feat(cluster): enabled authn by x509 and authz in webhook mode

tkestack · Jul 1, 2020 · f447e37 · f447e37
1 parent 38c227f
commit f447e37
Show file tree

Hide file tree

Showing 164 changed files with 2,363 additions and 1,031 deletions.
diff --git a/api/platform/cluster.go b/api/platform/cluster.go
@@ -64,3 +64,8 @@ func (in *Cluster) Host() (string, error) {
 
  return fmt.Sprintf("%s:%d", address.Host, address.Port), nil
 }
+
+func (in *Cluster) AuthzWebhookEnable() bool {
+ return in.Spec.Features.AuthzWebhookAddr != nil &&
+ (in.Spec.Features.AuthzWebhookAddr.Builtin != nil || in.Spec.Features.AuthzWebhookAddr.External != nil)
+}
diff --git a/api/platform/types.go b/api/platform/types.go
@@ -332,6 +332,9 @@ type ClusterFeature struct {
  Hooks map[HookType]string
  // +optional
  CSIOperator *CSIOperatorFeature
+ // For kube-apiserver authorization webhook
+ // +optional
+ AuthzWebhookAddr *AuthzWebhookAddr
 }
 
 type HA struct {
@@ -359,6 +362,20 @@ type CSIOperatorFeature struct {
  Version string
 }
 
+type AuthzWebhookAddr struct {
+ // +optional
+ Builtin *BuiltinAuthzWebhookAddr
+ // +optional
+ External *ExternalAuthzWebhookAddr
+}
+
+type BuiltinAuthzWebhookAddr struct{}
+
+type ExternalAuthzWebhookAddr struct {
+ IP string `json:"ip" protobuf:"bytes,1,name=ip"`
+ Port int32 `json:"port" protobuf:"varint,2,name=port"`
+}
+
 const (
  HookPreInstall HookType = "PreInstall"
  HookPostInstall HookType = "PostInstall"

diff --git a/api/platform/v1/cluster.go b/api/platform/v1/cluster.go
@@ -24,6 +24,8 @@ import (
  "math/rand"
  "time"
 
+ "tkestack.io/tke/pkg/util/http"
+
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "tkestack.io/tke/pkg/util/ssh"
 )
@@ -147,3 +149,22 @@ func (in *Cluster) Host() (string, error) {
 
  return fmt.Sprintf("%s:%d", address.Host, address.Port), nil
 }
+
+func (in *Cluster) AuthzWebhookEnable() bool {
+ return in.Spec.Features.AuthzWebhookAddr != nil &&
+ (in.Spec.Features.AuthzWebhookAddr.Builtin != nil || in.Spec.Features.AuthzWebhookAddr.External != nil)
+}
+
+func (in *Cluster) AuthzWebhookExternEndpoint() (string, bool) {
+ if in.Spec.Features.AuthzWebhookAddr == nil {
+ return "", false
+ }
+
+ if in.Spec.Features.AuthzWebhookAddr.External == nil {
+ return "", false
+ }
+
+ ip := in.Spec.Features.AuthzWebhookAddr.External.IP
+ port := int(in.Spec.Features.AuthzWebhookAddr.External.Port)
+ return http.MakeEndpoint("https", ip, port, "/auth/authz"), true
+}