/
apiserver.go
144 lines (122 loc) · 6.11 KB
/
apiserver.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
package apiserver
import (
"fmt"
"sync"
"k8s.io/apimachinery/pkg/apimachinery/registered"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/apiserver/pkg/registry/rest"
genericapiserver "k8s.io/apiserver/pkg/server"
restclient "k8s.io/client-go/rest"
rbacclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
authorizationapiv1 "github.com/openshift/api/authorization/v1"
"github.com/openshift/origin/pkg/authorization/authorizer"
"github.com/openshift/origin/pkg/authorization/registry/clusterrole"
"github.com/openshift/origin/pkg/authorization/registry/clusterrolebinding"
"github.com/openshift/origin/pkg/authorization/registry/localresourceaccessreview"
"github.com/openshift/origin/pkg/authorization/registry/localsubjectaccessreview"
"github.com/openshift/origin/pkg/authorization/registry/resourceaccessreview"
"github.com/openshift/origin/pkg/authorization/registry/role"
"github.com/openshift/origin/pkg/authorization/registry/rolebinding"
rolebindingrestrictionetcd "github.com/openshift/origin/pkg/authorization/registry/rolebindingrestriction/etcd"
"github.com/openshift/origin/pkg/authorization/registry/selfsubjectrulesreview"
"github.com/openshift/origin/pkg/authorization/registry/subjectaccessreview"
"github.com/openshift/origin/pkg/authorization/registry/subjectrulesreview"
)
type ExtraConfig struct {
CoreAPIServerClientConfig *restclient.Config
KubeInternalInformers kinternalinformers.SharedInformerFactory
RuleResolver rbacregistryvalidation.AuthorizationRuleResolver
SubjectLocator authorizer.SubjectLocator
// TODO these should all become local eventually
Scheme *runtime.Scheme
Registry *registered.APIRegistrationManager
Codecs serializer.CodecFactory
makeV1Storage sync.Once
v1Storage map[string]rest.Storage
v1StorageErr error
}
type AuthorizationAPIServerConfig struct {
GenericConfig *genericapiserver.RecommendedConfig
ExtraConfig ExtraConfig
}
type AuthorizationAPIServer struct {
GenericAPIServer *genericapiserver.GenericAPIServer
}
type completedConfig struct {
GenericConfig genericapiserver.CompletedConfig
ExtraConfig *ExtraConfig
}
type CompletedConfig struct {
// Embed a private pointer that cannot be instantiated outside of this package.
*completedConfig
}
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
func (c *AuthorizationAPIServerConfig) Complete() completedConfig {
cfg := completedConfig{
c.GenericConfig.Complete(),
&c.ExtraConfig,
}
return cfg
}
// New returns a new instance of AuthorizationAPIServer from the given config.
func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) (*AuthorizationAPIServer, error) {
genericServer, err := c.GenericConfig.New("authorization.openshift.io-apiserver", delegationTarget)
if err != nil {
return nil, err
}
s := &AuthorizationAPIServer{
GenericAPIServer: genericServer,
}
v1Storage, err := c.V1RESTStorage()
if err != nil {
return nil, err
}
apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(authorizationapiv1.GroupName, c.ExtraConfig.Registry, c.ExtraConfig.Scheme, metav1.ParameterCodec, c.ExtraConfig.Codecs)
apiGroupInfo.GroupMeta.GroupVersion = authorizationapiv1.SchemeGroupVersion
apiGroupInfo.VersionedResourcesStorageMap[authorizationapiv1.SchemeGroupVersion.Version] = v1Storage
if err := s.GenericAPIServer.InstallAPIGroup(&apiGroupInfo); err != nil {
return nil, err
}
return s, nil
}
func (c *completedConfig) V1RESTStorage() (map[string]rest.Storage, error) {
c.ExtraConfig.makeV1Storage.Do(func() {
c.ExtraConfig.v1Storage, c.ExtraConfig.v1StorageErr = c.newV1RESTStorage()
})
return c.ExtraConfig.v1Storage, c.ExtraConfig.v1StorageErr
}
func (c *completedConfig) newV1RESTStorage() (map[string]rest.Storage, error) {
rbacClient, err := rbacclient.NewForConfig(c.GenericConfig.LoopbackClientConfig)
if err != nil {
return nil, err
}
selfSubjectRulesReviewStorage := selfsubjectrulesreview.NewREST(c.ExtraConfig.RuleResolver, c.ExtraConfig.KubeInternalInformers.Rbac().InternalVersion().ClusterRoles().Lister())
subjectRulesReviewStorage := subjectrulesreview.NewREST(c.ExtraConfig.RuleResolver, c.ExtraConfig.KubeInternalInformers.Rbac().InternalVersion().ClusterRoles().Lister())
subjectAccessReviewStorage := subjectaccessreview.NewREST(c.GenericConfig.Authorizer)
subjectAccessReviewRegistry := subjectaccessreview.NewRegistry(subjectAccessReviewStorage)
localSubjectAccessReviewStorage := localsubjectaccessreview.NewREST(subjectAccessReviewRegistry)
resourceAccessReviewStorage := resourceaccessreview.NewREST(c.GenericConfig.Authorizer, c.ExtraConfig.SubjectLocator)
resourceAccessReviewRegistry := resourceaccessreview.NewRegistry(resourceAccessReviewStorage)
localResourceAccessReviewStorage := localresourceaccessreview.NewREST(resourceAccessReviewRegistry)
roleBindingRestrictionStorage, err := rolebindingrestrictionetcd.NewREST(c.GenericConfig.RESTOptionsGetter)
if err != nil {
return nil, fmt.Errorf("error building REST storage: %v", err)
}
v1Storage := map[string]rest.Storage{}
v1Storage["resourceAccessReviews"] = resourceAccessReviewStorage
v1Storage["subjectAccessReviews"] = subjectAccessReviewStorage
v1Storage["localSubjectAccessReviews"] = localSubjectAccessReviewStorage
v1Storage["localResourceAccessReviews"] = localResourceAccessReviewStorage
v1Storage["selfSubjectRulesReviews"] = selfSubjectRulesReviewStorage
v1Storage["subjectRulesReviews"] = subjectRulesReviewStorage
v1Storage["roles"] = role.NewREST(rbacClient.RESTClient())
v1Storage["roleBindings"] = rolebinding.NewREST(rbacClient.RESTClient())
v1Storage["clusterRoles"] = clusterrole.NewREST(rbacClient.RESTClient())
v1Storage["clusterRoleBindings"] = clusterrolebinding.NewREST(rbacClient.RESTClient())
v1Storage["roleBindingRestrictions"] = roleBindingRestrictionStorage
return v1Storage, nil
}