delegated authn/z: optionally opt-out of mandatory authn/authz kubeconfig #67545
Conversation
|
@sttts: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
do-not-merge/release-note-label-needed
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
k8s-ci-robot
added
the
sig/scheduling
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
fb07de6 to
9d43cb1
Compare
k8s-ci-robot
added
the
approved
sttts
added
release-note
k8s-ci-robot
added
cncf-cla: yes
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
9d43cb1 to
c19485b
Compare
k8s-ci-robot
added
the
approved
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
2 times, most recently
from
2ac1d50 to
3f34458
Compare
sttts
added
sig/auth
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
3f34458 to
8a384e0
Compare
k8s-ci-robot
added
area/apiserver
sig/api-machinery
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
8a384e0 to
74f594e
Compare
k8s-ci-robot
removed
the
approved
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
74f594e to
c9925dc
Compare
k8s-ci-robot
added
the
approved
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
c9925dc to
75976d9
Compare
|
@awly @yue9944882 after the prerequisite merged, this is pretty trivial now. ptal. |
| @@ -139,9 +142,14 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { | |||
| return | |||
| } | |||
|
|
|||
| var optionalKubeConfigSentence string | |||
| if s.RemoteKubeConfigFileOptional { | |||
| optionalKubeConfigSentence = " This is optional. If empty, all token requests are considered to be anonymous " + | |||
| @@ -336,6 +336,15 @@ func InClusterConfig() (*Config, error) { | |||
| }, nil | |||
| } | |||
|
|
|||
| type notInCluster struct{ error } | |||
There was a problem hiding this comment.
Use a package-level var NotInClusterErr = errors.New("...") instead
| @@ -41,6 +42,9 @@ type DelegatingAuthorizationOptions struct { | |||
| // RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the | |||
| // SubjectAccessReview.authorization.k8s.io endpoint for checking tokens. | |||
| RemoteKubeConfigFile string | |||
| // RemoteKubeConfigFileOptional is specifying whether not specifying the kubeconfig or | |||
| // a missing in-cluster config will be fatal. | |||
| RemoteKubeConfigFileOptional bool | |||
There was a problem hiding this comment.
if we don’t add it to the flagset,where can we set its value?
There was a problem hiding this comment.
the component using the option struct sets it.
There was a problem hiding this comment.
i thought that every field in option struct should be added to flagset
There was a problem hiding this comment.
No, why? We have many which are not.
There was a problem hiding this comment.
look into SecureServing as an example.
| // IsNotInCluster checks whether the error means that this process is not in a in-cluster context with | ||
| // KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT set as environment variables. | ||
| func IsNotInCluster(err error) bool { | ||
| _, ok := err.(notInCluster) |
There was a problem hiding this comment.
what about do a type switch? and we can handle nil check here
There was a problem hiding this comment.
see @awly suggestion #67545 (comment). That's even simpler.
| } else { | ||
| // without the remote kubeconfig file, try to use the in-cluster config. Most addon API servers will | ||
| // use this path | ||
| clientConfig, err = rest.InClusterConfig() | ||
| if err != nil && rest.IsNotInCluster(err) && s.RemoteKubeConfigFileOptional { |
| if len(s.ClientCert.ClientCA) == 0 { | ||
| glog.Warningf("No authentication-kubeconfig provided in order to lookup client-ca-file in configmap/%s in %s, so client certificate authentication to extension api-server won't work.", authenticationConfigMapName, authenticationConfigMapNamespace) | ||
| } | ||
| if len(s.RequestHeader.ClientCAFile) > 0 { |
| if err != nil { | ||
| return nil, err | ||
| if client == nil { | ||
| glog.Warningf("No authorization-kubeconfig provided, so SubjectAccessReview of authorization tokens won't work.") |
There was a problem hiding this comment.
nit: what about straightly return the union here?a long else block looks odd to me 👀
There was a problem hiding this comment.
I prefer the if block. The authorizers slice is constructed one by one by appending new authorizers. I think it is easier to reason about the code the way it is. The pattern is clear when another authorizer is added with another if block. Then an early return wouldn't work anymore.
|
/retest |
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
4a752b7 to
dcb9b10
Compare
|
@yue9944882 @awly addressed all comments. Anything left? |
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
dcb9b10 to
7675587
Compare
|
/retest |
|
@awly lgty? |
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
7675587 to
b996971
Compare
|
@sttts: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
| @@ -313,7 +318,7 @@ func DefaultKubernetesUserAgent() string { | |||
| func InClusterConfig() (*Config, error) { | |||
There was a problem hiding this comment.
Update the above comment to mention ErrNotInCluster
| @@ -44,6 +45,10 @@ const ( | |||
| DefaultBurst int = 10 | |||
| ) | |||
|
|
|||
| var ( | |||
There was a problem hiding this comment.
Remove parens, just var ErrNotInCluster = ...
sttts
added
the
lgtm
sttts
force-pushed
the
sttts-auth-optional-kubeconfig
branch
from
b996971 to
a671d65
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awly, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Automatic merge from submit-queue (batch tested with PRs 66960, 67545). If you want to cherry-pick this change to another branch, please follow the instructions here. |
This adds
RemoteKubeConfigFileOptionalfield to the delegated authn/z option structs. If set to true, the authn/z kubeconfig file flags are optional. If no kubeconfig is given, all token requests are considered to be anonymous and no client CA is looked up in the cluster.Prerequisite for #64149 and #67069.