tkestack · leoryu · Aug 25, 2021 · Aug 18, 2021 · Aug 18, 2021 · Aug 18, 2021
@@ -6,8 +6,7 @@ metadata:
  {{- include "tke-auth-api.labels" . | nindent 4 }}
 data:
  abac-policy.json: |
- {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"system:kube-*|system:serviceaccount:kube-system:*","namespace":"*", "resource":"*","apiGroup":"*tkestack.io", "group": "*", "nonResourcePath":"*"}}
- {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"^system:serviceaccount:tke:default$","namespace":"*", "resource":"*","apiGroup":"*", "group": "*", "nonResourcePath":"*"}}
+ {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"system:*","namespace":"*", "resource":"*","apiGroup":"*", "group": "*", "nonResourcePath":"*"}}
  tke-auth-api.toml: |
  [secure_serving]
  tls_cert_file = "/app/certs/tke-auth-api/tls.crt"

@@ -47,7 +47,6 @@ import (
  "k8s.io/apiserver/pkg/authorization/authorizer"
  genericapiserver "k8s.io/apiserver/pkg/server"
  serverstorage "k8s.io/apiserver/pkg/server/storage"
- k8sinformers "k8s.io/client-go/informers"
 
  authapi "tkestack.io/tke/api/auth"
  authinternalclient "tkestack.io/tke/api/client/clientset/internalversion/typed/auth/internalversion"
@@ -71,7 +70,6 @@ import (
  "tkestack.io/tke/pkg/auth/authorization/aggregation"
  dexutil "tkestack.io/tke/pkg/auth/util/dex"
  casbinlogger "tkestack.io/tke/pkg/auth/util/logger"
- "tkestack.io/tke/pkg/util/apiclient"
  "tkestack.io/tke/pkg/util/log"
  "tkestack.io/tke/pkg/util/log/dex"
 )
@@ -87,7 +85,6 @@ type Config struct {
  OIDCExternalAddress string
  GenericAPIServerConfig *genericapiserver.Config
  VersionedSharedInformerFactory versionedinformers.SharedInformerFactory
- K8sSharedInformerFactory k8sinformers.SharedInformerFactory
  StorageFactory *serverstorage.DefaultStorageFactory
 
  DexConfig *dexserver.Config
@@ -148,11 +145,6 @@ func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config,
  }
  versionedInformers := versionedinformers.NewSharedInformerFactory(clientgoExternalClient, 10*time.Minute)
 
- k8sClient, err := apiclient.BuildKubeClient()
- if err != nil {
- return nil, fmt.Errorf("failed to create real external clientset: %v", err)
- }
- k8sInformers := k8sinformers.NewSharedInformerFactory(k8sClient, 1*time.Minute)
  enforcer, err := setupCasbinEnforcer(opts.Authorization)
  if err != nil {
  return nil, err
@@ -169,7 +161,7 @@ func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config,
  return nil, err
  }
 
- aggregateAuthz, err := aggregation.NewAuthorizer(authClient, opts.Authorization, opts.Auth, enforcer, opts.Authentication.PrivilegedUsername, k8sInformers)
+ aggregateAuthz, err := aggregation.NewAuthorizer(authClient, opts.Authorization, opts.Auth, enforcer, opts.Authentication.PrivilegedUsername)
  if err != nil {
  return nil, err
  }
@@ -208,7 +200,6 @@ func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config,
  GenericAPIServerConfig: genericAPIServerConfig,
  StorageFactory: storageFactory,
  VersionedSharedInformerFactory: versionedInformers,
- K8sSharedInformerFactory: k8sInformers,
  DexConfig: dexConfig,
  DexStorage: dexConfig.Storage,
  CasbinEnforcer: enforcer,

@@ -41,7 +41,6 @@ func CreateServerChain(cfg *config.Config) (*genericapiserver.GenericAPIServer,
 
  apiServer.GenericAPIServer.AddPostStartHookOrDie("start-auth-api-server-informers", func(context genericapiserver.PostStartHookContext) error {
  cfg.VersionedSharedInformerFactory.Start(context.StopCh)
- cfg.K8sSharedInformerFactory.Start(context.StopCh)
  return nil
  })
 

