mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 19:56:01 +00:00
Merge pull request #40430 from deads2k/generic-28-factory
Automatic merge from submit-queue move genericapiserver authenticator and authorizer factories straight move to `apiserver`
This commit is contained in:
commit
ff67d8218e
@ -54,8 +54,6 @@ go_library(
|
||||
"//pkg/credentialprovider/azure:go_default_library",
|
||||
"//pkg/credentialprovider/gcp:go_default_library",
|
||||
"//pkg/features:go_default_library",
|
||||
"//pkg/genericapiserver/authenticator:go_default_library",
|
||||
"//pkg/genericapiserver/authorizer:go_default_library",
|
||||
"//pkg/kubelet:go_default_library",
|
||||
"//pkg/kubelet/cadvisor:go_default_library",
|
||||
"//pkg/kubelet/cm:go_default_library",
|
||||
@ -109,7 +107,9 @@ go_library(
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/runtime",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/wait",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/server/healthz",
|
||||
"//vendor:k8s.io/apiserver/pkg/util/feature",
|
||||
"//vendor:k8s.io/client-go/kubernetes",
|
||||
|
@ -21,17 +21,16 @@ import (
|
||||
"fmt"
|
||||
"reflect"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
|
||||
authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
|
||||
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/kubernetes/pkg/apis/componentconfig"
|
||||
apiserverauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
|
||||
alwaysallowauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
"k8s.io/kubernetes/pkg/kubelet/server"
|
||||
)
|
||||
|
||||
@ -62,7 +61,7 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
|
||||
}
|
||||
|
||||
func buildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
|
||||
authenticatorConfig := apiserverauthenticator.DelegatingAuthenticatorConfig{
|
||||
authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
|
||||
Anonymous: authn.Anonymous.Enabled,
|
||||
CacheTTL: authn.Webhook.CacheTTL.Duration,
|
||||
ClientCAFile: authn.X509.ClientCAFile,
|
||||
@ -82,13 +81,13 @@ func buildAuthn(client authenticationclient.TokenReviewInterface, authn componen
|
||||
func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
|
||||
switch authz.Mode {
|
||||
case componentconfig.KubeletAuthorizationModeAlwaysAllow:
|
||||
return alwaysallowauthorizer.NewAlwaysAllowAuthorizer(), nil
|
||||
return authorizerfactory.NewAlwaysAllowAuthorizer(), nil
|
||||
|
||||
case componentconfig.KubeletAuthorizationModeWebhook:
|
||||
if client == nil {
|
||||
return nil, errors.New("no client provided, cannot use webhook authorization")
|
||||
}
|
||||
authorizerConfig := apiserverauthorizer.DelegatingAuthorizerConfig{
|
||||
authorizerConfig := authorizerfactory.DelegatingAuthorizerConfig{
|
||||
SubjectAccessReviewClient: client,
|
||||
AllowCacheTTL: authz.Webhook.CacheAuthorizedTTL.Duration,
|
||||
DenyCacheTTL: authz.Webhook.CacheUnauthorizedTTL.Duration,
|
||||
|
@ -16,7 +16,6 @@ go_library(
|
||||
"//cmd/libs/go2idl/client-gen/test_apis/testgroup/v1:go_default_library",
|
||||
"//examples/apiserver/rest:go_default_library",
|
||||
"//pkg/api:go_default_library",
|
||||
"//pkg/genericapiserver/authorizer:go_default_library",
|
||||
"//pkg/genericapiserver/registry/generic:go_default_library",
|
||||
"//pkg/genericapiserver/registry/rest:go_default_library",
|
||||
"//pkg/genericapiserver/server:go_default_library",
|
||||
@ -26,6 +25,7 @@ go_library(
|
||||
"//vendor:github.com/golang/glog",
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/errors",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
|
||||
],
|
||||
)
|
||||
|
||||
|
@ -21,10 +21,10 @@ import (
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
