mirror of
				https://github.com/k3s-io/kubernetes.git
				synced 2025-10-25 10:00:53 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			247 lines
		
	
	
		
			7.0 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			247 lines
		
	
	
		
			7.0 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| /*
 | |
| Copyright 2014 The Kubernetes Authors.
 | |
| 
 | |
| Licensed under the Apache License, Version 2.0 (the "License");
 | |
| you may not use this file except in compliance with the License.
 | |
| You may obtain a copy of the License at
 | |
| 
 | |
|     http://www.apache.org/licenses/LICENSE-2.0
 | |
| 
 | |
| Unless required by applicable law or agreed to in writing, software
 | |
| distributed under the License is distributed on an "AS IS" BASIS,
 | |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
| See the License for the specific language governing permissions and
 | |
| limitations under the License.
 | |
| */
 | |
| 
 | |
| package kubectl
 | |
| 
 | |
| import (
 | |
| 	"fmt"
 | |
| 	"net"
 | |
| 	"net/http"
 | |
| 	"net/http/httputil"
 | |
| 	"net/url"
 | |
| 	"os"
 | |
| 	"regexp"
 | |
| 	"strings"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/golang/glog"
 | |
| 	"k8s.io/kubernetes/pkg/client/restclient"
 | |
| 	"k8s.io/kubernetes/pkg/util"
 | |
| )
 | |
| 
 | |
| const (
 | |
| 	DefaultHostAcceptRE   = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$"
 | |
| 	DefaultPathAcceptRE   = "^/.*"
 | |
| 	DefaultPathRejectRE   = "^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach"
 | |
| 	DefaultMethodRejectRE = "POST,PUT,PATCH"
 | |
| )
 | |
| 
 | |
| var (
 | |
| 	// The reverse proxy will periodically flush the io writer at this frequency.
 | |
| 	// Only matters for long poll connections like the one used to watch. With an
 | |
| 	// interval of 0 the reverse proxy will buffer content sent on any connection
 | |
| 	// with transfer-encoding=chunked.
 | |
| 	// TODO: Flush after each chunk so the client doesn't suffer a 100ms latency per
 | |
| 	// watch event.
 | |
| 	ReverseProxyFlushInterval = 100 * time.Millisecond
 | |
| )
 | |
| 
 | |
| // FilterServer rejects requests which don't match one of the specified regular expressions
 | |
| type FilterServer struct {
 | |
| 	// Only paths that match this regexp will be accepted
 | |
| 	AcceptPaths []*regexp.Regexp
 | |
| 	// Paths that match this regexp will be rejected, even if they match the above
 | |
| 	RejectPaths []*regexp.Regexp
 | |
| 	// Hosts are required to match this list of regexp
 | |
| 	AcceptHosts []*regexp.Regexp
 | |
| 	// Methods that match this regexp are rejected
 | |
| 	RejectMethods []*regexp.Regexp
 | |
| 	// The delegate to call to handle accepted requests.
 | |
| 	delegate http.Handler
 | |
| }
 | |
| 
 | |
| // Splits a comma separated list of regexps into an array of Regexp objects.
 | |
| func MakeRegexpArray(str string) ([]*regexp.Regexp, error) {
 | |
| 	parts := strings.Split(str, ",")
 | |
| 	result := make([]*regexp.Regexp, len(parts))
 | |
| 	for ix := range parts {
 | |
| 		re, err := regexp.Compile(parts[ix])
 | |
| 		if err != nil {
 | |
| 			return nil, err
 | |
| 		}
 | |
| 		result[ix] = re
 | |
| 	}
 | |
| 	return result, nil
 | |
| }
 | |
| 
 | |
| func MakeRegexpArrayOrDie(str string) []*regexp.Regexp {
 | |
| 	result, err := MakeRegexpArray(str)
 | |
| 	if err != nil {
 | |
| 		glog.Fatalf("Error compiling re: %v", err)
 | |
| 	}
 | |
| 	return result
 | |
| }
 | |
| 
 | |
| func matchesRegexp(str string, regexps []*regexp.Regexp) bool {
 | |
| 	for _, re := range regexps {
 | |
| 		if re.MatchString(str) {
 | |
| 			glog.V(6).Infof("%v matched %s", str, re)
 | |
| 			return true
 | |
| 		}
 | |
| 	}
 | |
| 	return false
 | |
| }
 | |
| 
 | |
| func (f *FilterServer) accept(method, path, host string) bool {
 | |
| 	if matchesRegexp(path, f.RejectPaths) {
 | |
| 		return false
 | |
| 	}
 | |
| 	if matchesRegexp(method, f.RejectMethods) {
 | |
| 		return false
 | |
| 	}
 | |
| 	if matchesRegexp(path, f.AcceptPaths) && matchesRegexp(host, f.AcceptHosts) {
 | |
| 		return true
 | |
| 	}
 | |
| 	return false
 | |
| }
 | |
| 
 | |
| // Make a copy of f which passes requests along to the new delegate.
 | |
| func (f *FilterServer) HandlerFor(delegate http.Handler) *FilterServer {
 | |
| 	f2 := *f
 | |
| 	f2.delegate = delegate
 | |
| 	return &f2
 | |
| }
 | |
| 
 | |
| // Get host from a host header value like "localhost" or "localhost:8080"
 | |
| func extractHost(header string) (host string) {
 | |
| 	host, _, err := net.SplitHostPort(header)
 | |
| 	if err != nil {
 | |
| 		host = header
