diff --git a/cmd/kube-apiserver/app/patch_openshift.go b/cmd/kube-apiserver/app/patch_openshift.go
deleted file mode 100644
index 8744ae69c4731..0000000000000
--- a/cmd/kube-apiserver/app/patch_openshift.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package app
-
-import (
- "k8s.io/apiserver/pkg/admission"
- genericapiserver "k8s.io/apiserver/pkg/server"
- clientgoinformers "k8s.io/client-go/informers"
- "k8s.io/kubernetes/openshift-kube-apiserver/openshiftkubeapiserver"
-)
-
-var OpenShiftKubeAPIServerConfigPatch openshiftkubeapiserver.KubeAPIServerConfigFunc = nil
-
-func PatchKubeAPIServerConfig(config *genericapiserver.Config, versionedInformers clientgoinformers.SharedInformerFactory, pluginInitializers *[]admission.PluginInitializer) error {
- if OpenShiftKubeAPIServerConfigPatch == nil {
- return nil
- }
-
- return OpenShiftKubeAPIServerConfigPatch(config, versionedInformers, pluginInitializers)
-}
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index a1f7c12f1b801..d2a3e0a54e339 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -135,17 +135,15 @@ cluster's shared state through which all other components interact.`,
 fs := cmd.Flags()
 
 if len(s.OpenShiftConfig) > 0 {
+ // if we are running openshift, we modify the admission chain defaults accordingly
+ admissionenablement.InstallOpenShiftAdmissionPlugins(s)
+
 openshiftConfig, err := enablement.GetOpenshiftConfig(s.OpenShiftConfig)
 if err != nil {
 klog.Fatal(err)
 }
 enablement.ForceOpenShift(openshiftConfig)
 
- // this forces a patch to be called
- // TODO we're going to try to remove bits of the patching.
- configPatchFn := openshiftkubeapiserver.NewOpenShiftKubeAPIServerConfigPatch(openshiftConfig)
- OpenShiftKubeAPIServerConfigPatch = configPatchFn
-
 args, err := openshiftkubeapiserver.ConfigToFlags(openshiftConfig)
 if err != nil {
 return err
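Review bot: The moved `admissionenablement.InstallOpenShiftAdmissionPlugins(s)` now runs before `enablement.GetOpenshiftConfig` has parsed and validated the config, and the new comment says what it does but not why it had to move ahead of the config load. Presumably the plugin set must be registered before `ConfigToFlags` derives flag values from it; if so the comment should say that, e.g. `// register the OpenShift admission plugin set before the config is turned into flags so their defaults are in place`. The enclosing command closure starts and ends outside the hunk.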
@@ -160,8 +158,6 @@ cluster's shared state through which all other components interact.`,
 cliflag.PrintFlags(cmd.Flags())
 
 enablement.ForceGlobalInitializationForOpenShift()
- admissionenablement.InstallOpenShiftAdmissionPlugins(s)
-
 } else {
 // print default flags
 cliflag.PrintFlags(cmd.Flags())
@@ -611,7 +607,7 @@ func buildGenericConfig(
 return
 }
 
- if err := PatchKubeAPIServerConfig(genericConfig, versionedInformers, &pluginInitializers); err != nil {
+ if err := openshiftkubeapiserver.OpenShiftKubeAPIServerConfigPatch(genericConfig, versionedInformers, &pluginInitializers); err != nil {
 lastErr = fmt.Errorf("failed to patch: %v", err)
 return
 }
diff --git a/openshift-kube-apiserver/openshiftkubeapiserver/paramtoken/paramtoken.go b/openshift-kube-apiserver/openshiftkubeapiserver/paramtoken/paramtoken.go
deleted file mode 100644
index 1993002e5daf8..0000000000000
--- a/openshift-kube-apiserver/openshiftkubeapiserver/paramtoken/paramtoken.go
+++ /dev/null
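Review bot: The new call to `openshiftkubeapiserver.OpenShiftKubeAPIServerConfigPatch` in buildGenericConfig now runs on every build and is gated only by package-level state checked inside that function (`enablement.IsOpenShift()`), which the command's run path has to have set through `enablement.ForceOpenShift` earlier; that ordering dependency is invisible at this call site, whereas the previous nil check of `OpenShiftKubeAPIServerConfigPatch` made the conditional nature explicit. A one-line comment above the call, `// no-op unless enablement.ForceOpenShift ran earlier during command setup`, would keep the next maintainer from reading the patch as unconditional. buildGenericConfig's body continues outside the hunk.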
@@ -1,45 +0,0 @@
-package paramtoken
-
-import (
- "net/http"
- "strings"
-
- "k8s.io/apiserver/pkg/authentication/authenticator"
- "k8s.io/apiserver/pkg/util/wsstream"
-)
-
-// Authenticator provides a way to authenticate tokens provided as a parameter
-// This only exists to allow websocket connections to use an API token, since they cannot set an Authorize header
-// For this authenticator to work, tokens will be part of the request URL, and are more likely to be logged or otherwise exposed.
-// Every effort should be made to filter tokens from being logged when using this authenticator.
-type Authenticator struct {
- // param is the query param to use as a token
- param string
- // auth is the token authenticator to use to validate the token
- auth authenticator.Token
- // removeParam indicates whether the parameter should be stripped from the incoming request
- removeParam bool
-}
-
-func New(param string, auth authenticator.Token, removeParam bool) *Authenticator {
- return &Authenticator{param, auth, removeParam}
-}
-
-func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
- // Only accept query param auth for websocket connections
- if !wsstream.IsWebSocketRequest(req) {
- return nil, false, nil
- }
-
- q := req.URL.Query()
- token := strings.TrimSpace(q.Get(a.param))
- if token == "" {
- return nil, false, nil
- }
- authResponse, ok, err := a.auth.AuthenticateToken(req.Context(), token)
- if ok && a.removeParam {
- q.Del(a.param)
- req.URL.RawQuery = q.Encode()
- }
- return authResponse, ok, err
-}
diff --git a/openshift-kube-apiserver/openshiftkubeapiserver/patch.go b/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
index 6c446c9fb8fff..85afbe7c112f4 100644
--- a/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
+++ b/openshift-kube-apiserver/openshiftkubeapiserver/patch.go
@@ -14,7 +14,6 @@ import (
 "k8s.io/client-go/tools/cache"
 "k8s.io/kubernetes/pkg/quota/v1/install"
 
- kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
 "github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy"
 "github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/imagereferencemutators"
 "github.com/openshift/apiserver-library-go/pkg/admission/quota/clusterresourcequota"
@@ -34,60 +33,59 @@ import (
 "k8s.io/kubernetes/openshift-kube-apiserver/admission/scheduler/nodeenv"
 )
 
-type KubeAPIServerConfigFunc func(config *genericapiserver.Config, versionedInformers clientgoinformers.SharedInformerFactory, pluginInitializers *[]admission.PluginInitializer) error
-
-func NewOpenShiftKubeAPIServerConfigPatch(kubeAPIServerConfig *kubecontrolplanev1.KubeAPIServerConfig) KubeAPIServerConfigFunc {
- return func(genericConfig *genericapiserver.Config, kubeInformers clientgoinformers.SharedInformerFactory, pluginInitializers *[]admission.PluginInitializer) error {
- openshiftInformers, err := newInformers(genericConfig.LoopbackClientConfig)
- if err != nil {
- return err
- }
-
- // AUTHORIZER
- genericConfig.RequestInfoResolver = apiserverconfig.OpenshiftRequestInfoResolver()
- // END AUTHORIZER
-
- // Inject OpenShift API long running endpoints (like for binary builds).
- // TODO: We should disable the timeout code for aggregated endpoints as this can cause problems when upstream add additional endpoints.
- genericConfig.LongRunningFunc = apiserverconfig.IsLongRunningRequest
-
- // ADMISSION
- clusterQuotaMappingController := newClusterQuotaMappingController(kubeInformers.Core().V1().Namespaces(), openshiftInformers.OpenshiftQuotaInformers.Quota().V1().ClusterResourceQuotas())
- genericConfig.AddPostStartHookOrDie("quota.openshift.io-clusterquotamapping", func(context genericapiserver.PostStartHookContext) error {
- go clusterQuotaMappingController.Run(5, context.StopCh)
- return nil
- })
-
- *pluginInitializers = append(*pluginInitializers,
- imagepolicy.NewInitializer(imagereferencemutators.KubeImageMutators{}, kubeAPIServerConfig.ImagePolicyConfig.InternalRegistryHostname),
- restrictusers.NewInitializer(openshiftInformers.getOpenshiftUserInformers()),
- sccadmission.NewInitializer(openshiftInformers.getOpenshiftSecurityInformers().Security().V1().SecurityContextConstraints()),
- clusterresourcequota.NewInitializer(
- openshiftInformers.getOpenshiftQuotaInformers().Quota().V1().ClusterResourceQuotas(),
- clusterQuotaMappingController.GetClusterQuotaMapper(),
- generic.NewRegistry(install.NewQuotaConfigurationForAdmission().Evaluators()),
- ),
- nodeenv.NewInitializer(kubeAPIServerConfig.ProjectConfig.DefaultNodeSelector),
- admissionrestconfig.NewInitializer(*rest.CopyConfig(genericConfig.LoopbackClientConfig)),
- )
- // END ADMISSION
-
- // HANDLER CHAIN (with oauth server and web console)
- genericConfig.BuildHandlerChainFunc, err = BuildHandlerChain(kubeAPIServerConfig.ConsolePublicURL, kubeAPIServerConfig.AuthConfig.OAuthMetadataFile)
- if err != nil {
- return err
- }
- // END HANDLER CHAIN
-
- genericConfig.AddPostStartHookOrDie("openshift.io-startkubeinformers", func(context genericapiserver.PostStartHookContext) error {
- go kubeInformers.Start(context.StopCh)
- go openshiftInformers.Start(context.StopCh)
- return nil
- })
- enablement.AppendPostStartHooksOrDie(genericConfig)
+func OpenShiftKubeAPIServerConfigPatch(genericConfig *genericapiserver.Config, kubeInformers clientgoinformers.SharedInformerFactory, pluginInitializers *[]admission.PluginInitializer) error {
+ if !enablement.IsOpenShift() {
+ return nil
+ }
+
+ openshiftInformers, err := newInformers(genericConfig.LoopbackClientConfig)
+ if err != nil {
+ return err
+ }
+
+ // AUTHORIZER
+ genericConfig.RequestInfoResolver = apiserverconfig.OpenshiftRequestInfoResolver()
+ // END AUTHORIZER
+ // Inject OpenShift API long running endpoints (like for binary builds).
+ // TODO: We should disable the timeout code for aggregated endpoints as this can cause problems when upstream add additional endpoints.
+ genericConfig.LongRunningFunc = apiserverconfig.IsLongRunningRequest
+
+ // ADMISSION
+ clusterQuotaMappingController := newClusterQuotaMappingController(kubeInformers.Core().V1().Namespaces(), openshiftInformers.OpenshiftQuotaInformers.Quota().V1().ClusterResourceQuotas())
+ genericConfig.AddPostStartHookOrDie("quota.openshift.io-clusterquotamapping", func(context genericapiserver.PostStartHookContext) error {
+ go clusterQuotaMappingController.Run(5, context.StopCh)
 return nil
+ })
+
+ *pluginInitializers = append(*pluginInitializers,
+ imagepolicy.NewInitializer(imagereferencemutators.KubeImageMutators{}, enablement.OpenshiftConfig().ImagePolicyConfig.InternalRegistryHostname),
+ restrictusers.NewInitializer(openshiftInformers.getOpenshiftUserInformers()),
+ sccadmission.NewInitializer(openshiftInformers.getOpenshiftSecurityInformers().Security().V1().SecurityContextConstraints()),
+ clusterresourcequota.NewInitializer(
+ openshiftInformers.getOpenshiftQuotaInformers().Quota().V1().ClusterResourceQuotas(),
+ clusterQuotaMappingController.GetClusterQuotaMapper(),
+ generic.NewRegistry(install.NewQuotaConfigurationForAdmission().Evaluators()),
+ ),
+ nodeenv.NewInitializer(enablement.OpenshiftConfig().ProjectConfig.DefaultNodeSelector),
+ admissionrestconfig.NewInitializer(*rest.CopyConfig(genericConfig.LoopbackClientConfig)),
+ )
+ // END ADMISSION
+
+ // HANDLER CHAIN (with oauth server and web console)
+ genericConfig.BuildHandlerChainFunc, err = BuildHandlerChain(enablement.OpenshiftConfig().ConsolePublicURL, enablement.OpenshiftConfig().AuthConfig.OAuthMetadataFile)
+ if err != nil {
+ return err
 }
+ // END HANDLER CHAIN
+
+ genericConfig.AddPostStartHookOrDie("openshift.io-startkubeinformers", func(context genericapiserver.PostStartHookContext) error {
+ go openshiftInformers.Start(context.StopCh)
+ return nil
+ })
+ enablement.AppendPostStartHooksOrDie(genericConfig)
+
+ return nil
 }
 
 // newInformers is only exposed for the build's integration testing until it can be fixed more appropriately.
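Review bot: The rewritten `openshift.io-startkubeinformers` post-start hook no longer calls `go kubeInformers.Start(context.StopCh)`, yet `kubeInformers.Core().V1().Namespaces()` is still handed to `newClusterQuotaMappingController` earlier in the function; if that shared factory is not started elsewhere (the upstream kube-apiserver normally starts it from its own post-start hook, but that is not visible in this diff), the namespace informer never syncs and the cluster quota mapper feeding the clusterresourcequota admission plugin stays empty. Either restore the line or record the reliance with a comment such as `// kubeInformers is started by the kube-apiserver's own post-start hook; only the OpenShift factories are started here`, and consider renaming the hook since it now starts only the OpenShift informers. The exported function also has no doc comment; `// OpenShiftKubeAPIServerConfigPatch wires the OpenShift request-info resolver, long-running check, admission initializers, handler chain and post-start hooks into genericConfig; it is a no-op unless enablement.IsOpenShift() is true.` would cover it. `enablement.OpenshiftConfig()` is read four times in the body and could be bound once to a local right after the IsOpenShift guard.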