFile.TokenFile + if o.TokenFile != nil { + ret.TokenAuthFile = o.TokenFile.TokenFile } - if s.WebHook != nil { - ret.WebhookTokenAuthnConfigFile = s.WebHook.ConfigFile - ret.WebhookTokenAuthnVersion = s.WebHook.Version - ret.WebhookTokenAuthnCacheTTL = s.WebHook.CacheTTL + if o.WebHook != nil { + ret.WebhookTokenAuthnConfigFile = o.WebHook.ConfigFile + ret.WebhookTokenAuthnVersion = o.WebHook.Version + ret.WebhookTokenAuthnCacheTTL = o.WebHook.CacheTTL - if len(s.WebHook.ConfigFile) > 0 && s.WebHook.CacheTTL > 0 { - if s.TokenSuccessCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenSuccessCacheTTL { - klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for successful token authentication attempts.", s.WebHook.CacheTTL, s.TokenSuccessCacheTTL) + if len(o.WebHook.ConfigFile) > 0 && o.WebHook.CacheTTL > 0 { + if o.TokenSuccessCacheTTL > 0 && o.WebHook.CacheTTL < o.TokenSuccessCacheTTL { + klog.Warningf("the webhook cache ttl of %o is shorter than the overall cache ttl of %o for successful token authentication attempts.", o.WebHook.CacheTTL, o.TokenSuccessCacheTTL) } - if s.TokenFailureCacheTTL > 0 && s.WebHook.CacheTTL < s.TokenFailureCacheTTL { - klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for failed token authentication attempts.", s.WebHook.CacheTTL, s.TokenFailureCacheTTL) + if o.TokenFailureCacheTTL > 0 && o.WebHook.CacheTTL < o.TokenFailureCacheTTL { + klog.Warningf("the webhook cache ttl of %o is shorter than the overall cache ttl of %o for failed token authentication attempts.", o.WebHook.CacheTTL, o.TokenFailureCacheTTL) } } } @@ -434,8 +434,8 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat } // ApplyTo requires already applied OpenAPIConfig and EgressSelector if present. -func (s *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error { - if s == nil { +func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.AuthenticationInfo, secureServing *genericapiserver.SecureServingInfo, egressSelector *egressselector.EgressSelector, openAPIConfig *openapicommon.Config, extclient kubernetes.Interface, versionedInformer informers.SharedInformerFactory) error { + if o == nil { return nil } @@ -443,7 +443,7 @@ func (s *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen return errors.New("uninitialized OpenAPIConfig") } - authenticatorConfig, err := s.ToAuthenticationConfig() + authenticatorConfig, err := o.ToAuthenticationConfig() if err != nil { return err } @@ -459,12 +459,12 @@ func (s *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen } } - authInfo.APIAudiences = s.APIAudiences - if s.ServiceAccounts != nil && s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 { - authInfo.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer} + authInfo.APIAudiences = o.APIAudiences + if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 { + authInfo.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer} } - if s.ServiceAccounts.Lookup || utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) { + if o.ServiceAccounts.Lookup || utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) { authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient( extclient, versionedInformer.Core().V1().Secrets().Lister(), @@ -493,15 +493,15 @@ func (s *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen } // ApplyAuthorization will conditionally modify the authentication options based on the authorization options -func (s *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) { - if s == nil || authorization == nil || s.Anonymous == nil { +func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) { + if o == nil || authorization == nil || o.Anonymous == nil { return } // authorization ModeAlwaysAllow cannot be combined with AnonymousAuth. // in such a case the AnonymousAuth is stomped to false and you get a message - if s.