utilerrors "k8s.io/apimachinery/pkg/util/errors"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
"k8s.io/kubernetes/cmd/libs/go2idl/client-gen/test_apis/testgroup/v1"
|
||||
testgroupetcd "k8s.io/kubernetes/examples/apiserver/rest"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver/registry/generic"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver/registry/rest"
|
||||
genericapiserver "k8s.io/kubernetes/pkg/genericapiserver/server"
|
||||
@ -113,7 +113,7 @@ func (serverOptions *ServerRunOptions) Run(stopCh <-chan struct{}) error {
|
||||
return fmt.Errorf("failed to configure authentication: %s", err)
|
||||
}
|
||||
|
||||
config.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
|
||||
config.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
|
||||
config.SwaggerConfig = genericapiserver.DefaultSwaggerConfig()
|
||||
|
||||
s, err := config.Complete().New()
|
||||
|
@ -24,8 +24,6 @@ filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [
|
||||
":package-srcs",
|
||||
"//pkg/genericapiserver/authenticator:all-srcs",
|
||||
"//pkg/genericapiserver/authorizer:all-srcs",
|
||||
"//pkg/genericapiserver/endpoints:all-srcs",
|
||||
"//pkg/genericapiserver/registry:all-srcs",
|
||||
"//pkg/genericapiserver/server:all-srcs",
|
||||
|
@ -1,46 +0,0 @@
|
||||
package(default_visibility = ["//visibility:public"])
|
||||
|
||||
licenses(["notice"])
|
||||
|
||||
load(
|
||||
"@io_bazel_rules_go//go:def.bzl",
|
||||
"go_library",
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = [
|
||||
"delegating.go",
|
||||
"loopback.go",
|
||||
"requestheader.go",
|
||||
],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor:github.com/go-openapi/spec",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/group",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/headerrequest",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/union",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/x509",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/token/tokenfile",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/user",
|
||||
"//vendor:k8s.io/apiserver/plugin/pkg/authenticator/token/webhook",
|
||||
"//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
|
||||
"//vendor:k8s.io/client-go/util/cert",
|
||||
],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "package-srcs",
|
||||
srcs = glob(["**"]),
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:private"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [":package-srcs"],
|
||||
tags = ["automanaged"],
|
||||
)
|
@ -1,47 +0,0 @@
|
||||
package(default_visibility = ["//visibility:public"])
|
||||
|
||||
licenses(["notice"])
|
||||
|
||||
load(
|
||||
"@io_bazel_rules_go//go:def.bzl",
|
||||
"go_library",
|
||||
"go_test",
|
||||
)
|
||||
|
||||
go_test(
|
||||
name = "go_default_test",
|
||||
srcs = ["authz_test.go"],
|
||||
library = ":go_default_library",
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/user",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
|
||||
],
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "go_default_library",
|
||||
srcs = [
|
||||
"builtin.go",
|
||||
"delegating.go",
|
||||
],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
|
||||
"//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
|
||||
"//vendor:k8s.io/client-go/kubernetes/typed/authorization/v1beta1",
|
||||
],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "package-srcs",
|
||||
srcs = glob(["**"]),
|
||||
tags = ["automanaged"],
|
||||
visibility = ["//visibility:private"],
|
||||
)
|
||||
|
||||
filegroup(
|
||||
name = "all-srcs",
|
||||
srcs = [":package-srcs"],
|
||||
tags = ["automanaged"],
|
||||
)
|
@ -67,8 +67,6 @@ go_library(
