github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 20:53:33 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #40430 from deads2k/generic-28-factory

Browse Source 
Automatic merge from submit-queue

move genericapiserver authenticator and authorizer factories

straight move to `apiserver`
This commit is contained in:
Kubernetes Submit Queue 2017-01-26 07:37:43 -08:00 committed by GitHub
commit ff67d8218e
27 changed files with 103 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/kubelet/app/BUILD
View File

@ -54,8 +54,6 @@ go_library(
"//pkg/credentialprovider/azure:go_default_library",
"//pkg/credentialprovider/gcp:go_default_library",
"//pkg/features:go_default_library",
"//pkg/genericapiserver/authenticator:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//pkg/kubelet:go_default_library",
"//pkg/kubelet/cadvisor:go_default_library",
"//pkg/kubelet/cm:go_default_library",
@ -109,7 +107,9 @@ go_library(
"//vendor:k8s.io/apimachinery/pkg/util/runtime",
"//vendor:k8s.io/apimachinery/pkg/util/wait",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
"//vendor:k8s.io/apiserver/pkg/server/healthz",
"//vendor:k8s.io/apiserver/pkg/util/feature",
"//vendor:k8s.io/client-go/kubernetes",

13
cmd/kubelet/app/auth.go
View File

@ -21,17 +21,16 @@ import (
"fmt"
"reflect"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
clientset "k8s.io/client-go/kubernetes"
authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/kubernetes/pkg/apis/componentconfig"
apiserverauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
alwaysallowauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
"k8s.io/kubernetes/pkg/kubelet/server"
)
@ -62,7 +61,7 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
}
func buildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
authenticatorConfig := apiserverauthenticator.DelegatingAuthenticatorConfig{
authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
Anonymous: authn.Anonymous.Enabled,
CacheTTL: authn.Webhook.CacheTTL.Duration,
ClientCAFile: authn.X509.ClientCAFile,
@ -82,13 +81,13 @@ func buildAuthn(client authenticationclient.TokenReviewInterface, authn componen
func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
switch authz.Mode {
case componentconfig.KubeletAuthorizationModeAlwaysAllow:
return alwaysallowauthorizer.NewAlwaysAllowAuthorizer(), nil
return authorizerfactory.NewAlwaysAllowAuthorizer(), nil
case componentconfig.KubeletAuthorizationModeWebhook:
if client == nil {
return nil, errors.New("no client provided, cannot use webhook authorization")
}
authorizerConfig := apiserverauthorizer.DelegatingAuthorizerConfig{
authorizerConfig := authorizerfactory.DelegatingAuthorizerConfig{
SubjectAccessReviewClient: client,
AllowCacheTTL: authz.Webhook.CacheAuthorizedTTL.Duration,
DenyCacheTTL: authz.Webhook.CacheUnauthorizedTTL.Duration,

2
examples/apiserver/BUILD
View File

@ -16,7 +16,6 @@ go_library(
"//cmd/libs/go2idl/client-gen/test_apis/testgroup/v1:go_default_library",
"//examples/apiserver/rest:go_default_library",
"//pkg/api:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//pkg/genericapiserver/registry/generic:go_default_library",
"//pkg/genericapiserver/registry/rest:go_default_library",
"//pkg/genericapiserver/server:go_default_library",
@ -26,6 +25,7 @@ go_library(
"//vendor:github.com/golang/glog",
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
"//vendor:k8s.io/apimachinery/pkg/util/errors",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
],
)

4
examples/apiserver/apiserver.go
View File

@ -21,10 +21,10 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/kubernetes/cmd/libs/go2idl/client-gen/test_apis/testgroup/v1"
testgroupetcd "k8s.io/kubernetes/examples/apiserver/rest"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
"k8s.io/kubernetes/pkg/genericapiserver/registry/generic"
"k8s.io/kubernetes/pkg/genericapiserver/registry/rest"
genericapiserver "k8s.io/kubernetes/pkg/genericapiserver/server"
@ -113,7 +113,7 @@ func (serverOptions *ServerRunOptions) Run(stopCh <-chan struct{}) error {
return fmt.Errorf("failed to configure authentication: %s", err)
}
config.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
config.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
config.SwaggerConfig = genericapiserver.DefaultSwaggerConfig()
s, err := config.Complete().New()

