diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index 27880351ab8..72548ecc7b8 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -526,7 +526,7 @@ func buildGenericConfig(
 return
 }
- genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, sharedInformers, versionedInformers)
+ genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, versionedInformers)
 if err != nil {
 lastErr = fmt.Errorf("invalid authorization config: %v", err)
 return
@@ -634,8 +634,8 @@ func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset
 }
 // BuildAuthorizer constructs the authorizer
-func BuildAuthorizer(s *options.ServerRunOptions, sharedInformers informers.SharedInformerFactory, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) {
- authorizationConfig := s.Authorization.ToAuthorizationConfig(sharedInformers, versionedInformers)
+func BuildAuthorizer(s *options.ServerRunOptions, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) {
+ authorizationConfig := s.Authorization.ToAuthorizationConfig(versionedInformers)
 return authorizationConfig.New()
 }
diff --git a/pkg/kubeapiserver/authorizer/BUILD b/pkg/kubeapiserver/authorizer/BUILD
index 66cb0d41725..129eacedfca 100644
--- a/pkg/kubeapiserver/authorizer/BUILD
+++ b/pkg/kubeapiserver/authorizer/BUILD
@@ -12,7 +12,6 @@ go_library(
 deps = [
 "//pkg/auth/authorizer/abac:go_default_library",
 "//pkg/auth/nodeidentifier:go_default_library",
- "//pkg/client/informers/informers_generated/internalversion:go_default_library",
 "//pkg/kubeapiserver/authorizer/modes:go_default_library",
 "//plugin/pkg/auth/authorizer/node:go_default_library",
 "//plugin/pkg/auth/authorizer/rbac:go_default_library",
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index 1e0b650cb8a..00224fd4825 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -27,7 +27,6 @@ import (
 versionedinformers "k8s.io/client-go/informers"
 "k8s.io/kubernetes/pkg/auth/authorizer/abac"
 "k8s.io/kubernetes/pkg/auth/nodeidentifier"
- informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
 "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
@@ -51,7 +50,6 @@ type AuthorizationConfig struct {
 // TTL for caching of unauthorized responses from the webhook server.
 WebhookCacheUnauthorizedTTL time.Duration
- InformerFactory informers.SharedInformerFactory
 VersionedInformerFactory versionedinformers.SharedInformerFactory
 }
@@ -74,7 +72,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
 graph := node.NewGraph()
 node.AddGraphEventHandlers(
 graph,
- config.InformerFactory.Core().InternalVersion().Nodes(),
+ config.VersionedInformerFactory.Core().V1().Nodes(),
 config.VersionedInformerFactory.Core().V1().Pods(),
 config.VersionedInformerFactory.Core().V1().PersistentVolumes(),
 config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
diff --git a/pkg/kubeapiserver/options/BUILD b/pkg/kubeapiserver/options/BUILD
index c4829201b59..1f4ca636a7d 100644
--- a/pkg/kubeapiserver/options/BUILD
+++ b/pkg/kubeapiserver/options/BUILD
@@ -21,7 +21,6 @@ go_library(
 importpath = "k8s.io/kubernetes/pkg/kubeapiserver/options",
 deps = [
 "//pkg/api/legacyscheme:go_default_library",
- "//pkg/client/informers/informers_generated/internalversion:go_default_library",
 "//pkg/cloudprovider/providers:go_default_library",
 "//pkg/features:go_default_library",
 "//pkg/kubeapiserver/authenticator:go_default_library",
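Review bot: In `AuthorizationConfig.New()` (pkg/kubeapiserver/authorizer/config.go, hunk at -74,7), `config.VersionedInformerFactory.Core().V1().Nodes()` makes the versioned factory the only informer source for the node graph, and nothing visible in the hunk checks that the factory is set before it is dereferenced. If there is no guard elsewhere in `New()` (its body starts and ends outside the hunk), a config built without the factory would panic when the Node mode is selected instead of returning an error through the existing `error` result; a nil check that returns an error in that branch would make misconfiguration fail cleanly. The remaining struct field is also undocumented, so I would add `// VersionedInformerFactory provides the informers used to populate the Node authorizer graph.` above it.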
diff --git a/pkg/kubeapiserver/options/authorization.go b/pkg/kubeapiserver/options/authorization.go
index dd483c5e4c8..3c5559ef031 100644
--- a/pkg/kubeapiserver/options/authorization.go
+++ b/pkg/kubeapiserver/options/authorization.go
@@ -25,7 +25,6 @@ import (
 "k8s.io/apimachinery/pkg/util/sets"
 versionedinformers "k8s.io/client-go/informers"
- informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 "k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
@@ -110,14 +109,13 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 "The duration to cache 'unauthorized' responses from the webhook authorizer.")
 }
-func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
+func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
 return authorizer.AuthorizationConfig{
 AuthorizationModes: s.Modes,
 PolicyFile: s.PolicyFile,
 WebhookConfigFile: s.WebhookConfigFile,
 WebhookCacheAuthorizedTTL: s.WebhookCacheAuthorizedTTL,
 WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
- InformerFactory: informerFactory,
 VersionedInformerFactory: versionedInformerFactory,
 }
 }
diff --git a/plugin/pkg/auth/authorizer/node/BUILD b/plugin/pkg/auth/authorizer/node/BUILD
index 98d4ecb3079..8d87e36eddd 100644
--- a/plugin/pkg/auth/authorizer/node/BUILD
+++ b/plugin/pkg/auth/authorizer/node/BUILD
@@ -15,7 +15,6 @@ go_test(
 ],
 embed = [":go_default_library"],
 deps = [
- "//pkg/apis/core:go_default_library",
 "//pkg/auth/nodeidentifier:go_default_library",
 "//pkg/features:go_default_library",
 "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
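Review bot: The exported method `ToAuthorizationConfig` in pkg/kubeapiserver/options/authorization.go (hunk at -110,14) has no doc comment, and the signature change leaves callers without a statement of what the remaining argument is for. I would add `// ToAuthorizationConfig builds an authorizer.AuthorizationConfig from the options, using versionedInformerFactory as its informer source.` directly above the `func` line. The function copies the option fields one by one, so the comment does not need to list them.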
@@ -45,7 +44,6 @@ go_library(
 "//pkg/apis/core:go_default_library",
 "//pkg/apis/storage:go_default_library",
 "//pkg/auth/nodeidentifier:go_default_library",
- "//pkg/client/informers/informers_generated/internalversion/core/internalversion:go_default_library",
 "//pkg/features:go_default_library",
 "//plugin/pkg/auth/authorizer/rbac:go_default_library",
 "//staging/src/k8s.io/api/core/v1:go_default_library",
diff --git a/plugin/pkg/auth/authorizer/node/graph.go b/plugin/pkg/auth/authorizer/node/graph.go
index 2b96db103ef..39e2cef4823 100644
--- a/plugin/pkg/auth/authorizer/node/graph.go
+++ b/plugin/pkg/auth/authorizer/node/graph.go
@@ -22,7 +22,6 @@ import (
 corev1 "k8s.io/api/core/v1"
 pvutil "k8s.io/kubernetes/pkg/api/v1/persistentvolume"
 podutil "k8s.io/kubernetes/pkg/api/v1/pod"
- api "k8s.io/kubernetes/pkg/apis/core"
 "k8s.io/kubernetes/third_party/forked/gonum/graph"
 "k8s.io/kubernetes/third_party/forked/gonum/graph/simple"
 )
@@ -318,7 +317,7 @@ func (g *Graph) AddPod(pod *corev1.Pod) {
 // Short-circuit adding edges to other resources for mirror pods.
 // A node must never be able to create a pod that grants them permissions on other API objects.
 // The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth.
- if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; isMirrorPod {
+ if _, isMirrorPod := pod.Annotations[corev1.MirrorPodAnnotationKey]; isMirrorPod {
 return
 }
diff --git a/plugin/pkg/auth/authorizer/node/graph_populator.go b/plugin/pkg/auth/authorizer/node/graph_populator.go
index 9910ce0d3c1..7bdf9b76857 100644
--- a/plugin/pkg/auth/authorizer/node/graph_populator.go
+++ b/plugin/pkg/auth/authorizer/node/graph_populator.go
@@ -26,8 +26,6 @@ import (
 corev1informers "k8s.io/client-go/informers/core/v1"
 storageinformers "k8s.io/client-go/informers/storage/v1beta1"
 "k8s.io/client-go/tools/cache"
- api "k8s.io/kubernetes/pkg/apis/core"
- coreinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/core/internalversion"
 "k8s.io/kubernetes/pkg/features"
 )
@@ -37,7 +35,7 @@ type graphPopulator struct {
 func AddGraphEventHandlers(
 graph *Graph,
- nodes coreinformers.NodeInformer,
+ nodes corev1informers.NodeInformer,
 pods corev1informers.PodInformer,
 pvs corev1informers.PersistentVolumeInformer,
 attachments storageinformers.VolumeAttachmentInformer,
@@ -80,10 +78,10 @@ func (g *graphPopulator) addNode(obj interface{}) {
 }
 func (g *graphPopulator) updateNode(oldObj, obj interface{}) {
- node := obj.(*api.Node)
- var oldNode *api.Node
+ node := obj.(*corev1.Node)
+ var oldNode *corev1.Node
 if oldObj != nil {
- oldNode = oldObj.(*api.Node)
+ oldNode = oldObj.(*corev1.Node)
 }
 // we only set up rules for ConfigMap today, because that is the only reference type
@@ -119,7 +117,7 @@ func (g *graphPopulator) deleteNode(obj interface{}) {
 if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
 obj = tombstone.Obj
 }
- node, ok := obj.(*api.Node)
+ node, ok := obj.(*corev1.Node)
 if !ok {
 glog.Infof("unexpected type %T", obj)
 return
diff --git a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
index 04b3d6167cc..16c6101083e 100644
--- a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
@@ -33,7 +33,6 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 utilfeature "k8s.io/apiserver/pkg/util/feature"
- api "k8s.io/kubernetes/pkg/apis/core"
 "k8s.io/kubernetes/pkg/auth/nodeidentifier"
 "k8s.io/kubernetes/pkg/features"
 "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
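Review bot: In `updateNode` (graph_populator.go, hunk at -80,10) the new `node := obj.(*corev1.Node)` and `oldNode = oldObj.(*corev1.Node)` are unchecked type assertions, while `deleteNode` in the hunk at -119,7 uses the comma-ok form and logs on mismatch. Because this commit changes which informer feeds the handler, an object of any other type reaching `updateNode` would panic inside the event handler rather than be reported. Since the graph backs node authorization decisions, I would guard it the same way as `deleteNode`: `node, ok := obj.(*corev1.Node)` followed by `if !ok { glog.Infof("unexpected type %T", obj); return }`, and likewise for `oldObj`. The body of `updateNode` continues past the end of the hunk, so the remainder of the function is not visible here.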
@@ -684,7 +683,7 @@ func BenchmarkAuthorization(b *testing.B) {
 }
 }
-func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
+func populate(graph *Graph, nodes []*corev1.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
 p := &graphPopulator{}
 p.graph = graph
 for _, node := range nodes {
@@ -705,8 +704,8 @@ func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*corev1
 // the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects.
 // for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0.
 // when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1.
-func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
- nodes := make([]*api.Node, 0, opts.nodes)
+func generate(opts sampleDataOpts) ([]*corev1.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
+ nodes := make([]*corev1.Node, 0, opts.nodes)
 pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode)
 pvs := make([]*corev1.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
 attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode)
@@ -775,11 +774,11 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*corev1.Persis
 }
 name := fmt.Sprintf("%s-configmap", nodeName)
- nodes = append(nodes, &api.Node{
+ nodes = append(nodes, &corev1.Node{
 ObjectMeta: metav1.ObjectMeta{Name: nodeName},
- Spec: api.NodeSpec{
- ConfigSource: &api.NodeConfigSource{
- ConfigMap: &api.ConfigMapNodeConfigSource{
+ Spec: corev1.NodeSpec{
+ ConfigSource: &corev1.NodeConfigSource{
+ ConfigMap: &corev1.ConfigMapNodeConfigSource{
 Name: name,
 Namespace: "ns0",
 UID: types.UID(fmt.Sprintf("ns0-%s", name)),
diff --git a/test/integration/auth/BUILD b/test/integration/auth/BUILD
index 3a74cf6a8c0..f218e3f8149 100644
--- a/test/integration/auth/BUILD
+++ b/test/integration/auth/BUILD
@@ -30,7 +30,6 @@ go_test(
 "//pkg/auth/authorizer/abac:go_default_library",
 "//pkg/auth/nodeidentifier:go_default_library",
 "//pkg/client/clientset_generated/internalclientset:go_default_library",
- "//pkg/client/informers/informers_generated/internalversion:go_default_library",
 "//pkg/controller/serviceaccount:go_default_library",
 "//pkg/features:go_default_library",
 "//pkg/kubeapiserver/authorizer:go_default_library",
diff --git a/test/integration/auth/node_test.go b/test/integration/auth/node_test.go
index de109aa368a..8e40effe133 100644
--- a/test/integration/auth/node_test.go
+++ b/test/integration/auth/node_test.go
@@ -42,7 +42,6 @@ import (
 "k8s.io/kubernetes/pkg/apis/policy"
 "k8s.io/kubernetes/pkg/auth/nodeidentifier"
 clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
- informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 "k8s.io/kubernetes/pkg/features"
 "k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
 "k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
@@ -75,7 +74,6 @@ func TestNodeAuthorizer(t *testing.T) {
 // Build client config, clientset, and informers
 clientConfig := &restclient.Config{Host: apiServer.URL, ContentConfig: restclient.ContentConfig{NegotiatedSerializer: legacyscheme.Codecs}}
 superuserClient, superuserClientExternal := clientsetForToken(tokenMaster, clientConfig)
- informerFactory := informers.NewSharedInformerFactory(superuserClient, time.Minute)
 versionedInformerFactory := versionedinformers.NewSharedInformerFactory(superuserClientExternal, time.Minute)
 // Enabled CSIPersistentVolume feature at startup so volumeattachments get watched
@@ -87,7 +85,6 @@ func TestNodeAuthorizer(t *testing.T) {
 // Set up Node+RBAC authorizer
 authorizerConfig := &authorizer.AuthorizationConfig{
 AuthorizationModes: []string{"Node", "RBAC"},
- InformerFactory: informerFactory,
 VersionedInformerFactory: versionedInformerFactory,
 }
 nodeRBACAuthorizer, _, err := authorizerConfig.New()
@@ -114,7 +111,6 @@ func TestNodeAuthorizer(t *testing.T) {
 // Start the informers
 stopCh := make(chan struct{})
 defer close(stopCh)
- informerFactory.Start(stopCh)
 versionedInformerFactory.Start(stopCh)
 // Wait for a healthy server