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) { + if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) { klog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer") - s.Anonymous.Allow = false + o.Anonymous.Allow = false } } diff --git a/pkg/kubeapiserver/options/authorization.go b/pkg/kubeapiserver/options/authorization.go index e2fd7a238d0..52841ab9cd7 100644 --- a/pkg/kubeapiserver/options/authorization.go +++ b/pkg/kubeapiserver/options/authorization.go @@ -29,7 +29,7 @@ import ( authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" ) -// BuiltInAuthorizationOptions contains all build-in authorization options for APIServer +// BuiltInAuthorizationOptions contains all build-in authorization options for API Server type BuiltInAuthorizationOptions struct { Modes []string PolicyFile string @@ -92,7 +92,7 @@ func (s *BuiltInAuthorizationOptions) Validate() []error { return allErrors } -// AddFlags returns flags of authorization for a APIServer +// AddFlags returns flags of authorization for a API Server func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { fs.StringSliceVar(&s.Modes, "authorization-mode", s.Modes, ""+ "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+ diff --git a/pkg/kubeapiserver/options/cloudprovider.go b/pkg/kubeapiserver/options/cloudprovider.go index 7691904c0be..44c0dc5ca53 100644 --- a/pkg/kubeapiserver/options/cloudprovider.go +++ b/pkg/kubeapiserver/options/cloudprovider.go @@ -26,7 +26,7 @@ type CloudProviderOptions struct { CloudProvider string } -// NewCloudProviderOptions create a default CloudProviderOptions +// NewCloudProviderOptions creates a default CloudProviderOptions func NewCloudProviderOptions() *CloudProviderOptions { return &CloudProviderOptions{} } From 0520d75838d28007896c9af9eff2485ae8b84e86 Mon Sep 17 00:00:00 2001 From: yiduyangyi Date: Thu, 23 Jul 2020 18:52:15 +0800 Subject: [PATCH 3/4] fix golint failures in pkg/kubeapiserver/options, rename receiver name of BuiltInAuthorizationOptions to o --- pkg/kubeapiserver/options/authorization.go | 60 +++++++++++----------- pkg/kubeapiserver/options/cloudprovider.go | 2 +- pkg/kubeapiserver/options/options.go | 2 +- 3 files changed, 32 insertions(+), 32 deletions(-) diff --git a/pkg/kubeapiserver/options/authorization.go b/pkg/kubeapiserver/options/authorization.go index 52841ab9cd7..2cd8e971b75 100644 --- a/pkg/kubeapiserver/options/authorization.go +++ b/pkg/kubeapiserver/options/authorization.go @@ -50,82 +50,82 @@ func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions { } // Validate checks invalid config combination -func (s *BuiltInAuthorizationOptions) Validate() []error { - if s == nil { +func (o *BuiltInAuthorizationOptions) Validate() []error { + if o == nil { return nil } allErrors := []error{} - if len(s.Modes) == 0 { + if len(o.Modes) == 0 { allErrors = append(allErrors, fmt.Errorf("at least one authorization-mode must be passed")) } - modes := sets.NewString(s.Modes...) - for _, mode := range s.Modes { + modes := sets.NewString(o.Modes...) + for _, mode := range o.Modes { if !authzmodes.IsValidAuthorizationMode(mode) { allErrors = append(allErrors, fmt.Errorf("authorization-mode %q is not a valid mode", mode)) } if mode == authzmodes.ModeABAC { - if s.PolicyFile == "" { - allErrors = append(allErrors, fmt.Errorf("authorization-mode ABAC's authorization policy file not passed")) + if o.PolicyFile == "" { + allErrors = append(allErrors, fmt.Errorf("authorization-mode ABAC'o authorization policy file not passed")) } } if mode == authzmodes.ModeWebhook { - if s.WebhookConfigFile == "" { - allErrors = append(allErrors, fmt.Errorf("authorization-mode Webhook's authorization config file not passed")) + if o.WebhookConfigFile == "" { + allErrors = append(allErrors, fmt.Errorf("authorization-mode Webhook'o authorization config file not passed")) } } } - if s.PolicyFile != "" && !modes.Has(authzmodes.ModeABAC) { + if o.PolicyFile != "" && !modes.Has(authzmodes.ModeABAC) { allErrors = append(allErrors, fmt.Errorf("cannot specify --authorization-policy-file without mode ABAC")) } - if s.WebhookConfigFile != "" && !modes.Has(authzmodes.ModeWebhook) { + if o.WebhookConfigFile != "" && !modes.Has(authzmodes.ModeWebhook) { allErrors = append(allErrors, fmt.Errorf("cannot specify --authorization-webhook-config-file without mode Webhook")) } - if len(s.Modes) != len(modes.List()) { - allErrors = append(allErrors, fmt.Errorf("authorization-mode %q has mode specified more than once", s.Modes)) + if len(o.Modes) != len(modes.List()) { + allErrors = append(allErrors, fmt.Errorf("authorization-mode %q has mode specified more than once", o.Modes)) } return allErrors } // AddFlags returns flags of authorization for a API Server -func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { - fs.StringSliceVar(&s.Modes, "authorization-mode", s.Modes, ""+ +func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { + fs.StringSliceVar(&o.Modes, "authorization-mode", o.Modes, ""+ "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+ strings.Join(authzmodes.AuthorizationModeChoices, ",")+".") - fs.StringVar(&s.PolicyFile, "authorization-policy-file", s.PolicyFile, ""+ + fs.StringVar(&o.PolicyFile, "authorization-policy-file", o.PolicyFile, ""+ "File with authorization policy in json line by line format, used with --authorization-mode=ABAC, on the secure port.") - fs.StringVar(&s.WebhookConfigFile, "authorization-webhook-config-file", s.WebhookConfigFile, ""+ + fs.StringVar(&o.WebhookConfigFile, "authorization-webhook-config-file", o.WebhookConfigFile, ""+ "File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "+ - "The API server will query the remote service to determine access on the API server's secure port.") + "The API server will query the remote service to determine access on the API server'o secure port.") - fs.StringVar(&s.WebhookVersion, "authorization-webhook-version", s.WebhookVersion, ""+ + fs.StringVar(&o.WebhookVersion, "authorization-webhook-version", o.WebhookVersion, ""+ "The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook.") - fs.DurationVar(&s.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl", - s.WebhookCacheAuthorizedTTL, + fs.DurationVar(&o.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl", + o.WebhookCacheAuthorizedTTL, "The duration to cache 'authorized' responses from the webhook authorizer.") - fs.DurationVar(&s.WebhookCacheUnauthorizedTTL, - "authorization-webhook-cache-unauthorized-ttl", s.WebhookCacheUnauthorizedTTL, + fs.DurationVar(&o.WebhookCacheUnauthorizedTTL, + "authorization-webhook-cache-unauthorized-ttl", o.WebhookCacheUnauthorizedTTL, "The duration to cache 'unauthorized' responses from the webhook authorizer.") } // ToAuthorizationConfig convert BuiltInAuthorizationOptions to authorizer.Config -func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config { +func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.Config { return authorizer.Config{ - AuthorizationModes: s.Modes, - PolicyFile: s.PolicyFile, - WebhookConfigFile: s.WebhookConfigFile, - WebhookVersion: s.WebhookVersion, - WebhookCacheAuthorizedTTL: s.WebhookCacheAuthorizedTTL, - WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL, + AuthorizationModes: o.Modes, + PolicyFile: o.PolicyFile, + WebhookConfigFile: o.WebhookConfigFile, + WebhookVersion: o.WebhookVersion, + WebhookCacheAuthorizedTTL: o.WebhookCacheAuthorizedTTL, + WebhookCacheUnauthorizedTTL: o.WebhookCacheUnauthorizedTTL, VersionedInformerFactory: versionedInformerFactory, } } diff --git a/pkg/kubeapiserver/options/cloudprovider.go b/pkg/kubeapiserver/options/cloudprovider.go index 44c0dc5ca53..9df580ac818 100644 --- a/pkg/kubeapiserver/options/cloudprovider.go +++ b/pkg/kubeapiserver/options/cloudprovider.go @@ -37,7 +37,7 @@ func (s *CloudProviderOptions) Validate() []error { return allErrors } -// AddFlags returns flags of cloud provider for a APIServer +// AddFlags returns flags of cloud provider for a API Server func (s *CloudProviderOptions) AddFlags(fs *pflag.FlagSet) { fs.StringVar(&s.CloudProvider, "cloud-provider", s.CloudProvider, "The provider for cloud services. Empty string for no provider.") diff --git a/pkg/kubeapiserver/options/options.go b/pkg/kubeapiserver/options/options.go index f8f89c97ae4..1314e52c05f 100644 --- a/pkg/kubeapiserver/options/options.go +++ b/pkg/kubeapiserver/options/options.go @@ -28,5 +28,5 @@ var DefaultServiceNodePortRange = utilnet.PortRange{Base: 30000, Size: 2768} // DefaultServiceIPCIDR is a CIDR notation of IP range from which to allocate service cluster IPs var DefaultServiceIPCIDR = net.IPNet{IP: net.ParseIP("10.0.0.0"), Mask: net.CIDRMask(24, 32)} -// DefaultEtcdPathPrefix is the default key prefix of etcd for APIServer +// DefaultEtcdPathPrefix is the default key prefix of etcd for API Server const DefaultEtcdPathPrefix = "/registry" From e6c4633232b865eaceefaf74b1f0095bbc536f11 Mon Sep 17 