UPSTREAM: <carry>: kube-apiserver: allow injection of kube-apiserver …

…options Origin-commit: 33a71aff9bb4e204bf2e15af4cdfb5bd0525ce4e
openshift · Dec 6, 2021 · 7e05451 · 7e05451
1 parent 6f523cd
commit 7e05451
Show file tree

Hide file tree

Showing 7 changed files with 125 additions and 4 deletions.
diff --git a/cmd/kube-apiserver/app/patch_openshift.go b/cmd/kube-apiserver/app/patch_openshift.go
@@ -0,0 +1,34 @@
+package app
+
+import (
+	"k8s.io/apiserver/pkg/admission"
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	clientgoinformers "k8s.io/client-go/informers"
+	"k8s.io/kubernetes/pkg/master"
+)
+
+type KubeAPIServerConfigFunc func(config *genericapiserver.Config, versionedInformers clientgoinformers.SharedInformerFactory, pluginInitializers *[]admission.PluginInitializer) (genericapiserver.DelegationTarget, error)
+
+var OpenShiftKubeAPIServerConfigPatch KubeAPIServerConfigFunc = nil
+
+type KubeAPIServerServerFunc func(server *master.Master) error
+
+func PatchKubeAPIServerConfig(config *genericapiserver.Config, versionedInformers clientgoinformers.SharedInformerFactory, pluginInitializers *[]admission.PluginInitializer) (genericapiserver.DelegationTarget, error) {
+	if OpenShiftKubeAPIServerConfigPatch == nil {
+		return genericapiserver.NewEmptyDelegate(), nil
+	}
+
+	return OpenShiftKubeAPIServerConfigPatch(config, versionedInformers, pluginInitializers)
+}
+
+var OpenShiftKubeAPIServerServerPatch KubeAPIServerServerFunc = nil
+
+func PatchKubeAPIServerServer(server *master.Master) error {
+	if OpenShiftKubeAPIServerServerPatch == nil {
+		return nil
+	}
+
+	return OpenShiftKubeAPIServerServerPatch(server)
+}
+
+var StartingDelegate genericapiserver.DelegationTarget = genericapiserver.NewEmptyDelegate()
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
@@ -209,6 +209,10 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 		return nil, err
 	}
 
+	if err := PatchKubeAPIServerServer(kubeAPIServer); err != nil {
+		return nil, err
+	}
+
 	// aggregator comes last in the chain
 	aggregatorConfig, err := createAggregatorConfig(*kubeAPIServerConfig.GenericConfig, completedOptions.ServerRunOptions, kubeAPIServerConfig.ExtraConfig.VersionedInformers, serviceResolver, kubeAPIServerConfig.ExtraConfig.ProxyTransport, pluginInitializer)
 	if err != nil {
@@ -364,6 +368,7 @@ func CreateKubeAPIServerConfig(s completedServerRunOptions) (
 func buildGenericConfig(
 	s *options.ServerRunOptions,
 	proxyTransport *http.Transport,
+
 ) (
 	genericConfig *genericapiserver.Config,
 	versionedInformers clientgoinformers.SharedInformerFactory,
@@ -478,6 +483,12 @@ func buildGenericConfig(
 		return
 	}
 
+	StartingDelegate, err = PatchKubeAPIServerConfig(genericConfig, versionedInformers, &pluginInitializers)
+	if err != nil {
+		lastErr = fmt.Errorf("failed to patch: %v", err)
+		return
+	}
+
 	err = s.Admission.ApplyTo(
 		genericConfig,
 		versionedInformers,

diff --git a/pkg/kubeapiserver/options/admission.go b/pkg/kubeapiserver/options/admission.go
@@ -115,6 +115,8 @@ func (a *AdmissionOptions) ApplyTo(
 		return nil
 	}
 
+	a.GenericAdmission.Decorators = append(a.GenericAdmission.Decorators, Decorators...)
+
 	if a.PluginNames != nil {
 		// pass PluginNames to generic AdmissionOptions
 		a.GenericAdmission.EnablePlugins, a.GenericAdmission.DisablePlugins = computePluginNames(a.PluginNames, a.GenericAdmission.RecommendedPluginOrder)

diff --git a/pkg/kubeapiserver/options/patch.go b/pkg/kubeapiserver/options/patch.go
@@ -0,0 +1,9 @@
+package options
+
+import "k8s.io/apiserver/pkg/admission"
+
+var RegisterAllAdmissionPlugins = registerAllAdmissionPlugins
+
+var DefaultOffAdmissionPlugins = defaultOffAdmissionPlugins
+
+var Decorators = []admission.Decorator{}
diff --git a/pkg/kubeapiserver/options/plugins.go b/pkg/kubeapiserver/options/plugins.go
@@ -142,7 +142,7 @@ func RegisterAllAdmissionPlugins(plugins *admission.Plugins) {
 }
 