2
pkg/genericapiserver/BUILD
View File

@ -24,8 +24,6 @@ filegroup(
name = "all-srcs",
srcs = [
":package-srcs",
"//pkg/genericapiserver/authenticator:all-srcs",
"//pkg/genericapiserver/authorizer:all-srcs",
"//pkg/genericapiserver/endpoints:all-srcs",
"//pkg/genericapiserver/registry:all-srcs",
"//pkg/genericapiserver/server:all-srcs",

46
pkg/genericapiserver/authenticator/BUILD
View File

@ -1,46 +0,0 @@
package(default_visibility = ["//visibility:public"])
licenses(["notice"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
)
go_library(
name = "go_default_library",
srcs = [
"delegating.go",
"loopback.go",
"requestheader.go",
],
tags = ["automanaged"],
deps = [
"//vendor:github.com/go-openapi/spec",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
"//vendor:k8s.io/apiserver/pkg/authentication/group",
"//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
"//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
"//vendor:k8s.io/apiserver/pkg/authentication/request/headerrequest",
"//vendor:k8s.io/apiserver/pkg/authentication/request/union",
"//vendor:k8s.io/apiserver/pkg/authentication/request/x509",
"//vendor:k8s.io/apiserver/pkg/authentication/token/tokenfile",
"//vendor:k8s.io/apiserver/pkg/authentication/user",
"//vendor:k8s.io/apiserver/plugin/pkg/authenticator/token/webhook",
"//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
"//vendor:k8s.io/client-go/util/cert",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)

47
pkg/genericapiserver/authorizer/BUILD
View File

@ -1,47 +0,0 @@
package(default_visibility = ["//visibility:public"])
licenses(["notice"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_test(
name = "go_default_test",
srcs = ["authz_test.go"],
library = ":go_default_library",
tags = ["automanaged"],
deps = [
"//vendor:k8s.io/apiserver/pkg/authentication/user",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
],
)
go_library(
name = "go_default_library",
srcs = [
"builtin.go",
"delegating.go",
],
tags = ["automanaged"],
deps = [
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
"//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
"//vendor:k8s.io/client-go/kubernetes/typed/authorization/v1beta1",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)

4
pkg/genericapiserver/server/BUILD
View File

@ -67,8 +67,6 @@ go_library(
tags = ["automanaged"],
deps = [
"//pkg/api:go_default_library",
"//pkg/genericapiserver/authenticator:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//pkg/genericapiserver/endpoints:go_default_library",
"//pkg/genericapiserver/endpoints/filters:go_default_library",
"//pkg/genericapiserver/endpoints/openapi:go_default_library",
@ -99,9 +97,11 @@ go_library(
"//vendor:k8s.io/apimachinery/pkg/version",
"//vendor:k8s.io/apiserver/pkg/admission",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
"//vendor:k8s.io/apiserver/pkg/authentication/request/union",
"//vendor:k8s.io/apiserver/pkg/authentication/user",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
"//vendor:k8s.io/apiserver/pkg/authorization/union",
"//vendor:k8s.io/apiserver/pkg/endpoints/request",
"//vendor:k8s.io/apiserver/pkg/server/healthz",

8
pkg/genericapiserver/server/config.go
View File

@ -43,17 +43,17 @@ import (
"k8s.io/apimachinery/pkg/version"
"k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
authorizerunion "k8s.io/apiserver/pkg/authorization/union"
apirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/server/healthz"
restclient "k8s.io/client-go/rest"
certutil "k8s.io/client-go/util/cert"
"k8s.io/kubernetes/pkg/api"
genericauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
genericauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericapifilters "k8s.io/kubernetes/pkg/genericapiserver/endpoints/filters"
apiopenapi "k8s.io/kubernetes/pkg/genericapiserver/endpoints/openapi"
genericfilters "k8s.io/kubernetes/pkg/genericapiserver/server/filters"
@ -480,10 +480,10 @@ func (c *Config) Complete() completedConfig {
Groups: []string{user.SystemPrivilegedGroup},
}
tokenAuthenticator := genericauthenticator.NewAuthenticatorFromTokens(tokens)
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
c.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authenticator)
tokenAuthorizer := genericauthorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
c.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorizer)
}

