externalize node admission
fixes internal pod annotation reference; completely strip internal informers from authz initialization
parent
b44a768052
commit
f624a4efb8
@ -526,7 +526,7 @@ func buildGenericConfig(
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, sharedInformers, versionedInformers)
|
genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, versionedInformers)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
lastErr = fmt.Errorf("invalid authorization config: %v", err)
|
lastErr = fmt.Errorf("invalid authorization config: %v", err)
|
||||||
return
|
return
|
||||||
@ -634,8 +634,8 @@ func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset
|
|||||||
}
|
}
|
||||||
|
|
||||||
// BuildAuthorizer constructs the authorizer
|
// BuildAuthorizer constructs the authorizer
|
||||||
func BuildAuthorizer(s *options.ServerRunOptions, sharedInformers informers.SharedInformerFactory, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) {
|
func BuildAuthorizer(s *options.ServerRunOptions, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) {
|
||||||
authorizationConfig := s.Authorization.ToAuthorizationConfig(sharedInformers, versionedInformers)
|
authorizationConfig := s.Authorization.ToAuthorizationConfig(versionedInformers)
|
||||||
return authorizationConfig.New()
|
return authorizationConfig.New()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -12,7 +12,6 @@ go_library(
|
|||||||
deps = [
|
deps = [
|
||||||
"//pkg/auth/authorizer/abac:go_default_library",
|
"//pkg/auth/authorizer/abac:go_default_library",
|
||||||
"//pkg/auth/nodeidentifier:go_default_library",
|
"//pkg/auth/nodeidentifier:go_default_library",
|
||||||
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
|
|
||||||
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
||||||
"//plugin/pkg/auth/authorizer/node:go_default_library",
|
"//plugin/pkg/auth/authorizer/node:go_default_library",
|
||||||
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
|
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
|
||||||
|
@ -27,7 +27,6 @@ import (
|
|||||||
versionedinformers "k8s.io/client-go/informers"
|
versionedinformers "k8s.io/client-go/informers"
|
||||||
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
|
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
|
||||||
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
|
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
|
||||||
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
|
|
||||||
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
|
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
|
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
|
||||||
@ -51,7 +50,6 @@ type AuthorizationConfig struct {
|
|||||||
// TTL for caching of unauthorized responses from the webhook server.
|
// TTL for caching of unauthorized responses from the webhook server.
|
||||||
WebhookCacheUnauthorizedTTL time.Duration
|
WebhookCacheUnauthorizedTTL time.Duration
|
||||||
|
|
||||||
InformerFactory informers.SharedInformerFactory
|
|
||||||
VersionedInformerFactory versionedinformers.SharedInformerFactory
|
VersionedInformerFactory versionedinformers.SharedInformerFactory
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -74,7 +72,7 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
|
|||||||
graph := node.NewGraph()
|
graph := node.NewGraph()
|
||||||
node.AddGraphEventHandlers(
|
node.AddGraphEventHandlers(
|
||||||
graph,
|
graph,
|
||||||
config.InformerFactory.Core().InternalVersion().Nodes(),
|
config.VersionedInformerFactory.Core().V1().Nodes(),
|
||||||
config.VersionedInformerFactory.Core().V1().Pods(),
|
config.VersionedInformerFactory.Core().V1().Pods(),
|
||||||
config.VersionedInformerFactory.Core().V1().PersistentVolumes(),
|
config.VersionedInformerFactory.Core().V1().PersistentVolumes(),
|
||||||
config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
|
config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
|
||||||
|
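Review bot: With `InformerFactory` removed from AuthorizationConfig, `VersionedInformerFactory` is the only informer source New() dereferences, and the field carries no comment saying it is required. The visible call `config.VersionedInformerFactory.Core().V1().Nodes()` would panic on a nil factory, so the struct should say so, e.g. `// VersionedInformerFactory supplies the v1 informers used to build the node authorizer graph; it must be set when the Node mode is enabled.` The branch guarding that call is outside the hunk, so the "Node mode" wording is inferred and should be checked against it. New() starts and ends outside the hunk.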
@ -21,7 +21,6 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/pkg/kubeapiserver/options",
|
importpath = "k8s.io/kubernetes/pkg/kubeapiserver/options",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/api/legacyscheme:go_default_library",
|
"//pkg/api/legacyscheme:go_default_library",
|
||||||
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
|
|
||||||
"//pkg/cloudprovider/providers:go_default_library",
|
"//pkg/cloudprovider/providers:go_default_library",
|
||||||
"//pkg/features:go_default_library",
|
"//pkg/features:go_default_library",
|
||||||
"//pkg/kubeapiserver/authenticator:go_default_library",
|
"//pkg/kubeapiserver/authenticator:go_default_library",
|
||||||
|
@ -25,7 +25,6 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
versionedinformers "k8s.io/client-go/informers"
|
versionedinformers "k8s.io/client-go/informers"
|
||||||
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
|
|
||||||
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
|
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
|
||||||
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
||||||
)
|
)
|
||||||
@ -110,14 +109,13 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
|
|||||||
"The duration to cache 'unauthorized' responses from the webhook authorizer.")
|
"The duration to cache 'unauthorized' responses from the webhook authorizer.")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(informerFactory informers.SharedInformerFactory, versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
|
func (s *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFactory versionedinformers.SharedInformerFactory) authorizer.AuthorizationConfig {
|
||||||
return authorizer.AuthorizationConfig{
|
return authorizer.AuthorizationConfig{
|
||||||
AuthorizationModes: s.Modes,
|
AuthorizationModes: s.Modes,
|
||||||
PolicyFile: s.PolicyFile,
|
PolicyFile: s.PolicyFile,
|
||||||
WebhookConfigFile: s.WebhookConfigFile,
|
WebhookConfigFile: s.WebhookConfigFile,
|
||||||
WebhookCacheAuthorizedTTL: s.WebhookCacheAuthorizedTTL,
|
WebhookCacheAuthorizedTTL: s.WebhookCacheAuthorizedTTL,
|
||||||
WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
|
WebhookCacheUnauthorizedTTL: s.WebhookCacheUnauthorizedTTL,
|
||||||
InformerFactory: informerFactory,
|
|
||||||
VersionedInformerFactory: versionedInformerFactory,
|
VersionedInformerFactory: versionedInformerFactory,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
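Review bot: ToAuthorizationConfig is exported and has no doc comment, and this hunk changes its parameter list, so the contract is worth writing down now. Something like `// ToAuthorizationConfig copies the authorization options into an authorizer.AuthorizationConfig that uses the given versioned informer factory.` above the method would do. Dropping the first parameter breaks any out-of-tree caller at compile time, which is loud rather than silent, but it deserves a release note if this package is consumed outside the tree.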
@ -15,7 +15,6 @@ go_test(
|
|||||||
],
|
],
|
||||||
embed = [":go_default_library"],
|
embed = [":go_default_library"],
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/apis/core:go_default_library",
|
|
||||||
"//pkg/auth/nodeidentifier:go_default_library",
|
"//pkg/auth/nodeidentifier:go_default_library",
|
||||||
"//pkg/features:go_default_library",
|
"//pkg/features:go_default_library",
|
||||||
"//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
|
"//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
|
||||||
@ -45,7 +44,6 @@ go_library(
|
|||||||
"//pkg/apis/core:go_default_library",
|
"//pkg/apis/core:go_default_library",
|
||||||
"//pkg/apis/storage:go_default_library",
|
"//pkg/apis/storage:go_default_library",
|
||||||
"//pkg/auth/nodeidentifier:go_default_library",
|
"//pkg/auth/nodeidentifier:go_default_library",
|
||||||
"//pkg/client/informers/informers_generated/internalversion/core/internalversion:go_default_library",
|
|
||||||
"//pkg/features:go_default_library",
|
"//pkg/features:go_default_library",
|
||||||
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
|
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
|
||||||
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||||
|
@ -22,7 +22,6 @@ import (
|
|||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
pvutil "k8s.io/kubernetes/pkg/api/v1/persistentvolume"
|
pvutil "k8s.io/kubernetes/pkg/api/v1/persistentvolume"
|
||||||
podutil "k8s.io/kubernetes/pkg/api/v1/pod"
|
podutil "k8s.io/kubernetes/pkg/api/v1/pod"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
|
||||||
"k8s.io/kubernetes/third_party/forked/gonum/graph"
|
"k8s.io/kubernetes/third_party/forked/gonum/graph"
|
||||||
"k8s.io/kubernetes/third_party/forked/gonum/graph/simple"
|
"k8s.io/kubernetes/third_party/forked/gonum/graph/simple"
|
||||||
)
|
)
|
||||||
@ -318,7 +317,7 @@ func (g *Graph) AddPod(pod *corev1.Pod) {
|
|||||||
// Short-circuit adding edges to other resources for mirror pods.
|
// Short-circuit adding edges to other resources for mirror pods.
|
||||||
// A node must never be able to create a pod that grants them permissions on other API objects.
|
// A node must never be able to create a pod that grants them permissions on other API objects.
|
||||||
// The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth.
|
// The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth.
|
||||||
if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; isMirrorPod {
|
if _, isMirrorPod := pod.Annotations[corev1.MirrorPodAnnotationKey]; isMirrorPod {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
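Review bot: The mirror-pod short-circuit in AddPod is a security control, and this commit shows no test that pins it after the switch to `corev1.MirrorPodAnnotationKey`. The pod is a `*corev1.Pod`, so reading the key from the v1 package is consistent with the argument type, but the guard only holds while that constant matches the key the NodeRestriction plugin checks. A unit test that adds a pod carrying the annotation and asserts the graph gains no edges to other resources would catch drift; such a test may already exist outside the visible hunks. AddPod starts and ends outside the hunk.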
@ -26,8 +26,6 @@ import (
|
|||||||
corev1informers "k8s.io/client-go/informers/core/v1"
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
||||||
storageinformers "k8s.io/client-go/informers/storage/v1beta1"
|
storageinformers "k8s.io/client-go/informers/storage/v1beta1"
|
||||||
"k8s.io/client-go/tools/cache"
|
"k8s.io/client-go/tools/cache"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
|
||||||
coreinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/core/internalversion"
|
|
||||||
"k8s.io/kubernetes/pkg/features"
|
"k8s.io/kubernetes/pkg/features"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -37,7 +35,7 @@ type graphPopulator struct {
|
|||||||
|
|
||||||
func AddGraphEventHandlers(
|
func AddGraphEventHandlers(
|
||||||
graph *Graph,
|
graph *Graph,
|
||||||
nodes coreinformers.NodeInformer,
|
nodes corev1informers.NodeInformer,
|
||||||
pods corev1informers.PodInformer,
|
pods corev1informers.PodInformer,
|
||||||
pvs corev1informers.PersistentVolumeInformer,
|
pvs corev1informers.PersistentVolumeInformer,
|
||||||
attachments storageinformers.VolumeAttachmentInformer,
|
attachments storageinformers.VolumeAttachmentInformer,
|
||||||
@ -80,10 +78,10 @@ func (g *graphPopulator) addNode(obj interface{}) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (g *graphPopulator) updateNode(oldObj, obj interface{}) {
|
func (g *graphPopulator) updateNode(oldObj, obj interface{}) {
|
||||||
node := obj.(*api.Node)
|
node := obj.(*corev1.Node)
|
||||||
var oldNode *api.Node
|
var oldNode *corev1.Node
|
||||||
if oldObj != nil {
|
if oldObj != nil {
|
||||||
oldNode = oldObj.(*api.Node)
|
oldNode = oldObj.(*corev1.Node)
|
||||||
}
|
}
|
||||||
|
|
||||||
// we only set up rules for ConfigMap today, because that is the only reference type
|
// we only set up rules for ConfigMap today, because that is the only reference type
|
||||||
@ -119,7 +117,7 @@ func (g *graphPopulator) deleteNode(obj interface{}) {
|
|||||||
if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
|
if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
|
||||||
obj = tombstone.Obj
|
obj = tombstone.Obj
|
||||||
}
|
}
|
||||||
node, ok := obj.(*api.Node)
|
node, ok := obj.(*corev1.Node)
|
||||||
if !ok {
|
if !ok {
|
||||||
glog.Infof("unexpected type %T", obj)
|
glog.Infof("unexpected type %T", obj)
|
||||||
return
|
return
|
||||||
|
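Review bot: In updateNode the assertions `node := obj.(*corev1.Node)` and `oldNode = oldObj.(*corev1.Node)` are unchecked, so an object of any other type reaching this handler panics instead of being skipped. deleteNode in the same file already uses the two-value form and logs `unexpected type %T`; updateNode should match it, e.g. `node, ok := obj.(*corev1.Node)` followed by `if !ok { glog.Infof("unexpected type %T", obj); return }`, and the same for `oldObj`. This matters more when the informer source changes, as it does here, because a mismatch between the informer's element type and the asserted type only shows up at run time. updateNode's body continues outside the hunk.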
@ -33,7 +33,6 @@ import (
|
|||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||||
api "k8s.io/kubernetes/pkg/apis/core"
|
|
||||||
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
|
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
|
||||||
"k8s.io/kubernetes/pkg/features"
|
"k8s.io/kubernetes/pkg/features"
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
|
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
|
||||||
@ -684,7 +683,7 @@ func BenchmarkAuthorization(b *testing.B) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
|
func populate(graph *Graph, nodes []*corev1.Node, pods []*corev1.Pod, pvs []*corev1.PersistentVolume, attachments []*storagev1beta1.VolumeAttachment) {
|
||||||
p := &graphPopulator{}
|
p := &graphPopulator{}
|
||||||
p.graph = graph
|
p.graph = graph
|
||||||
for _, node := range nodes {
|
for _, node := range nodes {
|
||||||
@ -705,8 +704,8 @@ func populate(graph *Graph, nodes []*api.Node, pods []*corev1.Pod, pvs []*corev1
|
|||||||
// the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects.
|
// the secret/configmap/pvc/node references in the pod and pv objects are named to indicate the connections between the objects.
|
||||||
// for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0.
|
// for example, secret0-pod0-node0 is a secret referenced by pod0 which is bound to node0.
|
||||||
// when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1.
|
// when populated into the graph, the node authorizer should allow node0 to access that secret, but not node1.
|
||||||
func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
|
func generate(opts sampleDataOpts) ([]*corev1.Node, []*corev1.Pod, []*corev1.PersistentVolume, []*storagev1beta1.VolumeAttachment) {
|
||||||
nodes := make([]*api.Node, 0, opts.nodes)
|
nodes := make([]*corev1.Node, 0, opts.nodes)
|
||||||
pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode)
|
pods := make([]*corev1.Pod, 0, opts.nodes*opts.podsPerNode)
|
||||||
pvs := make([]*corev1.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
|
pvs := make([]*corev1.PersistentVolume, 0, (opts.nodes*opts.podsPerNode*opts.uniquePVCsPerPod)+(opts.sharedPVCsPerPod*opts.namespaces))
|
||||||
attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode)
|
attachments := make([]*storagev1beta1.VolumeAttachment, 0, opts.nodes*opts.attachmentsPerNode)
|
||||||
@ -775,11 +774,11 @@ func generate(opts sampleDataOpts) ([]*api.Node, []*corev1.Pod, []*corev1.Persis
|
|||||||
}
|
}
|
||||||
|
|
||||||
name := fmt.Sprintf("%s-configmap", nodeName)
|
name := fmt.Sprintf("%s-configmap", nodeName)
|
||||||
nodes = append(nodes, &api.Node{
|
nodes = append(nodes, &corev1.Node{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: nodeName},
|
ObjectMeta: metav1.ObjectMeta{Name: nodeName},
|
||||||
Spec: api.NodeSpec{
|
Spec: corev1.NodeSpec{
|
||||||
ConfigSource: &api.NodeConfigSource{
|
ConfigSource: &corev1.NodeConfigSource{
|
||||||
ConfigMap: &api.ConfigMapNodeConfigSource{
|
ConfigMap: &corev1.ConfigMapNodeConfigSource{
|
||||||
Name: name,
|
Name: name,
|
||||||
Namespace: "ns0",
|
Namespace: "ns0",
|
||||||
UID: types.UID(fmt.Sprintf("ns0-%s", name)),
|
UID: types.UID(fmt.Sprintf("ns0-%s", name)),
|
||||||
|
@ -30,7 +30,6 @@ go_test(
|
|||||||
"//pkg/auth/authorizer/abac:go_default_library",
|
"//pkg/auth/authorizer/abac:go_default_library",
|
||||||
"//pkg/auth/nodeidentifier:go_default_library",
|
"//pkg/auth/nodeidentifier:go_default_library",
|
||||||
"//pkg/client/clientset_generated/internalclientset:go_default_library",
|
"//pkg/client/clientset_generated/internalclientset:go_default_library",
|
||||||
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
|
|
||||||
"//pkg/controller/serviceaccount:go_default_library",
|
"//pkg/controller/serviceaccount:go_default_library",
|
||||||
"//pkg/features:go_default_library",
|
"//pkg/features:go_default_library",
|
||||||
"//pkg/kubeapiserver/authorizer:go_default_library",
|
"//pkg/kubeapiserver/authorizer:go_default_library",
|
||||||
|
@ -42,7 +42,6 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/apis/policy"
|
"k8s.io/kubernetes/pkg/apis/policy"
|
||||||
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
|
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
|
||||||
clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
|
clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
|
||||||
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
|
|
||||||
"k8s.io/kubernetes/pkg/features"
|
"k8s.io/kubernetes/pkg/features"
|
||||||
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
|
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer"
|
||||||
"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
|
"k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
|
||||||
@ -75,7 +74,6 @@ func TestNodeAuthorizer(t *testing.T) {
|
|||||||
// Build client config, clientset, and informers
|
// Build client config, clientset, and informers
|
||||||
clientConfig := &restclient.Config{Host: apiServer.URL, ContentConfig: restclient.ContentConfig{NegotiatedSerializer: legacyscheme.Codecs}}
|
clientConfig := &restclient.Config{Host: apiServer.URL, ContentConfig: restclient.ContentConfig{NegotiatedSerializer: legacyscheme.Codecs}}
|
||||||
superuserClient, superuserClientExternal := clientsetForToken(tokenMaster, clientConfig)
|
superuserClient, superuserClientExternal := clientsetForToken(tokenMaster, clientConfig)
|
||||||
informerFactory := informers.NewSharedInformerFactory(superuserClient, time.Minute)
|
|
||||||
versionedInformerFactory := versionedinformers.NewSharedInformerFactory(superuserClientExternal, time.Minute)
|
versionedInformerFactory := versionedinformers.NewSharedInformerFactory(superuserClientExternal, time.Minute)
|
||||||
|
|
||||||
// Enabled CSIPersistentVolume feature at startup so volumeattachments get watched
|
// Enabled CSIPersistentVolume feature at startup so volumeattachments get watched
|
||||||
@ -87,7 +85,6 @@ func TestNodeAuthorizer(t *testing.T) {
|
|||||||
// Set up Node+RBAC authorizer
|
// Set up Node+RBAC authorizer
|
||||||
authorizerConfig := &authorizer.AuthorizationConfig{
|
authorizerConfig := &authorizer.AuthorizationConfig{
|
||||||
AuthorizationModes: []string{"Node", "RBAC"},
|
AuthorizationModes: []string{"Node", "RBAC"},
|
||||||
InformerFactory: informerFactory,
|
|
||||||
VersionedInformerFactory: versionedInformerFactory,
|
VersionedInformerFactory: versionedInformerFactory,
|
||||||
}
|
}
|
||||||
nodeRBACAuthorizer, _, err := authorizerConfig.New()
|
nodeRBACAuthorizer, _, err := authorizerConfig.New()
|
||||||
@ -114,7 +111,6 @@ func TestNodeAuthorizer(t *testing.T) {
|
|||||||
// Start the informers
|
// Start the informers
|
||||||
stopCh := make(chan struct{})
|
stopCh := make(chan struct{})
|
||||||
defer close(stopCh)
|
defer close(stopCh)
|
||||||
informerFactory.Start(stopCh)
|
|
||||||
versionedInformerFactory.Start(stopCh)
|
versionedInformerFactory.Start(stopCh)
|
||||||
|
|
||||||
// Wait for a healthy server
|
// Wait for a healthy server
|
||||||
|