github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 03:11:40 +00:00
Code Issues Projects Releases Wiki Activity

cloud-provider: remove deprecated insecure serving from Config

Browse Source
This commit is contained in:
SataQiu 2022-09-01 10:54:23 +08:00
parent 863a462eec
commit f09e136aca
2 changed files with 20 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
staging/src/k8s.io/cloud-provider/app/config/config.go
View File

@ -34,10 +34,8 @@ type Config struct {
// LoopbackClientConfig is a config for a privileged loopback connection // LoopbackClientConfig is a config for a privileged loopback connection
LoopbackClientConfig *restclient.Config LoopbackClientConfig *restclient.Config
// TODO: remove deprecated insecure serving Authentication apiserver.AuthenticationInfo
InsecureServing *apiserver.DeprecatedInsecureServingInfo Authorization apiserver.AuthorizationInfo
Authentication apiserver.AuthenticationInfo
Authorization apiserver.AuthorizationInfo
// the general kube client // the general kube client
Client *clientset.Clientset Client *clientset.Clientset

189
test/integration/serving/serving_test.go
View File

@ -39,39 +39,39 @@ import (
) )
type componentTester interface { type componentTester interface {
StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, *server.DeprecatedInsecureServingInfo, func(), error) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, func(), error)
} }
type kubeControllerManagerTester struct{} type kubeControllerManagerTester struct{}
func (kubeControllerManagerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, *server.DeprecatedInsecureServingInfo, func(), error) { func (kubeControllerManagerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, func(), error) {
// avoid starting any controller loops, we're just testing serving // avoid starting any controller loops, we're just testing serving
customFlags = append([]string{"--controllers="}, customFlags...) customFlags = append([]string{"--controllers="}, customFlags...)
gotResult, err := kubectrlmgrtesting.StartTestServer(t, customFlags) gotResult, err := kubectrlmgrtesting.StartTestServer(t, customFlags)
if err != nil { if err != nil {
return nil, nil, nil, nil, err return nil, nil, nil, err
} }
return gotResult.Options.SecureServing, gotResult.Config.SecureServing, nil, gotResult.TearDownFn, err return gotResult.Options.SecureServing, gotResult.Config.SecureServing, gotResult.TearDownFn, err
} }
type cloudControllerManagerTester struct{} type cloudControllerManagerTester struct{}
func (cloudControllerManagerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, *server.DeprecatedInsecureServingInfo, func(), error) { func (cloudControllerManagerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, func(), error) {
gotResult, err := cloudctrlmgrtesting.StartTestServer(t, customFlags) gotResult, err := cloudctrlmgrtesting.StartTestServer(t, customFlags)
if err != nil { if err != nil {
return nil, nil, nil, nil, err return nil, nil, nil, err
} }
return gotResult.Options.SecureServing, gotResult.Config.SecureServing, gotResult.Config.InsecureServing, gotResult.TearDownFn, err return gotResult.Options.SecureServing, gotResult.Config.SecureServing, gotResult.TearDownFn, err
} }
type kubeSchedulerTester struct{} type kubeSchedulerTester struct{}
func (kubeSchedulerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, *server.DeprecatedInsecureServingInfo, func(), error) { func (kubeSchedulerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, func(), error) {
gotResult, err := kubeschedulertesting.StartTestServer(t, customFlags) gotResult, err := kubeschedulertesting.StartTestServer(t, customFlags)
if err != nil { if err != nil {
return nil, nil, nil, nil, err return nil, nil, nil, err
} }
return gotResult.Options.SecureServing, gotResult.Config.SecureServing, nil, gotResult.TearDownFn, err return gotResult.Options.SecureServing, gotResult.Config.SecureServing, gotResult.TearDownFn, err
} }
func TestComponentSecureServingAndAuth(t *testing.T) { func TestComponentSecureServingAndAuth(t *testing.T) {
@ -158,171 +158,18 @@ users:
brokenApiserverConfig.Close() brokenApiserverConfig.Close()
tests := []struct { tests := []struct {
name string name string
tester componentTester tester componentTester
extraFlags []string extraFlags []string
insecureDisabled bool
}{ }{
{"kube-controller-manager", kubeControllerManagerTester{}, nil, true}, {"kube-controller-manager", kubeControllerManagerTester{}, nil},
{"cloud-controller-manager", cloudControllerManagerTester{}, []string{"--cloud-provider=fake"}, true}, {"cloud-controller-manager", cloudControllerManagerTester{}, []string{"--cloud-provider=fake"}},
{"kube-scheduler", kubeSchedulerTester{}, nil, true}, {"kube-scheduler", kubeSchedulerTester{}, nil},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if tt.insecureDisabled { testComponentWithSecureServing(t, tt.tester, apiserverConfig.Name(), brokenApiserverConfig.Name(), token, tt.extraFlags)
testComponentWithSecureServing(t, tt.tester, apiserverConfig.Name(), brokenApiserverConfig.Name(), token, tt.extraFlags)
} else {
testComponent(t, tt.tester, apiserverConfig.Name(), brokenApiserverConfig.Name(), token, tt.extraFlags)
}
})
}
}
func testComponent(t *testing.T, tester componentTester, kubeconfig, brokenKubeconfig, token string, extraFlags []string) {
tests := []struct {
name string
flags []string
path string
