add support for serving metrics with authn/authz
Signed-off-by: zhangzujian <[email protected]>
zhangzujian committed Jul 17, 2024
1 parent 46463b9 commit 3885359
Showing 4 changed files with 137 additions and 6 deletions.
25 changes: 24 additions & 1 deletion charts/kube-ovn/templates/ovn-CR.yaml
Expand Up @@ -248,7 +248,18 @@ rules:
- get
- list
- watch

- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
Expand All @@ -271,3 +282,15 @@ rules:
- daemonsets
verbs:
- get
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
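Review bot: Granting `create` on `tokenreviews` and `subjectaccessreviews` inside each component's own ClusterRole (lines 22–33, and again in the second ClusterRole at 41–52) duplicates the built-in `system:auth-delegator` ClusterRole, which as far as I recall carries exactly these two rules for delegated authn/authz; binding `kube-ovn-cni` and `kube-ovn-app` to it with a ClusterRoleBinding, `roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: system:auth-delegator}`, keeps the component roles narrower and tracks whatever upstream decides delegation needs. Whichever form is kept, a comment above the rules, `# delegated authn/authz for the secure metrics endpoint (TokenReview + SubjectAccessReview)`, would tell the next reader why a CNI agent must be able to mint access reviews. `create subjectaccessreviews` lets the holder ask what any subject may do, so this is not a cosmetic grant and should only exist while the server-side check that consumes it does.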
29 changes: 28 additions & 1 deletion charts/kube-ovn/templates/ovn-CRB.yaml
Expand Up @@ -38,7 +38,20 @@ subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: {{ .Values.namespace }}

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-cni
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-cni
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
Expand All @@ -52,3 +65,17 @@ subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: {{ .Values.namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-ovn-app
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kube-ovn-app
namespace: kube-system
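Review bot: The subjects of both new RoleBindings hard-code `namespace: kube-system` (lines 73 and 94) while the ClusterRoleBinding subjects directly above them use `{{ .Values.namespace }}` (lines 58 and 80), so a chart installed into any other namespace binds a `kube-ovn-cni`/`kube-ovn-app` ServiceAccount that does not exist and the real ones never get the configmap read access this commit relies on. The RoleBinding itself must stay in `kube-system`, since that is where the `extension-apiserver-authentication-reader` Role and its configmap live, but the two subject lines should follow the chart value: `namespace: {{ .Values.namespace }}`. Without that access the delegating authenticator in k8s.io/apiserver presumably cannot load the cluster's client-CA and request-header settings and would only warn, silently narrowing which clients the metrics endpoint can authenticate.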
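--- a/dist/images/install.sh
+++ b/dist/images/install.sh
@@ -3170,6 +3170,18 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create
+- apiGroups:
+- authorization.k8s.io
+resources:
+- subjectaccessreviews
+verbs:
+- create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -3183,6 +3195,20 @@ subjects:
 - kind: ServiceAccount
 name: kube-ovn-cni
 namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: kube-ovn-cni
+namespace: kube-system
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+name: kube-ovn-cni
+namespace: kube-system
 EOF
 
 cat <<EOF > kube-ovn-app-sa.yaml
@@ -3214,6 +3240,18 @@ rules:
 - daemonsets
 verbs:
 - get
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create
+- apiGroups:
+- authorization.k8s.io
+resources:
+- subjectaccessreviews
+verbs:
+- create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -3227,6 +3265,20 @@ subjects:
 - kind: ServiceAccount
 name: kube-ovn-app
 namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: kube-ovn-app
+namespace: kube-system
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+name: kube-ovn-app
+namespace: kube-system
 EOF
 
 kubectl apply -f kube-ovn-crd.yaml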
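Review bot: The two new RoleBindings (lines 120–133 and 160–173) give no hint why a CNI daemon and the app controller need `extension-apiserver-authentication-reader`, and since install.sh is the path people read without the Helm chart, a one-line YAML comment above each `kind: RoleBinding` would help: `# lets the delegating authenticator read configmap/extension-apiserver-authentication in kube-system (client CA, request-header settings)`. The hard-coded `namespace: kube-system` on the subjects matches the existing ClusterRoleBinding subject on line 119, so no parameterisation is needed in this script. The heredoc these manifests are written into starts before the hunk.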
37 changes: 33 additions & 4 deletions pkg/server/server.go
Expand Up @@ -8,9 +8,14 @@ import (
"strconv"
"strings"

"k8s.io/apiserver/pkg/endpoints/filters"
"k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/server"
"k8s.io/apiserver/pkg/server/options"
"k8s.io/client-go/rest"
"k8s.io/klog/v2"

"github.com/kubeovn/kube-ovn/pkg/client/clientset/versioned/scheme"
)

func SecureServing(addr, svcName string, handler http.Handler) (<-chan struct{}, error) {
Expand All @@ -31,9 +36,15 @@ func SecureServing(addr, svcName string, handler http.Handler) (<-chan struct{},
}
}

opt := options.NewSecureServingOptions()
var clientConfig *rest.Config
opt := options.NewSecureServingOptions().WithLoopback()
authnOpt := options.NewDelegatingAuthenticationOptions()
authzOpt := options.NewDelegatingAuthorizationOptions()
opt.ServerCert.PairName = svcName
opt.ServerCert.CertDirectory = ""
authnOpt.RemoteKubeConfigFileOptional = true
authzOpt.RemoteKubeConfigFileOptional = true

if host != "" {
ip := net.ParseIP(host)
if ip == nil {
Expand All @@ -55,14 +66,32 @@ func SecureServing(addr, svcName string, handler http.Handler) (<-chan struct{},
return nil, fmt.Errorf("failed to genarate self signed certificates: %v", err)
}

var c *server.SecureServingInfo
if err = opt.ApplyTo(&c); err != nil {
var serving *server.SecureServingInfo
var authn server.AuthenticationInfo
var authz server.AuthorizationInfo
if err = opt.ApplyTo(&serving, &clientConfig); err != nil {
klog.Error(err)
return nil, fmt.Errorf("failed to apply secure serving options to secure serving info: %v", err)
}
if err = authnOpt.ApplyTo(&authn, serving, nil); err != nil {
klog.Error(err)
return nil, fmt.Errorf("failed to apply authn options to authn info: %v", err)
}
if err = authzOpt.ApplyTo(&authz); err != nil {
klog.Error(err)
return nil, fmt.Errorf("failed to apply authz options to authz info: %v", err)
}

handler = filters.WithAuthorization(handler, authz.Authorizer, scheme.Codecs)
handler = filters.WithAuthentication(handler, authn.Authenticator, filters.Unauthorized(scheme.Codecs), nil, nil)

requestInfoResolver := &request.RequestInfoFactory{}
handler = filters.WithRequestInfo(handler, requestInfoResolver)
handler = filters.WithCacheControl(handler)
server.AuthorizeClientBearerToken(clientConfig, &authn, &authz)

stopCh := make(chan struct{}, 1)
_, listenerStoppedCh, err := c.Serve(handler, 0, stopCh)
_, listenerStoppedCh, err := serving.Serve(handler, 0, stopCh)
if err != nil {
klog.Error(err)
return nil, fmt.Errorf("failed to serve on %s: %v", addr, err)
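Review bot: `server.AuthorizeClientBearerToken(clientConfig, &authn, &authz)` on line 240 runs after `authn.Authenticator` has already been captured by value in `filters.WithAuthentication` on line 235, so the union authenticator it installs into `authn` never reaches the served chain and the loopback bearer token produced by `WithLoopback()` / `opt.ApplyTo(&serving, &clientConfig)` is not honoured — as written the call is dead code. If the loopback token is meant to work, move that line above line 234, before the handler chain is assembled; if not, drop it together with the loopback plumbing, which is the safer choice because, as far as I recall, that token maps to the privileged `system:masters` identity and would bypass the SubjectAccessReview path for anyone who obtains it, and nothing visible here hands `clientConfig` to a caller. Two points worth a comment rather than a change: `RemoteKubeConfigFileOptional = true` (lines 206–207) presumably means a failed in-cluster config load is only logged by k8s.io/apiserver and the server still starts, and `NewDelegatingAuthorizationOptions()` keeps its default always-allow paths (`/healthz`, `/readyz`, `/livez`), so only `/metrics` and other paths actually go through SubjectAccessReview. `SecureServing` starts in the first hunk and its body continues past the end of this one.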