kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

network proxy with admission wh 

Kubernetes-commit: 1289bdaba41848c0d19892cc749798e540b56e8a
This commit is contained in:
Jefftree 2019-11-12 17:35:45 -08:00 committed by Kubernetes Publisher
parent facd355a68
commit 16fa20a151
1 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
pkg/util/webhook/authentication.go
View File

@ -26,6 +26,8 @@ import (
"time" "time"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
utilnet "k8s.io/apimachinery/pkg/util/net"
egressselector "k8s.io/apiserver/pkg/server/egressselector"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd" "k8s.io/client-go/tools/clientcmd"
clientcmdapi "k8s.io/client-go/tools/clientcmd/api" clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@ -38,6 +40,7 @@ type AuthenticationInfoResolverWrapper func(AuthenticationInfoResolver) Authenti
// NewDefaultAuthenticationInfoResolverWrapper builds a default authn resolver wrapper // NewDefaultAuthenticationInfoResolverWrapper builds a default authn resolver wrapper
func NewDefaultAuthenticationInfoResolverWrapper( func NewDefaultAuthenticationInfoResolverWrapper(
proxyTransport *http.Transport, proxyTransport *http.Transport,
egressSelector *egressselector.EgressSelector,
kubeapiserverClientConfig *rest.Config) AuthenticationInfoResolverWrapper { kubeapiserverClientConfig *rest.Config) AuthenticationInfoResolverWrapper {
webhookAuthResolverWrapper := func(delegate AuthenticationInfoResolver) AuthenticationInfoResolver { webhookAuthResolverWrapper := func(delegate AuthenticationInfoResolver) AuthenticationInfoResolver {
@ -46,7 +49,23 @@ func NewDefaultAuthenticationInfoResolverWrapper(
if hostPort == "kubernetes.default.svc:443" { if hostPort == "kubernetes.default.svc:443" {
return kubeapiserverClientConfig, nil return kubeapiserverClientConfig, nil
} }
return delegate.ClientConfigFor(hostPort) ret, err := delegate.ClientConfigFor(hostPort)
if err != nil {
return nil, err
}
if egressSelector != nil {
networkContext := egressselector.Master.AsNetworkContext()
var egressDialer utilnet.DialFunc
egressDialer, err = egressSelector.Lookup(networkContext)
if err != nil {
return nil, err
}
ret.Dial = egressDialer
}
return ret, nil
}, },
ClientConfigForServiceFunc: func(serviceName, serviceNamespace string, servicePort int) (*rest.Config, error) { ClientConfigForServiceFunc: func(serviceName, serviceNamespace string, servicePort int) (*rest.Config, error) {
if serviceName == "kubernetes" && serviceNamespace == corev1.NamespaceDefault && servicePort == 443 { if serviceName == "kubernetes" && serviceNamespace == corev1.NamespaceDefault && servicePort == 443 {
@ -56,10 +75,20 @@ func NewDefaultAuthenticationInfoResolverWrapper(
if err != nil { if err != nil {
return nil, err return nil, err
} }
if proxyTransport != nil && proxyTransport.DialContext != nil {
if egressSelector != nil {
networkContext := egressselector.Cluster.AsNetworkContext()
var egressDialer utilnet.DialFunc
egressDialer, err = egressSelector.Lookup(networkContext)
if err != nil {
return nil, err
}
ret.Dial = egressDialer
} else if proxyTransport != nil && proxyTransport.DialContext != nil {
ret.Dial = proxyTransport.DialContext ret.Dial = proxyTransport.DialContext
} }
return ret, err return ret, nil
}, },
} }
} }