anonymous bool // to use the token or not
wantErr bool
wantSecureCode, wantInsecureCode *int
}{
{"no-flags", nil, "/healthz", false, true, nil, nil},
{"insecurely /healthz", []string{
"--secure-port=0",
"--port=10253",
"--kubeconfig", kubeconfig,
"--leader-elect=false",
}, "/healthz", true, false, nil, intPtr(http.StatusOK)},
{"insecurely /metrics", []string{
"--secure-port=0",
"--port=10253",
"--kubeconfig", kubeconfig,
"--leader-elect=false",
}, "/metrics", true, false, nil, intPtr(http.StatusOK)},
{"/healthz without authn/authz", []string{
"--port=0",
"--kubeconfig", kubeconfig,
"--leader-elect=false",
}, "/healthz", true, false, intPtr(http.StatusOK), nil},
{"/metrics without authn/authz", []string{
"--kubeconfig", kubeconfig,
"--leader-elect=false",
"--port=10253",
}, "/metrics", true, false, intPtr(http.StatusForbidden), intPtr(http.StatusOK)},
{"authorization skipped for /healthz with authn/authz", []string{
"--port=0",
"--authentication-kubeconfig", kubeconfig,
"--authorization-kubeconfig", kubeconfig,
"--kubeconfig", kubeconfig,
"--leader-elect=false",
}, "/healthz", false, false, intPtr(http.StatusOK), nil},
{"authorization skipped for /healthz with BROKEN authn/authz", []string{
"--port=0",
"--authentication-skip-lookup", // to survive inaccessible extensions-apiserver-authentication configmap
"--authentication-kubeconfig", brokenKubeconfig,
"--authorization-kubeconfig", brokenKubeconfig,
"--kubeconfig", kubeconfig,
"--leader-elect=false",
}, "/healthz", false, false, intPtr(http.StatusOK), nil},
{"not authorized /metrics", []string{
"--port=0",
"--authentication-kubeconfig", kubeconfig,
"--authorization-kubeconfig", kubeconfig,
"--kubeconfig", kubeconfig,
"--leader-elect=false",
}, "/metrics", false, false, intPtr(http.StatusForbidden), nil},
{"not authorized /metrics with BROKEN authn/authz", []string{
"--port=10253",
"--authentication-kubeconfig", kubeconfig,
"--authorization-kubeconfig", brokenKubeconfig,
"--kubeconfig", kubeconfig,
"--leader-elect=false",
}, "/metrics", false, false, intPtr(http.StatusInternalServerError), intPtr(http.StatusOK)},
{"always-allowed /metrics with BROKEN authn/authz", []string{
"--port=0",
"--authentication-skip-lookup", // to survive inaccessible extensions-apiserver-authentication configmap
"--authentication-kubeconfig", brokenKubeconfig,
"--authorization-kubeconfig", brokenKubeconfig,
"--authorization-always-allow-paths", "/healthz,/metrics",
"--kubeconfig", kubeconfig,
"--leader-elect=false",
}, "/metrics", false, false, intPtr(http.StatusOK), nil},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
secureOptions, secureInfo, insecureInfo, tearDownFn, err := tester.StartTestServer(t, append(append([]string{}, tt.flags...), extraFlags...))
if tearDownFn != nil {
defer tearDownFn()
}
if (err != nil) != tt.wantErr {
t.Fatalf("StartTestServer() error = %v, wantErr %v", err, tt.wantErr)
}
if err != nil {
return
}
if want, got := tt.wantSecureCode != nil, secureInfo != nil; want != got {
t.Errorf("SecureServing enabled: expected=%v got=%v", want, got)
} else if want {
url := fmt.Sprintf("https://%s%s", secureInfo.Listener.Addr().String(), tt.path)
url = strings.Replace(url, "[::]", "127.0.0.1", -1) // switch to IPv4 because the self-signed cert does not support [::]
// read self-signed server cert disk
pool := x509.NewCertPool()
serverCertPath := path.Join(secureOptions.ServerCert.CertDirectory, secureOptions.ServerCert.PairName+".crt")
serverCert, err := os.ReadFile(serverCertPath)
if err != nil {
t.Fatalf("Failed to read component server cert %q: %v", serverCertPath, err)
}
pool.AppendCertsFromPEM(serverCert)
tr := &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: pool,
},
}
client := &http.Client{Transport: tr}
req, err := http.NewRequest("GET", url, nil)
if err != nil {
t.Fatal(err)
}
if !tt.anonymous {
req.Header.Add("Authorization", fmt.Sprintf("Token %s", token))
}
r, err := client.Do(req)
if err != nil {
t.Fatalf("failed to GET %s from component: %v", tt.path, err)
}
body, err := io.ReadAll(r.Body)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
}
defer r.Body.Close()
if got, expected := r.StatusCode, *tt.wantSecureCode; got != expected {
t.Fatalf("expected http %d at %s of component, got: %d %q", expected, tt.path, got, string(body))
}
}
if want, got := tt.wantInsecureCode != nil, insecureInfo != nil; want != got {
t.Errorf("InsecureServing enabled: expected=%v got=%v", want, got)
} else if want {
url := fmt.Sprintf("http://%s%s", insecureInfo.Listener.Addr().String(), tt.path)
r, err := http.Get(url)
if err != nil {
t.Fatalf("failed to GET %s from component: %v", tt.path, err)
}
body, err := io.ReadAll(r.Body)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
}
defer r.Body.Close()
if got, expected := r.StatusCode, *tt.wantInsecureCode; got != expected {
t.Fatalf("expected http %d at %s of component, got: %d %q", expected, tt.path, got, string(body))
}
}
}) })
} }
} }
@ -375,7 +222,7 @@ func testComponentWithSecureServing(t *testing.T, tester componentTester, kubeco
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
secureOptions, secureInfo, _, tearDownFn, err := tester.StartTestServer(t, append(append([]string{}, tt.flags...), extraFlags...)) secureOptions, secureInfo, tearDownFn, err := tester.StartTestServer(t, append(append([]string{}, tt.flags...), extraFlags...))
if tearDownFn != nil { if tearDownFn != nil {
defer tearDownFn() defer tearDownFn()
} }