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//pkg/api:go_default_library",
|
||||
"//pkg/genericapiserver/authenticator:go_default_library",
|
||||
"//pkg/genericapiserver/authorizer:go_default_library",
|
||||
"//pkg/genericapiserver/endpoints:go_default_library",
|
||||
"//pkg/genericapiserver/endpoints/filters:go_default_library",
|
||||
"//pkg/genericapiserver/endpoints/openapi:go_default_library",
|
||||
@ -99,9 +97,11 @@ go_library(
|
||||
"//vendor:k8s.io/apimachinery/pkg/version",
|
||||
"//vendor:k8s.io/apiserver/pkg/admission",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/union",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/user",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/union",
|
||||
"//vendor:k8s.io/apiserver/pkg/endpoints/request",
|
||||
"//vendor:k8s.io/apiserver/pkg/server/healthz",
|
||||
|
@ -43,17 +43,17 @@ import (
|
||||
"k8s.io/apimachinery/pkg/version"
|
||||
"k8s.io/apiserver/pkg/admission"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
|
||||
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
authorizerunion "k8s.io/apiserver/pkg/authorization/union"
|
||||
apirequest "k8s.io/apiserver/pkg/endpoints/request"
|
||||
"k8s.io/apiserver/pkg/server/healthz"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
certutil "k8s.io/client-go/util/cert"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
genericauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
|
||||
genericauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
genericapifilters "k8s.io/kubernetes/pkg/genericapiserver/endpoints/filters"
|
||||
apiopenapi "k8s.io/kubernetes/pkg/genericapiserver/endpoints/openapi"
|
||||
genericfilters "k8s.io/kubernetes/pkg/genericapiserver/server/filters"
|
||||
@ -480,10 +480,10 @@ func (c *Config) Complete() completedConfig {
|
||||
Groups: []string{user.SystemPrivilegedGroup},
|
||||
}
|
||||
|
||||
tokenAuthenticator := genericauthenticator.NewAuthenticatorFromTokens(tokens)
|
||||
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
|
||||
c.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authenticator)
|
||||
|
||||
tokenAuthorizer := genericauthorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
|
||||
tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
|
||||
c.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorizer)
|
||||
}
|
||||
|
||||
|
@ -21,8 +21,6 @@ go_library(
|
||||
deps = [
|
||||
"//pkg/api:go_default_library",
|
||||
"//pkg/features:go_default_library",
|
||||
"//pkg/genericapiserver/authenticator:go_default_library",
|
||||
"//pkg/genericapiserver/authorizer:go_default_library",
|
||||
"//pkg/storage/storagebackend:go_default_library",
|
||||
"//vendor:github.com/golang/glog",
|
||||
"//vendor:github.com/spf13/pflag",
|
||||
@ -30,6 +28,8 @@ go_library(
|
||||
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/net",
|
||||
"//vendor:k8s.io/apiserver/pkg/admission",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/util/feature",
|
||||
"//vendor:k8s.io/apiserver/pkg/util/flag",
|
||||
"//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
|
||||
|
@ -21,10 +21,10 @@ import (
|
||||
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
|
||||
authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
|
||||
"k8s.io/client-go/rest"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver/authenticator"
|
||||
)
|
||||
|
||||
type RequestHeaderAuthenticationOptions struct {
|
||||
@ -57,12 +57,12 @@ func (s *RequestHeaderAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
|
||||
// ToAuthenticationRequestHeaderConfig returns a RequestHeaderConfig config object for these options
|
||||
// if necessary, nil otherwise.