4
pkg/genericapiserver/server/options/BUILD
View File

@ -21,8 +21,6 @@ go_library(
deps = [
"//pkg/api:go_default_library",
"//pkg/features:go_default_library",
"//pkg/genericapiserver/authenticator:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//pkg/storage/storagebackend:go_default_library",
"//vendor:github.com/golang/glog",
"//vendor:github.com/spf13/pflag",
@ -30,6 +28,8 @@ go_library(
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
"//vendor:k8s.io/apimachinery/pkg/util/net",
"//vendor:k8s.io/apiserver/pkg/admission",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
"//vendor:k8s.io/apiserver/pkg/util/feature",
"//vendor:k8s.io/apiserver/pkg/util/flag",
"//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",

12
pkg/genericapiserver/server/options/authentication.go
View File

@ -21,10 +21,10 @@ import (
"github.com/spf13/pflag"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/kubernetes/pkg/genericapiserver/authenticator"
)
type RequestHeaderAuthenticationOptions struct {
@ -57,12 +57,12 @@ func (s *RequestHeaderAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
// ToAuthenticationRequestHeaderConfig returns a RequestHeaderConfig config object for these options
// if necessary, nil otherwise.
func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() *authenticator.RequestHeaderConfig {
func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() *authenticatorfactory.RequestHeaderConfig {
if len(s.UsernameHeaders) == 0 {
return nil
}
return &authenticator.RequestHeaderConfig{
return &authenticatorfactory.RequestHeaderConfig{
UsernameHeaders: s.UsernameHeaders,
GroupHeaders: s.GroupHeaders,
ExtraHeaderPrefixes: s.ExtraHeaderPrefixes,
@ -128,13 +128,13 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
s.RequestHeader.AddFlags(fs)
}
func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticator.DelegatingAuthenticatorConfig, error) {
func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticatorfactory.DelegatingAuthenticatorConfig, error) {
tokenClient, err := s.newTokenAccessReview()
if err != nil {
return authenticator.DelegatingAuthenticatorConfig{}, err
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
}
ret := authenticator.DelegatingAuthenticatorConfig{
ret := authenticatorfactory.DelegatingAuthenticatorConfig{
Anonymous: true,
TokenAccessReviewClient: tokenClient,
CacheTTL: s.CacheTTL,

8
pkg/genericapiserver/server/options/authorization.go
View File

@ -21,10 +21,10 @@ import (
"github.com/spf13/pflag"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
)
// DelegatingAuthorizationOptions provides an easy way for composing API servers to delegate their authorization to
@ -69,13 +69,13 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
"The duration to cache 'unauthorized' responses from the webhook authorizer.")
}
func (s *DelegatingAuthorizationOptions) ToAuthorizationConfig() (authorizer.DelegatingAuthorizerConfig, error) {
func (s *DelegatingAuthorizationOptions) ToAuthorizationConfig() (authorizerfactory.DelegatingAuthorizerConfig, error) {
sarClient, err := s.newSubjectAccessReview()
if err != nil {
return authorizer.DelegatingAuthorizerConfig{}, err
return authorizerfactory.DelegatingAuthorizerConfig{}, err
}
ret := authorizer.DelegatingAuthorizerConfig{
ret := authorizerfactory.DelegatingAuthorizerConfig{
SubjectAccessReviewClient: sarClient,
AllowCacheTTL: s.AllowCacheTTL,
DenyCacheTTL: s.DenyCacheTTL,

2
pkg/kubeapiserver/authenticator/BUILD
View File

@ -12,10 +12,10 @@ go_library(
srcs = ["config.go"],
tags = ["automanaged"],
deps = [
"//pkg/genericapiserver/authenticator:go_default_library",
"//pkg/serviceaccount:go_default_library",
"//vendor:github.com/go-openapi/spec",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
"//vendor:k8s.io/apiserver/pkg/authentication/group",
"//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
"//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",