 | |
| 	}
 | |
| 	return host
 | |
| }
 | |
| 
 | |
| func (f *FilterServer) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 | |
| 	host := extractHost(req.Host)
 | |
| 	if f.accept(req.Method, req.URL.Path, host) {
 | |
| 		glog.V(3).Infof("Filter accepting %v %v %v", req.Method, req.URL.Path, host)
 | |
| 		f.delegate.ServeHTTP(rw, req)
 | |
| 		return
 | |
| 	}
 | |
| 	glog.V(3).Infof("Filter rejecting %v %v %v", req.Method, req.URL.Path, host)
 | |
| 	rw.WriteHeader(http.StatusForbidden)
 | |
| 	rw.Write([]byte("<h3>Unauthorized</h3>"))
 | |
| }
 | |
| 
 | |
| // ProxyServer is a http.Handler which proxies Kubernetes APIs to remote API server.
 | |
| type ProxyServer struct {
 | |
| 	handler http.Handler
 | |
| }
 | |
| 
 | |
| // NewProxyServer creates and installs a new ProxyServer.
 | |
| // It automatically registers the created ProxyServer to http.DefaultServeMux.
 | |
| // 'filter', if non-nil, protects requests to the api only.
 | |
| func NewProxyServer(filebase string, apiProxyPrefix string, staticPrefix string, filter *FilterServer, cfg *restclient.Config) (*ProxyServer, error) {
 | |
| 	host := cfg.Host
 | |
| 	if !strings.HasSuffix(host, "/") {
 | |
| 		host = host + "/"
 | |
| 	}
 | |
| 	target, err := url.Parse(host)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	proxy := newProxy(target)
 | |
| 	if proxy.Transport, err = restclient.TransportFor(cfg); err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	proxyServer := http.Handler(proxy)
 | |
| 	if filter != nil {
 | |
| 		proxyServer = filter.HandlerFor(proxyServer)
 | |
| 	}
 | |
| 
 | |
| 	if !strings.HasPrefix(apiProxyPrefix, "/api") {
 | |
| 		proxyServer = stripLeaveSlash(apiProxyPrefix, proxyServer)
 | |
| 	}
 | |
| 
 | |
| 	mux := http.NewServeMux()
 | |
| 	mux.Handle(apiProxyPrefix, proxyServer)
 | |
| 	if filebase != "" {
 | |
| 		// Require user to explicitly request this behavior rather than
 | |
| 		// serving their working directory by default.
 | |
| 		mux.Handle(staticPrefix, newFileHandler(staticPrefix, filebase))
 | |
| 	}
 | |
| 	return &ProxyServer{handler: mux}, nil
 | |
| }
 | |
| 
 | |
| // Listen is a simple wrapper around net.Listen.
 | |
| func (s *ProxyServer) Listen(address string, port int) (net.Listener, error) {
 | |
| 	return net.Listen("tcp", fmt.Sprintf("%s:%d", address, port))
 | |
| }
 | |
| 
 | |
| // ListenUnix does net.Listen for a unix socket
 | |
| func (s *ProxyServer) ListenUnix(path string) (net.Listener, error) {
 | |
| 	// Remove any socket, stale or not, but fall through for other files
 | |
| 	fi, err := os.Stat(path)
 | |
| 	if err == nil && (fi.Mode()&os.ModeSocket) != 0 {
 | |
| 		os.Remove(path)
 | |
| 	}
 | |
| 	// Default to only user accessible socket, caller can open up later if desired
 | |
| 	oldmask, _ := util.Umask(0077)
 | |
| 	l, err := net.Listen("unix", path)
 | |
| 	util.Umask(oldmask)
 | |
| 	return l, err
 | |
| }
 | |
| 
 | |
| // Serve starts the server using given listener, loops forever.
 | |
| func (s *ProxyServer) ServeOnListener(l net.Listener) error {
 | |
| 	server := http.Server{
 | |
| 		Handler: s.handler,
 | |
| 	}
 | |
| 	return server.Serve(l)
 | |
| }
 | |
| 
 | |
| func newProxy(target *url.URL) *httputil.ReverseProxy {
 | |
| 	director := func(req *http.Request) {
 | |
| 		req.URL.Scheme = target.Scheme
 | |
| 		req.URL.Host = target.Host
 | |
| 		req.URL.Path = singleJoiningSlash(target.Path, req.URL.Path)
 | |
| 	}
 | |
| 	return &httputil.ReverseProxy{Director: director, FlushInterval: ReverseProxyFlushInterval}
 | |
| }
 | |
| 
 | |
| func newFileHandler(prefix, base string) http.Handler {
 | |
| 	return http.StripPrefix(prefix, http.FileServer(http.Dir(base)))
 | |
| }
 | |
| 
 | |
| func singleJoiningSlash(a, b string) string {
 | |
| 	aslash := strings.HasSuffix(a, "/")
 | |
| 	bslash := strings.HasPrefix(b, "/")
 | |
| 	switch {
 | |
| 	case aslash && bslash:
 | |
| 		return a + b[1:]
 | |
| 	case !aslash && !bslash:
 | |
| 		return a + "/" + b
 | |
| 	}
 | |
| 	return a + b
 | |
| }
 | |
| 
 | |
| // like http.StripPrefix, but always leaves an initial slash. (so that our
 | |
| // regexps will work.)
 | |
| func stripLeaveSlash(prefix string, h http.Handler) http.Handler {
 | |
| 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 | |
| 		p := strings.TrimPrefix(req.URL.Path, prefix)
 | |
| 		if len(p) >= len(req.URL.Path) {
 | |
| 			http.NotFound(w, req)
 | |
| 			return
 | |
| 		}
 | |
| 		if len(p) > 0 && p[:1] != "/" {
 | |
| 			p = "/" + p
 | |
| 		}
 | |
| 		req.URL.Path = p
 | |
| 		h.ServeHTTP(w, req)
 | |
| 	})
 | |
| }
 |