|
||||
func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() *authenticator.RequestHeaderConfig {
|
||||
func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() *authenticatorfactory.RequestHeaderConfig {
|
||||
if len(s.UsernameHeaders) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
return &authenticator.RequestHeaderConfig{
|
||||
return &authenticatorfactory.RequestHeaderConfig{
|
||||
UsernameHeaders: s.UsernameHeaders,
|
||||
GroupHeaders: s.GroupHeaders,
|
||||
ExtraHeaderPrefixes: s.ExtraHeaderPrefixes,
|
||||
@ -128,13 +128,13 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
s.RequestHeader.AddFlags(fs)
|
||||
}
|
||||
|
||||
func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticator.DelegatingAuthenticatorConfig, error) {
|
||||
func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticatorfactory.DelegatingAuthenticatorConfig, error) {
|
||||
tokenClient, err := s.newTokenAccessReview()
|
||||
if err != nil {
|
||||
return authenticator.DelegatingAuthenticatorConfig{}, err
|
||||
return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
|
||||
}
|
||||
|
||||
ret := authenticator.DelegatingAuthenticatorConfig{
|
||||
ret := authenticatorfactory.DelegatingAuthenticatorConfig{
|
||||
Anonymous: true,
|
||||
TokenAccessReviewClient: tokenClient,
|
||||
CacheTTL: s.CacheTTL,
|
||||
|
@ -21,10 +21,10 @@ import (
|
||||
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
|
||||
"k8s.io/client-go/rest"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
)
|
||||
|
||||
// DelegatingAuthorizationOptions provides an easy way for composing API servers to delegate their authorization to
|
||||
@ -69,13 +69,13 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
"The duration to cache 'unauthorized' responses from the webhook authorizer.")
|
||||
}
|
||||
|
||||
func (s *DelegatingAuthorizationOptions) ToAuthorizationConfig() (authorizer.DelegatingAuthorizerConfig, error) {
|
||||
func (s *DelegatingAuthorizationOptions) ToAuthorizationConfig() (authorizerfactory.DelegatingAuthorizerConfig, error) {
|
||||
sarClient, err := s.newSubjectAccessReview()
|
||||
if err != nil {
|
||||
return authorizer.DelegatingAuthorizerConfig{}, err
|
||||
return authorizerfactory.DelegatingAuthorizerConfig{}, err
|
||||
}
|
||||
|
||||
ret := authorizer.DelegatingAuthorizerConfig{
|
||||
ret := authorizerfactory.DelegatingAuthorizerConfig{
|
||||
SubjectAccessReviewClient: sarClient,
|
||||
AllowCacheTTL: s.AllowCacheTTL,
|
||||
DenyCacheTTL: s.DenyCacheTTL,
|
||||
|
@ -12,10 +12,10 @@ go_library(
|
||||
srcs = ["config.go"],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//pkg/genericapiserver/authenticator:go_default_library",
|
||||
"//pkg/serviceaccount:go_default_library",
|
||||
"//vendor:github.com/go-openapi/spec",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/group",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
|
||||
|
@ -22,6 +22,7 @@ import (
|
||||
"github.com/go-openapi/spec"
|
||||
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
|
||||
"k8s.io/apiserver/pkg/authentication/group"
|
||||
"k8s.io/apiserver/pkg/authentication/request/anonymous"
|
||||
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
|
||||
@ -37,7 +38,6 @@ import (
|
||||
"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
|
||||
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
|
||||
certutil "k8s.io/client-go/util/cert"
|
||||
genericauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
|
||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||
|
||||
// Initialize all known client auth plugins.
|
||||
@ -63,7 +63,7 @@ type AuthenticatorConfig struct {
|
||||
WebhookTokenAuthnConfigFile string
|
||||
WebhookTokenAuthnCacheTTL time.Duration
|
||||
|
||||
RequestHeaderConfig *genericauthenticator.RequestHeaderConfig
|
||||
RequestHeaderConfig *authenticatorfactory.RequestHeaderConfig
|
||||
|
||||
// TODO, this is the only non-serializable part of the entire config. Factor it out into a clientconfig
|
||||
ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter
|
||||
|
@ -25,9 +25,9 @@ go_library(
|
||||
deps = [
|
||||
"//pkg/auth/authorizer/abac:go_default_library",
|
||||
"//pkg/controller/informers:go_default_library",
|
||||
"//pkg/genericapiserver/authorizer:go_default_library",
|
||||
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/union",
|
||||
"//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
|
||||
],
|
||||
|
@ -22,11 +22,11 @@ import (
|
||||
"time"
|
||||
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
"k8s.io/apiserver/pkg/authorization/union"
|
||||
"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
|
||||
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
|
||||
"k8s.io/kubernetes/pkg/controller/informers"
|
||||
genericauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
|
||||
)
|
||||
|
||||
@ -80,9 +80,9 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
|
||||
// Keep cases in sync with constant list above.