 // DefaultOffAdmissionPlugins get admission plugins off by default for kube-apiserver.
-func DefaultOffAdmissionPlugins() sets.String {
+func defaultOffAdmissionPlugins() sets.String {
 	defaultOnPlugins := sets.NewString(
 		lifecycle.PluginName,                    // NamespaceLifecycle
 		limitranger.PluginName,                  // LimitRanger

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/patch_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/patch_policy.go
@@ -0,0 +1,65 @@
+package bootstrappolicy
+
+import (
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
+)
+
+var ClusterRoles = clusterRoles
+
+func OpenshiftClusterRoles() []rbacv1.ClusterRole {
+	const (
+		// These are valid under the "nodes" resource
+		NodeMetricsSubresource = "metrics"
+		NodeStatsSubresource   = "stats"
+		NodeSpecSubresource    = "spec"
+		NodeLogSubresource     = "log"
+	)
+
+	roles := clusterRoles()
+	roles = append(roles, []rbacv1.ClusterRole{
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "system:node-admin",
+			},
+			Rules: []rbacv1.PolicyRule{
+				// Allow read-only access to the API objects
+				rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+				// Allow all API calls to the nodes
+				rbacv1helpers.NewRule("proxy").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+				rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/proxy", "nodes/"+NodeMetricsSubresource, "nodes/"+NodeSpecSubresource, "nodes/"+NodeStatsSubresource, "nodes/"+NodeLogSubresource).RuleOrDie(),
+			},
+		},
+		{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "system:node-reader",
+			},
+			Rules: []rbacv1.PolicyRule{
+				// Allow read-only access to the API objects
+				rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+				// Allow read access to node metrics
+				rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("nodes/"+NodeMetricsSubresource, "nodes/"+NodeSpecSubresource).RuleOrDie(),
+				// Allow read access to stats
+				// Node stats requests are submitted as POSTs.  These creates are non-mutating
+				rbacv1helpers.NewRule("get", "create").Groups(legacyGroup).Resources("nodes/" + NodeStatsSubresource).RuleOrDie(),
+				// TODO: expose other things like /healthz on the node once we figure out non-resource URL policy across systems
+			},
+		},
+	}...)
+
+	addClusterRoleLabel(roles)
+	return roles
+}
+
+var ClusterRoleBindings = clusterRoleBindings
+
+func OpenshiftClusterRoleBindings() []rbacv1.ClusterRoleBinding {
+	bindings := clusterRoleBindings()
+	bindings = append(bindings, []rbacv1.ClusterRoleBinding{
+		rbacv1helpers.NewClusterBinding("system:node-admin").Users("system:master", "system:kube-apiserver").Groups("system:node-admins").BindingOrDie(),
+	}...)
+
+	addClusterRoleBindingLabel(bindings)
+	return bindings
+}
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -178,8 +178,8 @@ func NodeRules() []rbacv1.PolicyRule {
 	return nodePolicyRules
 }
 
-// ClusterRoles returns the cluster roles to bootstrap an API server with
-func ClusterRoles() []rbacv1.ClusterRole {
+// clusterRoles returns the cluster roles to bootstrap an API server with
+func clusterRoles() []rbacv1.ClusterRole {
 	roles := []rbacv1.ClusterRole{
 		{
 			// a "root" role which can do absolutely anything
@@ -569,7 +569,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 const systemNodeRoleName = "system:node"
 
 // ClusterRoleBindings return default rolebindings to the default roles
-func ClusterRoleBindings() []rbacv1.ClusterRoleBinding {
+func clusterRoleBindings() []rbacv1.ClusterRoleBinding {
 	rolebindings := []rbacv1.ClusterRoleBinding{
 		rbacv1helpers.NewClusterBinding("cluster-admin").Groups(user.SystemPrivilegedGroup).BindingOrDie(),
 		rbacv1helpers.NewClusterBinding("system:monitoring").Groups(user.MonitoringGroup).BindingOrDie(),