4
pkg/kubeapiserver/authenticator/config.go
View File

@ -22,6 +22,7 @@ import (
"github.com/go-openapi/spec"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
@ -37,7 +38,6 @@ import (
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
certutil "k8s.io/client-go/util/cert"
genericauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
"k8s.io/kubernetes/pkg/serviceaccount"
// Initialize all known client auth plugins.
@ -63,7 +63,7 @@ type AuthenticatorConfig struct {
WebhookTokenAuthnConfigFile string
WebhookTokenAuthnCacheTTL time.Duration
RequestHeaderConfig *genericauthenticator.RequestHeaderConfig
RequestHeaderConfig *authenticatorfactory.RequestHeaderConfig
// TODO, this is the only non-serializable part of the entire config. Factor it out into a clientconfig
ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter

2
pkg/kubeapiserver/authorizer/BUILD
View File

@ -25,9 +25,9 @@ go_library(
deps = [
"//pkg/auth/authorizer/abac:go_default_library",
"//pkg/controller/informers:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
"//vendor:k8s.io/apiserver/pkg/authorization/union",
"//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
],

6
pkg/kubeapiserver/authorizer/config.go
View File

@ -22,11 +22,11 @@ import (
"time"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/union"
"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/controller/informers"
genericauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
)
@ -80,9 +80,9 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
// Keep cases in sync with constant list above.
switch authorizationMode {
case ModeAlwaysAllow:
authorizers = append(authorizers, genericauthorizer.NewAlwaysAllowAuthorizer())
authorizers = append(authorizers, authorizerfactory.NewAlwaysAllowAuthorizer())
case ModeAlwaysDeny:
authorizers = append(authorizers, genericauthorizer.NewAlwaysDenyAuthorizer())
authorizers = append(authorizers, authorizerfactory.NewAlwaysDenyAuthorizer())
case ModeABAC:
if config.PolicyFile == "" {
return nil, errors.New("ABAC's authorization policy file not passed")

2
pkg/genericapiserver/authenticator/delegating.go → staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package authenticator
package authenticatorfactory
import (
"errors"

6
pkg/genericapiserver/authenticator/loopback.go → staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package authenticator
package authenticatorfactory
import (
"k8s.io/apiserver/pkg/authentication/authenticator"
@ -23,7 +23,7 @@ import (
"k8s.io/apiserver/pkg/authentication/user"
)
// newAuthenticatorFromToken returns an authenticator.Request or an error
func NewAuthenticatorFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
// NewFromTokens returns an authenticator.Request or an error
func NewFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
return bearertoken.New(tokenfile.New(tokens))
}

2
pkg/genericapiserver/authenticator/requestheader.go → staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package authenticator
package authenticatorfactory
type RequestHeaderConfig struct {
// UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.

0
pkg/genericapiserver/authorizer/OWNERS → staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/OWNERS
View File

2
pkg/genericapiserver/authorizer/authz_test.go → staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package authorizer
package authorizerfactory
import (
"testing"

2
pkg/genericapiserver/authorizer/builtin.go → staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package authorizer
package authorizerfactory
import (
"errors"

2
pkg/genericapiserver/authorizer/delegating.go → staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package authorizer
package authorizerfactory
import (
"time"

4
test/integration/auth/auth_test.go
View File

@ -43,6 +43,7 @@ import (
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest"
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
"k8s.io/client-go/tools/clientcmd/api/v1"
@ -52,7 +53,6 @@ import (
"k8s.io/kubernetes/pkg/apis/autoscaling"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
"k8s.io/kubernetes/plugin/pkg/admission/admit"
"k8s.io/kubernetes/test/integration"
"k8s.io/kubernetes/test/integration/framework"
@ -502,7 +502,7 @@ func getPreviousResourceVersionKey(url, id string) string {
func TestAuthModeAlwaysDeny(t *testing.T) {
// Set up a master
masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.GenericConfig.Authorizer = apiserverauthorizer.NewAlwaysDenyAuthorizer()
masterConfig.GenericConfig.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
_, s := framework.RunAMaster(masterConfig)
defer s.Close()

