Commit d4e16258 authored by kaiyou's avatar kaiyou

Merge branch 'feat-enable-proxy-authentication' into 'master'

Enable proxy authentication to the apiserver

See merge request !6
parents b0d1ff39 e20028bf
...@@ -20,6 +20,8 @@ import ( ...@@ -20,6 +20,8 @@ import (
"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy" "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
"k8s.io/apiserver/pkg/admission/plugin/webhook/mutating" "k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
"k8s.io/apiserver/pkg/admission/plugin/webhook/validating" "k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authentication/request/headerrequest"
"k8s.io/apiserver/pkg/cel/openapi/resolver" "k8s.io/apiserver/pkg/cel/openapi/resolver"
"k8s.io/apiserver/pkg/endpoints/discovery/aggregated" "k8s.io/apiserver/pkg/endpoints/discovery/aggregated"
apifilters "k8s.io/apiserver/pkg/endpoints/filters" apifilters "k8s.io/apiserver/pkg/endpoints/filters"
...@@ -87,7 +89,7 @@ var kubeApiserver = &Unit{ ...@@ -87,7 +89,7 @@ var kubeApiserver = &Unit{
if err != nil { if err != nil {
return fmt.Errorf("could not initialize generic apiserver: %w", err) return fmt.Errorf("could not initialize generic apiserver: %w", err)
} }
aggregatorConfig, _ := buildAggregatorConfig(*config, clients) aggregatorConfig, _ := buildAggregatorConfig(c, *config, clients)
aggregatorServer, err := aggregatorConfig.Complete().NewWithDelegate(apiServer.GenericAPIServer) aggregatorServer, err := aggregatorConfig.Complete().NewWithDelegate(apiServer.GenericAPIServer)
if err != nil { if err != nil {
return fmt.Errorf("could not initialize aggregator: %w", err) return fmt.Errorf("could not initialize aggregator: %w", err)
...@@ -173,10 +175,17 @@ func buildConfig(c *Cluster) (config *server.Config, clients *k8s.Clients, err e ...@@ -173,10 +175,17 @@ func buildConfig(c *Cluster) (config *server.Config, clients *k8s.Clients, err e
err = fmt.Errorf("could not get api CA file: %w", err) err = fmt.Errorf("could not get api CA file: %w", err)
return return
} }
proxyCA, err := dynamiccertificates.NewDynamicCAContentFromFile("proxy-ca", c.pki.Proxy.CertPath())
if err != nil {
err = fmt.Errorf("could not get proxy CA file: %w", err)
return
}
config.SecureServing = &server.SecureServingInfo{ config.SecureServing = &server.SecureServingInfo{
Listener: listener, Listener: listener,
Cert: cert, Cert: cert,
ClientCA: clientCA, // not setup upstream, might be an issue // This is performed in vanilla when applying authentication configuration,
// especially in AuthenticationInfo.ApplyClientCet
ClientCA: dynamiccertificates.NewUnionCAContentProvider(clientCA, proxyCA),
} }
config.PublicAddress = c.networking.NodeAddress.Addr().AsSlice() config.PublicAddress = c.networking.NodeAddress.Addr().AsSlice()
...@@ -201,6 +210,15 @@ func buildConfig(c *Cluster) (config *server.Config, clients *k8s.Clients, err e ...@@ -201,6 +210,15 @@ func buildConfig(c *Cluster) (config *server.Config, clients *k8s.Clients, err e
clients.Informer.Core().V1().Pods().Lister(), clients.Informer.Core().V1().Pods().Lister(),
), ),
SecretsWriter: clients.Client.CoreV1(), SecretsWriter: clients.Client.CoreV1(),
// This is currently not strictly required, since we do not use proxified
// requests to apiservers themselves, though we might at some point. Private
// key is only delivered to apiserver itself, so little harm is done
RequestHeaderConfig: &authenticatorfactory.RequestHeaderConfig{
UsernameHeaders: headerrequest.StaticStringSlice([]string{"X-Remote-User"}),
GroupHeaders: headerrequest.StaticStringSlice([]string{"X-Remote-Group"}),
ExtraHeaderPrefixes: headerrequest.StaticStringSlice([]string{"X-Remote-Extra"}),
CAContentProvider: proxyCA,
},
} }
auth, _, err := authConfig.New() auth, _, err := authConfig.New()
if err != nil { if err != nil {
...@@ -208,8 +226,9 @@ func buildConfig(c *Cluster) (config *server.Config, clients *k8s.Clients, err e ...@@ -208,8 +226,9 @@ func buildConfig(c *Cluster) (config *server.Config, clients *k8s.Clients, err e
return return
} }
config.Authentication = server.AuthenticationInfo{ config.Authentication = server.AuthenticationInfo{
APIAudiences: []string{audience}, APIAudiences: []string{audience},
Authenticator: auth, Authenticator: auth,
RequestHeaderConfig: authConfig.RequestHeaderConfig,
} }
// Setup authorizations // Setup authorizations
...@@ -347,14 +366,22 @@ func buildApiConfig(c *Cluster, config server.Config, clients *k8s.Clients) (*co ...@@ -347,14 +366,22 @@ func buildApiConfig(c *Cluster, config server.Config, clients *k8s.Clients) (*co
APIResourceConfigSource: generic.MergedResourceConfig, APIResourceConfigSource: generic.MergedResourceConfig,
StorageFactory: restOptionsGetter.StorageFactory, StorageFactory: restOptionsGetter.StorageFactory,
ClusterAuthenticationInfo: clusterauthenticationtrust.ClusterAuthenticationInfo{ ClusterAuthenticationInfo: clusterauthenticationtrust.ClusterAuthenticationInfo{
ClientCA: config.SecureServing.ClientCA, // This is duplicated information from the authentication layer, so that
// the start-cluster-authentication-info-controller controller properly
// populates the extension-apiserver-authentication ConfigMap with
// authentication info
ClientCA: config.SecureServing.ClientCA,
RequestHeaderCA: config.Authentication.RequestHeaderConfig.CAContentProvider,
RequestHeaderUsernameHeaders: config.Authentication.RequestHeaderConfig.UsernameHeaders,
RequestHeaderGroupHeaders: config.Authentication.RequestHeaderConfig.GroupHeaders,
RequestHeaderExtraHeaderPrefixes: config.Authentication.RequestHeaderConfig.ExtraHeaderPrefixes,
}, },
}, },
}, nil }, nil
} }
// Customize the generic config then build an aggregator config // Customize the generic config then build an aggregator config
func buildAggregatorConfig(config server.Config, clients *k8s.Clients) (*aggregator.Config, error) { func buildAggregatorConfig(c *Cluster, config server.Config, clients *k8s.Clients) (*aggregator.Config, error) {
generic := config generic := config
generic.MergedResourceConfig = aggregator.DefaultAPIResourceConfigSource() generic.MergedResourceConfig = aggregator.DefaultAPIResourceConfigSource()
generic.RESTOptionsGetter = k8s.PrepareStorage(aggregatorscheme.Codecs, aggregatorscheme.Scheme, generic.MergedResourceConfig) generic.RESTOptionsGetter = k8s.PrepareStorage(aggregatorscheme.Codecs, aggregatorscheme.Scheme, generic.MergedResourceConfig)
...@@ -365,6 +392,11 @@ func buildAggregatorConfig(config server.Config, clients *k8s.Clients) (*aggrega ...@@ -365,6 +392,11 @@ func buildAggregatorConfig(config server.Config, clients *k8s.Clients) (*aggrega
}, },
ExtraConfig: aggregator.ExtraConfig{ ExtraConfig: aggregator.ExtraConfig{
ServiceResolver: clients.ServiceResolver(), ServiceResolver: clients.ServiceResolver(),
// This is for the aggregation layer to authenticate proxified
// requests to webhooks and other aggregated services using a dedicated
// certificate and certificate authority
ProxyClientCertFile: c.masterCerts.Proxy.CertPath(),
ProxyClientKeyFile: c.masterCerts.Proxy.KeyPath(),
}, },
}, nil }, nil
} }
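Review bot: The RequestHeaderConfig added in buildConfig (the hunk at `@@ -201,6 +210,15 @@`) sets no `AllowedClientNames`, so any client certificate chaining to the proxy CA can assert arbitrary `X-Remote-User`/`X-Remote-Group`/`X-Remote-Extra-*` identities, not only the front-proxy certificate issued from `c.masterCerts.Proxy`; upstream leaves this open only when `--requestheader-allowed-names` is deliberately empty. Pin it to the proxy client certificate's subject, e.g. `AllowedClientNames: headerrequest.StaticStringSlice([]string{"<PROXY-CLIENT-CERT-CN>"}),` (placeholder: the CN the PKI issues for the Proxy cert is not visible here), and mirror it into the ClusterAuthenticationInfo in buildApiConfig with `RequestHeaderAllowedNames: config.Authentication.RequestHeaderConfig.AllowedClientNames,` so the extension-apiserver-authentication ConfigMap carries the same restriction for aggregated servers. The comment on the union `ClientCA` has a typo, `ApplyClientCet` for `ApplyClientCert`, worth fixing in the same pass. buildConfig starts and ends outside these hunks, and buildApiConfig's signature is outside the hunk as well.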