|
||||
switch authorizationMode {
|
||||
case ModeAlwaysAllow:
|
||||
authorizers = append(authorizers, genericauthorizer.NewAlwaysAllowAuthorizer())
|
||||
authorizers = append(authorizers, authorizerfactory.NewAlwaysAllowAuthorizer())
|
||||
case ModeAlwaysDeny:
|
||||
authorizers = append(authorizers, genericauthorizer.NewAlwaysDenyAuthorizer())
|
||||
authorizers = append(authorizers, authorizerfactory.NewAlwaysDenyAuthorizer())
|
||||
case ModeABAC:
|
||||
if config.PolicyFile == "" {
|
||||
return nil, errors.New("ABAC's authorization policy file not passed")
|
||||
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package authenticator
|
||||
package authenticatorfactory
|
||||
|
||||
import (
|
||||
"errors"
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package authenticator
|
||||
package authenticatorfactory
|
||||
|
||||
import (
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
@ -23,7 +23,7 @@ import (
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
)
|
||||
|
||||
// newAuthenticatorFromToken returns an authenticator.Request or an error
|
||||
func NewAuthenticatorFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
|
||||
// NewFromTokens returns an authenticator.Request or an error
|
||||
func NewFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
|
||||
return bearertoken.New(tokenfile.New(tokens))
|
||||
}
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package authenticator
|
||||
package authenticatorfactory
|
||||
|
||||
type RequestHeaderConfig struct {
|
||||
// UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package authorizer
|
||||
package authorizerfactory
|
||||
|
||||
import (
|
||||
"testing"
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package authorizer
|
||||
package authorizerfactory
|
||||
|
||||
import (
|
||||
"errors"
|
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package authorizer
|
||||
package authorizerfactory
|
||||
|
||||
import (
|
||||
"time"
|
@ -43,6 +43,7 @@ import (
|
||||
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
"k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest"
|
||||
"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
|
||||
"k8s.io/client-go/tools/clientcmd/api/v1"
|
||||
@ -52,7 +53,6 @@ import (
|
||||
"k8s.io/kubernetes/pkg/apis/autoscaling"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
|
||||
apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
"k8s.io/kubernetes/plugin/pkg/admission/admit"
|
||||
"k8s.io/kubernetes/test/integration"
|
||||
"k8s.io/kubernetes/test/integration/framework"
|
||||
@ -502,7 +502,7 @@ func getPreviousResourceVersionKey(url, id string) string {
|
||||
func TestAuthModeAlwaysDeny(t *testing.T) {
|
||||
// Set up a master
|
||||
masterConfig := framework.NewIntegrationTestMasterConfig()
|
||||
masterConfig.GenericConfig.Authorizer = apiserverauthorizer.NewAlwaysDenyAuthorizer()
|
||||
masterConfig.GenericConfig.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
|
||||
_, s := framework.RunAMaster(masterConfig)
|
||||
defer s.Close()
|
||||
|
||||
|
@ -35,8 +35,6 @@ go_library(
|
||||
"//pkg/controller:go_default_library",
|
||||
"//pkg/controller/replication:go_default_library",
|
||||
"//pkg/generated/openapi:go_default_library",
|
||||
"//pkg/genericapiserver/authenticator:go_default_library",
|
||||
"//pkg/genericapiserver/authorizer:go_default_library",
|
||||
"//pkg/genericapiserver/server:go_default_library",
|
||||
"//pkg/kubectl:go_default_library",
|
||||
"//pkg/kubelet/client:go_default_library",
|
||||
@ -57,9 +55,11 @@ go_library(
|
||||
"//vendor:k8s.io/apimachinery/pkg/util/wait",
|
||||
"//vendor:k8s.io/apimachinery/pkg/watch",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/union",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/user",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/union",
|
||||
"//vendor:k8s.io/client-go/rest",
|
||||
],
|
||||
|
@ -33,9 +33,11 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/apimachinery/pkg/watch"
|
||||
authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
|
||||
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
authauthorizer "k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
