/*
* Teleport
* Copyright (C) 2023 Gravitational, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package proxy
import (
"errors"
"strings"
"github.com/gravitational/trace"
"github.com/sirupsen/logrus"
"golang.org/x/exp/maps"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
metav1beta1 "k8s.io/apimachinery/pkg/apis/meta/v1beta1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/client-go/discovery"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/scheme"
"github.com/gravitational/teleport/lib/utils"
)
const (
	// listSuffix is the suffix added to the name of the type to create the name
	// of the list type.
	// For example: "Role" -> "RoleList"
	// It is used when registering custom resources so that both the item kind
	// and its list kind can be decoded.
	listSuffix = "List"
)
var (
	// globalKubeScheme is the runtime Scheme that holds information about supported
	// message types. It is populated once, in init, by registerDefaultKubeTypes.
	globalKubeScheme = runtime.NewScheme()
	// globalKubeCodecs creates a serializer/deserializer for the different codecs
	// supported by the Kubernetes API, backed by globalKubeScheme.
	globalKubeCodecs = serializer.NewCodecFactory(globalKubeScheme)
)
// Register all groups in the schema's registry.
// It manually registers support for `metav1.Table` because go-client does not
// support it but `kubectl` calls require support for it.
func init() {
	// Register external types for Scheme. Must panics on a non-nil error, so a
	// broken registration aborts start-up instead of leaving the global scheme
	// half-populated.
	utilruntime.Must(registerDefaultKubeTypes(globalKubeScheme))
}
// registerDefaultKubeTypes registers the default types for the Kubernetes API into
// the given scheme: the meta v1 group version, the metav1/metav1beta1 meta types
// (including metav1.Table, which kubectl relies on) and every type known to the
// client-go scheme. Finally corev1 is made the preferred version.
//
// The first failing registration is returned, wrapped with trace.
func registerDefaultKubeTypes(s *runtime.Scheme) error {
	metav1.AddToGroupVersion(s, schema.GroupVersion{Version: "v1"})
	// Registration order matters only in that the first failure wins.
	registrars := []func(*runtime.Scheme) error{
		metav1.AddMetaToScheme,
		metav1beta1.AddMetaToScheme,
		scheme.AddToScheme,
	}
	for _, register := range registrars {
		if err := register(s); err != nil {
			return trace.Wrap(err)
		}
	}
	return trace.Wrap(s.SetVersionPriority(corev1.SchemeGroupVersion))
}
// newClientNegotiator creates a negotiator that based on `Content-Type` header
// from the Kubernetes API response is able to create a different encoder/decoder.
// Supported content types:
// - "application/json"
// - "application/yaml"
// - "application/vnd.kubernetes.protobuf"
//
// Objects are (de)serialized without conversion, targeting API version v1.
func newClientNegotiator(codecFactory *serializer.CodecFactory) runtime.ClientNegotiator {
	// No conversion: objects are decoded exactly as the server sent them.
	serializers := codecFactory.WithoutConversion()
	// create a serializer for Kube API v1
	targetVersion := schema.GroupVersion{Version: "v1"}
	return runtime.NewClientNegotiator(serializers, targetVersion)
}
// gvkSupportedResourcesKey is the key used in gvkSupportedResources
// to map from a parsed API path to the corresponding resource GVK.
type gvkSupportedResourcesKey struct {
	// name is the plural resource name as it appears in the API path
	// (e.g. "pods", "configmaps").
	name string
	// apiGroup is the API group; empty for the core group ("v1").
	apiGroup string
	// version is the API version (e.g. "v1").
	version string
}
// gvkSupportedResources maps a parsed API path to the corresponding resource GVK.
// It is filled by newClusterSchemaBuilder from the cluster's discovery response
// and covers every discovered resource, well-known groups included.
type gvkSupportedResources map[gvkSupportedResourcesKey]*schema.GroupVersionKind
// newClusterSchemaBuilder creates a new schema builder for the given cluster.
// This schema includes all well-known Kubernetes types and all namespaced
// custom resources.
// It also returns a map of resources that we support RBAC restrictions for.
//
// Returned values:
//   - a CodecFactory that decodes the well-known types plus every namespaced
//     resource of a group outside knownKubernetesGroups (as Unstructured);
//   - the RBAC-supported resources: a clone of defaultRBACResources with every
//     namespaced resource of a group outside knownKubernetesGroups added as
//     utils.KubeCustomResource;
//   - the API-path -> GVK index for every discovered resource;
//   - an error when the default types cannot be registered or discovery fails
//     outright. A partial discovery failure (ErrGroupDiscoveryFailed) is
//     logged at debug level and tolerated.
//
// NOTE(review): resources of groups whose discovery failed appear in neither
// map; how a request for such an unmapped resource is handled is decided by
// the callers — confirm that path fails closed.
func newClusterSchemaBuilder(log logrus.FieldLogger, client kubernetes.Interface) (serializer.CodecFactory, rbacSupportedResources, gvkSupportedResources, error) {
	clusterScheme := runtime.NewScheme()
	clusterCodecs := serializer.NewCodecFactory(clusterScheme)
	if err := registerDefaultKubeTypes(clusterScheme); err != nil {
		return serializer.CodecFactory{}, nil, nil, trace.Wrap(err)
	}
	// Work on a clone so the package-level defaultRBACResources is never mutated.
	rbacResources := maps.Clone(defaultRBACResources)
	gvkByPath := make(gvkSupportedResources)