4
test/integration/framework/BUILD
View File

@ -35,8 +35,6 @@ go_library(
"//pkg/controller:go_default_library",
"//pkg/controller/replication:go_default_library",
"//pkg/generated/openapi:go_default_library",
"//pkg/genericapiserver/authenticator:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//pkg/genericapiserver/server:go_default_library",
"//pkg/kubectl:go_default_library",
"//pkg/kubelet/client:go_default_library",
@ -57,9 +55,11 @@ go_library(
"//vendor:k8s.io/apimachinery/pkg/util/wait",
"//vendor:k8s.io/apimachinery/pkg/watch",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
"//vendor:k8s.io/apiserver/pkg/authentication/request/union",
"//vendor:k8s.io/apiserver/pkg/authentication/user",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
"//vendor:k8s.io/apiserver/pkg/authorization/union",
"//vendor:k8s.io/client-go/rest",
],

10
test/integration/framework/master_utils.go
View File

@ -33,9 +33,11 @@ import (
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apimachinery/pkg/watch"
authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/user"
authauthorizer "k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
authorizerunion "k8s.io/apiserver/pkg/authorization/union"
restclient "k8s.io/client-go/rest"
"k8s.io/kubernetes/pkg/api"
@ -56,8 +58,6 @@ import (
"k8s.io/kubernetes/pkg/controller"
replicationcontroller "k8s.io/kubernetes/pkg/controller/replication"
"k8s.io/kubernetes/pkg/generated/openapi"
"k8s.io/kubernetes/pkg/genericapiserver/authenticator"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericapiserver "k8s.io/kubernetes/pkg/genericapiserver/server"
"k8s.io/kubernetes/pkg/kubectl"
kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
@ -214,7 +214,7 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
Groups: []string{user.SystemPrivilegedGroup},
}
tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
if masterConfig.GenericConfig.Authenticator == nil {
masterConfig.GenericConfig.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty))
} else {
@ -222,7 +222,7 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
}
if masterConfig.GenericConfig.Authorizer != nil {
tokenAuthorizer := authorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
masterConfig.GenericConfig.Authorizer = authorizerunion.New(tokenAuthorizer, masterConfig.GenericConfig.Authorizer)
} else {
masterConfig.GenericConfig.Authorizer = alwaysAllow{}
@ -357,7 +357,7 @@ func NewMasterConfig() *master.Config {
genericConfig := genericapiserver.NewConfig()
kubeVersion := version.Get()
genericConfig.Version = &kubeVersion
genericConfig.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
genericConfig.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
genericConfig.AdmissionControl = admit.NewAlwaysAdmit()
genericConfig.EnableMetrics = true

50
vendor/BUILD vendored
View File

@ -14045,3 +14045,53 @@ go_library(
srcs = ["k8s.io/apiserver/pkg/util/trie/trie.go"],
tags = ["automanaged"],
)
go_library(
name = "k8s.io/apiserver/pkg/authentication/authenticatorfactory",
srcs = [
"k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go",
"k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go",
"k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go",
],
tags = ["automanaged"],
deps = [
"//vendor:github.com/go-openapi/spec",
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
"//vendor:k8s.io/apiserver/pkg/authentication/group",
"//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
"//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
"//vendor:k8s.io/apiserver/pkg/authentication/request/headerrequest",
"//vendor:k8s.io/apiserver/pkg/authentication/request/union",
"//vendor:k8s.io/apiserver/pkg/authentication/request/x509",
"//vendor:k8s.io/apiserver/pkg/authentication/token/tokenfile",
"//vendor:k8s.io/apiserver/pkg/authentication/user",
"//vendor:k8s.io/apiserver/plugin/pkg/authenticator/token/webhook",
"//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
"//vendor:k8s.io/client-go/util/cert",
],
)
go_test(
name = "k8s.io/apiserver/pkg/authorization/authorizerfactory_test",
srcs = ["k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go"],
library = ":k8s.io/apiserver/pkg/authorization/authorizerfactory",
tags = ["automanaged"],
deps = [
"//vendor:k8s.io/apiserver/pkg/authentication/user",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
],
)
go_library(
name = "k8s.io/apiserver/pkg/authorization/authorizerfactory",
srcs = [
"k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go",
"k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go",
],
tags = ["automanaged"],
deps = [
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
"//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
"//vendor:k8s.io/client-go/kubernetes/typed/authorization/v1beta1",
],
)