authorizerunion "k8s.io/apiserver/pkg/authorization/union"
|
||||
restclient "k8s.io/client-go/rest"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
@ -56,8 +58,6 @@ import (
|
||||
"k8s.io/kubernetes/pkg/controller"
|
||||
replicationcontroller "k8s.io/kubernetes/pkg/controller/replication"
|
||||
"k8s.io/kubernetes/pkg/generated/openapi"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver/authenticator"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
genericapiserver "k8s.io/kubernetes/pkg/genericapiserver/server"
|
||||
"k8s.io/kubernetes/pkg/kubectl"
|
||||
kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
|
||||
@ -214,7 +214,7 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
|
||||
Groups: []string{user.SystemPrivilegedGroup},
|
||||
}
|
||||
|
||||
tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
|
||||
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
|
||||
if masterConfig.GenericConfig.Authenticator == nil {
|
||||
masterConfig.GenericConfig.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty))
|
||||
} else {
|
||||
@ -222,7 +222,7 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
|
||||
}
|
||||
|
||||
if masterConfig.GenericConfig.Authorizer != nil {
|
||||
tokenAuthorizer := authorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
|
||||
tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
|
||||
masterConfig.GenericConfig.Authorizer = authorizerunion.New(tokenAuthorizer, masterConfig.GenericConfig.Authorizer)
|
||||
} else {
|
||||
masterConfig.GenericConfig.Authorizer = alwaysAllow{}
|
||||
@ -357,7 +357,7 @@ func NewMasterConfig() *master.Config {
|
||||
genericConfig := genericapiserver.NewConfig()
|
||||
kubeVersion := version.Get()
|
||||
genericConfig.Version = &kubeVersion
|
||||
genericConfig.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
|
||||
genericConfig.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
|
||||
genericConfig.AdmissionControl = admit.NewAlwaysAdmit()
|
||||
genericConfig.EnableMetrics = true
|
||||
|
||||
|
50
vendor/BUILD
vendored
50
vendor/BUILD
vendored
@ -14045,3 +14045,53 @@ go_library(
|
||||
srcs = ["k8s.io/apiserver/pkg/util/trie/trie.go"],
|
||||
tags = ["automanaged"],
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "k8s.io/apiserver/pkg/authentication/authenticatorfactory",
|
||||
srcs = [
|
||||
"k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go",
|
||||
"k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go",
|
||||
"k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go",
|
||||
],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor:github.com/go-openapi/spec",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/group",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/headerrequest",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/union",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/request/x509",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/token/tokenfile",
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/user",
|
||||
"//vendor:k8s.io/apiserver/plugin/pkg/authenticator/token/webhook",
|
||||
"//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
|
||||
"//vendor:k8s.io/client-go/util/cert",
|
||||
],
|
||||
)
|
||||
|
||||
go_test(
|
||||
name = "k8s.io/apiserver/pkg/authorization/authorizerfactory_test",
|
||||
srcs = ["k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go"],
|
||||
library = ":k8s.io/apiserver/pkg/authorization/authorizerfactory",
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor:k8s.io/apiserver/pkg/authentication/user",
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
|
||||
],
|
||||
)
|
||||
|
||||
go_library(
|
||||
name = "k8s.io/apiserver/pkg/authorization/authorizerfactory",
|
||||
srcs = [
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go",
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go",
|
||||
],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
|
||||
"//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
|
||||
"//vendor:k8s.io/client-go/kubernetes/typed/authorization/v1beta1",
|
||||
],
|
||||
)
|
||||
|
Loading…
Reference in New Issue
Block a user