00:00:00 2001 From: yiduyangyi Date: Thu, 23 Jul 2020 19:02:07 +0800 Subject: [PATCH 4/4] fix golint failures in pkg/kubeapiserver/options, fix some incorrect replace of receiver name --- pkg/kubeapiserver/options/authentication.go | 10 +++++----- pkg/kubeapiserver/options/authorization.go | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go index b03f46f8076..f01118ff8d2 100644 --- a/pkg/kubeapiserver/options/authentication.go +++ b/pkg/kubeapiserver/options/authentication.go @@ -257,8 +257,8 @@ func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { "The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.") fs.StringVar(&o.OIDC.CAFile, "oidc-ca-file", o.OIDC.CAFile, ""+ - "If set, the OpenID server'o certificate will be verified by one of the authorities "+ - "in the oidc-ca-file, otherwise the host'o root CA set will be used.") + "If set, the OpenID server's certificate will be verified by one of the authorities "+ + "in the oidc-ca-file, otherwise the host's root CA set will be used.") fs.StringVar(&o.OIDC.UsernameClaim, "oidc-username-claim", "sub", ""+ "The OpenID claim to use as the user name. Note that claims other than the default ('sub') "+ @@ -319,7 +319,7 @@ func (o *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { "Overrides the URI for the JSON Web Key Set in the discovery doc served at "+ "/.well-known/openid-configuration. This flag is useful if the discovery doc"+ "and key set are served to relying parties from a URL other than the "+ - "API server'o external (as auto-detected or overridden with external-hostname). "+ + "API server's external (as auto-detected or overridden with external-hostname). "+ "Only valid if the ServiceAccountIssuerDiscovery feature gate is enabled.") // Deprecated in 1.13 @@ -422,10 +422,10 @@ func (o *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat if len(o.WebHook.ConfigFile) > 0 && o.WebHook.CacheTTL > 0 { if o.TokenSuccessCacheTTL > 0 && o.WebHook.CacheTTL < o.TokenSuccessCacheTTL { - klog.Warningf("the webhook cache ttl of %o is shorter than the overall cache ttl of %o for successful token authentication attempts.", o.WebHook.CacheTTL, o.TokenSuccessCacheTTL) + klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for successful token authentication attempts.", o.WebHook.CacheTTL, o.TokenSuccessCacheTTL) } if o.TokenFailureCacheTTL > 0 && o.WebHook.CacheTTL < o.TokenFailureCacheTTL { - klog.Warningf("the webhook cache ttl of %o is shorter than the overall cache ttl of %o for failed token authentication attempts.", o.WebHook.CacheTTL, o.TokenFailureCacheTTL) + klog.Warningf("the webhook cache ttl of %s is shorter than the overall cache ttl of %s for failed token authentication attempts.", o.WebHook.CacheTTL, o.TokenFailureCacheTTL) } } } diff --git a/pkg/kubeapiserver/options/authorization.go b/pkg/kubeapiserver/options/authorization.go index 2cd8e971b75..b21690464f2 100644 --- a/pkg/kubeapiserver/options/authorization.go +++ b/pkg/kubeapiserver/options/authorization.go @@ -67,12 +67,12 @@ func (o *BuiltInAuthorizationOptions) Validate() []error { } if mode == authzmodes.ModeABAC { if o.PolicyFile == "" { - allErrors = append(allErrors, fmt.Errorf("authorization-mode ABAC'o authorization policy file not passed")) + allErrors = append(allErrors, fmt.Errorf("authorization-mode ABAC's authorization policy file not passed")) } } if mode == authzmodes.ModeWebhook { if o.WebhookConfigFile == "" { - allErrors = append(allErrors, fmt.Errorf("authorization-mode Webhook'o authorization config file not passed")) + allErrors = append(allErrors, fmt.Errorf("authorization-mode Webhook's authorization config file not passed")) } } } @@ -103,7 +103,7 @@ func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) { fs.StringVar(&o.WebhookConfigFile, "authorization-webhook-config-file", o.WebhookConfigFile, ""+ "File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "+ - "The API server will query the remote service to determine access on the API server'o secure port.") + "The API server will query the remote service to determine access on the API server's secure port.") fs.StringVar(&o.WebhookVersion, "authorization-webhook-version", o.WebhookVersion, ""+ "The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook.")