apiserver: document how to run sample-apiserver standalone outside the cluster #55476
Force-pushed 06014f4 to 770bc0c.
@@ -375,6 +375,10 @@ func (s *DelegatingAuthenticationOptions) getClientConfig() (*rest.Config, error | |||
} | |||
|
|||
func (s *DelegatingAuthenticationOptions) newTokenAccessReview() (authenticationclient.TokenReviewInterface, error) { | |||
if len(s.RequestHeader.ClientCAFile) > 0 || s.SkipInClusterLookup { |
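Review bot: the guard `if len(s.RequestHeader.ClientCAFile) > 0 || s.SkipInClusterLookup {` in newTokenAccessReview ties two unrelated settings together. A request-header client CA configures front-proxy authentication and says nothing about whether bearer tokens should still be sent to TokenReview, so a server that has both a client CA file and a kubeconfig for the TokenReview client would silently lose token authentication. Gate this only on s.SkipInClusterLookup (or on there being no kubeconfig to build the TokenReview client from) and leave RequestHeader.ClientCAFile out of the decision.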
I can have a clientCAFile and a tokenaccessreview.
@@ -35,6 +35,9 @@ type DelegatingAuthorizationOptions struct { | |||
// SubjectAccessReview.authorization.k8s.io endpoint for checking tokens. | |||
RemoteKubeConfigFile string | |||
|
|||
// DisableAuthorization is used to explicitly disable any authorization, mostly for development purposes. | |||
DisableAuthorization bool |
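Review bot: `DisableAuthorization bool` is an all-or-nothing switch on DelegatingAuthorizationOptions, and the doc comment "mostly for development purposes" does nothing to keep it off a production binary; nothing in this hunk validates it against RemoteKubeConfigFile either. Prefer a narrower default that does not need a switch at all (trust a local client CA and admit only a fixed group such as system:masters, as proposed later in this review), or, if the field stays, name it so its intent is unmistakable and reject it in Validate() whenever a remote kubeconfig is also set.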
Why would I want this lever? What's hard about doing development with a pod and image?
We want to extract OpenAPI from a server, i.e. just launch the server, do one curl and terminate.
And about pod and image: people want to run an apiserver inside an IDE. A multi-process setup is far too complicated. Am happy to call this option explicitly "dev-only" or something like that.
Am happy to call this option explicitly "dev-only" or something like that.
Thing is, I really don't even want devs using it. Lack of consideration for security has produced sins we're still paying for after 3 years. What if you made it system:masters only and used a client cert. That gives you the single file.
If it starts up without a config, but only accepts system:masters, that sounds fine, works for development, but any non-dev use-case immediately needs a secure setup. Is this what you mean? If not, please elaborate.
if err != nil { | ||
return err | ||
if s.DisableAuthorization { | ||
c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer() |
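Review bot: after `c.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()` return from the function right away (a bare `return nil`) so the delegating SubjectAccessReview setup does not run in the disabled case and the else branch disappears. Because this path admits every authenticated request, also emit a prominent startup log line when it is taken, so a binary accidentally started with authorization off cannot run unnoticed.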
return early here, then no else.
done
Thanks @sttts! This will be very handy for dev setup and OpenAPI generation for non-Go clients.
This seems like the wrong way to go about that. I would instead try to find a way to get openapi docs without launching a server at all.
@deads2k, do you know how to get the OpenAPI doc without any API server? Maybe something like that can be added to code-generators.
I don't disagree, but I fear this means a huge refactoring of our openapi code.
Force-pushed 770bc0c to 2464fe5.
@deads2k updated, only granting access to group
Force-pushed 2464fe5 to f703bc2.
Force-pushed 582508c to 64b50c8.
Force-pushed 48dcdb7 to d22ec24.
Force-pushed 1ea8307 to 1c8d56a.
@sttts: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Force-pushed 1c8d56a to 9222aa6.
Force-pushed 9222aa6 to c14fa27.
LGTM. Can confirm this works for local development.
Force-pushed c14fa27 to 81b0198.
/retest
Force-pushed 81b0198 to ad21a4a.
@deads2k lgty?
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: deads2k, sttts. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
This PR documents how to run the sample-apiserver outside of a cluster for development.
tl;dr: local client CA with system:masters group membership. Then authorization is skipped.
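The setup the description sketches, and the "system:masters only, with a client cert" gate proposed earlier in the review, as an added Go example that is not part of this PR or of k8s.io/apiserver. It builds a throwaway local CA (the thing you would PEM-encode to a file and hand to the apiserver's client CA option), issues a client certificate whose subject carries the user in CN and the group in O, verifies a presented certificate against that CA and maps CN/O to user/groups the way the Kubernetes x509 authenticator does, and then admits only members of system:masters instead of installing an always-allow authorizer. The function names NewLocalCA, NewClientCert, Authenticate and Authorize, and the sample user names, are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// Identity is what a verified client certificate yields: the CN becomes the
// user name and each O entry becomes a group, mirroring the mapping the
// Kubernetes x509 client-cert authenticator applies.
type Identity struct {
	User   string
	Groups []string
}

// newCert issues a certificate from tmpl. With parent == nil it is self-signed
// by its own fresh key; otherwise it is signed by parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = serial
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewLocalCA creates the throwaway development CA (hypothetical name).
func NewLocalCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "sample-apiserver-dev-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return newCert(tmpl, nil, nil)
}

// NewClientCert issues a client certificate for user whose O entries are groups.
func NewClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, groups []string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: user, Organization: groups},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, _, err := newCert(tmpl, ca, caKey)
	return cert, err
}

// Authenticate verifies the presented certificate chains to ca and is valid for
// client auth, then maps its subject to an Identity. Any other CA is rejected.
func Authenticate(ca, presented *x509.Certificate) (Identity, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return Identity{}, err
	}
	return Identity{User: presented.Subject.CommonName, Groups: presented.Subject.Organization}, nil
}

// Authorize is the dev-only gate: no always-allow authorizer, only system:masters.
func Authorize(id Identity) error {
	for _, g := range id.Groups {
		if g == "system:masters" {
			return nil
		}
	}
	return errors.New("forbidden: " + id.User + " is not in system:masters")
}

func main() {
	ca, caKey, err := NewLocalCA()
	if err != nil {
		log.Fatal(err)
	}
	cert, err := NewClientCert(ca, caKey, "developer", []string{"system:masters"})
	if err != nil {
		log.Fatal(err)
	}
	id, err := Authenticate(ca, cert)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("user=%s groups=%v authorize=%v\n", id.User, id.Groups, Authorize(id))
}
```

A certificate minted by a different CA fails in Authenticate even if its O says system:masters, and a certificate from the right CA without that group authenticates but is refused by Authorize; that is the property the review asked for: a single file suffices for development, while anything that is not the local developer's CA-issued admin certificate gets nothing. To feed a real apiserver you would pem.Encode the CA certificate and the client certificate and key to files; that step is left out here.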