	_, apiGroups, err := client.Discovery().ServerGroupsAndResources()
	// groupDiscoveryErr is set when discovery of one or more API groups fails.
	var groupDiscoveryErr *discovery.ErrGroupDiscoveryFailed
	if errors.As(err, &groupDiscoveryErr) {
		// A failing APIService (typically an aggregated API served by a pod
		// that is not reachable) only breaks discovery for its own groups. The
		// well-known types and all other discovered groups remain usable, so
		// continue with the partial result.
		log.WithError(err).Debugf("Failed to discover some API groups: %v", maps.Keys(groupDiscoveryErr.Groups))
	} else if err != nil {
		return serializer.CodecFactory{}, nil, nil, trace.Wrap(err)
	}

	for _, resourceList := range apiGroups {
		group, version := getKubeAPIGroupAndVersion(resourceList.GroupVersion)
		// Index every discovered resource by its path components, well-known
		// groups included, so a request path can later be resolved to a GVK.
		for _, res := range resourceList.APIResources {
			gvkByPath[gvkSupportedResourcesKey{
				name:     res.Name, // pods, configmaps, ...
				apiGroup: group,
				version:  version,
			}] = &schema.GroupVersionKind{
				Group:   group,
				Version: version,
				Kind:    res.Kind, // Pod, ConfigMap, ...
			}
		}
		// Types of the well-known groups were registered by
		// registerDefaultKubeTypes; nothing more to do for them.
		if _, wellKnown := knownKubernetesGroups[group]; wellKnown {
			continue
		}
		gv := schema.GroupVersion{Group: group, Version: version}
		for _, res := range resourceList.APIResources {
			// Cluster-scoped resources have no namespace to restrict on, so
			// they get neither an RBAC entry nor a decoder registration.
			if !res.Namespaced {
				continue
			}
			// Namespaced resources are access-controlled through the namespace
			// they live in. Note that any group absent from
			// knownKubernetesGroups, built-in or not, takes this path.
			rbacResources[allowedResourcesKey{
				apiGroup:     group,
				resourceKind: res.Name,
			}] = utils.KubeCustomResource
			registerUnstructuredKind(clusterScheme, gv, res.Kind)
		}
	}
	return clusterCodecs, rbacResources, gvkByPath, nil
}

// registerUnstructuredKind registers kind and its "<kind>List" counterpart in s
// as unstructured.Unstructured so that API responses can be decoded without a
// typed Go struct. A kind the scheme already knows is left untouched.
func registerUnstructuredKind(s *runtime.Scheme, gv schema.GroupVersion, kind string) {
	gvk := gv.WithKind(kind)
	// Already registered (typed or unstructured): do not register it twice.
	if _, err := s.New(gvk); err == nil {
		return
	}
	s.AddKnownTypeWithName(gvk, &unstructured.Unstructured{})
	// Resource lists follow the naming convention: <resource-kind>List
	s.AddKnownTypeWithName(gv.WithKind(kind+listSuffix), &unstructured.Unstructured{})
}
// getKubeAPIGroupAndVersion returns the API group and version from the given
// groupVersion string.
// The groupVersion string can be in the following formats:
// - "v1" -> group: "", version: "v1"
// - "<group>/<version>" -> group: "<group>", version: "<version>"
//
// Anything after a second "/" is ignored; an empty input yields two empty
// strings.
func getKubeAPIGroupAndVersion(groupVersion string) (group string, version string) {
	head, tail, hasGroup := strings.Cut(groupVersion, "/")
	if !hasGroup {
		// Core group: the whole string is the version.
		return "", head
	}
	// Keep only the first path element of the remainder as the version.
	version, _, _ = strings.Cut(tail, "/")
	return head, version
}
// knownKubernetesGroups is a map of well-known Kubernetes API groups that
// are already registered in the scheme and we don't need to register them
// again.
//
// newClusterSchemaBuilder skips these groups entirely; every namespaced
// resource of a group NOT listed here is recorded as a custom resource for
// RBAC purposes and decoded as Unstructured, so this list must track the
// built-in groups registered by registerDefaultKubeTypes.
var knownKubernetesGroups = map[string]struct{}{
	// core group
	"":                             {},
	"apiregistration.k8s.io":       {},
	"apps":                         {},
	"events.k8s.io":                {},
	"authentication.k8s.io":        {},
	"authorization.k8s.io":         {},
	"autoscaling":                  {},
	"batch":                        {},
	"certificates.k8s.io":          {},
	"networking.k8s.io":            {},
	"policy":                       {},
	"rbac.authorization.k8s.io":    {},
	"storage.k8s.io":               {},
	"admissionregistration.k8s.io": {},
	"apiextensions.k8s.io":         {},
	"scheduling.k8s.io":            {},
	"coordination.k8s.io":          {},
	"node.k8s.io":                  {},
	"discovery.k8s.io":             {},
	"flowcontrol.apiserver.k8s.io": {},
	"metrics.k8s.io":               {},
}