@@ -44,7 +44,6 @@ import (
  "tkestack.io/tke/pkg/auth/filter"
  "tkestack.io/tke/pkg/business/apiserver"
  controllerconfig "tkestack.io/tke/pkg/controller/config"
- "tkestack.io/tke/pkg/util/log"
 )
 
 const (
@@ -132,11 +131,7 @@ func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config,
  if err != nil {
  return nil, err
  }
- clusterInspector, err := filter.NewClusterInspector(platformClient.PlatformV1(), opts.Authentication.PrivilegedUsername)
- if err != nil {
- log.Errorf("create clusterInspector failed: %+v", err)
- return nil, err
- }
+ clusterInspector := filter.NewClusterInspector(platformClient.PlatformV1(), opts.Authentication.PrivilegedUsername)
  genericAPIServerConfig.BuildHandlerChainFunc = handler.BuildHandlerChain(nil, nil, []filter.Inspector{clusterInspector})
 
  cfg := &Config{

@@ -1,21 +1,4 @@
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- annotations:
- rbac.authorization.kubernetes.io/autoupdate: "true"
- labels:
- kubernetes.io/bootstrapping: rbac-defaults
- name: tke-bind
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: tke
----
 kind: Service
 apiVersion: v1
 metadata:
@@ -113,8 +96,7 @@ metadata:
  namespace: tke
 data:
  abac-policy.json: |
- {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"system:kube-*|system:serviceaccount:kube-system:*","namespace":"*", "resource":"*","apiGroup":"*tkestack.io", "group": "*", "nonResourcePath":"*"}}
- {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"^system:serviceaccount:tke:default$","namespace":"*", "resource":"*","apiGroup":"*", "group": "*", "nonResourcePath":"*"}}
+ {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","spec":{"user":"system:*","namespace":"*", "resource":"*","apiGroup":"*", "group": "*", "nonResourcePath":"*"}}
  tke-auth-api.toml: |
  [secure_serving]
  tls_cert_file = "/app/certs/server.crt"

@@ -41,7 +41,6 @@ import (
  "tkestack.io/tke/pkg/apiserver/util"
  "tkestack.io/tke/pkg/auth/filter"
  "tkestack.io/tke/pkg/platform/apiserver"
- "tkestack.io/tke/pkg/util/log"
 )
 
 const (
@@ -105,11 +104,7 @@ func CreateConfigFromOptions(serverName string, opts *options.Options) (*Config,
  if err != nil {
  return nil, fmt.Errorf("failed to create real external clientset: %v", err)
  }
- clusterInspector, err := filter.NewClusterInspector(clientgoExternalClient.PlatformV1(), opts.Authentication.PrivilegedUsername)
- if err != nil {
- log.Errorf("create clusterInspector failed: %+v", err)
- return nil, err
- }
+ clusterInspector := filter.NewClusterInspector(clientgoExternalClient.PlatformV1(), opts.Authentication.PrivilegedUsername)
  genericAPIServerConfig.BuildHandlerChainFunc = handler.BuildHandlerChain(nil, nil, []filter.Inspector{clusterInspector})
  versionedInformers := versionedinformers.NewSharedInformerFactory(clientgoExternalClient, 10*time.Minute)
 

diff --git a/docs/design-proposals/Auth RBAC.md b/docs/design-proposals/Auth RBAC.md
@@ -8,27 +8,7 @@ replace (
  github.com/deislabs/oras => github.com/deislabs/oras v0.8.0
  go.etcd.io/etcd => go.etcd.io/etcd v0.5.0-alpha.5.0.20200819165624-17cef6e3e9d5
  google.golang.org/grpc => google.golang.org/grpc v1.26.0
- k8s.io/api => k8s.io/api v0.19.7
- k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.19.7
- k8s.io/apimachinery => k8s.io/apimachinery v0.19.7
- k8s.io/apiserver => k8s.io/apiserver v0.19.7
- k8s.io/cli-runtime => k8s.io/cli-runtime v0.19.7
  k8s.io/client-go => k8s.io/client-go v0.19.7
- k8s.io/cloud-provider => k8s.io/cloud-provider v0.19.7
- k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.19.7
- k8s.io/code-generator => k8s.io/code-generator v0.19.7
- k8s.io/component-base => k8s.io/component-base v0.19.7
- k8s.io/cri-api => k8s.io/cri-api v0.19.7
- k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.19.7
- k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.19.7
- k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.19.7
- k8s.io/kube-proxy => k8s.io/kube-proxy v0.19.7
- k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.19.7
- k8s.io/kubectl => k8s.io/kubectl v0.19.7
- k8s.io/kubelet => k8s.io/kubelet v0.19.7
- k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.19.7
- k8s.io/metrics => k8s.io/metrics v0.19.7
- k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.19.7
 )
 
 require (
@@ -120,7 +100,6 @@ require (
  k8s.io/kube-aggregator v0.19.7
  k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6
  k8s.io/kubectl v0.19.7
- k8s.io/kubernetes v1.19.7
  k8s.io/metrics v0.19.7
  k8s.io/utils v0.0.0-20200729134348-d5654de09c73
  rsc.io/letsencrypt v0.0.3 // indirect