diff --git a/cmd/kubelet/app/BUILD b/cmd/kubelet/app/BUILD
index 44288076d72..a44bac058f1 100644
--- a/cmd/kubelet/app/BUILD
+++ b/cmd/kubelet/app/BUILD
@@ -54,8 +54,6 @@ go_library(
 "//pkg/credentialprovider/azure:go_default_library",
 "//pkg/credentialprovider/gcp:go_default_library",
 "//pkg/features:go_default_library",
- "//pkg/genericapiserver/authenticator:go_default_library",
- "//pkg/genericapiserver/authorizer:go_default_library",
 "//pkg/kubelet:go_default_library",
 "//pkg/kubelet/cadvisor:go_default_library",
 "//pkg/kubelet/cm:go_default_library",
@@ -109,7 +107,9 @@ go_library(
 "//vendor:k8s.io/apimachinery/pkg/util/runtime",
 "//vendor:k8s.io/apimachinery/pkg/util/wait",
 "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
+ "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
 "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
+ "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
 "//vendor:k8s.io/apiserver/pkg/server/healthz",
 "//vendor:k8s.io/apiserver/pkg/util/feature",
 "//vendor:k8s.io/client-go/kubernetes",
diff --git a/cmd/kubelet/app/auth.go b/cmd/kubelet/app/auth.go
index 8c9fab4a648..ed10f5f13bd 100644
--- a/cmd/kubelet/app/auth.go
+++ b/cmd/kubelet/app/auth.go
@@ -21,17 +21,16 @@ import (
 "fmt"
 "reflect"
+ "k8s.io/apimachinery/pkg/types"
 "k8s.io/apiserver/pkg/authentication/authenticator"
+ "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 "k8s.io/apiserver/pkg/authorization/authorizer"
+ "k8s.io/apiserver/pkg/authorization/authorizerfactory"
 clientset "k8s.io/client-go/kubernetes"
 authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
 authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
- "k8s.io/apimachinery/pkg/types"
 "k8s.io/kubernetes/pkg/apis/componentconfig"
- apiserverauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
- alwaysallowauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
- apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 "k8s.io/kubernetes/pkg/kubelet/server"
 )
@@ -62,7 +61,7 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
 }
 func buildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
- authenticatorConfig := apiserverauthenticator.DelegatingAuthenticatorConfig{
+ authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
 Anonymous: authn.Anonymous.Enabled,
 CacheTTL: authn.Webhook.CacheTTL.Duration,
 ClientCAFile: authn.X509.ClientCAFile,
@@ -82,13 +81,13 @@ func buildAuthn(client authenticationclient.TokenReviewInterface, authn componen
 func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
 switch authz.Mode {
 case componentconfig.KubeletAuthorizationModeAlwaysAllow:
- return alwaysallowauthorizer.NewAlwaysAllowAuthorizer(), nil
+ return authorizerfactory.NewAlwaysAllowAuthorizer(), nil
 case componentconfig.KubeletAuthorizationModeWebhook:
 if client == nil {
 return nil, errors.New("no client provided, cannot use webhook authorization")
 }
- authorizerConfig := apiserverauthorizer.DelegatingAuthorizerConfig{
+ authorizerConfig := authorizerfactory.DelegatingAuthorizerConfig{
 SubjectAccessReviewClient: client,
 AllowCacheTTL: authz.Webhook.CacheAuthorizedTTL.Duration,
 DenyCacheTTL: authz.Webhook.CacheUnauthorizedTTL.Duration,
diff --git a/examples/apiserver/BUILD b/examples/apiserver/BUILD
index 38ae7c0e9ad..d0a41a91f6c 100644
--- a/examples/apiserver/BUILD
+++ b/examples/apiserver/BUILD
@@ -16,7 +16,6 @@ go_library(
 "//cmd/libs/go2idl/client-gen/test_apis/testgroup/v1:go_default_library",
 "//examples/apiserver/rest:go_default_library",
 "//pkg/api:go_default_library",
- "//pkg/genericapiserver/authorizer:go_default_library",
 "//pkg/genericapiserver/registry/generic:go_default_library",
 "//pkg/genericapiserver/registry/rest:go_default_library",
 "//pkg/genericapiserver/server:go_default_library",
@@ -26,6 +25,7 @@ go_library(
 "//vendor:github.com/golang/glog",
 "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
 "//vendor:k8s.io/apimachinery/pkg/util/errors",
+ "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
 ],
 )
diff --git a/examples/apiserver/apiserver.go b/examples/apiserver/apiserver.go
index bf443c9811c..7a0fbdf1b82 100644
--- a/examples/apiserver/apiserver.go
+++ b/examples/apiserver/apiserver.go
@@ -21,10 +21,10 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"
 utilerrors "k8s.io/apimachinery/pkg/util/errors"
+ "k8s.io/apiserver/pkg/authorization/authorizerfactory"
 "k8s.io/kubernetes/cmd/libs/go2idl/client-gen/test_apis/testgroup/v1"
 testgroupetcd "k8s.io/kubernetes/examples/apiserver/rest"
 "k8s.io/kubernetes/pkg/api"
- "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 "k8s.io/kubernetes/pkg/genericapiserver/registry/generic"
 "k8s.io/kubernetes/pkg/genericapiserver/registry/rest"
 genericapiserver "k8s.io/kubernetes/pkg/genericapiserver/server"
@@ -113,7 +113,7 @@ func (serverOptions *ServerRunOptions) Run(stopCh <-chan struct{}) error {
 return fmt.Errorf("failed to configure authentication: %s", err)
 }
- config.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
+ config.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
 config.SwaggerConfig = genericapiserver.DefaultSwaggerConfig()
 s, err := config.Complete().New()
diff --git a/pkg/genericapiserver/BUILD b/pkg/genericapiserver/BUILD
index 842a0828f41..d799748af3a 100644
--- a/pkg/genericapiserver/BUILD
+++ b/pkg/genericapiserver/BUILD
@@ -24,8 +24,6 @@ filegroup(
 name = "all-srcs",
 srcs = [
 ":package-srcs",
- "//pkg/genericapiserver/authenticator:all-srcs",
- "//pkg/genericapiserver/authorizer:all-srcs",
 "//pkg/genericapiserver/endpoints:all-srcs",
 "//pkg/genericapiserver/registry:all-srcs",
 "//pkg/genericapiserver/server:all-srcs",
diff --git a/pkg/genericapiserver/authenticator/BUILD b/pkg/genericapiserver/authenticator/BUILD
deleted file mode 100644
index 12b89c71a07..00000000000
--- a/pkg/genericapiserver/authenticator/BUILD
+++ /dev/null
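Review bot: In `Run` (examples/apiserver/apiserver.go) the new line `config.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()` still wires in an authorizer that, going by its name, permits every request, and nothing beside it says this is acceptable only for the example. Example servers tend to be copied as a starting point, so I would put a comment directly above it, such as `// Example only: every request is authorized. Replace with a real authorizer before exposing this server.` Run's body starts and ends outside the hunk, so an explanation elsewhere in the function would not be visible here.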
@@ -1,46 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"])
-
-load(
- "@io_bazel_rules_go//go:def.bzl",
- "go_library",
-)
-
-go_library(
- name = "go_default_library",
- srcs = [
- "delegating.go",
- "loopback.go",
- "requestheader.go",
- ],
- tags = ["automanaged"],
- deps = [
- "//vendor:github.com/go-openapi/spec",
- "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
- "//vendor:k8s.io/apiserver/pkg/authentication/group",
- "//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
- "//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
- "//vendor:k8s.io/apiserver/pkg/authentication/request/headerrequest",
- "//vendor:k8s.io/apiserver/pkg/authentication/request/union",
- "//vendor:k8s.io/apiserver/pkg/authentication/request/x509",
- "//vendor:k8s.io/apiserver/pkg/authentication/token/tokenfile",
- "//vendor:k8s.io/apiserver/pkg/authentication/user",
- "//vendor:k8s.io/apiserver/plugin/pkg/authenticator/token/webhook",
- "//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
- "//vendor:k8s.io/client-go/util/cert",
- ],
-)
-
-filegroup(
- name = "package-srcs",
- srcs = glob(["**"]),
- tags = ["automanaged"],
- visibility = ["//visibility:private"],
-)
-
-filegroup(
- name = "all-srcs",
- srcs = [":package-srcs"],
- tags = ["automanaged"],
-)
diff --git a/pkg/genericapiserver/authorizer/BUILD b/pkg/genericapiserver/authorizer/BUILD
deleted file mode 100644
index 4da7033ec06..00000000000
--- a/pkg/genericapiserver/authorizer/BUILD
+++ /dev/null
@@ -1,47 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-licenses(["notice"])
-
-load(
- "@io_bazel_rules_go//go:def.bzl",
- "go_library",
- "go_test",
-)
-
-go_test(
- name = "go_default_test",
- srcs = ["authz_test.go"],
- library = ":go_default_library",
- tags = ["automanaged"],
- deps = [
- "//vendor:k8s.io/apiserver/pkg/authentication/user",
- "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
- ],
-)
-
-go_library(
- name = "go_default_library",
- srcs = [
- "builtin.go",
- "delegating.go",
- ],
- tags = ["automanaged"],
- deps = [
- "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
- "//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
- "//vendor:k8s.io/client-go/kubernetes/typed/authorization/v1beta1",
- ],
-)
-
-filegroup(
- name = "package-srcs",
- srcs = glob(["**"]),
- tags = ["automanaged"],
- visibility = ["//visibility:private"],
-)
-
-filegroup(
- name = "all-srcs",
- srcs = [":package-srcs"],
- tags = ["automanaged"],
-)
diff --git a/pkg/genericapiserver/server/BUILD b/pkg/genericapiserver/server/BUILD
index d5658de94d4..f753367fd64 100644
--- a/pkg/genericapiserver/server/BUILD
+++ b/pkg/genericapiserver/server/BUILD
@@ -67,8 +67,6 @@ go_library(
 tags = ["automanaged"],
 deps = [
 "//pkg/api:go_default_library",
- "//pkg/genericapiserver/authenticator:go_default_library",
- "//pkg/genericapiserver/authorizer:go_default_library",
 "//pkg/genericapiserver/endpoints:go_default_library",
 "//pkg/genericapiserver/endpoints/filters:go_default_library",
 "//pkg/genericapiserver/endpoints/openapi:go_default_library",
@@ -99,9 +97,11 @@ go_library(
 "//vendor:k8s.io/apimachinery/pkg/version",
 "//vendor:k8s.io/apiserver/pkg/admission",
 "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
+ "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
 "//vendor:k8s.io/apiserver/pkg/authentication/request/union",
 "//vendor:k8s.io/apiserver/pkg/authentication/user",
 "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
+ "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
 "//vendor:k8s.io/apiserver/pkg/authorization/union",
 "//vendor:k8s.io/apiserver/pkg/endpoints/request",
 "//vendor:k8s.io/apiserver/pkg/server/healthz",
diff --git a/pkg/genericapiserver/server/config.go b/pkg/genericapiserver/server/config.go
index ec150acc6b1..683c1cd698f 100644
--- a/pkg/genericapiserver/server/config.go
+++ b/pkg/genericapiserver/server/config.go
@@ -43,17 +43,17 @@ import (
 "k8s.io/apimachinery/pkg/version"
 "k8s.io/apiserver/pkg/admission"
 "k8s.io/apiserver/pkg/authentication/authenticator"
+ "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
+ "k8s.io/apiserver/pkg/authorization/authorizerfactory"
 authorizerunion "k8s.io/apiserver/pkg/authorization/union"
 apirequest "k8s.io/apiserver/pkg/endpoints/request"
 "k8s.io/apiserver/pkg/server/healthz"
 restclient "k8s.io/client-go/rest"
 certutil "k8s.io/client-go/util/cert"
 "k8s.io/kubernetes/pkg/api"
- genericauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
- genericauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 genericapifilters "k8s.io/kubernetes/pkg/genericapiserver/endpoints/filters"
 apiopenapi "k8s.io/kubernetes/pkg/genericapiserver/endpoints/openapi"
 genericfilters "k8s.io/kubernetes/pkg/genericapiserver/server/filters"
@@ -480,10 +480,10 @@ func (c *Config) Complete() completedConfig {
 Groups: []string{user.SystemPrivilegedGroup},
 }
- tokenAuthenticator := genericauthenticator.NewAuthenticatorFromTokens(tokens)
+ tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
 c.Authenticator = authenticatorunion.New(tokenAuthenticator, c.Authenticator)
- tokenAuthorizer := genericauthorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
+ tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
 c.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorizer)
 }
diff --git a/pkg/genericapiserver/server/options/BUILD b/pkg/genericapiserver/server/options/BUILD
index f51064df5c7..022f6123c9b 100644
--- a/pkg/genericapiserver/server/options/BUILD
+++ b/pkg/genericapiserver/server/options/BUILD
@@ -21,8 +21,6 @@ go_library(
 deps = [
 "//pkg/api:go_default_library",
 "//pkg/features:go_default_library",
- "//pkg/genericapiserver/authenticator:go_default_library",
- "//pkg/genericapiserver/authorizer:go_default_library",
 "//pkg/storage/storagebackend:go_default_library",
 "//vendor:github.com/golang/glog",
 "//vendor:github.com/spf13/pflag",
@@ -30,6 +28,8 @@ go_library(
 "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
 "//vendor:k8s.io/apimachinery/pkg/util/net",
 "//vendor:k8s.io/apiserver/pkg/admission",
+ "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
+ "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
 "//vendor:k8s.io/apiserver/pkg/util/feature",
 "//vendor:k8s.io/apiserver/pkg/util/flag",
 "//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
diff --git a/pkg/genericapiserver/server/options/authentication.go b/pkg/genericapiserver/server/options/authentication.go
index 8b5bc0d49d3..0557db428ea 100644
--- a/pkg/genericapiserver/server/options/authentication.go
+++ b/pkg/genericapiserver/server/options/authentication.go
@@ -21,10 +21,10 @@ import (
 "github.com/spf13/pflag"
+ "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
 "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd"
- "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
 )
 type RequestHeaderAuthenticationOptions struct {
@@ -57,12 +57,12 @@ func (s *RequestHeaderAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 // ToAuthenticationRequestHeaderConfig returns a RequestHeaderConfig config object for these options
 // if necessary, nil otherwise.
-func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() *authenticator.RequestHeaderConfig {
+func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() *authenticatorfactory.RequestHeaderConfig {
 if len(s.UsernameHeaders) == 0 {
 return nil
 }
- return &authenticator.RequestHeaderConfig{
+ return &authenticatorfactory.RequestHeaderConfig{
 UsernameHeaders: s.UsernameHeaders,
 GroupHeaders: s.GroupHeaders,
 ExtraHeaderPrefixes: s.ExtraHeaderPrefixes,
@@ -128,13 +128,13 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 s.RequestHeader.AddFlags(fs)
 }
-func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticator.DelegatingAuthenticatorConfig, error) {
+func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticatorfactory.DelegatingAuthenticatorConfig, error) {
 tokenClient, err := s.newTokenAccessReview()
 if err != nil {
- return authenticator.DelegatingAuthenticatorConfig{}, err
+ return authenticatorfactory.DelegatingAuthenticatorConfig{}, err
 }
- ret := authenticator.DelegatingAuthenticatorConfig{
+ ret := authenticatorfactory.DelegatingAuthenticatorConfig{
 Anonymous: true,
 TokenAccessReviewClient: tokenClient,
 CacheTTL: s.CacheTTL,
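Review bot: `ToAuthenticationConfig` in options/authentication.go is exported without a doc comment, and the `Anonymous: true` it sets on the returned `DelegatingAuthenticatorConfig` is hard-coded with no explanation in the hunk. Now that the config type comes from the k8s.io/apiserver staging package, people composing their own API server should be told what that default means for them. If the intent is that unauthenticated requests are passed on as anonymous and left to the authorizer to reject, say so next to the field, e.g. `// Anonymous requests are always enabled here; denying them is the authorizer's job.` The function body continues past the end of the hunk, so the field may be adjusted further down.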
diff --git a/pkg/genericapiserver/server/options/authorization.go b/pkg/genericapiserver/server/options/authorization.go
index dfa04800915..5ecdacf928b 100644
--- a/pkg/genericapiserver/server/options/authorization.go
+++ b/pkg/genericapiserver/server/options/authorization.go
@@ -21,10 +21,10 @@ import (
 "github.com/spf13/pflag"
+ "k8s.io/apiserver/pkg/authorization/authorizerfactory"
 authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
 "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd"
- "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 )
 // DelegatingAuthorizationOptions provides an easy way for composing API servers to delegate their authorization to
@@ -69,13 +69,13 @@ func (s *DelegatingAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
 "The duration to cache 'unauthorized' responses from the webhook authorizer.")
 }
-func (s *DelegatingAuthorizationOptions) ToAuthorizationConfig() (authorizer.DelegatingAuthorizerConfig, error) {
+func (s *DelegatingAuthorizationOptions) ToAuthorizationConfig() (authorizerfactory.DelegatingAuthorizerConfig, error) {
 sarClient, err := s.newSubjectAccessReview()
 if err != nil {
- return authorizer.DelegatingAuthorizerConfig{}, err
+ return authorizerfactory.DelegatingAuthorizerConfig{}, err
 }
- ret := authorizer.DelegatingAuthorizerConfig{
+ ret := authorizerfactory.DelegatingAuthorizerConfig{
 SubjectAccessReviewClient: sarClient,
 AllowCacheTTL: s.AllowCacheTTL,
 DenyCacheTTL: s.DenyCacheTTL,
diff --git a/pkg/kubeapiserver/authenticator/BUILD b/pkg/kubeapiserver/authenticator/BUILD
index b11cc642c3b..6ff39665ef7 100644
--- a/pkg/kubeapiserver/authenticator/BUILD
+++ b/pkg/kubeapiserver/authenticator/BUILD
@@ -12,10 +12,10 @@ go_library(
 srcs = ["config.go"],
 tags = ["automanaged"],
 deps = [
- "//pkg/genericapiserver/authenticator:go_default_library",
 "//pkg/serviceaccount:go_default_library",
 "//vendor:github.com/go-openapi/spec",
 "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
+ "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
 "//vendor:k8s.io/apiserver/pkg/authentication/group",
 "//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous",
 "//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken",
diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go
index a6aa6a4fb8f..b871d826fcb 100644
--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@@ -22,6 +22,7 @@ import (
 "github.com/go-openapi/spec"
 "k8s.io/apiserver/pkg/authentication/authenticator"
+ "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 "k8s.io/apiserver/pkg/authentication/group"
 "k8s.io/apiserver/pkg/authentication/request/anonymous"
 "k8s.io/apiserver/pkg/authentication/request/bearertoken"
@@ -37,7 +38,6 @@ import (
 "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 certutil "k8s.io/client-go/util/cert"
- genericauthenticator "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
 "k8s.io/kubernetes/pkg/serviceaccount"
 // Initialize all known client auth plugins.
@@ -63,7 +63,7 @@ type AuthenticatorConfig struct {
 WebhookTokenAuthnConfigFile string
 WebhookTokenAuthnCacheTTL time.Duration
- RequestHeaderConfig *genericauthenticator.RequestHeaderConfig
+ RequestHeaderConfig *authenticatorfactory.RequestHeaderConfig
 // TODO, this is the only non-serializable part of the entire config. Factor it out into a clientconfig
 ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter
diff --git a/pkg/kubeapiserver/authorizer/BUILD b/pkg/kubeapiserver/authorizer/BUILD
index 499bcd48b26..81b9b921280 100644
--- a/pkg/kubeapiserver/authorizer/BUILD
+++ b/pkg/kubeapiserver/authorizer/BUILD
@@ -25,9 +25,9 @@ go_library(
 deps = [
 "//pkg/auth/authorizer/abac:go_default_library",
 "//pkg/controller/informers:go_default_library",
- "//pkg/genericapiserver/authorizer:go_default_library",
 "//plugin/pkg/auth/authorizer/rbac:go_default_library",
 "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
+ "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
 "//vendor:k8s.io/apiserver/pkg/authorization/union",
 "//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook",
 ],
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index 45c9fc44568..750edc2eddd 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -22,11 +22,11 @@ import (
 "time"
 "k8s.io/apiserver/pkg/authorization/authorizer"
+ "k8s.io/apiserver/pkg/authorization/authorizerfactory"
 "k8s.io/apiserver/pkg/authorization/union"
 "k8s.io/apiserver/plugin/pkg/authorizer/webhook"
 "k8s.io/kubernetes/pkg/auth/authorizer/abac"
 "k8s.io/kubernetes/pkg/controller/informers"
- genericauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
 )
@@ -80,9 +80,9 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
 // Keep cases in sync with constant list above.
 switch authorizationMode {
 case ModeAlwaysAllow:
- authorizers = append(authorizers, genericauthorizer.NewAlwaysAllowAuthorizer())
+ authorizers = append(authorizers, authorizerfactory.NewAlwaysAllowAuthorizer())
 case ModeAlwaysDeny:
- authorizers = append(authorizers, genericauthorizer.NewAlwaysDenyAuthorizer())
+ authorizers = append(authorizers, authorizerfactory.NewAlwaysDenyAuthorizer())
 case ModeABAC:
 if config.PolicyFile == "" {
 return nil, errors.New("ABAC's authorization policy file not passed")
diff --git a/pkg/genericapiserver/authenticator/delegating.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
similarity index 99%
rename from pkg/genericapiserver/authenticator/delegating.go
rename to staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
index d7d94a82f40..966a89a0b3e 100644
--- a/pkg/genericapiserver/authenticator/delegating.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authenticator
+package authenticatorfactory
 import (
 "errors"
diff --git a/pkg/genericapiserver/authenticator/loopback.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go
similarity index 81%
rename from pkg/genericapiserver/authenticator/loopback.go
rename to staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go
index a5cb4edc848..f31656529fe 100644
--- a/pkg/genericapiserver/authenticator/loopback.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authenticator
+package authenticatorfactory
 import (
 "k8s.io/apiserver/pkg/authentication/authenticator"
@@ -23,7 +23,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 )
-// newAuthenticatorFromToken returns an authenticator.Request or an error
-func NewAuthenticatorFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
+// NewFromTokens returns an authenticator.Request or an error
+func NewFromTokens(tokens map[string]*user.DefaultInfo) authenticator.Request {
 return bearertoken.New(tokenfile.New(tokens))
 }
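Review bot: The doc comment on `NewFromTokens` in loopback.go says it returns "an authenticator.Request or an error", but the signature returns only `authenticator.Request`, so the rename carries the old inaccuracy into the published package. I would reword it to `// NewFromTokens returns an authenticator.Request that checks bearer tokens against the given token-to-user map.`, which is worded from the `bearertoken.New(tokenfile.New(tokens))` body and should be confirmed against those two packages. The callers changed in this commit (`Complete` in server/config.go, `startMasterOrDie` in the test framework) appear to pass a token mapped to a user in `user.SystemPrivilegedGroup`, so the comment could also say that the map's keys are credentials and must be kept out of logs.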
diff --git a/pkg/genericapiserver/authenticator/requestheader.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go
similarity index 97%
rename from pkg/genericapiserver/authenticator/requestheader.go
rename to staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go
index b719eccc002..3eeb238f056 100644
--- a/pkg/genericapiserver/authenticator/requestheader.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authenticator
+package authenticatorfactory
 type RequestHeaderConfig struct {
 // UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
diff --git a/pkg/genericapiserver/authorizer/OWNERS b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/OWNERS
similarity index 100%
rename from pkg/genericapiserver/authorizer/OWNERS
rename to staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/OWNERS
diff --git a/pkg/genericapiserver/authorizer/authz_test.go b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go
similarity index 98%
rename from pkg/genericapiserver/authorizer/authz_test.go
rename to staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go
index dc3df4c5337..73a42834882 100644
--- a/pkg/genericapiserver/authorizer/authz_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authorizer
+package authorizerfactory
 import (
 "testing"
diff --git a/pkg/genericapiserver/authorizer/builtin.go b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go
similarity index 99%
rename from pkg/genericapiserver/authorizer/builtin.go
rename to staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go
index 6d6c27760b8..85846619cc0 100644
--- a/pkg/genericapiserver/authorizer/builtin.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authorizer
+package authorizerfactory
 import (
 "errors"
diff --git a/pkg/genericapiserver/authorizer/delegating.go b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go
similarity index 98%
rename from pkg/genericapiserver/authorizer/delegating.go
rename to staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go
index 56be85a242d..25b5aa9899d 100644
--- a/pkg/genericapiserver/authorizer/delegating.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
-package authorizer
+package authorizerfactory
 import (
 "time"
diff --git a/test/integration/auth/auth_test.go b/test/integration/auth/auth_test.go
index b7b80271b3b..dd438a7050d 100644
--- a/test/integration/auth/auth_test.go
+++ b/test/integration/auth/auth_test.go
@@ -43,6 +43,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/serviceaccount"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
+ "k8s.io/apiserver/pkg/authorization/authorizerfactory"
 "k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest"
 "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 "k8s.io/client-go/tools/clientcmd/api/v1"
@@ -52,7 +53,6 @@ import (
 "k8s.io/kubernetes/pkg/apis/autoscaling"
 "k8s.io/kubernetes/pkg/apis/extensions"
 "k8s.io/kubernetes/pkg/auth/authorizer/abac"
- apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 "k8s.io/kubernetes/plugin/pkg/admission/admit"
 "k8s.io/kubernetes/test/integration"
 "k8s.io/kubernetes/test/integration/framework"
@@ -502,7 +502,7 @@ func getPreviousResourceVersionKey(url, id string) string {
 func TestAuthModeAlwaysDeny(t *testing.T) {
 // Set up a master
 masterConfig := framework.NewIntegrationTestMasterConfig()
- masterConfig.GenericConfig.Authorizer = apiserverauthorizer.NewAlwaysDenyAuthorizer()
+ masterConfig.GenericConfig.Authorizer = authorizerfactory.NewAlwaysDenyAuthorizer()
 _, s := framework.RunAMaster(masterConfig)
 defer s.Close()
diff --git a/test/integration/framework/BUILD b/test/integration/framework/BUILD
index 8c304e964b4..8053177f7cb 100644
--- a/test/integration/framework/BUILD
+++ b/test/integration/framework/BUILD
@@ -35,8 +35,6 @@ go_library(
 "//pkg/controller:go_default_library",
 "//pkg/controller/replication:go_default_library",
 "//pkg/generated/openapi:go_default_library",
- "//pkg/genericapiserver/authenticator:go_default_library",
- "//pkg/genericapiserver/authorizer:go_default_library",
 "//pkg/genericapiserver/server:go_default_library",
 "//pkg/kubectl:go_default_library",
 "//pkg/kubelet/client:go_default_library",
@@ -57,9 +55,11 @@ go_library(
 "//vendor:k8s.io/apimachinery/pkg/util/wait",
 "//vendor:k8s.io/apimachinery/pkg/watch",
 "//vendor:k8s.io/apiserver/pkg/authentication/authenticator",
+ "//vendor:k8s.io/apiserver/pkg/authentication/authenticatorfactory",
 "//vendor:k8s.io/apiserver/pkg/authentication/request/union",
 "//vendor:k8s.io/apiserver/pkg/authentication/user",
 "//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
+ "//vendor:k8s.io/apiserver/pkg/authorization/authorizerfactory",
 "//vendor:k8s.io/apiserver/pkg/authorization/union",
 "//vendor:k8s.io/client-go/rest",
 ],
diff --git a/test/integration/framework/master_utils.go b/test/integration/framework/master_utils.go
index f803c80e44c..ac84f890ec5 100644
--- a/test/integration/framework/master_utils.go
+++ b/test/integration/framework/master_utils.go
@@ -33,9 +33,11 @@ import (
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/apimachinery/pkg/watch"
 authauthenticator "k8s.io/apiserver/pkg/authentication/authenticator"
+ "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
 "k8s.io/apiserver/pkg/authentication/user"
 authauthorizer "k8s.io/apiserver/pkg/authorization/authorizer"
+ "k8s.io/apiserver/pkg/authorization/authorizerfactory"
 authorizerunion "k8s.io/apiserver/pkg/authorization/union"
 restclient "k8s.io/client-go/rest"
 "k8s.io/kubernetes/pkg/api"
@@ -56,8 +58,6 @@ import (
 "k8s.io/kubernetes/pkg/controller"
 replicationcontroller "k8s.io/kubernetes/pkg/controller/replication"
 "k8s.io/kubernetes/pkg/generated/openapi"
- "k8s.io/kubernetes/pkg/genericapiserver/authenticator"
- "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 genericapiserver "k8s.io/kubernetes/pkg/genericapiserver/server"
 "k8s.io/kubernetes/pkg/kubectl"
 kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
@@ -214,7 +214,7 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
 Groups: []string{user.SystemPrivilegedGroup},
 }
- tokenAuthenticator := authenticator.NewAuthenticatorFromTokens(tokens)
+ tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens)
 if masterConfig.GenericConfig.Authenticator == nil {
 masterConfig.GenericConfig.Authenticator = authenticatorunion.New(tokenAuthenticator, authauthenticator.RequestFunc(alwaysEmpty))
 } else {
@@ -222,7 +222,7 @@ func startMasterOrDie(masterConfig *master.Config, incomingServer *httptest.Serv
 }
 if masterConfig.GenericConfig.Authorizer != nil {
- tokenAuthorizer := authorizer.NewPrivilegedGroups(user.SystemPrivilegedGroup)
+ tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
 masterConfig.GenericConfig.Authorizer = authorizerunion.New(tokenAuthorizer, masterConfig.GenericConfig.Authorizer)
 } else {
 masterConfig.GenericConfig.Authorizer = alwaysAllow{}
@@ -357,7 +357,7 @@ func NewMasterConfig() *master.Config {
 genericConfig := genericapiserver.NewConfig()
 kubeVersion := version.Get()
 genericConfig.Version = &kubeVersion
- genericConfig.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
+ genericConfig.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
 genericConfig.AdmissionControl = admit.NewAlwaysAdmit()
 genericConfig.EnableMetrics = true
diff --git a/vendor/BUILD b/vendor/BUILD
index f166d397dd7..63516166f28 100644
--- a/vendor/BUILD
+++ b/vendor/BUILD
@@ -14045,3 +14045,53 @@ go_library( srcs = ["k8s.io/apiserver/pkg/util/trie/trie.go"], tags = ["automanaged"], ) + +go_library( + name = "k8s.io/apiserver/pkg/authentication/authenticatorfactory", + srcs = [ + "k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go", + "k8s.io/apiserver/pkg/authentication/authenticatorfactory/loopback.go", + "k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go", + ], + tags = ["automanaged"], + deps = [ + "//vendor:github.com/go-openapi/spec", + "//vendor:k8s.io/apiserver/pkg/authentication/authenticator", + "//vendor:k8s.io/apiserver/pkg/authentication/group", + "//vendor:k8s.io/apiserver/pkg/authentication/request/anonymous", + "//vendor:k8s.io/apiserver/pkg/authentication/request/bearertoken", + "//vendor:k8s.io/apiserver/pkg/authentication/request/headerrequest", + "//vendor:k8s.io/apiserver/pkg/authentication/request/union", + "//vendor:k8s.io/apiserver/pkg/authentication/request/x509", + "//vendor:k8s.io/apiserver/pkg/authentication/token/tokenfile", + "//vendor:k8s.io/apiserver/pkg/authentication/user", + "//vendor:k8s.io/apiserver/plugin/pkg/authenticator/token/webhook", + "//vendor:k8s.io/client-go/kubernetes/typed/authentication/v1beta1", + "//vendor:k8s.io/client-go/util/cert", + ], +) + +go_test( + name = "k8s.io/apiserver/pkg/authorization/authorizerfactory_test", + srcs = ["k8s.io/apiserver/pkg/authorization/authorizerfactory/authz_test.go"], + library = ":k8s.io/apiserver/pkg/authorization/authorizerfactory", + tags = ["automanaged"], + deps = [ + "//vendor:k8s.io/apiserver/pkg/authentication/user", + "//vendor:k8s.io/apiserver/pkg/authorization/authorizer", + ], +) + +go_library( + name = "k8s.io/apiserver/pkg/authorization/authorizerfactory", + srcs = [ + "k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go", + "k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go", + ], + tags = ["automanaged"], + deps = [ + 
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer", + "//vendor:k8s.io/apiserver/plugin/pkg/authorizer/webhook", + "//vendor:k8s.io/client-go/kubernetes/typed/authorization/v1beta1", + ], +)