From 475493ced69f47dd78d72ff98bf2c5853fc5ea19 Mon Sep 17 00:00:00 2001 From: p0lyn0mial Date: Wed, 27 Sep 2017 22:05:34 +0200 Subject: [PATCH] moved admission interfaces WantsClientCert, WantsAuthorizer and WantsExternalKubeClientSet to apiserver --- cmd/kube-apiserver/app/server.go | 32 +++++++++------ .../cmd/federation-apiserver/app/server.go | 2 + pkg/kubeapiserver/admission/BUILD | 2 + pkg/kubeapiserver/admission/init_test.go | 19 +-------- pkg/kubeapiserver/admission/initializer.go | 40 ++----------------- .../security/podsecuritypolicy/BUILD | 1 + .../security/podsecuritypolicy/admission.go | 3 +- plugin/pkg/admission/webhook/BUILD | 1 + plugin/pkg/admission/webhook/admission.go | 8 +++- .../pkg/admission/initializer/initializer.go | 19 +++++++-- .../admission/initializer/initializer_test.go | 32 +++++++++++++-- .../pkg/admission/initializer/interfaces.go | 7 ++++ .../namespace/lifecycle/admission_test.go | 2 +- .../apiserver/pkg/server/options/admission.go | 11 +++-- .../sample-apiserver/pkg/cmd/server/start.go | 2 +- 15 files changed, 98 insertions(+), 83 deletions(-) diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go index 99d7993b972da..fb4e3d0cb5594 100644 --- a/cmd/kube-apiserver/app/server.go +++ b/cmd/kube-apiserver/app/server.go 
@@ -467,9 +467,28 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp return nil, nil, nil, nil, nil, fmt.Errorf("failed to create admission plugin initializer: %v", err) } + // TODO: this is the wrong cert/key pair. + // Given the generic case of webhook admission from a generic apiserver, + // this key pair should be signed by the the API server's client CA. + // Read client cert/key for plugins that need to make calls out + certBytes, keyBytes := []byte{}, []byte{} + if len(s.ProxyClientCertFile) > 0 && len(s.ProxyClientKeyFile) > 0 { + var err error + certBytes, err = ioutil.ReadFile(s.ProxyClientCertFile) + if err != nil { + return nil, nil, nil, nil, nil, fmt.Errorf("failed to read proxy client cert file from: %s, err: %v", s.ProxyClientCertFile, err) + } + keyBytes, err = ioutil.ReadFile(s.ProxyClientKeyFile) + if err != nil { + return nil, nil, nil, nil, nil, fmt.Errorf("failed to read proxy client key file from: %s, err: %v", s.ProxyClientKeyFile, err) + } + } + err = s.Admission.ApplyTo( genericConfig, versionedInformers, + certBytes, + keyBytes, pluginInitializer) if err != nil { return nil, nil, nil, nil, nil, fmt.Errorf("failed to initialize admission: %v", err) 
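Review bot: `certBytes, keyBytes := []byte{}, []byte{}` in BuildGenericConfig makes both slices non-nil even when no proxy client cert is configured. Assuming SetClientCert stores the slices as given, the `a.clientCert == nil || a.clientKey == nil` check this commit adds to GenericAdmissionWebhook.Validate (plugin/pkg/admission/webhook/admission.go) will not fire for kube-apiserver, and the webhook plugin starts with an empty identity where the removed initializer code used to panic. Declare them as `var certBytes, keyBytes []byte` and have Validate test `len(a.clientCert) == 0 || len(a.clientKey) == 0`. The `if` is also skipped silently when only one of ProxyClientCertFile and ProxyClientKeyFile is set; returning an error for a half-configured pair would surface the misconfiguration at startup. BuildGenericConfig's body continues outside the hunk.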
@@ -498,19 +517,6 @@ func BuildAdmissionPluginInitializer(s *options.ServerRunOptions, client interna pluginInitializer := kubeapiserveradmission.NewPluginInitializer(client, externalClient, sharedInformers, apiAuthorizer, cloudConfig, restMapper, quotaRegistry) - // Read client cert/key for plugins that need to make calls out - if len(s.ProxyClientCertFile) > 0 && len(s.ProxyClientKeyFile) > 0 { - certBytes, err := ioutil.ReadFile(s.ProxyClientCertFile) - if err != nil { - return nil, err - } - keyBytes, err := ioutil.ReadFile(s.ProxyClientKeyFile) - if err != nil { - return nil, err - } - pluginInitializer = pluginInitializer.SetClientCert(certBytes, keyBytes) - } - pluginInitializer = pluginInitializer.SetServiceResolver(serviceResolver) pluginInitializer = pluginInitializer.SetProxyTransport(proxyTransport) diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go index 666ff0dc55110..b8ffbc4aff4f7 100644 --- a/federation/cmd/federation-apiserver/app/server.go +++ b/federation/cmd/federation-apiserver/app/server.go @@ -219,6 +219,8 @@ func NonBlockingRun(s *options.ServerRunOptions, stopCh <-chan struct{}) error { err = s.Admission.ApplyTo( genericConfig, versionedInformers, + nil, + nil, pluginInitializer, ) if err != nil { diff --git a/pkg/kubeapiserver/admission/BUILD b/pkg/kubeapiserver/admission/BUILD index 95a3eb4c30655..ae4b077170d18 100644 --- a/pkg/kubeapiserver/admission/BUILD +++ b/pkg/kubeapiserver/admission/BUILD @@ -12,6 +12,7 @@ go_test( library = ":go_default_library", deps = [ "//vendor/k8s.io/apiserver/pkg/admission:go_default_library", + "//vendor/k8s.io/apiserver/pkg/admission/initializer:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", ], ) 
@@ -25,6 +26,7 @@ go_library( "//pkg/quota:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library", "//vendor/k8s.io/apiserver/pkg/admission:go_default_library", + "//vendor/k8s.io/apiserver/pkg/admission/initializer:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", "//vendor/k8s.io/client-go/kubernetes:go_default_library", ], diff --git a/pkg/kubeapiserver/admission/init_test.go b/pkg/kubeapiserver/admission/init_test.go index 74d24fe58ac55..be25c86ebf946 100644 --- a/pkg/kubeapiserver/admission/init_test.go +++ b/pkg/kubeapiserver/admission/init_test.go @@ -21,6 +21,7 @@ import ( "testing" "k8s.io/apiserver/pkg/admission" + genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer" "k8s.io/apiserver/pkg/authorization/authorizer" ) @@ -51,7 +52,7 @@ func (self *WantAuthorizerAdmission) SetAuthorizer(a authorizer.Authorizer) { } var _ admission.Interface = &WantAuthorizerAdmission{} -var _ WantsAuthorizer = &WantAuthorizerAdmission{} +var _ genericadmissioninit.WantsAuthorizer = &WantAuthorizerAdmission{} // TestWantsAuthorizer ensures that the authorizer is injected when the WantsAuthorizer // interface is implemented. @@ -106,19 +107,3 @@ func TestWantsServiceResolver(t *testing.T) { t.Errorf("plumbing fail - %v %v#", ok, got) } } - -type clientCertWanter struct { - doNothingAdmission - gotCert, gotKey []byte -} - -func (s *clientCertWanter) SetClientCert(cert, key []byte) { s.gotCert, s.gotKey = cert, key } - -func TestWantsClientCert(t *testing.T) { - i := &PluginInitializer{} - ccw := &clientCertWanter{} - i.SetClientCert([]byte("cert"), []byte("key")).Initialize(ccw) - if string(ccw.gotCert) != "cert" || string(ccw.gotKey) != "key" { - t.Errorf("plumbing fail - %v %v", ccw.gotCert, ccw.gotKey) - } -} diff --git a/pkg/kubeapiserver/admission/initializer.go b/pkg/kubeapiserver/admission/initializer.go index 1c62cfec2afa9..daf6e41f77dd8 100644 
--- a/pkg/kubeapiserver/admission/initializer.go +++ b/pkg/kubeapiserver/admission/initializer.go @@ -22,6 +22,7 @@ import ( "k8s.io/apimachinery/pkg/api/meta" "k8s.io/apiserver/pkg/admission" + admissioninit "k8s.io/apiserver/pkg/admission/initializer" "k8s.io/apiserver/pkg/authorization/authorizer" clientset "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" @@ -37,24 +38,12 @@ type WantsInternalKubeClientSet interface { admission.Validator } -// WantsExternalKubeClientSet defines a function which sets ClientSet for admission plugins that need it -type WantsExternalKubeClientSet interface { - SetExternalKubeClientSet(clientset.Interface) - admission.Validator -} - // WantsInternalKubeInformerFactory defines a function which sets InformerFactory for admission plugins that need it type WantsInternalKubeInformerFactory interface { SetInternalKubeInformerFactory(informers.SharedInformerFactory) admission.Validator } -// WantsAuthorizer defines a function which sets Authorizer for admission plugins that need it. -type WantsAuthorizer interface { - SetAuthorizer(authorizer.Authorizer) - admission.Validator -} - // WantsCloudConfig defines a function which sets CloudConfig for admission plugins that need it. type WantsCloudConfig interface { SetCloudConfig([]byte) @@ -77,12 +66,6 @@ type WantsServiceResolver interface { SetServiceResolver(ServiceResolver) } -// WantsClientCert defines a fuction that accepts a cert & key for admission -// plugins that need to make calls and prove their identity. -type WantsClientCert interface { - SetClientCert(cert, key []byte) -} - // ServiceResolver knows how to convert a service reference into an actual // location. type ServiceResolver interface { @@ -106,8 +89,6 @@ type PluginInitializer struct { serviceResolver ServiceResolver // for proving we are apiserver in call-outs - clientCert []byte - clientKey []byte proxyTransport *http.Transport } 
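Review bot: The import added to pkg/kubeapiserver/admission/initializer.go aliases `k8s.io/apiserver/pkg/admission/initializer` as `admissioninit`, while the other files in this commit import the same package as `genericadmissioninit`. plugin/pkg/admission/webhook/admission.go also appears to use `admissioninit` for the kubeapiserver admission package (`admissioninit.WantsServiceResolver`), so one alias would name two different packages across the tree. That makes it easy to misread which initializer supplies an interface; use `genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"` here too and update the two type assertions in Initialize to match.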
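Review bot: In the PluginInitializer struct, the comment `// for proving we are apiserver in call-outs` described the removed clientCert/clientKey fields and now appears to sit directly above `proxyTransport`, where it reads as if the transport carries the server identity. Drop it, or replace it with a comment for the remaining field such as `// proxyTransport is handed to plugins that implement WantsProxyTransport`. The struct declaration starts outside the hunk.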
@@ -142,14 +123,6 @@ func (i *PluginInitializer) SetServiceResolver(s ServiceResolver) *PluginInitial return i } -// SetClientCert sets the client cert & key (identity used for calling out to -// web hooks) which is needed by some plugins. -func (i *PluginInitializer) SetClientCert(cert, key []byte) *PluginInitializer { - i.clientCert = cert - i.clientKey = key - return i -} - // SetProxyTransport sets the proxyTransport which is needed by some plugins. func (i *PluginInitializer) SetProxyTransport(proxyTransport *http.Transport) *PluginInitializer { i.proxyTransport = proxyTransport @@ -163,7 +136,7 @@ func (i *PluginInitializer) Initialize(plugin admission.Interface) { wants.SetInternalKubeClientSet(i.internalClient) } - if wants, ok := plugin.(WantsExternalKubeClientSet); ok { + if wants, ok := plugin.(admissioninit.WantsExternalKubeClientSet); ok { wants.SetExternalKubeClientSet(i.externalClient) } @@ -171,7 +144,7 @@ func (i *PluginInitializer) Initialize(plugin admission.Interface) { wants.SetInternalKubeInformerFactory(i.informers) } - if wants, ok := plugin.(WantsAuthorizer); ok { + if wants, ok := plugin.(admissioninit.WantsAuthorizer); ok { wants.SetAuthorizer(i.authorizer) } @@ -191,13 +164,6 @@ func (i *PluginInitializer) Initialize(plugin admission.Interface) { wants.SetServiceResolver(i.serviceResolver) } - if wants, ok := plugin.(WantsClientCert); ok { - if i.clientCert == nil || i.clientKey == nil { - panic("An admission plugin wants a client cert/key, but they were not provided.") - } - wants.SetClientCert(i.clientCert, i.clientKey) - } - if wants, ok := plugin.(WantsProxyTransport); ok { wants.SetProxyTransport(i.proxyTransport) } diff --git a/plugin/pkg/admission/security/podsecuritypolicy/BUILD b/plugin/pkg/admission/security/podsecuritypolicy/BUILD index a377da0fb2873..ed752d9e017bd 100644 --- a/plugin/pkg/admission/security/podsecuritypolicy/BUILD +++ b/plugin/pkg/admission/security/podsecuritypolicy/BUILD 
@@ -24,6 +24,7 @@ go_library( "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", "//vendor/k8s.io/apiserver/pkg/admission:go_default_library", + "//vendor/k8s.io/apiserver/pkg/admission/initializer:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", ], diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission.go b/plugin/pkg/admission/security/podsecuritypolicy/admission.go index 1a68ab3ffa740..e0eb705a4e1c5 100644 --- a/plugin/pkg/admission/security/podsecuritypolicy/admission.go +++ b/plugin/pkg/admission/security/podsecuritypolicy/admission.go @@ -26,6 +26,7 @@ import ( "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apiserver/pkg/admission" + genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/kubernetes/pkg/api" @@ -82,7 +83,7 @@ func (plugin *podSecurityPolicyPlugin) Validate() error { } var _ admission.Interface = &podSecurityPolicyPlugin{} -var _ kubeapiserveradmission.WantsAuthorizer = &podSecurityPolicyPlugin{} +var _ genericadmissioninit.WantsAuthorizer = &podSecurityPolicyPlugin{} var _ kubeapiserveradmission.WantsInternalKubeInformerFactory = &podSecurityPolicyPlugin{} // NewPlugin creates a new PSP admission plugin. diff --git a/plugin/pkg/admission/webhook/BUILD b/plugin/pkg/admission/webhook/BUILD index c90a9320dab2a..79d17e4db4a6c 100644 --- a/plugin/pkg/admission/webhook/BUILD +++ b/plugin/pkg/admission/webhook/BUILD 
@@ -52,6 +52,7 @@ go_library( "//vendor/k8s.io/apimachinery/pkg/util/runtime:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library", "//vendor/k8s.io/apiserver/pkg/admission:go_default_library", + "//vendor/k8s.io/apiserver/pkg/admission/initializer:go_default_library", "//vendor/k8s.io/client-go/kubernetes:go_default_library", "//vendor/k8s.io/client-go/rest:go_default_library", ], diff --git a/plugin/pkg/admission/webhook/admission.go b/plugin/pkg/admission/webhook/admission.go index 63dd7903c1d56..f664243914438 100644 --- a/plugin/pkg/admission/webhook/admission.go +++ b/plugin/pkg/admission/webhook/admission.go @@ -38,6 +38,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apiserver/pkg/admission" + genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer" clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" "k8s.io/kubernetes/pkg/api" @@ -114,8 +115,8 @@ type GenericAdmissionWebhook struct { var ( _ = admissioninit.WantsServiceResolver(&GenericAdmissionWebhook{}) - _ = admissioninit.WantsClientCert(&GenericAdmissionWebhook{}) - _ = admissioninit.WantsExternalKubeClientSet(&GenericAdmissionWebhook{}) + _ = genericadmissioninit.WantsClientCert(&GenericAdmissionWebhook{}) + _ = genericadmissioninit.WantsExternalKubeClientSet(&GenericAdmissionWebhook{}) ) func (a *GenericAdmissionWebhook) SetProxyTransport(pt *http.Transport) { @@ -140,6 +141,9 @@ func (a *GenericAdmissionWebhook) SetExternalKubeClientSet(client clientset.Inte } func (a *GenericAdmissionWebhook) Validate() error { + if a.clientCert == nil || a.clientKey == nil { + return fmt.Errorf("the GenericAdmissionWebhook admission plugin requires a client certificate and the private key to be provided") + } if a.hookSource == nil { return fmt.Errorf("the GenericAdmissionWebhook admission plugin requires a Kubernetes client to be provided") } 
diff --git a/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer.go b/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer.go index c0b1e1d25b756..3120087e17ec2 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer.go @@ -27,14 +27,21 @@ type pluginInitializer struct { externalClient kubernetes.Interface externalInformers informers.SharedInformerFactory authorizer authorizer.Authorizer + // serverIdentifyingClientCert used to provide identity when calling out to admission plugins + serverIdentifyingClientCert []byte + // serverIdentifyingClientKey private key for the client certificate used when calling out to admission plugins + serverIdentifyingClientKey []byte } // New creates an instance of admission plugins initializer. -func New(extClientset kubernetes.Interface, extInformers informers.SharedInformerFactory, authz authorizer.Authorizer) (pluginInitializer, error) { +// TODO(p0lyn0mial): make the parameters public, this construction seems to be redundant. +func New(extClientset kubernetes.Interface, extInformers informers.SharedInformerFactory, authz authorizer.Authorizer, serverIdentifyingClientCert, serverIdentifyingClientKey []byte) (pluginInitializer, error) { return pluginInitializer{ - externalClient: extClientset, - externalInformers: extInformers, - authorizer: authz, + externalClient: extClientset, + externalInformers: extInformers, + authorizer: authz, + serverIdentifyingClientCert: serverIdentifyingClientCert, + serverIdentifyingClientKey: serverIdentifyingClientKey, }, nil } 
@@ -52,6 +59,10 @@ func (i pluginInitializer) Initialize(plugin admission.Interface) { if wants, ok := plugin.(WantsAuthorizer); ok { wants.SetAuthorizer(i.authorizer) } + + if wants, ok := plugin.(WantsClientCert); ok { + wants.SetClientCert(i.serverIdentifyingClientCert, i.serverIdentifyingClientKey) + } } var _ admission.PluginInitializer = pluginInitializer{} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer_test.go b/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer_test.go index 03540d907ff3e..2bd805ff5ed8b 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer_test.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/initializer/initializer_test.go @@ -31,7 +31,7 @@ import ( // TestWantsAuthorizer ensures that the authorizer is injected // when the WantsAuthorizer interface is implemented by a plugin. func TestWantsAuthorizer(t *testing.T) { - target, err := initializer.New(nil, nil, &TestAuthorizer{}) + target, err := initializer.New(nil, nil, &TestAuthorizer{}, nil, nil) if err != nil { t.Fatalf("expected to create an instance of initializer but got an error = %s", err.Error()) } @@ -46,7 +46,7 @@ func TestWantsAuthorizer(t *testing.T) { // when the WantsExternalKubeClientSet interface is implemented by a plugin. func TestWantsExternalKubeClientSet(t *testing.T) { cs := &fake.Clientset{} - target, err := initializer.New(cs, nil, &TestAuthorizer{}) + target, err := initializer.New(cs, nil, &TestAuthorizer{}, nil, nil) if err != nil { t.Fatalf("expected to create an instance of initializer but got an error = %s", err.Error()) } 
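Review bot: Initialize passes `i.serverIdentifyingClientCert` and `i.serverIdentifyingClientKey` to every plugin implementing WantsClientCert, so all of them share the same backing arrays for the private key. A plugin that modifies or zeroes its buffer would change what every later plugin receives. If plugins are not meant to share that buffer, hand each one a copy, e.g. `wants.SetClientCert(append([]byte(nil), i.serverIdentifyingClientCert...), append([]byte(nil), i.serverIdentifyingClientKey...))`, which also keeps a nil input nil. Initialize's body starts outside the hunk.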
@@ -62,7 +62,7 @@ func TestWantsExternalKubeClientSet(t *testing.T) { func TestWantsExternalKubeInformerFactory(t *testing.T) { cs := &fake.Clientset{} sf := informers.NewSharedInformerFactory(cs, time.Duration(1)*time.Second) - target, err := initializer.New(cs, sf, &TestAuthorizer{}) + target, err := initializer.New(cs, sf, &TestAuthorizer{}, nil, nil) if err != nil { t.Fatalf("expected to create an instance of initializer but got an error = %s", err.Error()) } @@ -73,6 +73,20 @@ func TestWantsExternalKubeInformerFactory(t *testing.T) { } } +// TestWantsClientCert ensures that the client certificate and key are injected +// when the WantsClientCert interface is implemented by a plugin. +func TestWantsClientCert(t *testing.T) { + target, err := initializer.New(nil, nil, nil, []byte("cert"), []byte("key")) + if err != nil { + t.Fatalf("expected to create an instance of initializer but got an error = %s", err.Error()) + } + wantClientCert := &clientCertWanter{} + target.Initialize(wantClientCert) + if string(wantClientCert.gotCert) != "cert" || string(wantClientCert.gotKey) != "key" { + t.Errorf("expected client cert to be initialized, clientCert = %v, clientKey = %v", wantClientCert.gotCert, wantClientCert.gotKey) + } +} + // WantExternalKubeInformerFactory is a test stub that fulfills the WantsExternalKubeInformerFactory interface type WantExternalKubeInformerFactory struct { sf informers.SharedInformerFactory 
@@ -114,9 +128,19 @@ func (self *WantAuthorizerAdmission) Validate() error { re var _ admission.Interface = &WantAuthorizerAdmission{} var _ initializer.WantsAuthorizer = &WantAuthorizerAdmission{} -// TestAuthorizer is a test stub for testing that fulfills the authorizer interface. +// TestAuthorizer is a test stub that fulfills the WantsAuthorizer interface. type TestAuthorizer struct{} func (t *TestAuthorizer) Authorize(a authorizer.Attributes) (authorized bool, reason string, err error) { return false, "", nil } + +// wantClientCert is a test stub for testing that fulfulls the WantsClientCert interface. +type clientCertWanter struct { + gotCert, gotKey []byte +} + +func (s *clientCertWanter) SetClientCert(cert, key []byte) { s.gotCert, s.gotKey = cert, key } +func (s *clientCertWanter) Admit(a admission.Attributes) error { return nil } +func (s *clientCertWanter) Handles(o admission.Operation) bool { return false } +func (s *clientCertWanter) Validate() error { return nil } diff --git a/staging/src/k8s.io/apiserver/pkg/admission/initializer/interfaces.go b/staging/src/k8s.io/apiserver/pkg/admission/initializer/interfaces.go index a216c9888fab5..b8a72f8c1b521 100644 --- a/staging/src/k8s.io/apiserver/pkg/admission/initializer/interfaces.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/initializer/interfaces.go @@ -40,3 +40,10 @@ type WantsAuthorizer interface { SetAuthorizer(authorizer.Authorizer) admission.Validator } + +// WantsClientCert defines a fuction that accepts a cert & key for admission +// plugins that need to make calls and prove their identity. +type WantsClientCert interface { + SetClientCert(cert, key []byte) + admission.Validator +} diff --git a/staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission_test.go b/staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission_test.go index 1ac18c45ae483..c3e8162e72cb0 100644 
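Review bot: The WantsClientCert comment added to interfaces.go does not say what an implementer receives when the server has no client certificate configured, and the generic initializer in this commit calls SetClientCert without checking the values. Rejecting a missing identity is therefore left to the implementer's Validate, and the interface should state that. Suggested wording: `// WantsClientCert defines a function that accepts a cert & key for admission plugins that need to make calls and prove their identity. The cert and key may be nil or empty when none is configured; implementations must reject that in Validate.` This also fixes the `fuction` typo.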
--- a/staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission_test.go +++ b/staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle/admission_test.go @@ -48,7 +48,7 @@ func newHandlerForTestWithClock(c clientset.Interface, cacheClock clock.Clock) ( if err != nil { return nil, f, err } - pluginInitializer, err := kubeadmission.New(c, f, nil) + pluginInitializer, err := kubeadmission.New(c, f, nil, nil, nil) if err != nil { return handler, f, err } diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/admission.go b/staging/src/k8s.io/apiserver/pkg/server/options/admission.go index 8f385f52a9f97..bbfd2f7332c3e 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/admission.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/admission.go @@ -73,9 +73,14 @@ func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet) { // In addition the method lazily initializes a generic plugin that is appended to the list of pluginInitializers // note this method uses: // genericconfig.LoopbackClientConfig -// genericconfig.SharedInformerFactory // genericconfig.Authorizer -func (a *AdmissionOptions) ApplyTo(c *server.Config, informers informers.SharedInformerFactory, pluginInitializers ...admission.PluginInitializer) error { +func (a *AdmissionOptions) ApplyTo( + c *server.Config, + informers informers.SharedInformerFactory, + serverIdentifyingClientCert []byte, + serverIdentifyingClientKey []byte, + pluginInitializers ...admission.PluginInitializer, +) error { pluginNames := a.PluginNames if len(a.PluginNames) == 0 { pluginNames = a.enabledPluginNames() @@ -90,7 +95,7 @@ func (a *AdmissionOptions) ApplyTo(c *server.Config, informers informers.SharedI if err != nil { return err } - genericInitializer, err := initializer.New(clientset, informers, c.Authorizer) + genericInitializer, err := initializer.New(clientset, informers, c.Authorizer, serverIdentifyingClientCert, serverIdentifyingClientKey) if err != nil { return err } 
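Review bot: ApplyTo's doc comment is not extended for the two new parameters, and `serverIdentifyingClientCert []byte` followed by `serverIdentifyingClientKey []byte` are adjacent positional arguments of the same type, so a caller that transposes cert and key still compiles. At minimum add a line such as `// serverIdentifyingClientCert and serverIdentifyingClientKey are handed to plugins implementing WantsClientCert; both may be nil when the server has no such identity.` Longer term a small struct with named fields would remove the ordering hazard, which matters because the callers in this commit pass a bare `nil, nil`. ApplyTo's body continues outside the hunk.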
diff --git a/staging/src/k8s.io/sample-apiserver/pkg/cmd/server/start.go b/staging/src/k8s.io/sample-apiserver/pkg/cmd/server/start.go index 8bdeb19e1b51f..c2381e511ccf6 100644 --- a/staging/src/k8s.io/sample-apiserver/pkg/cmd/server/start.go +++ b/staging/src/k8s.io/sample-apiserver/pkg/cmd/server/start.go @@ -119,7 +119,7 @@ func (o WardleServerOptions) Config() (*apiserver.Config, error) { return nil, err } - if err := o.Admission.ApplyTo(&serverConfig.Config, serverConfig.SharedInformerFactory, admissionInitializer); err != nil { + if err := o.Admission.ApplyTo(&serverConfig.Config, serverConfig.SharedInformerFactory, nil, nil, admissionInitializer); err != nil { return nil, err }