adding TokenReview.auth.k8s.io/v1 webhook support
Signed-off-by: Chris Hein <me@chrishein.com>
1 parent
b5065bd
commit a9ebca3
Showing
13 changed files
with
1,170 additions
and
0 deletions.
@@ -0,0 +1,58 @@ | ||
/* | ||
Copyright 2021 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package main | ||
|
||
import ( | ||
"os" | ||
|
||
_ "k8s.io/client-go/plugin/pkg/client/auth/gcp" | ||
"sigs.k8s.io/controller-runtime/pkg/client/config" | ||
"sigs.k8s.io/controller-runtime/pkg/log" | ||
"sigs.k8s.io/controller-runtime/pkg/log/zap" | ||
"sigs.k8s.io/controller-runtime/pkg/manager" | ||
"sigs.k8s.io/controller-runtime/pkg/manager/signals" | ||
"sigs.k8s.io/controller-runtime/pkg/webhook" | ||
) | ||
|
||
func init() { | ||
log.SetLogger(zap.New()) | ||
} | ||
|
||
func main() { | ||
entryLog := log.Log.WithName("entrypoint") | ||
|
||
// Setup a Manager | ||
entryLog.Info("setting up manager") | ||
mgr, err := manager.New(config.GetConfigOrDie(), manager.Options{}) | ||
if err != nil { | ||
entryLog.Error(err, "unable to set up overall controller manager") | ||
os.Exit(1) | ||
} | ||
|
||
// Setup webhooks | ||
entryLog.Info("setting up webhook server") | ||
hookServer := mgr.GetWebhookServer() | ||
|
||
entryLog.Info("registering webhooks to the webhook server") | ||
hookServer.Register("/validate-v1-tokenreview", &webhook.Authentication{Handler: &authenticator{Client: mgr.GetClient()}}) | ||
|
||
entryLog.Info("starting manager") | ||
if err := mgr.Start(signals.SetupSignalHandler()); err != nil { | ||
entryLog.Error(err, "unable to run manager") | ||
os.Exit(1) | ||
} | ||
} |
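Review bot: The authenticator is constructed with `Client: mgr.GetClient()` on the Register line, but the Handle method in the accompanying authenticator.go never reads that client, so the example hands the manager's API credentials to a component that does not use them; either drop the field or add a comment explaining why the example wires it. The route "/validate-v1-tokenreview" mirrors admission-webhook naming, while this server answers authentication requests rather than validating objects, so a name along the lines of `/authenticate-v1-tokenreview` (constructed example) would describe the endpoint more accurately.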
@@ -0,0 +1,49 @@ | ||
/* | ||
Copyright 2021 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package main | ||
|
||
import ( | ||
"context" | ||
|
||
v1 "k8s.io/api/authentication/v1" | ||
"sigs.k8s.io/controller-runtime/pkg/client" | ||
|
||
"sigs.k8s.io/controller-runtime/pkg/webhook/authentication" | ||
) | ||
|
||
// authenticator validates tokenreviews | ||
type authenticator struct { | ||
Client client.Client | ||
decoder *authentication.Decoder | ||
} | ||
|
||
// authenticator admits a request by the token. | ||
func (v *authenticator) Handle(ctx context.Context, req authentication.Request) authentication.Response { | ||
if req.Spec.Token == "invalid" { | ||
return authentication.Unauthenticated("invalid is an invalid token", v1.UserInfo{}) | ||
} | ||
return authentication.Authenticated("", v1.UserInfo{}) | ||
} | ||
|
||
// authenticator implements authentication.DecoderInjector. | ||
// A decoder will be automatically injected. | ||
|
||
// InjectDecoder injects the decoder. | ||
func (v *authenticator) InjectDecoder(d *authentication.Decoder) error { | ||
v.decoder = d | ||
return nil | ||
} |
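Review bot: Handle, in the middle of this hunk, authenticates every token except the literal "invalid" and returns an empty v1.UserInfo, so a cluster pointed at this example would treat any bearer token as an authenticated caller with no username; as the reference example for the new webhook it should fail closed and populate the identity, for instance `if req.Spec.Token != expectedToken { return authentication.Unauthenticated("unknown token", v1.UserInfo{}) }` followed by `return authentication.Authenticated("", v1.UserInfo{Username: "example-user"})` (constructed names and values). The Client and decoder fields are set but never read by Handle, so they should be used or removed. The comment above Handle should also begin with the method name per Go doc convention: `// Handle admits a request by its token.`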
@@ -0,0 +1,40 @@ | ||
/* | ||
Copyright 2021 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package authentication | ||
|
||
import ( | ||
"testing" | ||
|
||
. "github.com/onsi/ginkgo" | ||
. "github.com/onsi/gomega" | ||
|
||
"sigs.k8s.io/controller-runtime/pkg/envtest/printer" | ||
logf "sigs.k8s.io/controller-runtime/pkg/log" | ||
"sigs.k8s.io/controller-runtime/pkg/log/zap" | ||
) | ||
|
||
func TestAuthenticationWebhook(t *testing.T) { | ||
RegisterFailHandler(Fail) | ||
suiteName := "Authentication Webhook Suite" | ||
RunSpecsWithDefaultAndCustomReporters(t, suiteName, []Reporter{printer.NewlineReporter{}, printer.NewProwReporter(suiteName)}) | ||
} | ||
|
||
var _ = BeforeSuite(func(done Done) { | ||
logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) | ||
|
||
close(done) | ||
}, 60) |
@@ -0,0 +1,40 @@ | ||
/* | ||
Copyright 2021 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package authentication | ||
|
||
import ( | ||
"k8s.io/apimachinery/pkg/runtime" | ||
"k8s.io/apimachinery/pkg/runtime/serializer" | ||
) | ||
|
||
// Decoder knows how to decode the contents of a CRD version conversion | ||
// request into a concrete object. | ||
// TODO(droot): consider reusing decoder from admission pkg for this. | ||
type Decoder struct { | ||
codecs serializer.CodecFactory | ||
} | ||
|
||
// NewDecoder creates a Decoder given the runtime.Scheme | ||
func NewDecoder(scheme *runtime.Scheme) (*Decoder, error) { | ||
return &Decoder{codecs: serializer.NewCodecFactory(scheme)}, nil | ||
} | ||
|
||
// DecodeInto decodes the inlined object in the into the passed-in runtime.Object. | ||
func (d *Decoder) DecodeInto(content []byte, into runtime.Object) error { | ||
deserializer := d.codecs.UniversalDeserializer() | ||
return runtime.DecodeInto(deserializer, content, into) | ||
} |
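Review bot: The doc comment on Decoder describes "a CRD version conversion request" and carries a TODO(droot) about the admission package, which misdescribes what this type decodes inside the authentication package; suggest `// Decoder knows how to decode the contents of an authentication (TokenReview) request into a concrete object.` The DecodeInto comment reads "decodes the inlined object in the into the passed-in", so `// DecodeInto decodes the inlined object in content into the passed-in runtime.Object.` would fix it. NewDecoder never returns a non-nil error, which its comment should state so callers know the error branch is currently unreachable.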
@@ -0,0 +1,28 @@ | ||
/* | ||
Copyright 2021 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
/* | ||
Package authentication provides implementation for authentication webhook and methods to implement authentication webhook handlers. | ||
See examples/authentication.go for an example of authentication webhooks. | ||
*/ | ||
package authentication | ||
|
||
import ( | ||
logf "sigs.k8s.io/controller-runtime/pkg/internal/log" | ||
) | ||
|
||
var log = logf.RuntimeLog.WithName("authentication") |