Add mappings for Webhook authorization mode. #7344

Merged
merged 2 commits into from
Aug 1, 2019
6 changes: 6 additions & 0 deletions pkg/apis/kops/componentconfig.go
Expand Up @@ -385,6 +385,12 @@ type KubeAPIServerConfig struct {
AuthenticationTokenWebhookCacheTTL *metav1.Duration `json:"authenticationTokenWebhookCacheTtl,omitempty" flag:"authentication-token-webhook-cache-ttl"`
// AuthorizationMode is the authorization mode the kubeapi is running in
AuthorizationMode *string `json:"authorizationMode,omitempty" flag:"authorization-mode"`
// File with webhook configuration for authorization in kubeconfig format. The API server will query the remote service to determine whether to authorize the request.
AuthorizationWebhookConfigFile *string `json:"authorizationWebhookConfigFile,omitempty" flag:"authorization-webhook-config-file"`
// The duration to cache authorized responses from the webhook token authorizer. Default is 5m. (default 5m0s)
AuthorizationWebhookCacheAuthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheAuthorizedTtl,omitempty" flag:"authorization-webhook-cache-authorized-ttl"`
// The duration to cache authorized responses from the webhook token authorizer. Default is 30s. (default 30s)
AuthorizationWebhookCacheUnauthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheUnauthorizedTtl,omitempty" flag:"authorization-webhook-cache-unauthorized-ttl"`
// AuthorizationRBACSuperUser is the name of the superuser for default rbac
AuthorizationRBACSuperUser *string `json:"authorizationRbacSuperUser,omitempty" flag:"authorization-rbac-super-user"`
// ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
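Review bot: The comment on AuthorizationWebhookCacheUnauthorizedTTL is a copy of the one above it and describes "authorized responses", and both attribute the cache to the "webhook token authorizer", which is the authentication webhook rather than the authorization webhook these flags configure; the same copy-paste appears in pkg/apis/kops/v1alpha1/componentconfig.go and pkg/apis/kops/v1alpha2/componentconfig.go. The neighbouring fields all start their comment with the field name, so the three new ones should follow: `// AuthorizationWebhookConfigFile is the path to a kubeconfig-format file describing the authorization webhook; required when AuthorizationMode includes "Webhook".`, `// AuthorizationWebhookCacheAuthorizedTTL is how long "allowed" decisions from the webhook authorizer are cached (apiserver default 5m).` and `// AuthorizationWebhookCacheUnauthorizedTTL is how long "denied" decisions from the webhook authorizer are cached (apiserver default 30s).`. The "Default is 5m. (default 5m0s)" wording repeats itself and, since kops does not set a value here, presumably refers to the kube-apiserver default — worth saying so. It is also worth stating in the AuthorizedTTL comment that an "allowed" decision stays cached for the full TTL, so a long value delays the point at which a revoked permission takes effect.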
6 changes: 6 additions & 0 deletions pkg/apis/kops/v1alpha1/componentconfig.go
Expand Up @@ -385,6 +385,12 @@ type KubeAPIServerConfig struct {
AuthenticationTokenWebhookCacheTTL *metav1.Duration `json:"authenticationTokenWebhookCacheTtl,omitempty" flag:"authentication-token-webhook-cache-ttl"`
// AuthorizationMode is the authorization mode the kubeapi is running in
AuthorizationMode *string `json:"authorizationMode,omitempty" flag:"authorization-mode"`
// File with webhook configuration for authorization in kubeconfig format. The API server will query the remote service to determine whether to authorize the request.
AuthorizationWebhookConfigFile *string `json:"authorizationWebhookConfigFile,omitempty" flag:"authorization-webhook-config-file"`
// The duration to cache authorized responses from the webhook token authorizer. Default is 5m. (default 5m0s)
AuthorizationWebhookCacheAuthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheAuthorizedTtl,omitempty" flag:"authorization-webhook-cache-authorized-ttl"`
// The duration to cache authorized responses from the webhook token authorizer. Default is 30s. (default 30s)
AuthorizationWebhookCacheUnauthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheUnauthorizedTtl,omitempty" flag:"authorization-webhook-cache-unauthorized-ttl"`
// AuthorizationRBACSuperUser is the name of the superuser for default rbac
AuthorizationRBACSuperUser *string `json:"authorizationRbacSuperUser,omitempty" flag:"authorization-rbac-super-user"`
// ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
6 changes: 6 additions & 0 deletions pkg/apis/kops/v1alpha1/zz_generated.conversion.go


15 changes: 15 additions & 0 deletions pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go


6 changes: 6 additions & 0 deletions pkg/apis/kops/v1alpha2/componentconfig.go
Expand Up @@ -385,6 +385,12 @@ type KubeAPIServerConfig struct {
AuthenticationTokenWebhookCacheTTL *metav1.Duration `json:"authenticationTokenWebhookCacheTtl,omitempty" flag:"authentication-token-webhook-cache-ttl"`
// AuthorizationMode is the authorization mode the kubeapi is running in
AuthorizationMode *string `json:"authorizationMode,omitempty" flag:"authorization-mode"`
// File with webhook configuration for authorization in kubeconfig format. The API server will query the remote service to determine whether to authorize the request.
AuthorizationWebhookConfigFile *string `json:"authorizationWebhookConfigFile,omitempty" flag:"authorization-webhook-config-file"`
// The duration to cache authorized responses from the webhook token authorizer. Default is 5m. (default 5m0s)
AuthorizationWebhookCacheAuthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheAuthorizedTtl,omitempty" flag:"authorization-webhook-cache-authorized-ttl"`
// The duration to cache authorized responses from the webhook token authorizer. Default is 30s. (default 30s)
AuthorizationWebhookCacheUnauthorizedTTL *metav1.Duration `json:"authorizationWebhookCacheUnauthorizedTtl,omitempty" flag:"authorization-webhook-cache-unauthorized-ttl"`
// AuthorizationRBACSuperUser is the name of the superuser for default rbac
AuthorizationRBACSuperUser *string `json:"authorizationRbacSuperUser,omitempty" flag:"authorization-rbac-super-user"`
// ExperimentalEncryptionProviderConfig enables encryption at rest for secrets.
6 changes: 6 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.conversion.go


15 changes: 15 additions & 0 deletions pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go


7 changes: 7 additions & 0 deletions pkg/apis/kops/validation/validation.go
Expand Up @@ -266,6 +266,13 @@ func validateKubeAPIServer(v *kops.KubeAPIServerConfig, fldPath *field.Path) fie
}
}

if v.AuthorizationMode != nil && strings.Contains(*v.AuthorizationMode, "Webhook") {
if v.AuthorizationWebhookConfigFile == nil {
flds := [2]*string{v.AuthorizationMode, v.AuthorizationWebhookConfigFile}
That's an unusual syntax - I would have expected you could just use []*string{ v.AuthorizationMode, v.AuthorizationWebhookConfigFile}

I literally wrote my first lines of Go last week, so any unusual syntax is more due to incompetence rather than any desire to be different ;) In this case though I think I saw this syntax used on line 257 above and figured there's probably a point in doing it like that.

allErrs = append(allErrs, field.Invalid(fldPath, flds, "Authorization mode Webhook requires AuthorizationWebhookConfigFile to be specified"))
}
}

return allErrs
}

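Review bot: The new check only rejects a nil AuthorizationWebhookConfigFile, so an explicitly empty string passes validation even though the apiserver cannot start with an empty webhook config path; the condition should be `if v.AuthorizationWebhookConfigFile == nil || *v.AuthorizationWebhookConfigFile == "" {`. The `strings.Contains(*v.AuthorizationMode, "Webhook")` test is a substring match over what is a comma-separated list of mode names; matching the exact token is cheap and avoids a false positive should a mode name ever contain "Webhook". Passing a `[2]*string` as the bad value to field.Invalid will most likely render as pointer addresses in the error text rather than the mode string, though this mirrors the existing ProxyClientCertFile check the review thread refers to, so it could be a follow-up. validateKubeAPIServer begins outside the hunk. A token-exact version of the block:
```go
	if v.AuthorizationMode != nil {
		for _, mode := range strings.Split(*v.AuthorizationMode, ",") {
			if mode != "Webhook" {
				continue
			}
			if v.AuthorizationWebhookConfigFile == nil || *v.AuthorizationWebhookConfigFile == "" {
				flds := [2]*string{v.AuthorizationMode, v.AuthorizationWebhookConfigFile}
				allErrs = append(allErrs, field.Invalid(fldPath, flds, "Authorization mode Webhook requires AuthorizationWebhookConfigFile to be specified"))
			}
			break
		}
	}
	// … unchanged: return allErrs …
```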
29 changes: 29 additions & 0 deletions pkg/apis/kops/validation/validation_test.go
Expand Up @@ -146,10 +146,12 @@ func TestValidateSubnets(t *testing.T) {

func TestValidateKubeAPIServer(t *testing.T) {
str := "foobar"
authzMode := "RBAC,Webhook"

grid := []struct {
Input kops.KubeAPIServerConfig
ExpectedErrors []string
ExpectedDetail string
}{
{
Input: kops.KubeAPIServerConfig{
Expand All @@ -158,6 +160,7 @@ func TestValidateKubeAPIServer(t *testing.T) {
ExpectedErrors: []string{
"Invalid value::KubeAPIServer",
},
ExpectedDetail: "ProxyClientCertFile and ProxyClientKeyFile must both be specified (or not all)",
},
{
Input: kops.KubeAPIServerConfig{
Expand All @@ -166,6 +169,7 @@ func TestValidateKubeAPIServer(t *testing.T) {
ExpectedErrors: []string{
"Invalid value::KubeAPIServer",
},
ExpectedDetail: "ProxyClientCertFile and ProxyClientKeyFile must both be specified (or not all)",
},
{
Input: kops.KubeAPIServerConfig{
Expand All @@ -175,11 +179,36 @@ func TestValidateKubeAPIServer(t *testing.T) {
"Invalid value::KubeAPIServer",
},
},
{
Input: kops.KubeAPIServerConfig{
AuthorizationMode: &authzMode,
},
ExpectedErrors: []string{
"Invalid value::KubeAPIServer",
},
ExpectedDetail: "Authorization mode Webhook requires AuthorizationWebhookConfigFile to be specified",
},
}
for _, g := range grid {
errs := validateKubeAPIServer(&g.Input, field.NewPath("KubeAPIServer"))

testErrors(t, g.Input, errs, g.ExpectedErrors)

if g.ExpectedDetail != "" {
found := false
for _, err := range errs {
if err.Detail == g.ExpectedDetail {
found = true
}
}
if !found {
for _, err := range errs {
t.Logf("found detail: %q", err.Detail)
}

t.Errorf("did not find expected error %q", g.ExpectedDetail)
}
}
}
}

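Review bot: The grid gains only the negative case for Webhook mode (mode set, config file missing); there is no case showing that "RBAC,Webhook" with a config file set produces no error, nor that a mode list without "Webhook" is left alone, so a regression that rejects every non-nil AuthorizationMode would still pass this test. Adding a positive entry such as the one below covers the first gap, assuming testErrors treats an absent ExpectedErrors as "expect none" — confirm against its implementation, which is outside the hunk. The detail-search loop can also `break` once `found` is set to true rather than scanning the remaining errors. Parts of the grid are collapsed in this view.
```go
		{
			Input: kops.KubeAPIServerConfig{
				AuthorizationMode:              &authzMode,
				AuthorizationWebhookConfigFile: &str,
			},
		},
		// … unchanged: remaining grid entries and the range loop …
```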
15 changes: 15 additions & 0 deletions pkg/apis/kops/zz_generated.deepcopy.go


18 changes: 18 additions & 0 deletions pkg/flagbuilder/buildflags_test.go
Expand Up @@ -196,6 +196,24 @@ func TestBuildAPIServerFlags(t *testing.T) {
},
Expected: "--audit-webhook-batch-max-size=1000 --insecure-port=0 --secure-port=0",
},
{
Config: &kops.KubeAPIServerConfig{
AuthorizationWebhookConfigFile: fi.String("/authorization.yaml"),
},
Expected: "--authorization-webhook-config-file=/authorization.yaml --insecure-port=0 --secure-port=0",
},
{
Config: &kops.KubeAPIServerConfig{
AuthorizationWebhookCacheAuthorizedTTL: &metav1.Duration{Duration: 100 * time.Second},
},
Expected: "--authorization-webhook-cache-authorized-ttl=1m40s --insecure-port=0 --secure-port=0",
},
{
Config: &kops.KubeAPIServerConfig{
AuthorizationWebhookCacheUnauthorizedTTL: &metav1.Duration{Duration: 10 * time.Second},
},
Expected: "--authorization-webhook-cache-unauthorized-ttl=10s --insecure-port=0 --secure-port=0",
},
}

for _, test := range grid {